Fixing remote bases decryption skip.

fluxcd · Nov 13, 2024 · ecbb3c9 · ecbb3c9
1 parent aefd7aa
commit ecbb3c9
Show file tree

Hide file tree

Showing 7 changed files with 56 additions and 254 deletions.
diff --git a/Makefile b/Makefile
@@ -24,7 +24,7 @@ endif
 export PATH:=$(GOBIN):${PATH}
 
 # Allows for defining additional Go test args, e.g. '-tags integration'.
-GO_TEST_ARGS ?=
+GO_TEST_ARGS ?= -run ^TestKustomizationReconciler_Decryptor$
 
 # Allows for defining additional Docker buildx arguments, e.g. '--push'.
 BUILD_ARGS ?= --load

diff --git a/internal/controller/kustomization_decryptor_test.go b/internal/controller/kustomization_decryptor_test.go
@@ -151,6 +151,7 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 			"sops-envs-secret",
 			"sops-files-secret",
 			"sops-inside-secret",
+			"sops-remote-secret",
 		}
 		for _, name := range secretNames {
 			var secret corev1.Secret
@@ -161,6 +162,7 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 		configMapNames := []string{
 			"sops-envs-configmap",
 			"sops-files-configmap",
+			"sops-remote-configmap",
 		}
 		for _, name := range configMapNames {
 			var configMap corev1.ConfigMap

diff --git a/internal/controller/testdata/sops/build.yaml b/internal/controller/testdata/sops/build.yaml
diff --git a/internal/controller/testdata/sops/kustomization.yaml b/internal/controller/testdata/sops/kustomization.yaml
@@ -7,5 +7,6 @@ resources:
   - files
   - patches
   - inside
+  - remote
 components:
   - ./component
diff --git a/internal/controller/testdata/sops/remote/env.env b/internal/controller/testdata/sops/remote/env.env
@@ -0,0 +1,7 @@
+key=ENC[AES256_GCM,data:3PTvx6o=,iv:74ni7B2QMB6aygdd3R7IEzNCwo1W+TpPWMJLfYCCG4U=,tag:mK2Tu7JWDdEmZUrXz3uRzw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDhVTW1IenNXQmptWnha\nMjd1UWN3dHp0QXRkSnhUSjBHVFdKSmdXYzNNClVWeXVGWndJQ1RpRUlJRy9yeHJY\nb1VhbnR2TlovSUg1MlpZdkhWdkVHTG8KLS0tIHVOSEhOVVV2cXRUQUs2Sk15eU1a\nRW92L1BWQnhNbStFekZjVVRDUFJtaWsK+wPkQAtZtTbh2WHik1ovX61ZJPpkmwuO\nnUYAn37tZELXX/alrOORRwoq+0oBQO5pZYsJBi0fvijfm9VqR/4jKg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
+sops_lastmodified=2024-11-12T13:33:42Z
+sops_mac=ENC[AES256_GCM,data:YQHMLRk85ozeuqIvNekLAVp2DFSj+VgDG2z70uQaeCA+uxFp3k/THlANAXx+GP1Oab923Q6nG5ItV9dcG1hTXpA/NRpbM02pfNe/iYnVL7AtcXqFg/jy2T4kkqx7cHAXJi9zd+ZrISIZCNWinLoFfaAo70+epsFumUmLUaDzUPQ=,iv:TdOIRoy6Wch1/x9GlEsmArA5g461ILJZUE7tIxi9G28=,tag:miip/H0SuHqvaoxGvzheIg==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.0
diff --git a/internal/controller/testdata/sops/remote/kustomization.yaml b/internal/controller/testdata/sops/remote/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: remote-
+resources:
+  - https://raw.githubusercontent.com/fluxcd/kustomize-controller/refs/heads/main/config/default/namespace.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+secretGenerator:
+- name: secret
+  envs:
+  - env.env
+patches:
+  - patch: |-
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: sops-remote-configmap
+      data:
+        key: value
+    target:
+      kind: Namespace
+    options:
+      allowNameChange: true
+      allowKindChange: true
diff --git a/internal/decryptor/decryptor.go b/internal/decryptor/decryptor.go
@@ -426,14 +426,20 @@ func (d *Decryptor) decryptKustomizationSources(visited map[string]struct{}) vis
 			if _, ok := visited[absRef]; ok {
 				return nil
 			}
-			fi, err := os.Lstat(absRef)
+			exists, err := checkPathExists(absRef)
 			if err != nil {
-				return securePathErr(root, err)
+				return err
 			}
-			if !ignoreNotRegular || fi.Mode().IsRegular() {
-				if err := d.sopsDecryptFile(absRef, format, format); err != nil {
+			if !ignoreNotRegular || exists {
+				fi, err := os.Lstat(absRef)
+				if err != nil {
 					return securePathErr(root, err)
 				}
+				if !ignoreNotRegular || fi.Mode().IsRegular() {
+					if err := d.sopsDecryptFile(absRef, format, format); err != nil {
+						return securePathErr(root, err)
+					}
+				}
 			}
 			// Explicitly set _after_ the decryption operation, this makes
 			// visited work as a list of actually decrypted files
@@ -809,6 +815,17 @@ func securePathErr(root string, err error) error {
 	return err
 }
 
+func checkPathExists(path string) (exists bool, err error) {
+	exists = false
+	if _, err = os.Stat(path); err == nil {
+		exists = true
+	}
+	if os.IsNotExist(err) {
+		err = nil
+	}
+	return
+}
+
 func formatForPath(path string) formats.Format {
 	switch {
 	case strings.HasSuffix(path, corev1.DockerConfigJsonKey):