From 997e6be3a2b5b9e6bd78d181f53e07a6389ea0a6 Mon Sep 17 00:00:00 2001
From: Soule BA
Date: Thu, 3 Feb 2022 18:02:06 +0100
Subject: [PATCH] Make sure to trim all sops data

If implemented this fixes #2363 and make sure we can build with sops encrypted data

Signed-off-by: Soule BA
---
 internal/build/build.go      | 31 ++++++++++++++++++++--------
 internal/build/build_test.go | 39 ++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 8 deletions(-)

diff --git a/internal/build/build.go b/internal/build/build.go
index 416c2b0b..923852d5 100644
--- a/internal/build/build.go
+++ b/internal/build/build.go
@@ -36,6 +36,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 const (
@@ -262,17 +263,31 @@ func trimSopsData(res *resource.Resource) error {
 	if res.GetKind() == "Secret" {
 		dataMap := res.GetDataMap()
 
-		for k, v := range dataMap {
-			data, err := base64.StdEncoding.DecodeString(v)
-			if err != nil {
-				if _, ok := err.(base64.CorruptInputError); ok {
-					return fmt.Errorf("failed to decode secret data: %w", err)
-				}
-			}
+		asYaml, err := res.AsYAML()
+		if err != nil {
+			return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+		}
 
-			if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+		//delete any sops data as we don't want to expose it
+		if bytes.Contains(asYaml, []byte("sops:")) && bytes.Contains(asYaml, []byte("mac: ENC[")) {
+			res.PipeE(yaml.FieldClearer{Name: "sops"})
+			for k := range dataMap {
 				dataMap[k] = sopsMess
 			}
+
+		} else {
+			for k, v := range dataMap {
+				data, err := base64.StdEncoding.DecodeString(v)
+				if err != nil {
+					if _, ok := err.(base64.CorruptInputError); ok {
+						return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+					}
+				}
+
+				if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+					dataMap[k] = sopsMess
+				}
+			}
 		}
 
 		res.SetDataMap(dataMap)
diff --git a/internal/build/build_test.go b/internal/build/build_test.go
index ffda319e..17b2cf39 100644
--- a/internal/build/build_test.go
+++ b/internal/build/build_test.go
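Review bot: The return value of `res.PipeE(yaml.FieldClearer{Name: "sops"})` is dropped, so a failure to clear the field leaves the whole `sops` block (mac, age/pgp entries, encrypted_regex) in the build output while only the data values get masked; handle it like the surrounding errors, `if err := res.PipeE(yaml.FieldClearer{Name: "sops"}); err != nil { return fmt.Errorf("failed to clear sops metadata from secret %s: %w", res.GetName(), err) }`. The detection is a substring match over the serialized document, so a Secret with no sops block whose values merely contain `sops:` and `mac: ENC[` would have every value replaced with sopsMess; checking for the top-level `sops` field directly (presumably `res.Pipe(yaml.Lookup("sops"))` on the embedded RNode) would be more precise. Minor: the new comment reads `//delete …`; the gofmt convention is a space after `//`, i.e. `// delete any sops data as we don't want to expose it`. trimSopsData's signature and closing brace lie outside the hunk.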
@@ -91,6 +91,45 @@ kind: Secret
 metadata:
   name: secret-basic-auth
 type: kubernetes.io/basic-auth
+`,
+		},
+		{
+			name: "secret sops secret",
+			yamlStr: `apiVersion: v1
+data:
+  .dockercfg: ENC[AES256_GCM,data:KHCFH3hNnc+PMfWLFEPjebf3W4z4WXbGFAANRZyZC+07z7wlrTALJM6rn8YslW4tMAWCoAYxblC5WRCszTy0h9rw0U/RGOv5H0qCgnNg/FILFUqhwo9pNfrUH+MEP4M9qxxbLKZwObpHUE7DUsKx1JYAxsI=,iv:q48lqUbUQD+0cbYcjNMZMJLRdGHi78ZmDhNAT2th9tg=,tag:QRI2SZZXQrAcdql3R5AH2g==,type:str]
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age10la2ge0wtvx3qr7datqf7rs4yngxszdal927fs9rukamr8u2pshsvtz7ce
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eU1CTEJhVXZ4eEVYYkVV
+        OU90TEcrR2pYckttN0pBanJoSUZWSW1RQXlRCkUydFJ3V1NZUTBuVFF0aC9GUEcw
+        bUdhNjJWTkoyL1FUVi9Dc1dxUDBkM0UKLS0tIE1sQXkwcWdGaEFuY0RHQTVXM0J6
+        dWpJcThEbW15V3dXYXpPZklBdW1Hd1kKoIAdmGNPrEctV8h1w8KuvQ5S+BGmgqN9
+        MgpNmUhJjWhgcQpb5BRYpQesBOgU5TBGK7j58A6DMDKlSiYZsdQchQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2022-02-03T16:03:17Z"
+  mac: ENC[AES256_GCM,data:AHdYSawajwgAFwlmDN1IPNmT9vWaYKzyVIra2d6sPcjTbZ8/p+VRSRpVm4XZFFsaNnW5AUJaouwXnKYDTmJDXKlr/rQcu9kXqsssQgdzcXaA6l5uJlgsnml8ba7J3OK+iEKMax23mwQEx2EUskCd9ENOwFDkunP02sxqDNOz20k=,iv:8F5OamHt3fAVorf6p+SoIrWoqkcATSGWVoM0EK87S4M=,tag:E1mxXnc7wWkEX5BxhpLtng==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.7.1
+`,
+			expected: `apiVersion: v1
+data:
+  .dockercfg: KipTT1BTKio=
+kind: Secret
+metadata:
+  name: secret
+type: kubernetes.io/dockerconfigjson
 `,
 		},
 	}
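Review bot: The new case only covers the positive path, where the document carries a top-level `sops` block and `expected` asserts that the block is dropped and `.dockercfg` is replaced by `KipTT1BTKio=`; there is no companion case for an ordinary Secret whose values merely contain the strings `sops:` and `mac: ENC[`, which is the input most likely to be mis-classified by the substring check in trimSopsData on the same page. A fixture of that shape with `expected` equal to its input would pin the intended boundary. The case name `"secret sops secret"` reads awkwardly; `"sops encrypted secret"` says the same thing. The enclosing test-table slice literal starts outside the hunk.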