
Flux decrypts SOPS for resources that come from Kustomization, but not from Component

Open: vlasov-y opened this issue 1 year ago • 1 comment

Describe the bug

It is possible to create resources from both Kustomization and Component stacks, but in the second case, secrets are left encrypted.

Steps to reproduce

Create a kustomize.toolkit.fluxcd.io/v1 Kustomization that reads sources with files like the ones below.

Flux Kustomization:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
...

Component:

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
secretGenerator:
  - name: token
    envs:
    - token.sops.env
    options:
      disableNameSuffixHash: true

token.sops.env:

token=ENC[AES256_GCM,data:pNbegN0N...G6t2KUo=,tag:...,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRY...
sops_age__list_0__map_recipient=age1knuvddndz...
sops_age__list_1__map_enc=-----BEGIN AGE ENCRY...
sops_age__list_1__map_recipient=age1vmk6z84kf...
sops_lastmodified=2024-08-22T07:26:35Z
sops_mac=...
sops_unencrypted_suffix=_unencrypted
sops_version=3.9.0

Expected behavior

Secret with decrypted token. But I receive a secret with all fields straight from the env file.

Screenshots and recordings

No response

OS / Distro

EKS 1.30.2

Flux version

2.3.0

Flux check

► checking prerequisites
✔ Kubernetes 1.30.2-eks-db838b0 >=1.28.0-0
► checking version in cluster
✔ distribution: flux-2.3.0
✔ bootstrapped: false
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.0.1
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.3.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.3.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.3.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

Git provider

GitLab

Container Registry provider

ECR

Additional context

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

vlasov-y, Aug 22 '24 08:08
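
A check an operator can run while this is unresolved, added here as an example that is not part of the issue or of the kustomize-controller code base: it reads a dump produced by "kubectl get secrets -A -o json", base64-decodes every data value and flags Secrets that still carry SOPS ciphertext (values of the form ENC[AES256_GCM,...]) or SOPS metadata keys (sops_version, sops_mac, sops_age__...), which is exactly what the token.sops.env file above turns into when the decryption step is skipped. The SecretList JSON shape is the Kubernetes API's; the sample Secrets, the placeholder ciphertext values and the names AuditSecrets, Finding and SampleSecretsJSON are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// secretList mirrors only the fields of `kubectl get secrets -A -o json`
// that the audit needs; the rest of the API response is ignored.
type secretList struct {
	Items []secretItem `json:"items"`
}

type secretItem struct {
	Metadata struct {
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"metadata"`
	Data map[string]string `json:"data"` // values are base64-encoded
}

// Finding is one Secret key that still carries SOPS ciphertext or SOPS
// metadata, i.e. the env file was applied verbatim instead of decrypted.
type Finding struct {
	Namespace string
	Name      string
	Key       string
	Reason    string
}

// SOPS writes every encrypted value as ENC[<cipher>,data:...,iv:...,tag:...,type:...].
var sopsCiphertext = regexp.MustCompile(`^ENC\[[A-Z0-9_]+,`)

// AuditSecrets parses a SecretList and returns every key whose value is still
// SOPS ciphertext plus every sops_* metadata key that leaked into a Secret.
// Findings are sorted (namespace, name, key) so output is deterministic.
func AuditSecrets(raw []byte) ([]Finding, error) {
	var list secretList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("parse secret list: %w", err)
	}
	var findings []Finding
	for _, s := range list.Items {
		for key, b64 := range s.Data {
			f := Finding{Namespace: s.Metadata.Namespace, Name: s.Metadata.Name, Key: key}
			// A decrypted dotenv never keeps sops_* keys; their presence alone
			// proves the file went in without decryption.
			if strings.HasPrefix(key, "sops_") {
				f.Reason = "SOPS metadata key present"
				findings = append(findings, f)
				continue
			}
			plain, err := base64.StdEncoding.DecodeString(b64)
			if err != nil {
				f.Reason = "value is not valid base64"
				findings = append(findings, f)
				continue
			}
			if sopsCiphertext.Match(plain) {
				f.Reason = "value is SOPS ciphertext"
				findings = append(findings, f)
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		a, b := findings[i], findings[j]
		if a.Namespace != b.Namespace {
			return a.Namespace < b.Namespace
		}
		if a.Name != b.Name {
			return a.Name < b.Name
		}
		return a.Key < b.Key
	})
	return findings, nil
}

// SampleSecretsJSON builds a constructed SecretList: one Secret generated from
// an undecrypted SOPS dotenv (the failure in this issue) and one healthy one.
// All values are placeholders, not real cluster data.
func SampleSecretsJSON() []byte {
	enc := func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
	var leaked, healthy secretItem
	leaked.Metadata.Namespace, leaked.Metadata.Name = "apps", "token"
	leaked.Data = map[string]string{
		"token":        enc("ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]"),
		"sops_version": enc("3.9.0"),
		"sops_mac":     enc("ENC[AES256_GCM,data:CONSTRUCTED,type:str]"),
	}
	healthy.Metadata.Namespace, healthy.Metadata.Name = "apps", "db-credentials"
	healthy.Data = map[string]string{"password": enc("example-plaintext-value")}
	raw, _ := json.Marshal(secretList{Items: []secretItem{leaked, healthy}})
	return raw
}

func main() {
	raw := SampleSecretsJSON()
	if len(os.Args) > 1 { // usage: audit <file from `kubectl get secrets -A -o json`>
		var err error
		if raw, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := AuditSecrets(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s key %q: %s\n", f.Namespace, f.Name, f.Key, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a CI or cron job notices
	}
}
```

Run without arguments it audits the built-in sample and reports three findings for apps/token; pointing it at a real dump makes it a cheap post-reconciliation guard, since a Secret holding ENC[...] strings means the workload received ciphertext and the real value never reached the cluster. The sops_* check matters on its own: those keys carry recipient and MAC data that have no business inside a Kubernetes Secret.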

To support this, the discovery mechanism for generators needs to be extended to components. Similar to: https://github.com/fluxcd/kustomize-controller/blob/6c91a199fdfb43af42c17f17f463d72507747bc5/internal/decryptor/decryptor.go#L659-L663

stefanprodan, Aug 27 '24 06:08