fluxcd / kustomize-controller

The GitOps Toolkit Kustomize reconciler
https://fluxcd.io
Apache License 2.0

Flux decrypts SOPS for resources that come from Kustomization, but not from Component #1235

Open vlasov-y opened 3 weeks ago

vlasov-y commented 3 weeks ago

Describe the bug

It is possible to create resources from both Kustomization and Component stacks, but in the second case, secrets are left encrypted.

Steps to reproduce

Create a kustomize.toolkit.fluxcd.io/v1 Kustomization that reads sources with files like the ones below.

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
...

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
secretGenerator:
  - name: token
    envs:
    - token.sops.env
    options:
      disableNameSuffixHash: true

token=ENC[AES256_GCM,data:pNbegN0N...G6t2KUo=,tag:...,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRY...
sops_age__list_0__map_recipient=age1knuvddndz...
sops_age__list_1__map_enc=-----BEGIN AGE ENCRY...
sops_age__list_1__map_recipient=age1vmk6z84kf...
sops_lastmodified=2024-08-22T07:26:35Z
sops_mac=...
sops_unencrypted_suffix=_unencrypted
sops_version=3.9.0

Expected behavior

Secret with decrypted token. But I receive a secret with all fields straight from the env file.

Screenshots and recordings

No response

OS / Distro

EKS 1.30.2

Flux version

2.3.0

Flux check

► checking prerequisites
✔ Kubernetes 1.30.2-eks-db838b0 >=1.28.0-0
► checking version in cluster
✔ distribution: flux-2.3.0
✔ bootstrapped: false
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.0.1
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.3.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.3.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.3.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

Git provider

GitLab

Container Registry provider

ECR

Additional context

No response


stefanprodan commented 2 weeks ago

To support this, the discovery mechanism for generators needs to be extended to components. Similar to: https://github.com/fluxcd/kustomize-controller/blob/6c91a199fdfb43af42c17f17f463d72507747bc5/internal/decryptor/decryptor.go#L659-L663
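The failure mode in this issue is silent: the Secret is applied successfully, just with SOPS ciphertext and `sops_*` metadata in it. As an added example (not part of the issue or of the kustomize-controller code base), here is a small post-deployment check that flags a Secret whose keys or values still look SOPS-encrypted; the sample Secret JSON is constructed to mirror the env file above, and the assumed real input is the output of `kubectl get secret token -o json`.

```python
import base64
import json
import sys

SOPS_META_PREFIX = "sops_"       # metadata keys SOPS adds to an encrypted env file
SOPS_CIPHERTEXT_PREFIX = "ENC["  # every SOPS-encrypted value starts with ENC[...]


def _looks_encrypted(key: str, plain: str) -> bool:
    return key.startswith(SOPS_META_PREFIX) or plain.startswith(SOPS_CIPHERTEXT_PREFIX)


def find_undecrypted_sops(secret: dict) -> list:
    """Return the keys of a Kubernetes Secret object that still carry SOPS material."""
    findings = []
    # 'data' values are base64-encoded; decode them before inspecting.
    for key, value in (secret.get("data") or {}).items():
        try:
            plain = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: cannot be a SOPS marker, skip it
            plain = ""
        if _looks_encrypted(key, plain):
            findings.append(key)
    # 'stringData' (present in rendered manifests) is plain text already.
    for key, value in (secret.get("stringData") or {}).items():
        if _looks_encrypted(key, str(value)):
            findings.append(key)
    return findings


def check_secret_json(text: str) -> list:
    """Parse 'kubectl get secret <name> -o json' output and return offending keys."""
    return find_undecrypted_sops(json.loads(text))


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: what the Secret looks like when the Component's env file is applied undecrypted.
LEAKED_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "token"},
    "data": {"token": _b64("ENC[AES256_GCM,data:pNbegN0N...,tag:...,type:str]"),
             "sops_mac": _b64("ENC[AES256_GCM,data:...,type:str]"),
             "sops_version": _b64("3.9.0")}})

# Constructed sample: the same Secret after a correct decryption.
CLEAN_SECRET_JSON = json.dumps({"apiVersion": "v1", "kind": "Secret",
                                "metadata": {"name": "token"},
                                "data": {"token": _b64("example-plaintext-token")}})

if __name__ == "__main__":
    bad = check_secret_json(sys.stdin.read() if not sys.stdin.isatty() else LEAKED_SECRET_JSON)
    print("undecrypted SOPS keys:", bad)
    sys.exit(1 if bad else 0)
```

Run it as `kubectl get secret token -o json | python3 check_sops.py` in CI or a post-sync hook; a non-zero exit means the reconciler applied ciphertext.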