Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SOPS: Document env secret generator #469

Merged
merged 2 commits into from
Oct 19, 2021
Merged

SOPS: Document env secret generator #469

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
95dca0f
SOPS: Document env secret generator
stefanprodan Oct 19, 2021
c610944
SOPS: Fix dotenv decryption error reporting
stefanprodan Oct 19, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 11 additions & 4 deletions controllers/kustomization_decryptor.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"os"
"os/exec"
"path/filepath"
"strings"

securejoin "github.com/cyphar/filepath-securejoin"
"go.mozilla.org/sops/v3"
Expand Down Expand Up @@ -216,19 +217,25 @@ func (kd *KustomizeDecryptor) decryptDotEnvFiles(dirpath string) error {
secretGens := kus.SecretGenerator
for _, gen := range secretGens {
for _, envFile := range gen.EnvSources {
filepath := filepath.Join(dirpath, envFile)
data, err := ioutil.ReadFile(filepath)

envFileParts := strings.Split(envFile, "=")
if len(envFileParts) > 1 {
envFile = envFileParts[1]
}

envPath := filepath.Join(dirpath, envFile)
data, err := ioutil.ReadFile(envPath)
if err != nil {
return err
}

if bytes.Contains(data, []byte("sops_mac=ENC[")) {
out, err := kd.DataWithFormat(data, formats.Dotenv, formats.Dotenv)
if err != nil {
return nil
return err
}

err = ioutil.WriteFile(filepath, out, 0644)
err = ioutil.WriteFile(envPath, out, 0644)
if err != nil {
return fmt.Errorf("error writing to file: %w", err)
}
Expand Down
29 changes: 29 additions & 0 deletions docs/spec/v1beta2/kustomization.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -994,6 +994,35 @@ The kustomize-controller scans the values of Kubernetes Secrets, and when it
detects that the values are SOPS encrypted, it decrypts them before applying
them on the cluster.

For secrets in `.json`, `.yaml` and `.env` format, make sure you specify the input type when encrypting them with SOPS:

```sh
cat config.json | sops -e --input-type=json > config.json.encrypted
cat config.yaml | sops -e --input-type=yaml > config.yaml.encrypted
cat config.env | sops -e --input-type=env > config.env.encrypted
```

For kustomize-controller to be able to decrypt a JSON config, you need to set the file extension to `.json`:

```yaml
kind: Kustomization
secretGenerator:
- name: config
files:
- config.json=config.json.encrypted
```

For dotenv files, use the `envs` directive:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: config
envs:
- config.env.encrypted
```

## Status

When the controller completes a Kustomization apply, reports the result in the `status` sub-resource.
Expand Down