Use Secret generator keys for SOPS format hint #636
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
seh
commented
Apr 26, 2022
| @@ -68,7 +67,6 @@ var ( | |||
| k8sClient client.Client | |||
| testEnv *testenv.Environment | |||
| testServer *testserver.ArtifactServer | |||
| testEventsH kuberecorder.EventRecorder | |||
There was a problem hiding this comment.
staticcheck suggested that I remove this.
Comment on lines
-1162
to
+1172
| g.Expect(bytes.Compare(f.data, b) == 0).To(Equal(f.expectData)) | ||
| g.Expect(bytes.Equal(f.data, b)).To(Equal(f.expectData)) |
There was a problem hiding this comment.
staticcheck suggested this change.
| @@ -877,13 +882,13 @@ func TestKustomizeDecryptor_decryptKustomizationEnvSources(t *testing.T) { | |||
| GeneratorArgs: kustypes.GeneratorArgs{ | |||
| Name: "envSecret", | |||
| KvPairSources: kustypes.KvPairSources{ | |||
| FileSources: []string{"file.txt"}, | |||
| EnvSources: []string{"app.env", "key=../secret.env"}, | |||
There was a problem hiding this comment.
Note that kustomize doesn't split the "EnvSources" field's values on an equals sign; it assumes that the whole value is always a file path.
seh
force-pushed
the
revise-sops-format-detection-for-generated-secrets
branch
from
27d6f00 to
b78b26e
Compare
Rather than inspecting the source file name supplied to kustomize's Secret generator to determine the format of the SOPS-encrypted file content, instead inspect the Secret key (when supplied separately from the source file name) as a more reliable heuristic. Doing so allows kustomization authors to name their SOPS-encrypted output files with a ".json" extension accurately reflecting the format in which SOPS writes its encrypted output, even if the encrypted content itself is not in JSON format. Signed-off-by: Steven E. Harris <seh@panix.com>
Signed-off-by: Steven E. Harris <seh@panix.com>
Signed-off-by: Steven E. Harris <seh@panix.com>
seh
force-pushed
the
revise-sops-format-detection-for-generated-secrets
branch
from
b78b26e to
e6beca1
Compare
hiddeco
added
enhancement
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Rather than inspecting the source file name supplied to kustomize's Secret generator to determine the format of the SOPS-encrypted file content, instead inspect the Secret key—when supplied separately from the source file name—as a more reliable heuristic.
Doing so allows kustomization authors to name their SOPS-encrypted output files with a ".json" extension accurately reflecting the format in which SOPS writes its encrypted output, even if the encrypted content itself is not in JSON format.
See preceding discussion in the "flux" channel of the CNCF Slack workspace for the circuitous path I took to diagnose this change in behavior, with @hiddeco's help in pointing me to his recent #619 and suggesting the idea for the fix.