
Commit 3adfad4

committed
Do not attempt to "decrypt: disabled" objects
1 parent a8c7cc1 commit 3adfad4


3 files changed

+7
-0
lines changed


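--- a/internal/controller/kustomization_controller.go
+++ b/internal/controller/kustomization_controller.go
@@ -827,6 +827,7 @@ func (r *KustomizationReconciler) apply(ctx context.Context,
 applyOpts.Force = obj.Spec.Force
 applyOpts.ExclusionSelector = map[string]string{
 fmt.Sprintf("%s/reconcile", kustomizev1.GroupVersion.Group): kustomizev1.DisabledValue,
+fmt.Sprintf("%s/decrypt", kustomizev1.GroupVersion.Group): kustomizev1.DisabledValue,
 fmt.Sprintf("%s/ssa", kustomizev1.GroupVersion.Group): kustomizev1.IgnoreValue,
 }
 applyOpts.IfNotPresentSelector = map[string]string{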
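Review bot: The annotation key `fmt.Sprintf("%s/decrypt", kustomizev1.GroupVersion.Group)` added to ExclusionSelector is assembled by hand here and again in IsEncryptedSecret in internal/decryptor/decryptor.go, so the apply-time exclusion and the decryption skip can drift apart without any compiler help. If the kustomizev1 package does not already expose a named key for it, a constant next to DisabledValue (e.g. a `DecryptAnnotation`-style name, to be chosen by the maintainers) used at both sites would keep the two behaviours in lock-step. The enclosing apply method starts and ends outside the hunk.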

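--- a/internal/decryptor/decryptor.go
+++ b/internal/decryptor/decryptor.go
@@ -190,6 +190,10 @@ func New(client client.Client, kustomization *kustomizev1.Kustomization, opts ..
 // IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted
 // with Mozilla SOPS.
 func IsEncryptedSecret(object *unstructured.Unstructured) bool {
+annotations := object.GetAnnotations()
+if annotations != nil && annotations[fmt.Sprintf("%s/decrypt", kustomizev1.GroupVersion.Group)] == kustomizev1.DisabledValue {
+return false
+}
 if object.GetKind() == "Secret" && object.GetAPIVersion() == "v1" {
 if _, found, _ := unstructured.NestedFieldNoCopy(object.Object, "sops"); found {
 return true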
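Review bot: The doc comment on IsEncryptedSecret is now inaccurate: a Secret that does carry a sops field but is annotated `kustomize.toolkit.fluxcd.io/decrypt: disabled` returns false, which a caller reading "checks if the given object is ... encrypted" will not expect, and the added lines carry no comment explaining the early return. Suggest extending the doc comment with `// Objects annotated with kustomize.toolkit.fluxcd.io/decrypt: disabled are reported as` / `// not encrypted so that the decryptor leaves them untouched.` The `annotations != nil` guard is redundant since indexing a nil map yields the zero value, so `if object.GetAnnotations()[fmt.Sprintf("%s/decrypt", kustomizev1.GroupVersion.Group)] == kustomizev1.DisabledValue {` is enough. The rest of the function body lies outside the hunk.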

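--- a/internal/decryptor/decryptor_test.go
+++ b/internal/decryptor/decryptor_test.go
@@ -58,6 +58,8 @@ func TestIsEncryptedSecret(t *testing.T) {
 want gt.GomegaMatcher
 }{
 {name: "encrypted secret", object: []byte("apiVersion: v1\nkind: Secret\nsops: true\n"), want: BeTrue()},
+{name: "decryption disabled secret", object: []byte("apiVersion: v1\nkind: Secret\nmetadata:\n annotations:\n kustomize.toolkit.fluxcd.io/decrypt: disabled\nsops: true\n"), want: BeFalse()},
+{name: "decryption enabled secret", object: []byte("apiVersion: v1\nkind: Secret\nmetadata:\n annotations:\n kustomize.toolkit.fluxcd.io/decrypt: enabled\nsops: true\n"), want: BeTrue()},
 {name: "decrypted secret", object: []byte("apiVersion: v1\nkind: Secret\n"), want: BeFalse()},
 {name: "other resource", object: []byte("apiVersion: v1\nkind: Deployment\n"), want: BeFalse()},
 }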
