Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix #189: allows secret generation from literals #236

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix #189: allows secret generation from literals #236

wants to merge 2 commits into from

Conversation

JoelDimbernat
Copy link

@JoelDimbernat JoelDimbernat commented Mar 27, 2024
edited by devstein
Loading

Fixes #189

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. kind:enhancement New feature or request labels Mar 27, 2024
@JoelDimbernat
Copy link
Author

Anything missing for someone to review this PR?

@devstein
Copy link
Collaborator

Anything missing for someone to review this PR?

@JoelDimbernat just forgot to assign me 😁

@devstein devstein self-requested a review May 31, 2024 22:16
devstein
devstein reviewed May 31, 2024
View reviewed changes
Copy link
Collaborator

@devstein devstein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for contributing! Code looks good to me, but

  1. What is the motivation/use-case for this?
  2. Can you add documentation to the README

@JoelDimbernat
Copy link
Author

I'm trying to fix issue #189

The main use case I see is when you want to mix non encrypted literals with an encrypted file in the same resulting secret.

I can't remember my exact use case, but I remember I looked for how to do it and stumbled on that issue. Maybe @blinkeye could tell us more.

@devstein devstein mentioned this pull request Jun 17, 2024
Open
@reneleonhardt
Copy link

Hello @blinkeye does this fix your problem?

@albundy83
Copy link

albundy83 commented Oct 17, 2024
edited
Loading

Hello,
I think the use case is to be able to replace easily the classic secretGenerator when used with literals syntaxe.

Here a kustomize.yaml without ksops:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - deployment.yaml
  - service.yaml

secretGenerator:
  - name: cloudnative-pg-s3
    literals:
      - ACCESS_KEY_ID=yyyyyyyyyyyyyyyyyyyy
      - ACCESS_SECRET_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

generatorOptions:
  labels:
    app: frankenphp
  annotations:
    argocd.argoproj.io/sync-wave: '0'

And with ksops and literals support kustomize.yaml file:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - deployment.yaml
  - service.yaml

generators:
  - sops-secret-generator.yaml

and of course sops-secret-generator.yaml file:

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: ksops-secret-from-generator
  annotations:
    config.kubernetes.io/function: "exec:\n  # if the binary is your PATH, you can do \n  path: ksops\n  # otherwise, path should be relative to manifest files, like\n  # path: ../../../ksops\n"
secretFrom:
  - metadata:
      name: cloudnative-pg-s3
      annotations:
        argocd.argoproj.io/sync-wave: '0'
      labels:
        app: frankenphp
    literals:
      - ENC[AES256_GCM,data:koqsnfF4DJs1q5tmnEQhZN3YMZ5SPVSZfn6/DcoT6Nhyyw==,iv:70Io/WBio9EgjdKCHmW2MDILfoc7pZHlQWkzDhKoBhw=,tag:Jnj7H6ClJhwmFuDdRGw5KA==,type:str]
      - ENC[AES256_GCM,data:4c5PLLjChVXcR8eMMa+SG+HogafhQp8Q89iS4OJs1NhbqEpHbe57vZPtNqNNLkD4yxw=,iv:fN/3ylxK3aKhwIMvUuCWXL/BkJmwhIQ98htEXU8EH7M=,tag:u0c7zdvPife7XpYvPCJNXQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1z9zm8evxf6yczcyc976srtjvhsxpxhme6w94jmurdnx7a38a3f9q3ywu2d
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVE5xbERaaWJiemhoNEVj
        NkFXNUdMc3lhdEpWOGk3NWswYnVvSmhxUkRjCkJFVVNpbExrYzdLL0VlakhwR0xX
        S2h0SVZiVmp2MWh2NXFrbVRuRUNlMTQKLS0tIHVYQ3NDNm1PN3I5Z2laS2NYem9K
        c3JCcUxEcGpxanowWjc0djJyaGYvQlUKFgnuyZPyLjemfnFA8Z8eqBAtAbjN21fS
        vIHrqEu1dCoGWsxEBg9lbo11rR4MToLRElcw6SAuyRFR8KVdDUHZag==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: '2024-10-17T17:09:16Z'
  mac: ENC[AES256_GCM,data:t1CyTgqyRIc2mBAb8DhYNDKXEUjL1Us8hbPLIMLrUQsWqspHEN1kDjUck4aRTYveyfsoMFk5exQD+owKXiOtLGMybBe3UhIeQu/Bwh1c7ZfqWmgy92Z0TrCpO9XWCEj8FfVDr954ryEsmtJQO+KrqHtj5KPlkkIs93KdSiKIInc=,iv:dC02lVAokp63qcxaOMMM+at9GMvYCfFaonqbA++Zook=,tag:mKEnTDscJ9Hi4kKxamw9vQ==,type:str]
  pgp: []
  unencrypted_regex: ^(apiVersion|metadata|kind|type)$
  version: 3.9.1

I have tried with current version of ksops (v4.3.2), I don't have any error but Secret does not contain ACCESS_KEY_ID and ACCESS_SECRET_KEY:

apiVersion: v1
kind: Secret
metadata:
  name: cloudnative-pg-s3
  namespace: default
  labels:
    app: frankenphp
    argocd.argoproj.io/instance: frankenphp
  annotations:
    argocd.argoproj.io/sync-wave: '0'
type: Opaque

@albundy83
Copy link

Is it something that could be merged ?
I could create another PR to improve README.md if you want

@albundy83
Copy link

@devstein is it something that could be merged ?

@devstein
Copy link
Collaborator

Hi @albundy83 I'll take a look this weekend. Yes feel free to create a separate PR, thanks.

@JoelDimbernat doesn't appear to be active

@albundy83
Copy link

I have tried again but now, all I have is is this error:

one or more objects failed to apply, reason: Secret "cloudnative-pg-s3" is invalid: [data[ENC[AES256_GCM,data:F/E2wQFSCeUxE+KGBxVoZQUCDb36dtsDTznrCptcXAHVwB1c642TKfOuxlT85lsMZys]: Invalid value: "ENC[AES256_GCM,data:F/E2wQFSCeUxE+KGBxVoZQUCDb36dtsDTznrCptcXAHVwB1c642TKfOuxlT85lsMZys": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+'), data[ENC[AES256_GCM,data:vcDxFMp1VzRnM2B+/jVnL5Y+nycVU9c68Jcp9M6b2JOQ,iv:vykYhvnw+u5950S8AxFSn48BSH0RLtbrFSRs4gpyOSQ]: Invalid value: "ENC[AES256_GCM,data:vcDxFMp1VzRnM2B+/jVnL5Y+nycVU9c68Jcp9M6b2JOQ,iv:vykYhvnw+u5950S8AxFSn48BSH0RLtbrFSRs4gpyOSQ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')]

I don't understand how I achieve to make it works once ... :(

@albundy83
Copy link

I think the code can't work like this as others functions are decrypting from file and not directly from the current file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devstein devstein devstein left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@JoelDimbernat JoelDimbernat

Labels
kind:enhancement New feature or request size:M This PR changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow secret generation from literals (currently silently ignored)
4 participants
@JoelDimbernat @devstein @reneleonhardt @albundy83