Decrypt SopsSecret objects only in specific namespace #176
Comments
@rjeczkow thanks for reporting, I added a section in the README, please let me know if this method works for you.
Thank you very much for the quick response! I see one problem:
The idea (at least for Bitnami Sealed Secrets) is that the namespace name is added to the encryption/decryption key.
I missed it yesterday, tested now - I'm afraid it is not possible to implement this feature, because by design I avoid wrapping the encrypted object in a `spec` field. From day one, I decided, for simplicity of operation, to encrypt the whole SopsSecret resource using the sops CLI tool. For a tool which could potentially work the desired way, please see here: https://github.com/craftypath/sops-operator . Also see https://github.com/isindir/sops-secrets-operator?tab=readme-ov-file#known-issues, the second point there. If that is a security concern for your use case, I'd highly recommend not using this operator.
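To make the difference between the two designs discussed above concrete, here is an added example (it is not code from sops-secrets-operator, sops, or Sealed Secrets). It models the reporter's description of a "strict" scope, where the target namespace and name are mixed into the key material, against a cluster-wide key that decrypts the same blob wherever the object is applied. The cipher is a deliberately simple stdlib-only construction (HMAC-SHA256 in counter mode with an HMAC tag), standing in for the real RSA-OAEP/AES-GCM scheme; the master key, namespaces and secret value are constructed for the example.

```python
"""Namespace-scoped sealing, illustrated (added example, not project code).

Two modes are shown:
  * strict:       scope label "namespace/name" is part of the derived key,
                  so a blob copied into another namespace fails to unseal.
  * cluster-wide: empty label, so one key opens the blob in any namespace;
                  this is the property the reporter wants to avoid.
The cipher here is a toy: HMAC-SHA256 as a counter-mode PRF plus an HMAC tag.
It is only meant to show where the scope binding has to happen.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def scope_label(namespace=None, name=None):
    """Label mixed into the key; None means cluster-wide (no binding)."""
    if namespace is None:
        return b""
    return f"{namespace}/{name or ''}".encode()


def derive_key(master_key, label, purpose):
    """HMAC-based derivation: master key + scope label + purpose tag."""
    return hmac.new(master_key, b"scope:" + label + b"|" + purpose, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy PRF, stdlib only)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(master_key, plaintext, namespace=None, name=None, nonce=None):
    """Encrypt-then-MAC; the scope label is bound via both derived keys."""
    label = scope_label(namespace, name)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_key = derive_key(master_key, label, b"enc")
    mac_key = derive_key(master_key, label, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key, sealed, namespace=None, name=None):
    """Reject the blob unless the caller's scope matches the one it was sealed for."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed blob too short")
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    label = scope_label(namespace, name)
    mac_key = derive_key(master_key, label, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"decryption refused: blob is not sealed for scope {label!r}")
    enc_key = derive_key(master_key, label, b"enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo():
    """Constructed scenario: a blob sealed for team-a copied into team-b."""
    master = hashlib.sha256(b"constructed master key for the example").digest()
    secret = b"password=hunter2"

    strict = seal(master, secret, namespace="team-a", name="db-creds")
    in_place = unseal(master, strict, namespace="team-a", name="db-creds") == secret
    try:
        unseal(master, strict, namespace="team-b", name="db-creds")
        moved_decrypts = True
    except ValueError:
        moved_decrypts = False

    # Cluster-wide: nothing in the key says where the object belongs.
    wide = seal(master, secret)
    wide_decrypts_elsewhere = unseal(master, wide) == secret

    return {
        "strict_in_place": in_place,
        "strict_moved": moved_decrypts,
        "cluster_wide_moved": wide_decrypts_elsewhere,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is where the binding lives: in the strict case the operator-side key is never enough on its own, because the namespace the object is applied in must also agree with the label the sealer used. Encrypting a whole SopsSecret file with a key that carries no such label leaves nothing for the decrypting side to check, which is why copying the object into another namespace still yields the plaintext.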
I have reverted the change and removed the release.
Updated the known issues section with a better explanation.
Thank you for your time and effort. |
@rjeczkow: it may be possible to restrict which namespace a copy of the operator can run on, either:
Would you be interested in one of these options? And which one would be more interesting?
I know I am not the reporter of the issue, but reading the issue, I got interested in the options.
Thank you!
Hi
Is there a possibility to create a SopsSecret object that could be decrypted into a Secret object only in a specific namespace? Similar to the 'strict' scope in Bitnami Sealed Secrets.
I'd like to avoid having cluster-wide secrets, so that not everyone who has access to the SopsSecret object (in a git repo) is able to decrypt it in his own namespace.