@matheuscscp
Member

Closes: #1465

@matheuscscp matheuscscp force-pushed the global-secret-based-decryption branch 5 times, most recently from 32501c9 to 296f534 Compare July 6, 2025 16:21
Comment on lines +221 to +225
// We handle the SOPS age global decryption separately, as most of the other
// decryption providers already support global decryption in other ways, and
// we don't want to introduce duplicate methods of achieving the same.
// Furthermore, allowing e.g. cloud provider credentials to be fetched
// from this global secret would prevent workload identity from working.
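Review bot: the comment at +221 to +225 says the other decryption providers "already support global decryption in other ways" without naming those ways, so a reader cannot check the claim from the code; consider naming the mechanism or pointing to the docs. The phrase "duplicate methods of achieving the same" also trails off and would read better as "the same result".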
Member Author

Emphasis on this comment. I considered making the controller flag more generic and cover the other SOPS decryption providers, but that's not a good idea after all.

@matheuscscp matheuscscp force-pushed the global-secret-based-decryption branch from 296f534 to 30275f2 Compare July 6, 2025 18:24
@matheuscscp matheuscscp marked this pull request as ready for review July 6, 2025 18:37
@matheuscscp matheuscscp requested a review from stefanprodan July 6, 2025 18:37
Member

@stefanprodan stefanprodan left a comment

LGTM

Thanks @matheuscscp, please also add the flag to the docs website.

@stefanprodan stefanprodan added the enhancement (New feature or request) and area/sops (SOPS related issues and pull requests) labels Jul 7, 2025
@matheuscscp matheuscscp merged commit 5703d47 into main Jul 7, 2025
7 checks passed
@matheuscscp matheuscscp deleted the global-secret-based-decryption branch July 7, 2025 10:25
@matheuscscp
Member Author

Website PR here: fluxcd/website#2287

Development

Successfully merging this pull request may close these issues.

Controller-level decryption for Age Keys

3 participants