kustomize controller unable to decrypt kms encoded yaml file data

[Satcomproj]

i am using S3 as source and before pushing the data to S3 i am encrypting the data with kms key. i have added a irsa role to decrypt the kms key to the kustomization controller service account. but kustomize controller is failing to decode the data.

getting error: "error":"failed to decode Kubernetes YAML from /tmp/kustomization-3479328615/resources/prod/org_ns79.yaml: MalformedYAMLError: yaml: control characters are not allowed "}

here is the complete code

package main

import ( "bytes" "encoding/gob" "fmt" "io/fs" "io/ioutil" "log" "time"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/kms"
"github.com/aws/aws-sdk-go/service/s3"
"gopkg.in/yaml.v2"

)

type Organization struct { APIVersion string yaml:"apiVersion" Kind string yaml:"kind" Metadata Metadata yaml:"metadata" Spec Spec yaml:"spec" Status Status yaml:"status" }

type Metadata struct { Annotations map[string]interface{} yaml:"annotations" CreationTime time.Time yaml:"creationTimestamp" Generation int yaml:"generation" Name string yaml:"name" ResourceVersion string yaml:"resourceVersion" UID string yaml:"uid" }

type Spec struct { ConfigRef ConfigRef yaml:"configRef" OrganizationType string yaml:"organizationType" Scopes []Scope yaml:"scopes" }

type ConfigRef struct { Name string yaml:"name" }

type Scope struct { AccessMode string yaml:"accessMode" AuthClientRef AuthClientRef yaml:"authClientRef" IsolationRef IsolationRef yaml:"isolationRef" }

type AuthClientRef struct { Name string yaml:"name" }

type IsolationRef struct { Name string yaml:"name" Namespace string yaml:"namespace,omitempty" }

type Status struct { Conditions []Condition yaml:"conditions" }

type Condition struct { LastTransitionTime time.Time yaml:"lastTransitionTime" Message string yaml:"message" ObservedGeneration int yaml:"observedGeneration" Reason string yaml:"reason" Status string yaml:"status" Type string yaml:"type" }

func main() {

bucket := "gitops-flux-1"
key := "resources/prod/org_ns79.yaml"
var org Organization

fmt.Println("test add org")

dataOrg, err := ioutil.ReadFile("org_1.yaml")
if err != nil {
    fmt.Println("Error reading encrypted YAML file:", err)
}

if err := yaml.Unmarshal(dataOrg, &org); err != nil {
    log.Fatalf("failed to unmarshal YAML: %v", err)
}
fmt.Println(org)

updateOrg(&org)

keyID := "280653b3-28d8-4154-bcea-3391fb0797cb"

data, err := yaml.Marshal(org)
if err != nil {
    log.Fatalf(" failed to create updated spec : %v", err)
    return
}

WriteToAExternalFile("resource_status.yaml", data, 0644)

cypherData, err := encryptDataWithKMS(data, keyID)
if err != nil {
    log.Fatalf(" failed to encrypt data : %v", err)
    return
}

if err = uploadFileToS3(bucket, key, cypherData); err != nil {
    log.Fatalf("failed to upload file %v", err)
}

}

func WriteToAExternalFile(filename string, data []byte, perm fs.FileMode) error { err := ioutil.WriteFile(filename, data, perm) if err != nil { fmt.Println("Error writing YAML file:", err) return err }

fmt.Printf(" file  %s created successfully!", filename)
return nil

}

func StructToBytes(org Organization) ([]byte, error) { var buffer bytes.Buffer encoder := gob.NewEncoder(&buffer) err := encoder.Encode(org) if err != nil { return nil, err } return buffer.Bytes(), nil }

func BytesToStruct(data []byte) (*Organization, error) { var org Organization buffer := bytes.NewBuffer(data) decoder := gob.NewDecoder(buffer) err := decoder.Decode(&org) if err != nil { return nil, err } return &org, nil }

func encryptDataWithKMS(data []byte, keyID string) ([]byte, error) { // Create a new session sess, err := session.NewSession(&aws.Config{ Region: aws.String("us-east-1"), // Optionally provide credentials, leave this out to use default credentials. // Credentials: credentials.NewStaticCredentials("YOUR_AWS_ACCESS_KEY_ID", "YOUR_AWS_SECRET_ACCESS_KEY", ""), }) if err != nil { fmt.Println("Error creating session:", err) return nil, err } // Create a KMS client kmsClient := kms.New(sess)

// Encrypt the data using the specified KMS key
params := &kms.EncryptInput{
    KeyId:     aws.String(keyID),
    Plaintext: data, // by default encoded base 64
}

resp, err := kmsClient.Encrypt(params)
if err != nil {
    return nil, err
}

//ciphertextBase64 := base64.StdEncoding.EncodeToString(resp.CiphertextBlob)
// Return the encrypted data (ciphertext)
//return bytes.NewBufferString(ciphertextBase64).Bytes(), nil

return resp.CiphertextBlob, nil

}

func updateOrg(org Organization) Organization {

org.Metadata.Name = "98e64260-f154-4d0d-be7d-fa217ea72937"
//fmt.Println(org)
return org

}

func uploadFileToS3(bucketName, fileName string, fileContent []byte) error { // Create a new AWS session sess, err := session.NewSession(&aws.Config{ Region: aws.String("us-east-1"), // Optionally provide credentials, leave this out to use default credentials. // Credentials: credentials.NewStaticCredentials("YOUR_AWS_ACCESS_KEY_ID", "YOUR_AWS_SECRET_ACCESS_KEY", ""), }) if err != nil { fmt.Println("Error creating session:", err) return err }

// Create S3 service client
svc := s3.New(sess)

// Upload file to S3 bucket
_, err = svc.PutObject(&s3.PutObjectInput{
    Bucket: aws.String(bucketName),
    Key:    aws.String(fileName),
    Body:   bytes.NewReader(fileContent),
})
if err != nil {
    return err
}
return nil

}

1.is it a valid approach?

2. apart from adding irsa i have not done anything else. here is the kustomization resouce

apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: flux-test-kustomization namespace: flux-test-1 spec: interval: 1m sourceRef: kind: Bucket name: my-bucket namespace: flux-system path: /resources/prod prune: true

[stefanprodan]

You need to use the sops CLI to encrypt the Kubernetes secret, then enabled decryption in the Flux Kustomization. Docs here:

• https://fluxcd.io/flux/components/kustomize/kustomizations/#decryption
• https://fluxcd.io/flux/guides/mozilla-sops/