SOPS: Decryption does not work for envs in secretGenerator #1271

Closed
Do-min-ik opened this issue Oct 17, 2024 · 9 comments

Comments

@Do-min-ik

Description

I'm trying to use SOPS to replace plaintext secrets in my .env files with encrypted ones. However, I can't get fluxcd to actually decrypt Secrets generated by secretGenerator and envs.

Example

I'm using the example from #463:

Create an env file:

ROUTER_PASSWORD=admin
DB_PASSWORD=admin

Encrypt it with SOPS:

sops --encrypt --in-place podinfo.env

Create a kustomization.yaml that generates an env secret:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
secretGenerator:
  - name: env-secret
    envs:
      - podinfo.env

Configure Flux to decrypt the secret before apply:

apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: secrets
  namespace: flux-system
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  interval: 1m0s
  path: ./secrets
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

Expected behavior: secrets contains the unencrypted values of ROUTER_PASSWORD and DB_PASSWORD
Actual behavior: secrets is actually still encrypted and contains SOPS info

Version

I first encountered this behavior in version 2.3.0 but have since upgraded to version 2.4.0.

@vlasov-y
Contributor

Do you have .sops.yaml in the root of the repo?

creation_rules:
  - path_regex: podinfo.env
    key_groups:
      - age:
          - age1qwer1234 # Your key goes here

@Do-min-ik
Author

Yes, and the encrypted podinfo.env file looks good to me.

When I replace envs with files it works.

@stefanprodan
Member

We do look for the envs files here:

    for _, envFile := range gen.EnvSources {

Maybe the issue is with the format; can you try adding --input-type=env to the sops encrypt command?

@Do-min-ik
Author

I actually already tried both --input-type=env and --output-type=env.

Here's what my file looks like:

ROUTER_PASSWORD=ENC[AES256_GCM,data:D1cQnLk=,iv:b/lWUjH5vOHfVbbY75psMshc+IU+PaMaEiTgNdYWDhE=,tag:dDHQDPxaRhUD+utEe2GstQ==,type:str]
DB_PASSWORD=ENC[AES256_GCM,data:GaS8mW0=,iv:VhjrNitVUewvDhfW4Q355Ro+//0HBSq6PHne8rC1wWQ=,tag:oTfpBgfOwpIw0aI8D9h5vg==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZitHc3RpTnNNcmF6Q3Fu\nUDNSVXVvbEJvZmM3dEtqV08yK1BrRmZ5QWxjCjVuU3IxaStoR2ZrUnBIbnNhVlNI\nWlkyL1NrSzBZTHcwdDJqbW1IVzFFeUUKLS0tIGVrbGtHeWxab0pNK0MzSlB5Zmc3\nVzREa3NxUm9aTzJYK1ZQcnVjYUdGSGsK8fX3JapwaNJdAT5bZbAI2/egIHKM1lpC\nl5vAuw5857NZjrzEe8FatkvuzX7YHjXMqnbgl+y1hUKmONHSB8mstg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age120ql8fth37c5a76xzlmpurswwxps5h5wc0t6x366k3llp9q06f6sr3p5fp
sops_lastmodified=2024-10-18T13:03:05Z
sops_mac=ENC[AES256_GCM,data:+wxaJG0IYrgalVvvxdz3ZhPzSO060XMmQHa8dfvcS/mCzODELmk7FnTM60krtuFu/6LEEp8vwPUA+xXgpiChj+9nRLSkopC2ORvP9B0jupxvPBUENQkR81khnW0oAHC/TZWbqo8nVXcP2WlA/YWZSYLFtx4Iia9onApyh2Mc1XY=,iv:Hhls8NM0rZgqll4WnD0zudPIYrfxm3MjqP9LrnooWsc=,tag:JQl5LJ7O77YJXRiwGqvrjw==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1

@vlasov-y
Contributor

@Do-min-ik your code works fine for me, I do not have any issues with encrypted secret data.

@Do-min-ik
Author

Do-min-ik commented Oct 23, 2024

Yup, the example provided does indeed work. The culprit is actually my "pre-processing". Instead of the actual files I'm calling kubectl kustomize . and using the resulting output without creating any kustomization.yaml whatsoever. Apparently, the controller can't handle that.

@Do-min-ik
Author

There used to be the following comment in kustomization_controller.go: // decrypt .env files before building kustomization

I'm pretty new to Go but I guess this is the reason why my "pre-processed" output doesn't work. At this point my .env file is already a Secret, but all the sops fields are in the wrong location (data instead of sops).

@stefanprodan
Member

This cannot work since the SOPS metadata is not present in the final secret for env files. You either let Flux build the secrets or you encrypt the Kubernetes secret yaml after you build it with kustomize.
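As an added illustration of the failure mode described in this thread (this is example code, not code from Flux, SOPS or any participant): a small Python checker that parses a SOPS-encrypted .env file, models what a secretGenerator with `envs:` does with it when nothing decrypts the file first, and reports whether the rendered Secret still carries its SOPS metadata in a place a decryptor can find it. The .env content is a constructed sample modelled on the encrypted podinfo.env shown above; the key names, ciphertext values and age recipient are placeholders, and the generator model skips the name-hash suffix kustomize normally appends.

```python
"""Added example, not code from Flux, SOPS or this thread's participants.

Models what happens when a SOPS-encrypted .env file is fed straight into a
secretGenerator (kubectl kustomize) without being decrypted first: the
sops_* metadata lines are flattened into Secret.data alongside the
ENC[...] values, so no downstream decryptor can find the metadata it needs.
The sample .env below is constructed; values are placeholders.
"""
import base64
import re

# SOPS writes every encrypted value as an ENC[...] envelope.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")

# Constructed sample modelled on the encrypted podinfo.env shown in the issue.
SAMPLE_ENV = r"""
ROUTER_PASSWORD=ENC[AES256_GCM,data:AAAAAAA=,iv:BBBB,tag:CCCC,type:str]
DB_PASSWORD=ENC[AES256_GCM,data:DDDDDDD=,iv:EEEE,tag:FFFF,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nPLACEHOLDER\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1placeholderrecipient
sops_lastmodified=2024-10-18T13:03:05Z
sops_mac=ENC[AES256_GCM,data:GGGG,iv:HHHH,tag:IIII,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key] = value
    return pairs


def classify_env(pairs: dict) -> dict:
    """Split a SOPS .env into encrypted data, plaintext data and sops_* metadata."""
    out = {"encrypted": {}, "plaintext": {}, "metadata": {}}
    for key, value in pairs.items():
        if key.startswith("sops_"):
            out["metadata"][key] = value
        elif ENC_RE.match(value):
            out["encrypted"][key] = value
        else:
            out["plaintext"][key] = value
    return out


def env_to_secret(name: str, pairs: dict, namespace: str = "default") -> dict:
    """Simplified model of secretGenerator `envs:`: every line becomes a
    base64 data entry. The real generator also appends a content hash to the
    Secret name; that is omitted here because it does not affect the check."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in pairs.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


def sops_check(secret: dict) -> dict:
    """Report how a rendered Secret stands with respect to SOPS.

    verdict values:
      sops-document            top-level `sops` block present (decryptable document)
      flattened-sops-metadata  sops_* keys or ENC[...] values ended up inside data
      plaintext                no SOPS traces at all
    """
    data = secret.get("data", {})
    misplaced = sorted(k for k in data if k.startswith("sops_"))
    still_enc = sorted(
        k for k, v in data.items()
        if not k.startswith("sops_")
        and ENC_RE.match(base64.b64decode(v).decode("utf-8", "replace"))
    )
    if "sops" in secret:
        verdict = "sops-document"
    elif misplaced or still_enc:
        verdict = "flattened-sops-metadata"
    else:
        verdict = "plaintext"
    return {"verdict": verdict, "misplaced_metadata": misplaced,
            "still_encrypted_keys": still_enc}


if __name__ == "__main__":
    rendered = env_to_secret("env-secret", parse_env(SAMPLE_ENV))
    print(sops_check(rendered))
```

Run against the sample, the verdict is `flattened-sops-metadata`: the two application keys are still ENC[...] blobs and the six `sops_*` lines sit under `data` rather than in a top-level `sops` block, which is exactly the state the controller cannot decrypt. A file that was decrypted before generation yields `plaintext`, and a Secret manifest encrypted after `kubectl kustomize` yields `sops-document`; those are the two supported paths named in the comment above.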

@Do-min-ik
Author

Yes, that's what I meant.

Closing this now because it's not a problem with Fluxcd but rather wrong usage.

Do-min-ik closed this as not planned Oct 24, 2024