Mask dockerconfigjson secret types and support StringData secrets

If implemented, flux diff kustomization will managed correctly sops managed dockerconfigjson secrets. Sops encrypted secret with stringData maps are supported too. Signed-off-by: Soule BA <soule@weave.works>
2026-02-13 13:06:56 +00:00 · 2022-02-06 00:28:37 +01:00
parent cf3f729f98
commit 2e9fd33ce5
19 changed files with 281 additions and 24 deletions
--- a/internal/build/diff.go
+++ b/internal/build/diff.go
@@ -199,17 +199,31 @@ func diff(liveFile, mergedFile string, output io.Writer) error {
 }

 func diffSopsSecret(obj, liveObject, mergedObject *unstructured.Unstructured, change *ssa.ChangeSetEntry) {
-	data := obj.Object["data"]
-	for _, v := range data.(map[string]interface{}) {
+	// get both data and stringdata maps
+	data := obj.Object[dataField]
+	stringData := obj.Object[stringDataField]
+
+	if m, ok := data.(map[string]interface{}); ok && m != nil {
+		applySopsDiff(m, liveObject, mergedObject, change)
+	}
+
+	if m, ok := stringData.(map[string]interface{}); ok && m != nil {
+		applySopsDiff(m, liveObject, mergedObject, change)
+	}
+}
+
+func applySopsDiff(data map[string]interface{}, liveObject, mergedObject *unstructured.Unstructured, change *ssa.ChangeSetEntry) {
+	for _, v := range data {
 		v, err := base64.StdEncoding.DecodeString(v.(string))
 		if err != nil {
 			fmt.Println(err)
 		}
+
 		if bytes.Contains(v, []byte(mask)) {
 			if liveObject != nil && mergedObject != nil {
 				change.Action = string(ssa.UnchangedAction)
-				dataLive := liveObject.Object["data"].(map[string]interface{})
-				dataMerged := mergedObject.Object["data"].(map[string]interface{})
+				dataLive := liveObject.Object[dataField].(map[string]interface{})
+				dataMerged := mergedObject.Object[dataField].(map[string]interface{})
 				if cmp.Diff(keys(dataLive), keys(dataMerged)) != "" {
 					change.Action = string(ssa.ConfiguredAction)
 				}