kustomize controller is confused when it encounters SOPS masked data. #2690

Closed
1 task done
anoland opened this issue Apr 28, 2022 · 5 comments

anoland commented Apr 28, 2022

Describe the bug

I was figuring out how to use SOPS and encountered this issue. When trying to verify that the data was getting set, I used flux build to recreate the secret. I checked in and pushed the generated yaml:

data:
  password: KipTT1BTKio=
  user: KipTT1BTKio=
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    kustomize.toolkit.fluxcd.io/name: age-secrets
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: basic-auth2
  namespace: default

I didn't quite realize the string "KipTT1BTKio" wasn't what I really wanted.
echo -n "KipTT1BTKio=" | base64 -d
SOPS

Kustomization shows this ambiguous error.
kustomization/flux-system main/6880a19b0498c578b263432a0061bf213d391fef False False Secret/flux-system/basic-auth2 validation error: error decoding from json: illegal base64 data at input byte 3

Steps to reproduce

Try to create a secret with invalid JSON data.

Expected behavior

My silly mistake aside, could there be a more helpful error message describing what it encountered and why it is refusing to continue?

If reconciliation didn't fail and applied the "SOPS" value I would be able to see my problem sooner.

Thanks.

Screenshots and recordings

No response

OS / Distro

Ubuntu 20.04 LTS

Flux version

flux: v0.29.3

Flux check

► checking prerequisites
✗ flux 0.29.3 <0.29.5 (new version is available, please upgrade)
✔ Kubernetes 1.22.8+rke2r1 >=1.20.6-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.20.1
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.24.3
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.23.4
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.24.1
✔ all checks passed

Git provider

No response

Container Registry provider

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

anoland commented Apr 28, 2022

FWIW,
This is inconsistent with running them by hand.

$ flux build ks age-secrets --path ./
apiVersion: v1
data:
  password: KipTT1BTKio=
  user: KipTT1BTKio=
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    kustomize.toolkit.fluxcd.io/name: age-secrets
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: basic-auth2
  namespace: default
$ flux build ks age-secrets --path ./ | kubectl apply -f -
secret/basic-auth2 configured
$ kubectl get secrets basic-auth2 -o yaml
apiVersion: v1
data:
  password: KipTT1BTKio=
  user: KipTT1BTKio=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"KipTT1BTKio=","user":"KipTT1BTKio="},"kind":"Secret","metadata":{"annotations":{},"creationTimestamp":null,"labels":{"kustomize.toolkit.fluxcd.io/name":"age-secrets","kustomize.toolkit.fluxcd.io/namespace":"flux-system"},"name":"basic-auth2","namespace":"default"}}
  creationTimestamp: "2022-04-28T15:50:46Z"
  labels:
    kustomize.toolkit.fluxcd.io/name: age-secrets
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: basic-auth2
  namespace: default
  resourceVersion: "5815435"
  uid: 92b64854-68e0-4091-a192-130fca4064ab
type: Opaque

Member

hiddeco commented Apr 28, 2022

I expect this to be solved if you update to Flux v0.29.5 released today, which includes fluxcd/kustomize-controller#636.


anoland commented Apr 28, 2022

Yup.

$ flux build ks age-secrets --path ./ > basic-auth.yaml.tmp
$ mv basic-auth.yaml.tmp basic-auth.yaml
$ sops -i -e basic-auth.yaml 
$ git add basic-auth.yaml 
$ git commit -m'checking 2.95 fix'
[main 45baa75] checking 2.95 fix
 1 file changed, 25 insertions(+), 2 deletions(-)

$ git push
Enumerating objects: 11, done.
Counting objects: 100% (11/11), done.
Delta compression using up to 2 threads
Compressing objects: 100% (5/5), done.
Writing objects: 100% (6/6), 1.50 KiB | 1.50 MiB/s, done.
Total 6 (delta 1), reused 0 (delta 0)
remote: . Processing 1 references
remote: Processed 1 references in total
To https://codeberg.org/jude-project/flux-test
   0973c6b..45baa75  main -> main

$ flux reconcile kustomization flux-system 
► annotating Kustomization flux-system in flux-system namespace
✔ Kustomization annotated
◎ waiting for Kustomization reconciliation
✔ applied revision main/0973c6b2479df4c074e88ca729ca181437d77999

$ kubectl get secrets basic-auth2 -o yaml
apiVersion: v1
data:
  password: KipTT1BTKio=
  user: KipTT1BTKio=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"KipTT1BTKio=","user":"KipTT1BTKio="},"kind":"Secret","metadata":{"annotations":{},"creationTimestamp":null,"labels":{"kustomize.toolkit.fluxcd.io/name":"age-secrets","kustomize.toolkit.fluxcd.io/namespace":"flux-system"},"name":"basic-auth2","namespace":"default"}}
  creationTimestamp: "2022-04-28T15:50:46Z"
  labels:
    kustomize.toolkit.fluxcd.io/name: age-secrets
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: basic-auth2
  namespace: default
  resourceVersion: "5815435"
  uid: 92b64854-68e0-4091-a192-130fca4064ab
type: Opaque

@anoland anoland closed this as completed Apr 28, 2022

5cat commented Nov 4, 2022

I faced this issue today as well until I realized I just put the decryption on the wrong kustomization object.
Having the error as error decoding from json: illegal base64 data at input byte 3 made me question whether the secrets were encoded correctly.
It would be very thoughtful to have some helpful error message.


NikoKS commented Oct 26, 2023

For me, I got the same error because I use data: instead of stringData:
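
Two of the mistakes reported in this thread can be caught before commit: a `data:` value that is only the base64 of the `**SOPS**` mask, and plaintext placed under `data:` instead of `stringData:`. The following Python check is an added example, not code from the thread or from Flux; `check_secret_data` and the sample manifest are constructed for illustration, and it assumes a flat, single-document Secret manifest.

```python
import base64
import binascii

SOPS_MASK = b"**SOPS**"  # placeholder whose base64 form is KipTT1BTKio=

# Constructed sample: a flat Secret manifest mixing the cases from the thread.
SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth2
  namespace: default
data:
  password: KipTT1BTKio=
  user: admin
  token: aHVudGVyMg==
type: Opaque
"""

def check_secret_data(manifest: str) -> dict:
    """Return {key: finding} for entries under the top-level data: mapping.

    Assumes simple `key: value` lines; this is a line scanner, not a YAML parser.
    """
    findings = {}
    in_data = False
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):
            # Any top-level key either opens or closes the data: block.
            in_data = line.rstrip() == "data:"
            continue
        if not in_data:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        try:
            decoded = base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            findings[key] = f"not valid base64 ({exc}); plaintext belongs under stringData"
            continue
        if decoded == SOPS_MASK:
            findings[key] = "decodes to the **SOPS** mask, not a real value"
    return findings

if __name__ == "__main__":
    for key, finding in check_secret_data(SAMPLE).items():
        print(f"data.{key}: {finding}")
```

Run against the manifest before `sops -e` and `git add`; an empty result means every `data:` entry is valid base64 and none is the mask placeholder.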
