-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
validate.sh error "sops: Additional property sops is not allowed" #48
Comments
The validate script could be clearer about what it does, but I've read it somewhat carefully to understand the details, and I found that it validates basically three things:
That leaves an opening that we should call out explicitly in the docs, for how to structure your repo so that secrets are kept in a way that they are not validated, by kubeval which cannot validate them before they are decrypted: https://github.com/kingdonb/bootstrap-repo/tree/staging/secrets/cluster-api This directory simply doesn't include a The biggest risk of keeping secrets encrypted in the repo is that someone will be able to decrypt them who should not have been able to, into a namespace where they can read secrets (when they should not have access to this secret or decryption key.) So PRs to "secrets" repo can be closely monitored, perhaps through codeowners, to ensure that keys are used responsibly by all project members. At a certain point you have to go, "hey, write access to the repo means you are trusted" if you are giving people access to decryption keys through Flux, but it's a small thing that might help, and it works with the validation script. 👍 |
If anybody stumbles across this, since the validate.sh script was changed to use kubeconform instead of kubeval, the correct flag for skipping secrets now is |
I think we do recommend users keep secrets in a repo, so they can take advantage of Kustomize Secret generators. We have some docs about how that can be used with SOPS - this But we are a bit light on prescriptive guidance about where secrets are kept, especially considering that solutions like KeyVault and KMS can be used that keep the secret entirely out-of-band and csi secrets (where you cannot take advantage of the secretGenerator anymore) If you want to add that I'll open a separate issue for the other doc, I have some ideas about how we can expand on the SOPS guide and separate cloud-provider guides for using KMS. The user might get the idea these solutions are exclusive of each other, if we don't show a specific example that covers the use of all these in concert at the same time. |
Hello,
First of all, this repo has been very helpful!!!
Reason for opening this issue is that when using sops to store encrypted secrets in a repo with a similar structure as this, the validate.sh exits with non-zero exit code and these errors:
I believe it is due to the nature of a sops encrypted secret having the
sops:
section while being ofkind: Secret
and not matching the standard k8s Secret spec:To work around this, we updated the script as such so kubeval could skip validation of Secrets:
Would like to seek out other possible ways folks think this to address could be addressed.
Thanks!
The text was updated successfully, but these errors were encountered: