-
Notifications
You must be signed in to change notification settings - Fork 182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Correct documentation about SOPS for different file types than YAML #654
Comments
I didn't test the pre-upgrade behavior out yet, but I can confirm the generated secret comes out like this:
The content of the json file is encapsulated in a I did not notice this at first (we were discussing this in Slack, trying to resolve it there), but in the docs, it is mentioned that you should mark up your sops encrypting with an It didn't seem to fix anything at first, but on a second glance it looks like adding the https://fluxcd.io/docs/components/kustomize/kustomization/#kustomize-secretgenerator With the input-type=json, I get this result (it looks normal):
and without it, I get the json encapsulated in a "data" field as shown above. I do not know what would have changed between 0.28 and 0.29 to cause this, I've been through the changelogs in Kustomize controller and I see there were some SOPS changes that most certainly are relevant in the 0.24.0 release of Kustomize Controller which landed in Flux 0.29.0: https:/fluxcd/kustomize-controller/blob/v0.24.0/CHANGELOG.md#0240 I wouldn't rule out that this could be a regression, as I don't see it mentioned as a breaking change at the top level, it only gets this mention, not listed in the section marked for breaking changes:
I suspect this PR was the one that had the impact: |
At a guess the old behavior was selecting the JSON format (based on the filename?), and the new behavior selects the binary format instead by default: (which would explain why JSON format data is being stored in a "data" element rather than regurgitated as plain JSON.) |
Dropping by to note that I'm observing the same behavior.
Writing that to disk and processing the output:
So the "new" behavior is happening when the sops encrypted material is being extracted from the contents (rather than an issue on the way "into" the flux repo) in this particular case. (I can provide more details about my case if it's helpful, certainly.) |
What version of the controller are you on? I have a feeling this was indeed a regression, but solved by #644 which is available in |
Attempted from scratch just now. Unfortunately no change, and it did report 0.25 for kustomize controller.
|
@bigfleet did you pass |
@stefanprodan I was in position to alter the handling of the encrypted data to provide the input type hint, and it did resolve the issue. So, for this participant, there is a "workaround" by being more explicit with SOPS regarding the input you're encrypting. I will leave to others whether there's something to be done here or not. Behavior has changed for default params-- is it ever a breaking change if there was no behavior committed to? Not for me to say. |
Maybe this can be closed? The behavior should be documented, although it is already documented how to use this, I'm not sure what changed was inside Flux. It sounds like you tested and found the behavior has changed in Flux, based on a SOPS upgrade from https:/fluxcd/kustomize-controller/blob/v0.24.0/CHANGELOG.md#0240 it might have changed. If the issue can be solved by being a bit more explicit in the pipeline, can we commit to the current behavior now, or are we at the mercy of SOPS upstream if it changes again? I don't know but I think this can be closed. |
I would be in favor of closing in preference of a ticket that updates the docs to provide a commented example of how to get the desired results. (This will be a common use case, enabling flux to leverage pull secrets.) I don't think any current docs include the input-type option to sops, or explain the importance of their correct usage. I can help write them if this approach sounds correct. |
I agree that the whole way that SOPS accepts input and output types is confusing. You can get away with just telling it that everything is "binary," and if you control both the encryption and decryption sides, it all works fine. The trouble comes when Flux has to apply heuristics to guess what the input type had been and to choose an output type. Hidde's #644 addressed a complaint of mine: When I encrypted a JSON-formatted Docker credential and I told SOPS that the input type was JSON, Flux didn't believe me because the Secret data key is ".dockerconfigjson"—as mandated by the Kubernetes API— which does not end in the ".json" sentinel suffix. (Note the missing period.) If I "lied" to SOPS and told it that my input data was "binary" instead of JSON, then when Flux got it wrong and decrypted this Secret field as "binary," I got back out what I had put in originally. However, I then had to know that I had to "lie" to SOPS, which seemed unfair. Hidde corrected Flux's heuristic in this case, so that it would guess correctly that the input type had most likely been JSON. As Jim suggested in #654 (comment), I think the current behavior is optimal, but that we'd all benefit from clarifying documentation that tells users exactly how to prepare a JSON-formatted Docker credential for distribution via Flux. |
I went back and tested against the docs here: https://fluxcd.io/docs/components/kustomize/kustomization/#kustomize-secretgenerator They do not seem to work as written, there are two issues that as far as I can tell are not SOPS regressions, as they fail in similar ways on SOPS 3.7.1 (the version from one year ago) Let's convert this to a Docs issue, as long as some folks are using this successfully we can be reasonably assured that the functionality overall works, but I am less confident the docs are correct. These statements in particular:
I'm not sure how these commands should work. SOPS apparently requires you to provide an input file, it will not accept
But even with stdin, these commands all depend on your
I added these in mine:
two rules at the bottom, (commented out because I thought they should not be necessary and I think they do not come from our docs anywhere.) These commands start working with the additions uncommented to match these other paths. I am at a loss why I missed this when I tried last week. These are all SOPS troubles though, and the creation of secrets from Flux's perspective is a SOPS responsibility, so we can fix it through docs, and we can try to get something fixed in SOPS if the behavior is wrong, but on Flux's side I think this is just a documentation issue, I'll change the title to reflect that. |
(I do not have write access to the repo so I cannot update titles) /rename Correct documentation about SOPS for different file types than YAML |
Issue
Upgrading from Flux v0.28.5 to v0.30.2 (kustomize-controller v0.23.5) using the bootstrap method recreated all of the secrets in our cluster, breaking SOPS Kustomize generated secrets.
For example, before the upgrade (kustomize-controller v0.22.3) the secret would look like this after decoding the data field:
And after the upgrade (kustomize-controller v0.23.5):
Forcing the
kustomize-controller
back to versionv0.22.3
(leaving everything else) triggered all the secrets to get recreated again and reverted them back to a working state.Replicate issue:
creds.txt:
Encrypt the file:
sops -p "fingeprint" -e creds.txt > creds.json
creds.json:
kustomization.yaml
The text was updated successfully, but these errors were encountered: