Add support to not decrypt encrypted objects

danhubern · danhubern · commit b32007d8ec6d · 2025-11-13T13:25:28.000+01:00
diff --git a/internal/controller/kustomization_controller.go b/internal/controller/kustomization_controller.go
@@ -890,7 +890,7 @@ func (r *KustomizationReconciler) apply(ctx context.Context,
 	}
 
 	for _, u := range objects {
-		if decryptor.IsEncryptedSecret(u) {
+		if decryptor.IsEncryptedSecret(u) && !decryptor.IsDecryptionDisabled(u.GetAnnotations()) {
 			return false, nil,
 				fmt.Errorf("%s is SOPS encrypted, configuring decryption is required for this secret to be reconciled",
 					ssautil.FmtUnstructured(u))
diff --git a/internal/decryptor/decryptor.go b/internal/decryptor/decryptor.go
@@ -187,6 +187,14 @@ func New(client client.Client, kustomization *kustomizev1.Kustomization, opts ..
 	return d, cleanup, nil
 }
 
+// IsDecryptionDisabled checks if the given object has the decrypt: disabled annotation set
+func IsDecryptionDisabled(annotations map[string]string) bool {
+	if annotations != nil && annotations[fmt.Sprintf("%s/decrypt", kustomizev1.GroupVersion.Group)] == kustomizev1.DisabledValue {
+		return true
+	}
+	return false
+}
+
 // IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted
 // with Mozilla SOPS.
 func IsEncryptedSecret(object *unstructured.Unstructured) bool {
@@ -436,7 +444,10 @@ func (d *Decryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat
 // while decrypting with DecryptionProviderSOPS, to allow individual data entries
 // injected by e.g. a Kustomize secret generator to be decrypted
 func (d *Decryptor) DecryptResource(res *resource.Resource) (*resource.Resource, error) {
-	if res == nil || d.kustomization.Spec.Decryption == nil || d.kustomization.Spec.Decryption.Provider == "" {
+	if res == nil ||
+		d.kustomization.Spec.Decryption == nil ||
+		d.kustomization.Spec.Decryption.Provider == "" ||
+		IsDecryptionDisabled(res.GetAnnotations()) {
 		return nil, nil
 	}
 
diff --git a/internal/decryptor/decryptor_test.go b/internal/decryptor/decryptor_test.go
@@ -632,8 +632,18 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 		g.Expect(secret.UnmarshalJSON(encData)).To(Succeed())
 		g.Expect(isSOPSEncryptedResource(secret)).To(BeTrue())
 
+		secret.SetAnnotations(map[string]string{
+			"kustomize.toolkit.fluxcd.io/decrypt": "disabled",
+		})
+
 		got, err := d.DecryptResource(secret)
 		g.Expect(err).ToNot(HaveOccurred())
+		g.Expect(got).To(BeNil())
+
+		secret.SetAnnotations(map[string]string{})
+
+		got, err = d.DecryptResource(secret)
+		g.Expect(err).ToNot(HaveOccurred())
 		g.Expect(got).ToNot(BeNil())
 		g.Expect(got.MarshalJSON()).To(Equal(secretData))
 	})

Original file line number	Diff line number	Diff line change
`@@ -890,7 +890,7 @@ func (r *KustomizationReconciler) apply(ctx context.Context,`
`890`	`890`	`}`
`891`	`891`
`892`	`892`	`for _, u := range objects {`
`893`		`- if decryptor.IsEncryptedSecret(u) {`
	`893`	`+ if decryptor.IsEncryptedSecret(u) && !decryptor.IsDecryptionDisabled(u.GetAnnotations()) {`
`894`	`894`	`return false, nil,`
`895`	`895`	`fmt.Errorf("%s is SOPS encrypted, configuring decryption is required for this secret to be reconciled",`
`896`	`896`	`ssautil.FmtUnstructured(u))`