Make sure to trim all sops data

If implemented this fixes #2363 and make sure we can build with sops encrypted data Signed-off-by: Soule BA <soule@weave.works>
4 years ago · 997e6be3a2
parent 51af4bbf52
commit 997e6be3a2
2 changed files with 62 additions and 8 deletions
--- a/internal/build/build.go
+++ b/internal/build/build.go
@ -36,6 +36,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

 const (
@ -262,17 +263,31 @@ func trimSopsData(res *resource.Resource) error {

 	if res.GetKind() == "Secret" {
 		dataMap := res.GetDataMap()
-		for k, v := range dataMap {
-			data, err := base64.StdEncoding.DecodeString(v)
-			if err != nil {
-				if _, ok := err.(base64.CorruptInputError); ok {
-					return fmt.Errorf("failed to decode secret data: %w", err)
-				}
-			}
+		asYaml, err := res.AsYAML()
+		if err != nil {
+			return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+		}

-			if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+		//delete any sops data as we don't want to expose it
+		if bytes.Contains(asYaml, []byte("sops:")) && bytes.Contains(asYaml, []byte("mac: ENC[")) {
+			res.PipeE(yaml.FieldClearer{Name: "sops"})
+			for k := range dataMap {
 				dataMap[k] = sopsMess
 			}
+
+		} else {
+			for k, v := range dataMap {
+				data, err := base64.StdEncoding.DecodeString(v)
+				if err != nil {
+					if _, ok := err.(base64.CorruptInputError); ok {
+						return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+					}
+				}
+
+				if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+					dataMap[k] = sopsMess
+				}
+			}
 		}

 		res.SetDataMap(dataMap)
--- a/internal/build/build_test.go
+++ b/internal/build/build_test.go
@ -91,6 +91,45 @@ kind: Secret
 metadata:
  name: secret-basic-auth
 type: kubernetes.io/basic-auth
+`,
+		},
+		{
+			name: "secret sops secret",
+			yamlStr: `apiVersion: v1
+data:
+  .dockercfg: ENC[AES256_GCM,data:KHCFH3hNnc+PMfWLFEPjebf3W4z4WXbGFAANRZyZC+07z7wlrTALJM6rn8YslW4tMAWCoAYxblC5WRCszTy0h9rw0U/RGOv5H0qCgnNg/FILFUqhwo9pNfrUH+MEP4M9qxxbLKZwObpHUE7DUsKx1JYAxsI=,iv:q48lqUbUQD+0cbYcjNMZMJLRdGHi78ZmDhNAT2th9tg=,tag:QRI2SZZXQrAcdql3R5AH2g==,type:str]
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age10la2ge0wtvx3qr7datqf7rs4yngxszdal927fs9rukamr8u2pshsvtz7ce
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eU1CTEJhVXZ4eEVYYkVV
+        OU90TEcrR2pYckttN0pBanJoSUZWSW1RQXlRCkUydFJ3V1NZUTBuVFF0aC9GUEcw
+        bUdhNjJWTkoyL1FUVi9Dc1dxUDBkM0UKLS0tIE1sQXkwcWdGaEFuY0RHQTVXM0J6
+        dWpJcThEbW15V3dXYXpPZklBdW1Hd1kKoIAdmGNPrEctV8h1w8KuvQ5S+BGmgqN9
+        MgpNmUhJjWhgcQpb5BRYpQesBOgU5TBGK7j58A6DMDKlSiYZsdQchQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2022-02-03T16:03:17Z"
+  mac: ENC[AES256_GCM,data:AHdYSawajwgAFwlmDN1IPNmT9vWaYKzyVIra2d6sPcjTbZ8/p+VRSRpVm4XZFFsaNnW5AUJaouwXnKYDTmJDXKlr/rQcu9kXqsssQgdzcXaA6l5uJlgsnml8ba7J3OK+iEKMax23mwQEx2EUskCd9ENOwFDkunP02sxqDNOz20k=,iv:8F5OamHt3fAVorf6p+SoIrWoqkcATSGWVoM0EK87S4M=,tag:E1mxXnc7wWkEX5BxhpLtng==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.7.1
+`,
+			expected: `apiVersion: v1
+data:
+  .dockercfg: KipTT1BTKio=
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
 `,
 		},
 	}