viaduct-ai / kustomize-sops

KSOPS - A Flexible Kustomize Plugin for SOPS Encrypted Resources
Apache License 2.0

Enhancement proposition: input type support for files #238

Open hmehta opened 2 months ago

hmehta commented 2 months ago

I would like to request a small enhancement: supporting the sops-supported input/output-type arguments for files in KSOPS. This would allow the user to use files using the INI-format without explicitly defining the .ini filetype extension. See my project for example:

kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
  - ksops-secret-generator.yaml

ksops-secret-generator.yaml:

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: my-ksops-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
secretFrom:
  - metadata:
      name: my-secret
      annotations:
        kustomize.config.k8s.io/needs-hash: "true"
    type: Opaque
    files:
      # I would love to be able to do something like:
      # - path: my.enc.credentials
      #   type: ini
      - my.enc.credentials
      - other.enc.ini

Both my.enc.credentials and other.enc.ini were generated like this:

cat > my.enc.credentials <<EOF
[section]
key = value
EOF
sops --input-type=ini --output-type=ini -i -e my.enc.credentials

If I only use the file ending in .ini, everything works as expected, but if the file extension is not .ini, the INI-format is not detected. This is caused by: https://github.com/viaduct-ai/kustomize-sops/blob/master/ksops.go#L228

So the suggestion is to have the files array contain either strings to files, like now, in which case formats.FormatForPath would be used to deduce the format to pass to sops decryptDataWithFormat, and also support something like this:

files:
  - path: my.enc.credentials
    type: ini
  - path: my.enc.docker.config
    type: json
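
One way the mixed `files` list proposed above could be decoded, as an added example that is not part of the original issue or of KSOPS's own code. `FileEntry`, `ParseFiles`, `Format` and `extFormat` are hypothetical names, the extension table is a simplified stand-in for `formats.FormatForPath`, and the list is given as JSON on the assumption that the generator manifest is converted from YAML to JSON before unmarshalling.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// FileEntry (hypothetical name) is one files item: a bare path, or {path, type}.
type FileEntry struct {
	Path, Type string // encoding/json matches "path" and "type" case-insensitively
}

// UnmarshalJSON accepts both forms, so string-only manifests keep working.
func (f *FileEntry) UnmarshalJSON(b []byte) (err error) {
	type plain FileEntry // same fields, no methods: no recursion into this func
	if json.Unmarshal(b, &f.Path) != nil { // not a bare string, expect an object
		err = json.Unmarshal(b, (*plain)(f))
	}
	if err == nil && f.Path == "" {
		err = fmt.Errorf("files entry needs a non-empty path")
	}
	return err
}

var extFormat = map[string]string{".ini": "ini", ".json": "json", ".yaml": "yaml", ".yml": "yaml", ".env": "dotenv"}

// Format prefers the explicit type and rejects values sops has no input type for;
// extFormat is a simplified stand-in for extension-based detection.
func (f FileEntry) Format() (string, error) {
	switch f.Type {
	case "ini", "json", "yaml", "dotenv", "binary":
		return f.Type, nil
	case "": // no explicit type: fall back to the file extension
		if t, ok := extFormat[filepath.Ext(f.Path)]; ok {
			return t, nil
		}
		return "binary", nil
	}
	return "", fmt.Errorf("unsupported type %q for %s", f.Type, f.Path)
}

func ParseFiles(raw string) (out []FileEntry, err error) {
	err = json.Unmarshal([]byte(raw), &out)
	return
}

func main() { // constructed sample input
	fmt.Println(ParseFiles(`["other.enc.ini", {"path": "my.enc.credentials", "type": "ini"}]`))
}
```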