From 997e6be3a2b5b9e6bd78d181f53e07a6389ea0a6 Mon Sep 17 00:00:00 2001
From: Soule BA <soule@weave.works>
Date: Thu, 3 Feb 2022 18:02:06 +0100
Subject: [PATCH] Make sure to trim all sops data

If implemented, this fixes #2363 and makes sure we can build with sops-encrypted
data.

Signed-off-by: Soule BA <soule@weave.works>
---
 internal/build/build.go      | 31 ++++++++++++++++++++--------
 internal/build/build_test.go | 39 ++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 8 deletions(-)

diff --git a/internal/build/build.go b/internal/build/build.go
index 416c2b0b..923852d5 100644
--- a/internal/build/build.go
+++ b/internal/build/build.go
@@ -36,6 +36,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 const (
@@ -262,17 +263,31 @@ func trimSopsData(res *resource.Resource) error {
 
 	if res.GetKind() == "Secret" {
 		dataMap := res.GetDataMap()
-		for k, v := range dataMap {
-			data, err := base64.StdEncoding.DecodeString(v)
-			if err != nil {
-				if _, ok := err.(base64.CorruptInputError); ok {
-					return fmt.Errorf("failed to decode secret data: %w", err)
-				}
-			}
+		asYaml, err := res.AsYAML()
+		if err != nil {
+			return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+		}
 
-			if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+		//delete any sops data as we don't want to expose it
+		if bytes.Contains(asYaml, []byte("sops:")) && bytes.Contains(asYaml, []byte("mac: ENC[")) {
+			res.PipeE(yaml.FieldClearer{Name: "sops"})
+			for k := range dataMap {
 				dataMap[k] = sopsMess
 			}
+
+		} else {
+			for k, v := range dataMap {
+				data, err := base64.StdEncoding.DecodeString(v)
+				if err != nil {
+					if _, ok := err.(base64.CorruptInputError); ok {
+						return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+					}
+				}
+
+				if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+					dataMap[k] = sopsMess
+				}
+			}
 		}
 
 		res.SetDataMap(dataMap)
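Review bot: The error returned by `res.PipeE(yaml.FieldClearer{Name: "sops"})` is discarded, so if clearing fails the `sops` block (mac, recipients, encrypted payload) stays in the built output despite the comment saying it must not be exposed, and `go vet`/errcheck would flag the dropped return. Check it: `if err := res.PipeE(yaml.FieldClearer{Name: "sops"}); err != nil { return fmt.Errorf("failed to clear sops metadata from secret %s: %w", res.GetName(), err) }`. The detection is also a substring match over the whole serialized resource (`sops:` and `mac: ENC[`), so a plain Secret whose values happen to contain those strings would have every entry replaced with `sopsMess`; testing for the presence of a top-level `sops` field rather than substrings anywhere in the document would be more precise. Only `dataMap` is masked, while the test fixture's `encrypted_regex: ^(data|stringData)$` shows sops encrypts `stringData` as well — confirm `GetDataMap()` covers that field, otherwise encrypted `stringData` values pass through unmasked. trimSopsData begins and ends outside this hunk.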
diff --git a/internal/build/build_test.go b/internal/build/build_test.go
index ffda319e..17b2cf39 100644
--- a/internal/build/build_test.go
+++ b/internal/build/build_test.go
@@ -91,6 +91,45 @@ kind: Secret
 metadata:
   name: secret-basic-auth
 type: kubernetes.io/basic-auth
+`,
+		},
+		{
+			name: "secret sops secret",
+			yamlStr: `apiVersion: v1
+data:
+  .dockercfg: ENC[AES256_GCM,data:KHCFH3hNnc+PMfWLFEPjebf3W4z4WXbGFAANRZyZC+07z7wlrTALJM6rn8YslW4tMAWCoAYxblC5WRCszTy0h9rw0U/RGOv5H0qCgnNg/FILFUqhwo9pNfrUH+MEP4M9qxxbLKZwObpHUE7DUsKx1JYAxsI=,iv:q48lqUbUQD+0cbYcjNMZMJLRdGHi78ZmDhNAT2th9tg=,tag:QRI2SZZXQrAcdql3R5AH2g==,type:str]
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age10la2ge0wtvx3qr7datqf7rs4yngxszdal927fs9rukamr8u2pshsvtz7ce
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eU1CTEJhVXZ4eEVYYkVV
+        OU90TEcrR2pYckttN0pBanJoSUZWSW1RQXlRCkUydFJ3V1NZUTBuVFF0aC9GUEcw
+        bUdhNjJWTkoyL1FUVi9Dc1dxUDBkM0UKLS0tIE1sQXkwcWdGaEFuY0RHQTVXM0J6
+        dWpJcThEbW15V3dXYXpPZklBdW1Hd1kKoIAdmGNPrEctV8h1w8KuvQ5S+BGmgqN9
+        MgpNmUhJjWhgcQpb5BRYpQesBOgU5TBGK7j58A6DMDKlSiYZsdQchQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2022-02-03T16:03:17Z"
+  mac: ENC[AES256_GCM,data:AHdYSawajwgAFwlmDN1IPNmT9vWaYKzyVIra2d6sPcjTbZ8/p+VRSRpVm4XZFFsaNnW5AUJaouwXnKYDTmJDXKlr/rQcu9kXqsssQgdzcXaA6l5uJlgsnml8ba7J3OK+iEKMax23mwQEx2EUskCd9ENOwFDkunP02sxqDNOz20k=,iv:8F5OamHt3fAVorf6p+SoIrWoqkcATSGWVoM0EK87S4M=,tag:E1mxXnc7wWkEX5BxhpLtng==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.7.1
+`,
+			expected: `apiVersion: v1
+data:
+  .dockercfg: KipTT1BTKio=
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
 `,
 		},
 	}
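Review bot: The new case only asserts that `data` is masked and the `sops` block is dropped; there is no case where the Secret carries `stringData`, even though the fixture's own `encrypted_regex: ^(data|stringData)$` says sops encrypts that field too, so encrypted `stringData` leaking through would not be caught. A second fixture with a `stringData:` entry holding an `ENC[...]` value and an `expected` that shows it masked would pin that behavior. The fixture also pairs `type: kubernetes.io/dockerconfigjson` with a `.dockercfg` key, which looks like a mismatch (that Secret type normally keys on `.dockerconfigjson`); harmless for this test, but worth aligning so the fixture resembles a real Secret.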
-- 
GitLab