Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

decryptor: improve detection of in and out formats for Secret data fields #644

Merged
merged 2 commits into from
Apr 29, 2022
Merged

decryptor: improve detection of in and out formats for Secret data fields #644

merged 2 commits into from
Apr 29, 2022

Conversation

hiddeco
Copy link
Member

@hiddeco hiddeco commented Apr 29, 2022
edited
Loading

This PR improves two things:

  1. It ensures a Secret .dockerconfigjson field gets formatted back into JSON, instead of it being detected as binary output.
  2. It checks the base64 decoded bytes from a Secret field for any of the known marker bytes, thereby allowing data to be encrypted into any format.

Test image (multi-arch): docker.io/hiddeco/kustomize-controller:decryptor-detect-dockercfg-83e3e33@sha256:08016777ad75813681a3

@hiddeco hiddeco added bug Something isn't working area/sops SOPS related issues and pull requests labels Apr 29, 2022
@hiddeco
decryptor: detect DockerConfigJsonKey as JSON out
a7639c6 
This ensures the Secret field gets formatted back into JSON, instead of
it being detected as binary output.

Signed-off-by: Hidde Beydals <hello@hidde.co>
@hiddeco hiddeco force-pushed the decryptor-detect-dockercfg branch from 551c831 to a7639c6 Compare April 29, 2022 09:00
@hiddeco hiddeco changed the title decryptor: detect DockerConfigJsonKey as JSON out decryptor: improve detection of in and out formats for Secret data fields Apr 29, 2022
@hiddeco hiddeco force-pushed the decryptor-detect-dockercfg branch from ca69fb6 to 83e3e33 Compare April 29, 2022 09:57
@hiddeco hiddeco added the enhancement New feature or request label Apr 29, 2022
@hiddeco hiddeco added this to the GA milestone Apr 29, 2022
seh
seh reviewed Apr 29, 2022
View reviewed changes
controllers/kustomization_decryptor.go
Comment on lines +740 to +742
case strings.HasSuffix(path, corev1.DockerConfigJsonKey):
return formats.Json
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should only look for this key when the Secret's "type" field is "kubernetes.io/dockerconfigjson."

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think that with the current approach, it gives people some flexibility to e.g. have opaque Secrets with multiple .dockerconfigjson files, for whatever reason that may be required. In addition to simplifying the code :-).

@hiddeco hiddeco force-pushed the decryptor-detect-dockercfg branch from 83e3e33 to ddb277d Compare April 29, 2022 12:35
@hiddeco hiddeco requested a review from stefanprodan April 29, 2022 12:50
seh
seh approved these changes Apr 29, 2022
View reviewed changes
Copy link
Contributor

@seh seh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modulo the switch from var to const, this would have helped me when encrypting my Docker credentials. I used sops --encrypt --input-type=json first, but found that Flux couldn't interpret the decrypted content correctly. With this patch, it looks like that would have worked as expected.

controllers/kustomization_decryptor.go Outdated Show resolved Hide resolved
@hiddeco hiddeco force-pushed the decryptor-detect-dockercfg branch from ddb277d to 3516d3f Compare April 29, 2022 12:53
@hiddeco
decryptor: detect format of Secret data field
36df540 
This checks the base64 decoded bytes from a Secret field for any of the
marker bytes, thereby allowing data to be encrypted into any format.
Instead of the previous behavior which assumed it to either be YAML or
JSON.

Signed-off-by: Hidde Beydals <hello@hidde.co>
@hiddeco hiddeco force-pushed the decryptor-detect-dockercfg branch from 3516d3f to 36df540 Compare April 29, 2022 13:27
stefanprodan
stefanprodan approved these changes Apr 29, 2022
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @hiddeco 🥇

@hiddeco hiddeco merged commit a139a02 into main Apr 29, 2022
@hiddeco hiddeco deleted the decryptor-detect-dockercfg branch April 29, 2022 13:41
@hiddeco hiddeco mentioned this pull request May 20, 2022
Closed
@stefanprodan stefanprodan modified the milestones: GA, Bootstrap GA Jul 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

@seh seh seh approved these changes

Assignees
No one assigned
Labels
area/sops SOPS related issues and pull requests bug Something isn't working enhancement New feature or request
Projects
Maintainers' Focus
Archived in project
Milestone
Bootstrap GA
Development

Successfully merging this pull request may close these issues.
3 participants
@hiddeco @seh @stefanprodan