This PR will add a `--decrypt-secrets` flag to decrypt SOPS secrets in the diff command, so that changes can also be detected in values. Changes in metadata like replicator annotations, etc. are also detected, since decrypted secrets are compared in full and not only by keys. The output of the diff command is still sanitized by the `ssa` package, so the actual values are not shown. The build command is not affected and still masks secrets in the output.

It uses the key from `decryption.secretRef` of the Kustomization and depends on the `decrypt` package from kustomize-controller being exported (or maybe moved to the `pkg` repo?), so until then it won't compile.

I've tried it with age, gpg and hcvault keys/tokens. Currently the diff command will give an error if the `--decrypt-secrets` flag is used but a SOPS secret cannot be decrypted. This could be changed to still pass the encrypted secret, with the addition of another flag like `--strict-decrypt` to control the behavior.

There is a potential issue with GPG keys, since they are imported into a temporary directory on disk, and if the application is killed the key may remain there. I can think of two options to approach this. The first is to add a `HasGPG()` function that returns true if there is a GPG key in the SOPS secret; the application will then refuse to proceed with the `--decrypt-secrets` flag. Or add an option to filter out GPG keys in `decryptor.ImportKeys()` before calling `d.gnuPGHome.Import()`.

WDYT?
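The `HasGPG()` check and the "filter out GPG keys" option discussed above, as an added Go example that is not part of this PR, of kustomize-controller or of SOPS itself. It parses the `sops` metadata block of a SOPS-encrypted document and reports which master-key backends are present, so a caller can either refuse GPG-backed secrets or verify that dropping the PGP entries still leaves enough backends to decrypt. It goes beyond the PR text in one respect: it also handles the Shamir `key_groups` layout, where removing PGP from one group can push the remaining groups below `shamir_threshold`. The function names, the JSON (rather than YAML) input format, and the sample documents (constructed, with placeholder ciphertext and fingerprints) are assumptions of this example, not the decryptor's real types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// keyGroup mirrors the per-backend master-key lists SOPS writes into its
// metadata. Only presence matters here, so entries are kept as raw JSON.
type keyGroup struct {
	PGP     []json.RawMessage `json:"pgp"`
	Age     []json.RawMessage `json:"age"`
	HCVault []json.RawMessage `json:"hc_vault"`
	KMS     []json.RawMessage `json:"kms"`
	GCPKMS  []json.RawMessage `json:"gcp_kms"`
	AzureKV []json.RawMessage `json:"azure_kv"`
}

// nonPGP counts master keys in the group that need no GnuPG keyring on disk.
func (g keyGroup) nonPGP() int {
	return len(g.Age) + len(g.HCVault) + len(g.KMS) + len(g.GCPKMS) + len(g.AzureKV)
}

// sopsMetadata is the "sops" block: a flat key group for the common case, plus
// optional Shamir key_groups with the threshold of groups that must decrypt.
type sopsMetadata struct {
	keyGroup
	KeyGroups       []keyGroup `json:"key_groups"`
	ShamirThreshold int        `json:"shamir_threshold"`
}

type sopsDocument struct {
	Sops *sopsMetadata `json:"sops"`
}

// parseSOPS returns the metadata block or an error if the document has none
// (a plain, unencrypted Secret would fall into this case).
func parseSOPS(doc []byte) (*sopsMetadata, error) {
	var d sopsDocument
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("parse sops document: %w", err)
	}
	if d.Sops == nil {
		return nil, fmt.Errorf("document has no sops metadata")
	}
	return d.Sops, nil
}

// HasGPG reports whether any master key, in the flat layout or in any Shamir
// key group, is a PGP key and would therefore require importing into a GnuPG home.
func HasGPG(doc []byte) (bool, error) {
	m, err := parseSOPS(doc)
	if err != nil {
		return false, err
	}
	if len(m.keyGroup.PGP) > 0 {
		return true, nil
	}
	for _, g := range m.KeyGroups {
		if len(g.PGP) > 0 {
			return true, nil
		}
	}
	return false, nil
}

// DecryptableWithoutGPG reports whether the data key can still be recovered
// after the PGP entries are filtered out. In the flat layout any single non-PGP
// master key suffices; in the Shamir layout at least shamir_threshold groups
// must each keep a non-PGP key, because every group contributes one share.
func DecryptableWithoutGPG(doc []byte) (bool, error) {
	m, err := parseSOPS(doc)
	if err != nil {
		return false, err
	}
	if len(m.KeyGroups) == 0 {
		return m.keyGroup.nonPGP() > 0, nil
	}
	usable := 0
	for _, g := range m.KeyGroups {
		if g.nonPGP() > 0 {
			usable++
		}
	}
	threshold := m.ShamirThreshold
	if threshold <= 0 { // assumption: no threshold recorded means all groups are required
		threshold = len(m.KeyGroups)
	}
	return usable >= threshold, nil
}

// Constructed sample documents in SOPS JSON layout; ciphertext, recipients and
// fingerprints are placeholders, not real key material.
const (
	AgeOnly   = `{"data":"ENC[AES256_GCM,data:...,type:str]","sops":{"kms":null,"gcp_kms":null,"azure_kv":null,"hc_vault":null,"age":[{"recipient":"age1example","enc":"..."}],"pgp":null,"mac":"ENC[...]","version":"3.7.3"}}`
	PGPOnly   = `{"data":"ENC[AES256_GCM,data:...,type:str]","sops":{"age":null,"pgp":[{"fp":"0000000000000000000000000000000000000000","enc":"..."}],"mac":"ENC[...]","version":"3.7.3"}}`
	PGPAndAge = `{"data":"ENC[AES256_GCM,data:...,type:str]","sops":{"age":[{"recipient":"age1example","enc":"..."}],"pgp":[{"fp":"0000000000000000000000000000000000000000","enc":"..."}],"mac":"ENC[...]","version":"3.7.3"}}`
	ShamirPGP = `{"data":"ENC[AES256_GCM,data:...,type:str]","sops":{"shamir_threshold":2,"key_groups":[{"pgp":[{"fp":"0000000000000000000000000000000000000000","enc":"..."}]},{"hc_vault":[{"vault_address":"https://vault.example:8200","engine_path":"sops","key_name":"diff","enc":"..."}]}],"mac":"ENC[...]","version":"3.7.3"}}`
)

func main() {
	for name, doc := range map[string]string{"age-only": AgeOnly, "pgp-only": PGPOnly, "pgp+age": PGPAndAge, "shamir": ShamirPGP} {
		gpg, _ := HasGPG([]byte(doc))
		ok, _ := DecryptableWithoutGPG([]byte(doc))
		fmt.Printf("%-9s hasGPG=%-5v decryptableWithoutGPG=%v\n", name, gpg, ok)
	}
}
```

The Shamir case is why the filtering option needs more than "is there a non-PGP key somewhere": in the constructed `ShamirPGP` document one group is PGP-only and the other is Vault-only with a threshold of 2, so dropping PGP leaves a document that `HasGPG` flags and `DecryptableWithoutGPG` correctly rejects, whereas the flat `PGPAndAge` document can be decrypted with the age key alone.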