Closed HumairAK closed 4 years ago
Hi @HumairAK, thanks for making an issue!

By design KSOPS actually supports any K8s resource, including ConfigMaps. It is agnostic to the underlying resource type when decrypting, but it only works with valid encrypted K8s resources.

This behavior is different from the built-in configMapGenerator, which generates a new K8s resource (ConfigMap) from local files (regardless of whether the files are K8s resources or data files).

It might be possible to support generating a new resource from encrypted files and then decrypting, but that would require a slightly different design where the arguments to KSOPS are the generated K8s resource name/kind/version. It also depends on the generator evaluation order of kustomize.

Either way, I suggest creating a ConfigMap manually without using the configMapGenerator, then encrypting it with SOPS and using KSOPS to generate the final decrypted ConfigMap resource.
Hope this helps! Let me know if you have any questions.
> I suggest creating a ConfigMap manually without using the configMapGenerator, then encrypting it with SOPS and using KSOPS to generate the final resource.
Yeah, this was my initial reaction as well. But I soon realized this might not work for me. So in my case I have a yaml file that I pull into the configMapGenerator. In this yaml file there are some values I'd like to encrypt. If I instead use a ConfigMap then the yaml file is included in the ConfigMap as a string, and afaik sops wouldn't be able to work here. Isn't that correct?
@HumairAK Could you provide an example? What I am suggesting is:

```yaml
# secret-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: secret-configmap
data:
  secret.yaml: |
    secret: value
```
then you can run

```sh
# assumes you have your .sops.yaml set up as recommended in the README
sops -e secret-configmap.yaml > secret-configmap.enc.yaml
```
and your generator looks like this:

```yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: super-secret-generator
files:
  - secret-configmap.enc.yaml
```
Is this what you are trying to do?
Also, why do you need to use a ConfigMap as opposed to a Secret for this?
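As an added example that is not part of this thread or of the KSOPS project: a small POSIX shell guard for the `*.enc.yaml` files that the `sops -e` step above produces, meant for a pre-commit hook or CI job so that a manifest whose `data:` values were never encrypted (or were edited after encryption) cannot slip into the repo. It assumes a `.sops.yaml` whose `encrypted_regex` limits encryption to `data` and `stringData`, so `kind:` and `metadata:` stay in plaintext and only those two maps are expected to hold `ENC[...]` envelopes. The `check_encrypted` function name, the file names and every `ENC[...]` payload are constructed for this example and are not real ciphertext.

```sh
#!/bin/sh
# Added example, not KSOPS project code.
# check_encrypted FILE -> 0 when the file carries a sops: block with a MAC and
# every "key: value" line under data:/stringData: is a SOPS envelope
# (ENC[AES256_GCM,data:...]), 1 otherwise. Assumes .sops.yaml scopes
# encryption to ^(data|stringData)$ (assumption, see lead-in).
check_encrypted() {
  f="$1"
  [ -f "$f" ] || return 1
  # sops metadata must be present, including the integrity MAC
  grep -q '^sops:' "$f" || return 1
  grep -Eq '^ +mac: ENC\[' "$f" || return 1
  awk '
    BEGIN { bad = 0; in_data = 0 }
    # a non-indented line starts a new top-level key; remember whether we are
    # inside one of the two maps that must be encrypted
    /^[^ #]/ { in_data = ($0 ~ /^(data|stringData):/); next }
    # "key: value" line inside data/stringData: value must be an ENC envelope
    in_data && /^ +[^ #][^:]*: *[^ ]/ {
      val = $0
      sub(/^[^:]*: */, "", val)
      if (val !~ /^ENC\[AES256_GCM,data:/) bad = 1
    }
    END { exit bad }
  ' "$f"
}

TMP="$(mktemp -d)"

# Constructed sample of what `sops -e secret-configmap.yaml` yields under the
# assumed .sops.yaml: values under data: are envelopes, everything else is
# plaintext. Payloads, fingerprint and timestamps are placeholders.
cat > "$TMP/secret-configmap.enc.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
    name: secret-configmap
data:
    secret.yaml: ENC[AES256_GCM,data:Zm9vYmFy,iv:QUFBQQ==,tag:QkJCQg==,type:str]
sops:
    kms: []
    pgp:
        - created_at: "2020-01-01T00:00:00Z"
          fp: 0000000000000000000000000000000000000000
    lastmodified: "2020-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:QUFBQQ==,tag:QkJCQg==,type:str]
    version: 3.5.0
EOF

# Constructed sample: the plaintext input that must never be committed.
cat > "$TMP/secret-configmap.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: secret-configmap
data:
  secret.yaml: |
    secret: value
EOF

# Constructed sample: a key added by hand after encrypting. sops would only
# notice at decrypt time (MAC mismatch); the plaintext is already in git.
cat > "$TMP/secret-configmap.mixed.enc.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
    name: secret-configmap
data:
    secret.yaml: ENC[AES256_GCM,data:Zm9vYmFy,iv:QUFBQQ==,tag:QkJCQg==,type:str]
    extra.yaml: added-later-and-never-encrypted
sops:
    lastmodified: "2020-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:QUFBQQ==,tag:QkJCQg==,type:str]
    version: 3.5.0
EOF

for f in "$TMP"/*.yaml; do
  if check_encrypted "$f"; then
    echo "OK   $f"
  else
    echo "FAIL $f (plaintext value under data:/stringData: or missing sops metadata)"
  fi
done
```

The generator file shown above is then listed under `generators:` in the kustomization.yaml that KSOPS is installed for; the guard runs before that, at commit or CI time, and is deliberately stricter than sops itself, which only detects the half-encrypted case when the MAC fails at decrypt time.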
In my example "value" above would need to be encrypted and not the entire value for the data field.
Though, I think your last point asks a very relevant question. Conceptually a configmap shouldn't have secret values, those should be stored as k8s secrets. I will probably re-adjust. Thanks for the quick responses @devstein !
As far as I can tell, currently kustomize-sops doesn't support configmaps (if I'm wrong please let me know how I can do this!)
Use case: I am using a configmap generator to generate some configmaps, but the config files have sops-encrypted values. Currently I can't both use this encrypted file in the configmapgenerator and the ksops generator. It would be nice if there was something like a kustomize-sops-configmap generator that would add some sort of a decryption step before proceeding with configmap generation.