Merge pull request #469 from fluxcd/secretGenerator-docs

SOPS: Document env secret generator
fluxcd · Oct 19, 2021 · fd30e4e · fd30e4e
2 parents 5ab853d + c610944
commit fd30e4e
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 4 deletions.
diff --git a/controllers/kustomization_decryptor.go b/controllers/kustomization_decryptor.go
@@ -25,6 +25,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 
 	securejoin "github.com/cyphar/filepath-securejoin"
 	"go.mozilla.org/sops/v3"
@@ -216,19 +217,25 @@ func (kd *KustomizeDecryptor) decryptDotEnvFiles(dirpath string) error {
 	secretGens := kus.SecretGenerator
 	for _, gen := range secretGens {
 		for _, envFile := range gen.EnvSources {
-			filepath := filepath.Join(dirpath, envFile)
-			data, err := ioutil.ReadFile(filepath)
+
+			envFileParts := strings.Split(envFile, "=")
+			if len(envFileParts) > 1 {
+				envFile = envFileParts[1]
+			}
+
+			envPath := filepath.Join(dirpath, envFile)
+			data, err := ioutil.ReadFile(envPath)
 			if err != nil {
 				return err
 			}
 
 			if bytes.Contains(data, []byte("sops_mac=ENC[")) {
 				out, err := kd.DataWithFormat(data, formats.Dotenv, formats.Dotenv)
 				if err != nil {
-					return nil
+					return err
 				}
 
-				err = ioutil.WriteFile(filepath, out, 0644)
+				err = ioutil.WriteFile(envPath, out, 0644)
 				if err != nil {
 					return fmt.Errorf("error writing to file: %w", err)
 				}

diff --git a/docs/spec/v1beta2/kustomization.md b/docs/spec/v1beta2/kustomization.md
@@ -994,6 +994,35 @@ The kustomize-controller scans the values of Kubernetes Secrets, and when it
 detects that the values are SOPS encrypted, it decrypts them before applying 
 them on the cluster.
 
+For secrets in `.json`, `.yaml` and `.env` format, make sure you specify the input type when encrypting them with SOPS:
+
+```sh
+cat config.json | sops -e --input-type=json > config.json.encrypted
+cat config.yaml | sops -e --input-type=yaml > config.yaml.encrypted
+cat config.env | sops -e --input-type=env > config.env.encrypted
+```
+
+For kustomize-controller to be able to decrypt a JSON config, you need to set the file extension to `.json`:
+
+```yaml
+kind: Kustomization
+secretGenerator:
+  - name: config
+    files:
+      - config.json=config.json.encrypted
+```
+
+For dotenv files, use the `envs` directive:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+secretGenerator:
+  - name: config
+    envs:
+      - config.env.encrypted
+```
+
 ## Status
 
 When the controller completes a Kustomization apply, reports the result in the `status` sub-resource.