63 changes: 63 additions & 0 deletions docs/spec/v1/kustomizations.md
@@ -1649,6 +1649,69 @@ secretGenerator:
- .dockerconfigjson=ghcr.dockerconfigjson.encrypted
```

### SOPS Encrypted Kustomize patches

SOPS-encrypted data can be stored as [Kustomize `patches`](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) as long as they're in separate files, not inlined in `kustomization.yaml`. The kustomize-controller decrypts these before executing kustomization pipeline, allowing for adding secret data to resources or merging Secrets. For example:

```yaml
# patch1.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret
stringData:
secretConfig: "my-secret-configuration"
```

```yaml
# patch2.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret
stringData:
secretToken: "my-secret-token"
```

```yaml
# base.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret
stringData:
publicConifg: "my-public-config"
```

Member: I don't think Flux docs should tell users to leave Secrets in plain text in the repo. I think the base Secret should contain no keys.

Author: Does that apply to the "Kustomize secretGenerator" chapter as well?

Member: Do we tell people to leave secrets in plain text in that chapter?

Author: Sorry, I put the comment in the wrong place... My question was directed at this comment.

A better place for this documentation is here: https://fluxcd.io/flux/guides/mozilla-sops/
@nagygergo please copy the section from this PR into https://github.com/fluxcd/website/edit/main/content/en/flux/guides/mozilla-sops.md

```yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- base.yaml
patches:
- path: patch1.yaml
- path: patch2.yaml
```

```sh
sops -e --input-type=yaml patch1.yaml
sops -e --input-type=yaml patch2.yaml
```

After kustomize-controller does the reconciliation of `kustomization.yaml`, the following secret will be generated in the cluster:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: secret
stringData:
publicConifg: "my-public-config"
secretToken: "my-secret-token"
secretConfig: "my-secret-configuration"
```

### Post build substitution of numbers and booleans

When using [variable substitution](#post-build-variable-substitution) with values
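Review bot: The `sops -e --input-type=yaml patch1.yaml` and `patch2.yaml` commands near the end of the hunk print the ciphertext to stdout and leave the plaintext files untouched, so a reader who runs them verbatim and then commits ends up with `patch1.yaml` and `patch2.yaml` in the repository unencrypted, which is exactly what this section is meant to prevent; use `sops -e -i patch1.yaml` (`--in-place`) or redirect the output to the file that `kustomization.yaml` references under `patches:`. Two smaller points in the same hunk: `publicConifg` in `base.yaml` and again in the merged Secret at the end is a typo for `publicConfig`, and "before executing kustomization pipeline" should read "before executing the kustomization pipeline". Given the reviewer comment on `base.yaml`, it would also be cleaner for the base Secret to carry no `stringData` at all, so the only Secret values in the repository are the SOPS-encrypted patches.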