viaduct-ai / kustomize-sops

KSOPS - A Flexible Kustomize Plugin for SOPS Encrypted Resources
Apache License 2.0

Support for configmaps #39

Closed HumairAK closed 4 years ago

HumairAK commented 4 years ago

As far as I can tell, currently kustomize-sops doesn't support configmaps (if I'm wrong please let me know how I can do this!)

Use case: I am using a configmap generator to generate some configmaps, but the config files have sops encrypted values. Currently I can't both use this encrypted file in the configmapgenerator and the ksops generator -- would be nice if there was something like a kustomize-sops-configmap generator that would add some sort of a decryption step before proceeding with configmap generation.

devstein commented 4 years ago

Hi @HumairAK thanks for making an issue!

By design KSOPS actually supports any K8s resource, including ConfigMaps. It is agnostic to the underlying resource type when decrypting, but it only works with valid encrypted K8s resources.

This behavior is different from the built-in configMapGenerator which generates a new K8s resource (ConfigMap) from local files (regardless if files are K8s resources or a data file).

It might be possible to support generating a new resource from encrypted files and then decrypting, but that would require a slightly different design where the arguments to KSOPS are the generated K8s resource name/kind/version. It also depends on the generator evaluation order of kustomize.

Either way, I suggest creating a ConfigMap manually without using the configMapGenerator, then encrypting it with SOPS and using KSOPS to generate the final decrypted ConfigMap resource.

Hope this helps! Let me know if you have any questions.

HumairAK commented 4 years ago

> I suggest creating a ConfigMap manually without using the configMapGenerator then encrypted it with SOPS and using KSOPS to generate the final resource.

Yeah, this was my initial reaction as well. But I soon realized this might not work for me. So in my case I have a yaml file that I pull into the configMapGenerator. In this yaml file there are some values I'd like to encrypt. If I instead use a ConfigMap then the yaml file is included in the ConfigMap as a string, and afaik sops wouldn't be able to work here. Isn't that correct?

devstein commented 4 years ago

@HumairAK Could you provide an example? What I am suggesting is

# secret-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: secret-configmap
data:
  secret.yaml: |
    secret: value

then you can run

# assumes you have your .sops.yaml set up as recommended in the README
sops -e secret-configmap.yaml > secret-configmap.enc.yaml

and your generator looks like this:

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: super-secret-generator
files:
  - secret-configmap.enc.yaml

Is this what you are trying to do?

Also, why do you need to use a ConfigMap as opposed to a Secret for this?
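The workflow above relies on the caveat that KSOPS only decrypts files that are already valid K8s resources, and on SOPS encrypting leaf values (not keys). The following pre-commit style check is an added example, not code from the KSOPS project or from this thread: it takes a parsed `.enc.yaml` (a dict, as `yaml.safe_load` would return) and reports anything that would trip KSOPS, with constructed sample documents that assume the README's `encrypted_regex: ^(data|stringData)$` rule so that `apiVersion`, `kind` and `metadata` stay in cleartext.

```python
import re
from typing import Any, Dict, List, Tuple

# SOPS replaces each leaf *value* with a marker of this shape and adds a top-level
# "sops" section holding key material and a MAC; the keys stay in cleartext.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")

# Constructed sample: the ConfigMap from the thread as it looks after `sops -e`.
# The embedded secret.yaml is ONE string value, so SOPS encrypts it as a whole;
# you cannot selectively encrypt keys inside that string.
ENCRYPTED_CONFIGMAP: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "secret-configmap"},
    "data": {"secret.yaml": "ENC[AES256_GCM,data:c2VjcmV0OiB2YWx1ZQo=,iv:AAAA,tag:BBBB,type:str]"},
    "sops": {"mac": "ENC[AES256_GCM,data:CCCC,iv:DDDD,tag:EEEE,type:str]"},
}

# Constructed sample: the same file after someone hand-added a value post-encryption.
LEAKY_CONFIGMAP: Dict[str, Any] = dict(
    ENCRYPTED_CONFIGMAP, data={**ENCRYPTED_CONFIGMAP["data"], "db-password": "hunter2"})

def leaves(node: Any, path: str = "") -> List[Tuple[str, Any]]:
    """Flatten a parsed YAML document into (dotted.path, value) pairs."""
    if isinstance(node, dict):
        return [p for k, v in node.items()
                for p in leaves(v, f"{path}.{k}" if path else str(k))]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in leaves(v, f"{path}[{i}]")]
    return [(path, node)]

def ksops_ready(doc: Dict[str, Any]) -> List[str]:
    """Return the problems that would stop KSOPS from decrypting this document
    cleanly; an empty list means it is a valid, fully encrypted K8s resource."""
    problems: List[str] = []
    for field in ("apiVersion", "kind"):       # must exist and be cleartext
        value = doc.get(field)
        if not isinstance(value, str) or ENC_RE.match(value):
            problems.append(f"missing or encrypted top-level field: {field}")
    meta = doc.get("metadata")
    name = meta.get("name") if isinstance(meta, dict) else None
    if not isinstance(name, str) or ENC_RE.match(name):
        problems.append("missing or encrypted metadata.name")
    if "sops" not in doc:
        problems.append("no 'sops' section: the file was never encrypted")
    for section in ("data", "stringData"):     # every leaf here must be ENC[...]
        for path, value in leaves(doc.get(section, {}), section):
            if not (isinstance(value, str) and ENC_RE.match(value)):
                problems.append(f"plaintext value at {path}")
    return problems
```

Running `ksops_ready` over every `*.enc.yaml` before commit catches a plaintext value slipped in next to encrypted ones, which `sops -d` alone would not flag.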

HumairAK commented 4 years ago

In my example "value" above would need to be encrypted and not the entire value for the data field.

Though, I think your last point asks a very relevant question. Conceptually a configmap shouldn't have secret values, those should be stored as k8s secrets. I will probably re-adjust. Thanks for the quick responses @devstein !