SOPS: Fix dotenv decryption error reporting

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan 2021-10-19 10:48:16 +03:00
parent 95dca0feb6
commit c610944139
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF
2 changed files with 14 additions and 7 deletions


@ -25,6 +25,7 @@ import (
"os"
"os/exec"
"path/filepath"
"strings"
securejoin "github.com/cyphar/filepath-securejoin"
"go.mozilla.org/sops/v3"
@ -216,8 +217,14 @@ func (kd *KustomizeDecryptor) decryptDotEnvFiles(dirpath string) error {
secretGens := kus.SecretGenerator
for _, gen := range secretGens {
for _, envFile := range gen.EnvSources {
filepath := filepath.Join(dirpath, envFile)
data, err := ioutil.ReadFile(filepath)
envFileParts := strings.Split(envFile, "=")
if len(envFileParts) > 1 {
envFile = envFileParts[1]
}
envPath := filepath.Join(dirpath, envFile)
data, err := ioutil.ReadFile(envPath)
if err != nil {
return err
}
@ -225,10 +232,10 @@ func (kd *KustomizeDecryptor) decryptDotEnvFiles(dirpath string) error {
if bytes.Contains(data, []byte("sops_mac=ENC[")) {
out, err := kd.DataWithFormat(data, formats.Dotenv, formats.Dotenv)
if err != nil {
return nil
return err
}
err = ioutil.WriteFile(filepath, out, 0644)
err = ioutil.WriteFile(envPath, out, 0644)
if err != nil {
return fmt.Errorf("error writing to file: %w", err)
}
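Review bot: The new `envPath := filepath.Join(dirpath, envFile)` still lets an `envs` entry containing `..` resolve outside `dirpath`, even though the file already imports `securejoin`, and `envFile` comes straight from the kustomization's secretGenerator rather than from the controller itself. Joining with `envPath, err := securejoin.SecureJoin(dirpath, envFile)` and returning the error keeps the read and the later `ioutil.WriteFile(envPath, out, 0644)` confined to the kustomization directory. The `strings.Split(envFile, "=")` handling also drops everything after a second `=` in a path; `strings.SplitN(envFile, "=", 2)` keeps the remainder intact. decryptDotEnvFiles starts and ends outside the hunks shown, so the remainder of the loop body was not reviewed.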


@ -994,7 +994,7 @@ The kustomize-controller scans the values of Kubernetes Secrets, and when it
detects that the values are SOPS encrypted, it decrypts them before applying
them on the cluster.
For secrets in `.json`, `.yaml` and `.env` format, make sure you specify the input type when encrypting them with sops:
For secrets in `.json`, `.yaml` and `.env` format, make sure you specify the input type when encrypting them with SOPS:
```sh
cat config.json | sops -e --input-type=json > config.json.encrypted
@ -1012,7 +1012,7 @@ secretGenerator:
- config.json=config.json.encrypted
```
For dotenv files, use the `envs` directive and set the file extension to `.env`:
For dotenv files, use the `envs` directive:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
@ -1020,7 +1020,7 @@ kind: Kustomization
secretGenerator:
- name: config
envs:
- config.env=config.env.encrypted
- config.env.encrypted
```
## Status