Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SOPS: Decrypt Kubernetes secrets generated by kustomize #329

Merged
merged 1 commit into from
Apr 29, 2021
Merged

SOPS: Decrypt Kubernetes secrets generated by kustomize #329

merged 1 commit into from
Apr 29, 2021

Conversation

bob-rohan
Copy link
Contributor

@bob-rohan bob-rohan commented Apr 21, 2021
edited by stefanprodan
Loading

Kustomize-controller can currently decrypt SOPS encrypted files - but
whole files only.

Kubernetes Secrets are base64 encoded, therefore when a SOPS encrypted
file, is added as base64 encoded data to a Kubernetes Secret, it is not
decrypted.

Fix: #328

@bob-rohan bob-rohan force-pushed the 328_base64_encoded_sops_encrypted_secrets branch from e9b5e08 to 8127709 Compare April 21, 2021 14:25
@bob-rohan bob-rohan mentioned this pull request Apr 21, 2021
Closed
@bob-rohan bob-rohan force-pushed the 328_base64_encoded_sops_encrypted_secrets branch 2 times, most recently from 1706144 to a7e7613 Compare April 27, 2021 20:32
@stefanprodan stefanprodan changed the title #328 Decrypt base64 encoded SOPS encrypted secrets #328 Decrypt base64 encoded SOPS encrypted secrets Apr 28, 2021
stefanprodan
stefanprodan reviewed Apr 28, 2021
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bob-rohan can you please add a sub-section here https://github.com/fluxcd/kustomize-controller/blob/main/docs/spec/v1beta1/kustomization.md#secrets-decryption and document the new decryption option. Please mention kustomize secret generator and how to use it.

@bob-rohan bob-rohan force-pushed the 328_base64_encoded_sops_encrypted_secrets branch from 193e063 to adb196d Compare April 28, 2021 10:45
@stefanprodan
Copy link
Member

@bob-rohan can you please squash all commits into a single one and rename it to "Decrypt base64 encoded SOPS encrypted secrets". Thanks!

@bob-rohan bob-rohan force-pushed the 328_base64_encoded_sops_encrypted_secrets branch from adb196d to 9ffafd6 Compare April 28, 2021 10:53
Decrypt base64 encoded SOPS encrypted secrets
a77ea03 
Signed-off-by: Bob Rohan <bob.rohan@hodge.co.uk>
@bob-rohan bob-rohan force-pushed the 328_base64_encoded_sops_encrypted_secrets branch from 9ffafd6 to a77ea03 Compare April 28, 2021 10:54
@stefanprodan stefanprodan changed the title Decrypt base64 encoded SOPS encrypted secrets SOPS: Decrypt Kubernetes secrets generated by kustomize Apr 29, 2021
stefanprodan
stefanprodan approved these changes Apr 29, 2021
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @bob-rohan 🏅

@stefanprodan stefanprodan merged commit 2a03b6e into fluxcd:main Apr 29, 2021
@bob-rohan bob-rohan deleted the 328_base64_encoded_sops_encrypted_secrets branch April 29, 2021 10:03
@apeschel
Copy link
Contributor

apeschel commented May 3, 2021

Thank you @bob-rohan, this is fantastic work!

@gmaiztegi gmaiztegi mentioned this pull request May 31, 2021
Merged
@stefanprodan stefanprodan added the area/sops SOPS related issues and pull requests label Jun 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

Assignees
No one assigned
Labels
area/sops SOPS related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Decrypt base64 encoded SOPS encrypted secrets
3 participants
@bob-rohan @stefanprodan @apeschel