isindir / sops-secrets-operator

Kubernetes SOPS secrets operator
Mozilla Public License 2.0

Question - which version of upstream sops? #43

Closed ghost closed 3 years ago

ghost commented 3 years ago

Hi there, the README states that the enc field is not used/managed due to the way Kubernetes manages objects.

sops-secrets-operator is not using standard sops library decryption interface function, modified upstream function is used to decrypt data which ignores enc signature field in sops metadata. This is due to the fact that when Kubernetes resource is applied it is always mutated by Kubernetes, for example resource version is generated and added to the resource. But any mutation invalidates sops metadata enc field and standard decryption function fails.

Is this still the case? If so, can you please provide the link of the modified upstream function?
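To make the README statement concrete: a MAC that covers the whole object is invalidated by the metadata the API server adds on apply, which is why the operator skips that check. The following is an added example written for this thread, not code from sops-secrets-operator or from the upstream sops library. It uses a simplified HMAC construction (sops computes and stores its own MAC differently; `demoMACKey`, `Resource`, `kubernetesMutate` and the sample values are constructed for illustration) to show the difference between a MAC over the whole object and one scoped to the protected `data` branch: the second survives server-side metadata churn while still detecting a modified value, whereas ignoring the MAC entirely gives up that tamper detection.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Constructed demo key. Real sops derives and stores its MAC differently;
// this only illustrates what the integrity check covers.
var demoMACKey = []byte("constructed-demo-mac-key")

// Resource is a minimal stand-in for a Secret-like object: the API server
// mutates Metadata on apply, while Data holds the values the MAC protects.
type Resource struct {
	Metadata map[string]string
	Data     map[string]string
}

// canonical returns a deterministic encoding of a string map: sorted keys,
// each key and value NUL-terminated so "a"+"bc" cannot collide with "ab"+"c".
func canonical(m map[string]string) []byte {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []byte
	for _, k := range keys {
		out = append(out, k...)
		out = append(out, 0)
		out = append(out, m[k]...)
		out = append(out, 0)
	}
	return out
}

// mac computes HMAC-SHA256 over the concatenated parts and hex-encodes it.
func mac(parts ...[]byte) string {
	h := hmac.New(sha256.New, demoMACKey)
	for _, p := range parts {
		h.Write(p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// macWhole covers metadata and data: any server-side mutation invalidates it.
func macWhole(r Resource) string {
	return mac(canonical(r.Metadata), canonical(r.Data))
}

// macData covers only the protected values, so metadata churn is tolerated
// while tampering with a value is still detected.
func macData(r Resource) string {
	return mac(canonical(r.Data))
}

// verify compares two MACs in constant time.
func verify(expected, actual string) bool {
	return hmac.Equal([]byte(expected), []byte(actual))
}

// kubernetesMutate simulates apply: the object comes back with
// server-generated metadata such as resourceVersion and uid.
func kubernetesMutate(r Resource) Resource {
	out := Resource{Metadata: map[string]string{}, Data: map[string]string{}}
	for k, v := range r.Metadata {
		out.Metadata[k] = v
	}
	for k, v := range r.Data {
		out.Data[k] = v
	}
	out.Metadata["resourceVersion"] = "123456"                          // constructed value
	out.Metadata["uid"] = "00000000-0000-0000-0000-000000000000"        // placeholder
	return out
}

// newDemoResource builds the constructed sample object used below.
func newDemoResource() Resource {
	return Resource{
		Metadata: map[string]string{"name": "db-credentials", "namespace": "default"},
		Data:     map[string]string{"username": "app", "password": "constructed-sample"},
	}
}

func main() {
	authored := newDemoResource()
	wholeMAC, dataMAC := macWhole(authored), macData(authored)

	applied := kubernetesMutate(authored)
	fmt.Println("whole-object MAC valid after apply:", verify(wholeMAC, macWhole(applied)))
	fmt.Println("data-only MAC valid after apply:   ", verify(dataMAC, macData(applied)))

	applied.Data["password"] = "modified-after-apply"
	fmt.Println("data-only MAC valid after tamper:  ", verify(dataMAC, macData(applied)))
}
```

The point for a reviewer of the operator's approach: ignoring the MAC makes decryption tolerant of Kubernetes mutations, but the object's encrypted values then have no integrity check at all, so a MAC scoped to the protected fields is the property one would want upstream to expose rather than a blanket skip.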

isindir commented 3 years ago

Hi @domhdp , that is in controller code: https://github.com/isindir/sops-secrets-operator/blob/master/controllers/sopssecret_controller.go#L376 , I took it out some time ago and did not check since then if the function in the upstream code has been changed (may have been already).

The code now is compiled using https://github.com/isindir/sops-secrets-operator/blob/master/go.mod#L10 version of sops.

Please let me know if that answers your question.

ghost commented 3 years ago

Great thanks for that. Are you monitoring the upstream function? How does the custom function stay up to date with the upstream version?


isindir commented 3 years ago

The original function is described here and you can check the code as well, it is pretty much the same (may be a bit more decomposed) as it was when I copied it:

https://github.com/mozilla/sops#12development-branch (see: To use sops as a library, take a look at the decrypt package.) -> https://godoc.org/go.mozilla.org/sops/v3/decrypt#Data -> https://github.com/mozilla/sops/blob/master/decrypt/decrypt.go#L73

ghost commented 3 years ago

@isindir Thanks for that. I think it would be better if IgnoreMAC was included in the upstream external API of mozilla/sops, in a similar way to

https://github.com/mozilla/sops/blob/38b25bd449619e1d6da20e637702f7c73203aa44/cmd/sops/common/common.go#L92

Then there would be no need to maintain the custom function... is that right?

ghost commented 3 years ago

I have created an upstream issue here https://github.com/mozilla/sops/issues/783

isindir commented 3 years ago

I think it is not going to happen based on the upstream project answer. Closing this issue.