Open JoelDimbernat opened 7 months ago
Anything missing for someone to review this PR?
@JoelDimbernat just forgot to assign me 😁
I'm trying to fix issue #189.
The main use case I see is when you want to mix non-encrypted literals with an encrypted file in the same resulting secret.
I can't remember my exact use case, but I remember I looked for how to do it and stumbled on that issue. Maybe @blinkeye could tell us more.
Hello @blinkeye does this fix your problem?
Hello,
I think the use case is to be able to easily replace the classic secretGenerator syntax when used with literals.
Here is a kustomize.yaml without ksops:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
secretGenerator:
  - name: cloudnative-pg-s3
    literals:
      - ACCESS_KEY_ID=yyyyyyyyyyyyyyyyyyyy
      - ACCESS_SECRET_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
generatorOptions:
  labels:
    app: frankenphp
  annotations:
    argocd.argoproj.io/sync-wave: '0'
And the kustomize.yaml file with ksops and literals support:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
generators:
  - sops-secret-generator.yaml
and of course the sops-secret-generator.yaml file:
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: ksops-secret-from-generator
  annotations:
    config.kubernetes.io/function: "exec:\n # if the binary is your PATH, you can do \n path: ksops\n # otherwise, path should be relative to manifest files, like\n # path: ../../../ksops\n"
secretFrom:
  - metadata:
      name: cloudnative-pg-s3
      annotations:
        argocd.argoproj.io/sync-wave: '0'
      labels:
        app: frankenphp
    literals:
      - ENC[AES256_GCM,data:koqsnfF4DJs1q5tmnEQhZN3YMZ5SPVSZfn6/DcoT6Nhyyw==,iv:70Io/WBio9EgjdKCHmW2MDILfoc7pZHlQWkzDhKoBhw=,tag:Jnj7H6ClJhwmFuDdRGw5KA==,type:str]
      - ENC[AES256_GCM,data:4c5PLLjChVXcR8eMMa+SG+HogafhQp8Q89iS4OJs1NhbqEpHbe57vZPtNqNNLkD4yxw=,iv:fN/3ylxK3aKhwIMvUuCWXL/BkJmwhIQ98htEXU8EH7M=,tag:u0c7zdvPife7XpYvPCJNXQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1z9zm8evxf6yczcyc976srtjvhsxpxhme6w94jmurdnx7a38a3f9q3ywu2d
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVE5xbERaaWJiemhoNEVj
        NkFXNUdMc3lhdEpWOGk3NWswYnVvSmhxUkRjCkJFVVNpbExrYzdLL0VlakhwR0xX
        S2h0SVZiVmp2MWh2NXFrbVRuRUNlMTQKLS0tIHVYQ3NDNm1PN3I5Z2laS2NYem9K
        c3JCcUxEcGpxanowWjc0djJyaGYvQlUKFgnuyZPyLjemfnFA8Z8eqBAtAbjN21fS
        vIHrqEu1dCoGWsxEBg9lbo11rR4MToLRElcw6SAuyRFR8KVdDUHZag==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: '2024-10-17T17:09:16Z'
  mac: ENC[AES256_GCM,data:t1CyTgqyRIc2mBAb8DhYNDKXEUjL1Us8hbPLIMLrUQsWqspHEN1kDjUck4aRTYveyfsoMFk5exQD+owKXiOtLGMybBe3UhIeQu/Bwh1c7ZfqWmgy92Z0TrCpO9XWCEj8FfVDr954ryEsmtJQO+KrqHtj5KPlkkIs93KdSiKIInc=,iv:dC02lVAokp63qcxaOMMM+at9GMvYCfFaonqbA++Zook=,tag:mKEnTDscJ9Hi4kKxamw9vQ==,type:str]
  pgp: []
  unencrypted_regex: ^(apiVersion|metadata|kind|type)$
  version: 3.9.1
I have tried with the current version of ksops (v4.3.2); I don't get any error, but the Secret does not contain ACCESS_KEY_ID and ACCESS_SECRET_KEY:
apiVersion: v1
kind: Secret
metadata:
  name: cloudnative-pg-s3
  namespace: default
  labels:
    app: frankenphp
    argocd.argoproj.io/instance: frankenphp
  annotations:
    argocd.argoproj.io/sync-wave: '0'
type: Opaque
Is it something that could be merged? I could create another PR to improve README.md if you want.
@devstein is it something that could be merged?
Hi @albundy83 I'll take a look this weekend. Yes feel free to create a separate PR, thanks.
@JoelDimbernat doesn't appear to be active
I have tried again, but now all I have is this error:
one or more objects failed to apply, reason: Secret "cloudnative-pg-s3" is invalid: [data[ENC[AES256_GCM,data:F/E2wQFSCeUxE+KGBxVoZQUCDb36dtsDTznrCptcXAHVwB1c642TKfOuxlT85lsMZys]: Invalid value: "ENC[AES256_GCM,data:F/E2wQFSCeUxE+KGBxVoZQUCDb36dtsDTznrCptcXAHVwB1c642TKfOuxlT85lsMZys": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+'), data[ENC[AES256_GCM,data:vcDxFMp1VzRnM2B+/jVnL5Y+nycVU9c68Jcp9M6b2JOQ,iv:vykYhvnw+u5950S8AxFSn48BSH0RLtbrFSRs4gpyOSQ]: Invalid value: "ENC[AES256_GCM,data:vcDxFMp1VzRnM2B+/jVnL5Y+nycVU9c68Jcp9M6b2JOQ,iv:vykYhvnw+u5950S8AxFSn48BSH0RLtbrFSRs4gpyOSQ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')]
I don't understand how I managed to make it work once ... :(
I think the code can't work like this, as the other functions are decrypting from a file and not directly from the current file.
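The apply error above is what happens when the generator's literals reach the Secret builder without having been decrypted: the whole "KEY=value" string was encrypted by sops, so the still-encrypted blob ends up as the data key and fails the Kubernetes key regex. The following Go function is an added example, not ksops' own code, illustrating how a literals-to-Secret-data step (the hypothetical `LiteralsToSecretData` helper) can split decrypted literals, reject a literal that still carries the `ENC[` prefix before anything is sent to the API server, and validate the key against the same pattern quoted in the error. The sample inputs are constructed from the plaintext literals in the kustomize.yaml earlier in the thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// secretKeyRe is the pattern the API server applies to Secret data keys
// (the regex quoted in the "Invalid value" error above).
var secretKeyRe = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// LiteralsToSecretData turns "KEY=value" literals, as a secretFrom[].literals
// list would carry them after sops decryption, into Secret stringData.
// Hypothetical helper for this example; ksops has its own implementation.
func LiteralsToSecretData(literals []string) (map[string]string, error) {
	data := make(map[string]string, len(literals))
	for i, lit := range literals {
		// A literal that still starts with ENC[ was never decrypted. Since sops
		// encrypted the whole "KEY=value" string, there is no usable key in it,
		// so fail here instead of letting the API server reject the Secret.
		if strings.HasPrefix(lit, "ENC[") {
			return nil, fmt.Errorf("literal %d is still sops-encrypted; decrypt the generator file before building the Secret", i)
		}
		// Split on the first '=' only, so values may themselves contain '='.
		key, value, found := strings.Cut(lit, "=")
		if !found {
			return nil, fmt.Errorf("literal %d %q is not of the form KEY=value", i, lit)
		}
		if !secretKeyRe.MatchString(key) {
			return nil, fmt.Errorf("literal %d: invalid Secret data key %q (must match %s)", i, key, secretKeyRe)
		}
		if _, dup := data[key]; dup {
			return nil, fmt.Errorf("literal %d: duplicate key %q", i, key)
		}
		data[key] = value
	}
	return data, nil
}

func main() {
	// Constructed sample input: the two plaintext literals from the
	// kustomize.yaml in this thread.
	plain := []string{
		"ACCESS_KEY_ID=yyyyyyyyyyyyyyyyyyyy",
		"ACCESS_SECRET_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
	}
	data, err := LiteralsToSecretData(plain)
	fmt.Println(data, err)

	// Constructed sample of a literal that was not decrypted (shortened).
	_, err = LiteralsToSecretData([]string{"ENC[AES256_GCM,data:...,type:str]"})
	fmt.Println(err)
}
```

The early `ENC[` check is the part worth keeping in mind when debugging the behaviour reported above: with it, a generator file whose literals were not decrypted fails locally with a clear message, rather than producing either an empty Secret or an API-server validation error.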
Fixes #189