kustomize-controller
Run SOPS decryption before krusty.run
At the moment, the SOPS decryption happens on a per resource level after the krusty library has done a kustomize run, as seen here:
https://github.com/fluxcd/kustomize-controller/blob/main/controllers/kustomization_controller.go#L627-L640
This causes issues when a file encrypted with SOPS is merged with another file - the resulting merged file cannot be decrypted and errors will occur. This means that any file encrypted with SOPS is heavily limited in how it can be used.
If the SOPS decryption happened before the kustomize run, then there wouldn't be any restrictions on how SOPS encrypted files could be used.
One possible solution would be to decrypt the files with SOPS, then pass the decrypted files to krusty for a build. It could roughly look like this at the high level:
- Make a temp dir and deep copy `root/dirPath` to the temp dir.
- Decrypt all SOPS encrypted files.
- Pass the temp dir to `krusty.run`.
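The staging approach sketched in the list above, as an added example that is not the controller's code: copy the kustomization directory into a private temp dir, decrypt anything that looks SOPS-encrypted on the way, hand the temp dir to the build, and remove it afterwards. The `Decryptor` callback, the `isSOPSEncrypted` heuristic (top-level `sops:` mapping with a `mac:` entry), the stub that stands in for SOPS so the code runs without keys, and the constructed sample Secret are all assumptions of this example, not part of the issue or the project.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Decryptor turns one SOPS-encrypted file into plaintext. The controller
// would wrap the SOPS decrypt API; injecting it keeps this example key-free.
type Decryptor func(path string, ciphertext []byte) ([]byte, error)

// isSOPSEncrypted is a heuristic (assumption, not a SOPS API): an encrypted
// YAML file carries a top-level "sops:" mapping that contains a "mac:" entry.
func isSOPSEncrypted(data []byte) bool {
	hasSops, hasMac := false, false
	for _, line := range strings.Split(string(data), "\n") {
		hasSops = hasSops || strings.HasPrefix(line, "sops:")
		hasMac = hasMac || strings.HasPrefix(strings.TrimSpace(line), "mac:")
	}
	return hasSops && hasMac
}

// stageDecrypted deep-copies srcDir into a fresh private temp dir (0700),
// decrypting every SOPS-encrypted file on the way. The caller must
// os.RemoveAll the returned dir after the kustomize build has consumed it.
func stageDecrypted(srcDir string, dec Decryptor) (tmpDir string, decrypted []string, err error) {
	tmpDir, err = os.MkdirTemp("", "kustomization-")
	if err != nil {
		return "", nil, err
	}
	err = filepath.WalkDir(srcDir, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(srcDir, p)
		if err != nil {
			return err
		}
		dst := filepath.Join(tmpDir, rel)
		if d.IsDir() {
			return os.MkdirAll(dst, 0o700)
		}
		if d.Type()&fs.ModeSymlink != 0 {
			// refuse links so nothing outside srcDir can be pulled into the build
			return fmt.Errorf("refusing to stage symlink %s", rel)
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if isSOPSEncrypted(data) {
			if data, err = dec(p, data); err != nil {
				return fmt.Errorf("decrypt %s: %w", rel, err)
			}
			decrypted = append(decrypted, rel)
		}
		return os.WriteFile(dst, data, 0o600)
	})
	if err != nil {
		os.RemoveAll(tmpDir) // never leave a half-decrypted tree behind
		return "", nil, err
	}
	return tmpDir, decrypted, nil
}

// Constructed placeholder ciphertext used by the stub below; not real SOPS output.
const fakeEnc = "ENC[AES256_GCM,data:c3VwZXJzZWNyZXQ=,type:str]"

// stubDecryptor stands in for SOPS in this example only: it swaps the
// placeholder for a plaintext value and leaves the sops metadata in place.
func stubDecryptor(_ string, ciphertext []byte) ([]byte, error) {
	if !strings.Contains(string(ciphertext), fakeEnc) {
		return nil, fmt.Errorf("unknown ciphertext")
	}
	return []byte(strings.ReplaceAll(string(ciphertext), fakeEnc, "supersecret")), nil
}

// demo stages a constructed directory holding one encrypted Secret and
// returns what krusty.Run would read from the temp dir.
func demo() (decryptedFiles []string, stagedSecret string, err error) {
	src, err := os.MkdirTemp("", "src-")
	if err != nil {
		return nil, "", err
	}
	defer os.RemoveAll(src)
	encrypted := "apiVersion: v1\nkind: Secret\nmetadata:\n  name: db\nstringData:\n" +
		"  password: " + fakeEnc + "\nsops:\n  mac: ENC[AES256_GCM,data:bWFj,type:str]\n"
	if err = os.WriteFile(filepath.Join(src, "secret.yaml"), []byte(encrypted), 0o600); err != nil {
		return nil, "", err
	}
	tmp, decryptedFiles, err := stageDecrypted(src, stubDecryptor)
	if err != nil {
		return nil, "", err
	}
	defer os.RemoveAll(tmp) // plaintext is gone as soon as the build is done
	out, err := os.ReadFile(filepath.Join(tmp, "secret.yaml"))
	if err != nil {
		return nil, "", err
	}
	return decryptedFiles, string(out), nil
}

func main() {
	files, secret, err := demo()
	fmt.Println(files, err)
	fmt.Print(secret)
}
```

The two points worth keeping if this is wired into `secureBuildKustomization` are the ones the stub cannot show: the temp dir is created private and removed as soon as the build returns, so decrypted Secrets never outlive the reconciliation on disk, and symlinks are refused during the copy so the staging step cannot be steered to read files outside the source tree.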
This could either be done here, in the `secureBuildKustomization` function: https://github.com/fluxcd/kustomize-controller/blob/main/controllers/kustomization_generator.go#L252
Or just before the call to `secureBuildKustomization`, here: https://github.com/fluxcd/kustomize-controller/blob/main/controllers/kustomization_controller.go#L615
Some other potential options that come to mind:
- Move the SOPS decryption logic upstream to the krusty library.
- Override `krusty.run` with a new function that adds a SOPS decrypt for each file before the file is read.