Make sure to trim all sops data

If implemented this fixes #2363 and make sure we can build with sops encrypted data Signed-off-by: Soule BA <soule@weave.works>
2026-02-13 13:06:56 +00:00 · 2022-02-03 18:02:06 +01:00
parent 51af4bbf52
commit 997e6be3a2
2 changed files with 62 additions and 8 deletions
--- a/internal/build/build.go
+++ b/internal/build/build.go
@@ -36,6 +36,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

 const (
@@ -262,16 +263,30 @@ func trimSopsData(res *resource.Resource) error {

 	if res.GetKind() == "Secret" {
 		dataMap := res.GetDataMap()
-		for k, v := range dataMap {
-			data, err := base64.StdEncoding.DecodeString(v)
-			if err != nil {
-				if _, ok := err.(base64.CorruptInputError); ok {
-					return fmt.Errorf("failed to decode secret data: %w", err)
-				}
+		asYaml, err := res.AsYAML()
+		if err != nil {
+			return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+		}
+
+		//delete any sops data as we don't want to expose it
+		if bytes.Contains(asYaml, []byte("sops:")) && bytes.Contains(asYaml, []byte("mac: ENC[")) {
+			res.PipeE(yaml.FieldClearer{Name: "sops"})
+			for k := range dataMap {
+				dataMap[k] = sopsMess
 			}

-			if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
-				dataMap[k] = sopsMess
+		} else {
+			for k, v := range dataMap {
+				data, err := base64.StdEncoding.DecodeString(v)
+				if err != nil {
+					if _, ok := err.(base64.CorruptInputError); ok {
+						return fmt.Errorf("failed to decode secret %s data: %w", res.GetName(), err)
+					}
+				}
+
+				if bytes.Contains(data, []byte("sops")) && bytes.Contains(data, []byte("ENC[")) {
+					dataMap[k] = sopsMess
+				}
 			}
 		}