Global configuration of SOPS Age key

[LittleFox94]

Hi,

we are using SOPS to encrypt our secrets for various people who are allowed to see them and a single key per target environment. With this usage, it's a bit tedious to add this snippet to every single flux kustomization:

spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-key

The kustomize-controller already knows when something is encrypted with SOPS (

kustomize-controller/controllers/kustomization_controller.go

Lines 726 to 730 in e383818

	if IsEncryptedSecret(u) {
	return false, nil,
	fmt.Errorf("%s is SOPS encrypted, configuring decryption is required for this secret to be reconciled",
	ssa.FmtUnstructured(u))
	}

), practically eliminating the need for .spec.decryption.provider. If the kustomize-controller could add keys from a configured file (perhaps even using the environment variable SOPS_AGE_KEY_FILE), configuring this on every kustomization wouldn't be needed anymore.

All this could be added on top of the current API, so no breaking change and specifying another decryption provider or an additional key source would still be possible.

Thanks for making Flux :)

[stefanprodan]

In the cluster dir where all the Flux Kustomization are, you can write a patch that adds decryption to all Flux Kustomization that have a common label. This is how it can be done, using a patch in clusters/my-cluster/kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - flux-system # this must be included otherwise Flux will delete itself
  - flux-kustomization-app1.yaml
  - flux-kustomization-app2.yaml
patches:
  - patch: |
        apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
        kind: Kustomization
        metadata:
          name: all
        spec: 
          decryption:
            provider: sops
            secretRef:
              name: sops-key
    target:
      kind: Kustomization
      labelSelector: app.kubernetes.io/sops=enabled

[LittleFox94]

Oh, interesting, thank you, we will test this :)

[LittleFox94]

Somehow I never replied to this, sorry!

This works fine for us, many thanks :)

[michaeljfazio]

I think there is still a valuable use case for being able to load keys such as sop agekey directly on the controller pod in a multi-tenant environment with namespace isolation. This would allow a cluster administrator to configure sop private key in a infrastructure namespace where the controller is deployed to allow cluster-wide decryption with a single key whilst not needing to expose it to tenant namespaces directly using secrets replication mechanisms. Thus, tenants can simply encrypt using a single global public key whilst not compromising the security of the private key and avoiding the need to configure sops decryption on each kustomize instance with patches and without needing to manage service account impersonation. Not sure if this is already possible with a well crafted volume mount on the controller already @stefanprodan ?

[ondrejkolin]

Just a small reminder (for internet travelers), that patches are not "inherited" and don't propagate (#1000) on nested resources (kustomizations in this case) Which I think make the workaround not fully working

In the cluster dir where all the Flux Kustomization are, you can write a patch that adds decryption to all Flux Kustomization that have a common label. This is how it can be done, using a patch in clusters/my-cluster/kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:

• flux-system # this must be included otherwise Flux will delete itself
• flux-kustomization-app1.yaml
• flux-kustomization-app2.yaml
  patches:
• patch: |
  apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
  kind: Kustomization
  metadata:
  name: all
  spec:
  decryption:
  provider: sops
  secretRef:
  name: sops-key
  target:
  kind: Kustomization
  labelSelector: app.kubernetes.io/sops=enabled

[stefanprodan]

For future internet travellers 😄 Age decryption can be enabled at controller level starting with Flux 2.7 (schedule for release in Q3 2025).

• Controller-level decryption for Age Keys #1465
• Introduce SOPS Age secret flag for kustomize-controller website#2287

[ondrejkolin]

I am always late to a party! Thanks Stefan for another great feature! 😆

[onedr0p]

@stefanprodan this PR can be closed #918