SOPS: Fix dotenv decryption error reporting

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan 2021-10-19 10:48:16 +03:00
parent 95dca0feb6
commit c610944139
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF
2 changed files with 14 additions and 7 deletions


@ -25,6 +25,7 @@ import (
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"strings"
securejoin "github.com/cyphar/filepath-securejoin" securejoin "github.com/cyphar/filepath-securejoin"
"go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3"
@ -216,8 +217,14 @@ func (kd *KustomizeDecryptor) decryptDotEnvFiles(dirpath string) error {
secretGens := kus.SecretGenerator secretGens := kus.SecretGenerator
for _, gen := range secretGens { for _, gen := range secretGens {
for _, envFile := range gen.EnvSources { for _, envFile := range gen.EnvSources {
filepath := filepath.Join(dirpath, envFile)
data, err := ioutil.ReadFile(filepath) envFileParts := strings.Split(envFile, "=")
if len(envFileParts) > 1 {
envFile = envFileParts[1]
}
envPath := filepath.Join(dirpath, envFile)
data, err := ioutil.ReadFile(envPath)
if err != nil { if err != nil {
return err return err
} }
@ -225,10 +232,10 @@ func (kd *KustomizeDecryptor) decryptDotEnvFiles(dirpath string) error {
if bytes.Contains(data, []byte("sops_mac=ENC[")) { if bytes.Contains(data, []byte("sops_mac=ENC[")) {
out, err := kd.DataWithFormat(data, formats.Dotenv, formats.Dotenv) out, err := kd.DataWithFormat(data, formats.Dotenv, formats.Dotenv)
if err != nil { if err != nil {
return nil return err
} }
err = ioutil.WriteFile(filepath, out, 0644) err = ioutil.WriteFile(envPath, out, 0644)
if err != nil { if err != nil {
return fmt.Errorf("error writing to file: %w", err) return fmt.Errorf("error writing to file: %w", err)
} }
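Review bot: In the second hunk, `strings.Split(envFile, "=")` followed by `envFile = envFileParts[1]` keeps only the segment between the first and second `=`, so an `envs` entry whose file name itself contains `=` is truncated to a path that does not exist and the read fails with a misleading error; `envFileParts := strings.SplitN(envFile, "=", 2)` keeps everything after the first separator. The new `envPath := filepath.Join(dirpath, envFile)` joins a kustomization-supplied name with plain `filepath.Join` even though the file already imports securejoin, so it is worth confirming that a `..` segment in `envFile` cannot resolve outside `dirpath` (presumably the rest of the file uses `securejoin.SecureJoin` for that). The decrypted output is still written back with mode 0644 in the last hunk, which is only a variable rename here but leaves plaintext secrets world-readable on the working tree. decryptDotEnvFiles starts before the hunk and continues past the end of the section.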


@ -994,7 +994,7 @@ The kustomize-controller scans the values of Kubernetes Secrets, and when it
detects that the values are SOPS encrypted, it decrypts them before applying detects that the values are SOPS encrypted, it decrypts them before applying
them on the cluster. them on the cluster.
For secrets in `.json`, `.yaml` and `.env` format, make sure you specify the input type when encrypting them with sops: For secrets in `.json`, `.yaml` and `.env` format, make sure you specify the input type when encrypting them with SOPS:
```sh ```sh
cat config.json | sops -e --input-type=json > config.json.encrypted cat config.json | sops -e --input-type=json > config.json.encrypted
@ -1012,7 +1012,7 @@ secretGenerator:
- config.json=config.json.encrypted - config.json=config.json.encrypted
``` ```
For dotenv files, use the `envs` directive and set the file extension to `.env`: For dotenv files, use the `envs` directive:
```yaml ```yaml
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
@ -1020,7 +1020,7 @@ kind: Kustomization
secretGenerator: secretGenerator:
- name: config - name: config
envs: envs:
- config.env=config.env.encrypted - config.env.encrypted
``` ```
## Status ## Status