Merge pull request #1283 from vlasov-y/main

Enable decryption of secrets generated by Kustomize components
fluxcd · Nov 12, 2024 · 29080cb · 29080cb
2 parents d7bad03 + 681573b
commit 29080cb
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 1 deletion.
diff --git a/internal/controller/kustomization_decryptor_test.go b/internal/controller/kustomization_decryptor_test.go
@@ -200,6 +200,10 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 		g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year2", Namespace: id}, &year2Secret)).To(Succeed())
 		g.Expect(string(year2Secret.Data["year"])).To(Equal("year2"))
 
+		var year3Secret corev1.Secret
+		g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year3", Namespace: id}, &year3Secret)).To(Succeed())
+		g.Expect(string(year3Secret.Data["year"])).To(Equal("year3"))
+
 		var encodedSecret corev1.Secret
 		g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-month", Namespace: id}, &encodedSecret)).To(Succeed())
 		g.Expect(string(encodedSecret.Data["month.yaml"])).To(Equal("month: May\n"))

diff --git a/internal/controller/testdata/test-dotenv/overlays/component/kustomization.yaml b/internal/controller/testdata/test-dotenv/overlays/component/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+secretGenerator:
+  - name: sops-year3
+    envs:
+      - year3.env
+generatorOptions:
+  disableNameSuffixHash: true
diff --git a/internal/controller/testdata/test-dotenv/overlays/component/year3.env b/internal/controller/testdata/test-dotenv/overlays/component/year3.env
@@ -0,0 +1,7 @@
+year=ENC[AES256_GCM,data:c+S7GjA=,iv:bcYeALfyGDWlXi5UqOFVC2tCdex5MXaJKxn6awDIfAI=,tag:UQepDih41dSSUiebFYNxiw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4L01FcTR6dVpPR1JpNldW\nSURuaHBEZ3RrY1hpS1Mxam10VEhVSE85RG5NClFTZHEvQzBnbjVHK3VydEIxVkZE\ncEI0a1hVMmtVSXZjNU5VQXBVV2RIS0UKLS0tIEZlUndyWEVZZUl1bHI0a3JwS2M1\nQnNNcFZxaTNzWlZoSFRpdWd2QUJjNGcKzEaQDRjvnFPkwCXL6K5s5guI5xP0urcD\nfeYHuyAS9Td0l/5fTyDlLv6jFJ09QS1ob0OL0GAvknwjbRlbaWjrAA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
+sops_lastmodified=2024-11-10T18:49:59Z
+sops_mac=ENC[AES256_GCM,data:jeyF+D6Y5tGtcaxWfK65PlbjZLicI1lFi0uEcEq2fLVv9vPCpSO/iAfGGOqQiMPbndAV7FdqeFCSXC4gmf27gysR3FvHnYrbLZDO+fZm5K6Fk2IReSCZIHLxVGUlC9E5z1NFfPjJdD3fMM5I6sT7Cpn6xCg/rHavmfOEwW2dU94=,iv:kgxhX2NhFEmgfbOD7FpiXI+WXXZrpzf7R8r1RMSPPjs=,tag:aHge+qF1wsAszeTL25HtBw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.0
diff --git a/internal/controller/testdata/test-dotenv/overlays/kustomization.yaml b/internal/controller/testdata/test-dotenv/overlays/kustomization.yaml
@@ -8,3 +8,5 @@ secretGenerator:
       - year1.env
 generatorOptions:
   disableNameSuffixHash: true
+components:
+  - component
diff --git a/internal/decryptor/decryptor.go b/internal/decryptor/decryptor.go
@@ -697,9 +697,13 @@ func recurseKustomizationFiles(root, path string, visit visitKustomization, visi
 		return err
 	}
 
+	// Components may contain resources as well, ...
+	// ...so we have to process both .resources and .components values
+	resources := append(kus.Resources, kus.Components...)
+
 	// Recurse over other resources in Kustomization,
 	// repeating the above logic per item
-	for _, res := range kus.Resources {
+	for _, res := range resources {
 		if !filepath.IsAbs(res) {
 			res = filepath.Join(path, res)
 		}