kustomize-controller
SOPS: Decryption does not work for envs in secretGenerator
Description
I'm trying to use SOPS to replace plaintext secrets in my .env files with encrypted ones. However, I can't get fluxcd to actually decrypt Secrets generated by secretGenerator and envs.
Example
I'm using the example from #463:
Create an env file:
ROUTER_PASSWORD=admin
DB_PASSWORD=admin
Encrypt it with SOPS:
sops --encrypt --in-place podinfo.env
Create a kustomization.yaml that generates an env secret:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
secretGenerator:
  - name: env-secret
    envs:
      - podinfo.env
Configure Flux to decrypt the secret before apply:
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: secrets
  namespace: flux-system
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  interval: 1m0s
  path: ./secrets
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
Expected behavior: secrets contains the unencrypted values of ROUTER_PASSWORD and DB_PASSWORD
Actual behavior: secrets is actually still encrypted and contains SOPS info
Version
I first encountered this behavior in version 2.3.0 but have since upgraded to version 2.4.0.
Do you have .sops.yaml in the root of the repo?
creation_rules:
  - path_regex: podinfo.env
    key_groups:
      - age:
          - age1qwer1234 # Your key goes here
Yes and the encrypted podinfo.env file looks good to me.
When I replace envs with files it works.
We do look for the envs files here: https://github.com/fluxcd/kustomize-controller/blob/d7bad03364cf2ab7b7077061b99be2fc4d4c81cb/internal/decryptor/decryptor.go#L454, maybe the issue is with the format, can you try adding --input-type=env to the sops encrypt command.
I actually already tried both --input-type=env and --output-type=env.
Here's what my file looks like:
ROUTER_PASSWORD=ENC[AES256_GCM,data:D1cQnLk=,iv:b/lWUjH5vOHfVbbY75psMshc+IU+PaMaEiTgNdYWDhE=,tag:dDHQDPxaRhUD+utEe2GstQ==,type:str]
DB_PASSWORD=ENC[AES256_GCM,data:GaS8mW0=,iv:VhjrNitVUewvDhfW4Q355Ro+//0HBSq6PHne8rC1wWQ=,tag:oTfpBgfOwpIw0aI8D9h5vg==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZitHc3RpTnNNcmF6Q3Fu\nUDNSVXVvbEJvZmM3dEtqV08yK1BrRmZ5QWxjCjVuU3IxaStoR2ZrUnBIbnNhVlNI\nWlkyL1NrSzBZTHcwdDJqbW1IVzFFeUUKLS0tIGVrbGtHeWxab0pNK0MzSlB5Zmc3\nVzREa3NxUm9aTzJYK1ZQcnVjYUdGSGsK8fX3JapwaNJdAT5bZbAI2/egIHKM1lpC\nl5vAuw5857NZjrzEe8FatkvuzX7YHjXMqnbgl+y1hUKmONHSB8mstg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age120ql8fth37c5a76xzlmpurswwxps5h5wc0t6x366k3llp9q06f6sr3p5fp
sops_lastmodified=2024-10-18T13:03:05Z
sops_mac=ENC[AES256_GCM,data:+wxaJG0IYrgalVvvxdz3ZhPzSO060XMmQHa8dfvcS/mCzODELmk7FnTM60krtuFu/6LEEp8vwPUA+xXgpiChj+9nRLSkopC2ORvP9B0jupxvPBUENQkR81khnW0oAHC/TZWbqo8nVXcP2WlA/YWZSYLFtx4Iia9onApyh2Mc1XY=,iv:Hhls8NM0rZgqll4WnD0zudPIYrfxm3MjqP9LrnooWsc=,tag:JQl5LJ7O77YJXRiwGqvrjw==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1
@Do-min-ik your code works fine for me, I do not have any issues with encrypted secret data.
Yup, the example provided does indeed work. The culprit is actually my "pre-processing". Instead of the actual files I'm calling kubectl kustomize . and using the resulting output without creating any kustomization.yaml whatsoever. Apparently, the controller can't handle that.
There used to be the following comment in kustomization_controller.go: // decrypt .env files before building kustomization
I'm pretty new to Go but I guess this is the reason why my "pre-processed" output doesn't work. At this point my .env file is already a Secret, but all the sops fields are in the wrong location (data instead of sops).
This cannot work since the SOPS metadata is not present in the final secret for env files. You either let Flux build the secrets or you encrypt the Kubernetes secret yaml after you build it with kustomize.
Yes, that's what I meant.
Closing this now because it's not a problem with Fluxcd but rather wrong usage.
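The root cause settled on above is that running kubectl kustomize before Flux turns every line of the SOPS-encrypted .env file, metadata lines included, into a base64 entry under the Secret's data map, so the controller never sees the top-level sops key it looks for. The following script is an added example (not code from this thread, fluxcd, or kustomize) that reproduces that transformation for a dotenv file and audits the resulting data map, so a pre-apply check can flag manifests where SOPS metadata or still-encrypted ENC[...] values would reach the cluster. It assumes that secretGenerator's envs: maps each KEY=VALUE line to data[KEY] = base64(VALUE), which is how the thread's symptom arises; the sample env contents are constructed with fake ciphertext, not real sops output.

```python
import base64

# Constructed sample modelled on the layout of a SOPS-encrypted dotenv file
# (short fake ciphertext and a fake recipient; not real sops output).
SAMPLE_ENCRYPTED_ENV = """\
# database credentials (comment lines are ignored by the parser)
ROUTER_PASSWORD=ENC[AES256_GCM,data:D1cQnLk=,iv:AAAA,tag:BBBB,type:str]
DB_PASSWORD=ENC[AES256_GCM,data:GaS8mW0=,iv:CCCC,tag:DDDD,type:str]
sops_age__list_0__map_recipient=age1examplerecipient
sops_lastmodified=2024-10-18T13:03:05Z
sops_mac=ENC[AES256_GCM,data:EEEE,iv:FFFF,tag:GGGG,type:str]
sops_version=3.8.1
"""

# Constructed plaintext counterpart, i.e. what Flux produces after decryption.
SAMPLE_PLAINTEXT_ENV = "ROUTER_PASSWORD=admin\nDB_PASSWORD=admin\n"


def parse_dotenv(text):
    """Parse KEY=VALUE lines into a dict; skip blank lines and # comments.
    Split on the first '=' only, so values that themselves contain '='
    (base64 padding inside ENC[...]) survive intact."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a KEY=VALUE line: {raw!r}")
        key, value = line.split("=", 1)
        entries[key.strip()] = value
    return entries


def classify_value(key, value):
    """Label one entry as SOPS metadata, a still-encrypted payload, or plaintext."""
    if key.startswith("sops_"):
        return "sops_metadata"
    if value.startswith("ENC[") and value.endswith("]"):
        return "encrypted"
    return "plaintext"


def classify_env(entries):
    """Classify every entry of a parsed dotenv file."""
    return {k: classify_value(k, v) for k, v in entries.items()}


def env_to_secret_data(entries):
    """Mimic what secretGenerator's `envs:` does to a dotenv file (assumption,
    not kustomize code): every KEY=VALUE becomes data[KEY] = base64(VALUE),
    the sops_* metadata lines included."""
    return {k: base64.b64encode(v.encode()).decode() for k, v in entries.items()}


def audit_secret_data(data):
    """Inspect a Secret's `data` map as it would reach the cluster.
    Returns {key: finding}; an empty dict means no SOPS residue was found."""
    findings = {}
    for key, b64 in data.items():
        try:
            value = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings[key] = "invalid_base64"
            continue
        label = classify_value(key, value)
        if label != "plaintext":
            findings[key] = label
    return findings


def check_pipeline(env_text):
    """Run the whole chain: parse -> kustomize-style Secret data -> audit."""
    return audit_secret_data(env_to_secret_data(parse_dotenv(env_text)))


if __name__ == "__main__":
    # The pre-built case from the thread: metadata lands in data, nothing decrypts.
    for key, finding in check_pipeline(SAMPLE_ENCRYPTED_ENV).items():
        print(f"{key}: {finding}")
    # The working case: Flux decrypted the .env before kustomize ran.
    print("plaintext findings:", check_pipeline(SAMPLE_PLAINTEXT_ENV))
```

Running the script on the encrypted sample reports every key, the two credentials as "encrypted" and the four sops_* entries as "sops_metadata", which is exactly the shape of the broken Secret described in the thread; the plaintext sample yields no findings. A non-empty result from check_pipeline on a manifest about to be applied is a reliable signal that the decryption step was bypassed.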