Markus Siebert

Results 38 comments of Markus Siebert

At the moment we use it already for keys, but handle them as 'strings' in the aws call. I agree we should add an option to pass the secret as...

This is fixed in Version 2.0; you have to create a binary secret with sops and use `rawOutput: RawOutput.BINARY` in your Secret.

Just tried out locally, https://github.com/kubernetes-sigs/controller-tools/blob/main/pkg/crd/schema.go#L277 changing this line to
```
typeInfo := typeInfoRaw.(interface{ Obj() *types.TypeName })
```
fixes it

```
15:16:12 [ .. ] go generate linux_arm64
panic: interface conversion: types.Type is *types.Alias, not *types.Named

goroutine 1 [running]:
sigs.k8s.io/controller-tools/pkg/crd.namedToSchema(0x1400563c360, 0x14005704810)
	/..some..provider../vendor/sigs.k8s.io/controller-tools/pkg/crd/schema.go:277 +0x2d4
sigs.k8s.io/controller-tools/pkg/crd.typeToSchema(0x1400563c360, {0x102efc8a8, 0x14005704810})
	/..some..provider../vendor/sigs.k8s.io/controller-tools/pkg/crd/schema.go:199 +0xec
sigs.k8s.io/controller-tools/pkg/crd.structToSchema(0x1400880b638, 0x14005704828)...
```

Tested this - does not work with psp:
```
message: 'pods "grafana-64f4f78b5f-xkwr8" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "init-chown-data" must not include "DAC_READ_SEARCH" in securityContext.capabilities.add)'
```
Don't think...

But I don't understand - shouldn't the default be the hardened? I am only here, because of the issues. Never decided to activate the init container. Never had any psp...

OK, was able to reproduce :-) Thank you for your clear definition of the steps to reproduce! `sops decrypt --input-type binary --output-type binary test.yaml` returns the same "error". _(That's the...