isindir / sops-secrets-operator
Kubernetes SOPS secrets operator
License: Mozilla Public License 2.0
If I remove a data key from a secret template, the key does not seem to be removed from an already existing secret.
SopsSecret with a template with 2 keys:
secretTemplates:
- name: example
  data:
    foo: bar
    bif: baz
Remove bif: baz from SopsSecret.
Data keys removed from SopsSecret are also removed from generated Secrets.
Hello,
Loving this operator, works great on our clusters.
I was just having some trouble creating a secret to mount our samba/cifs shared network drive.
It requires a secret with type "fstab/cifs".
Unfortunately the operator only seems to allow the standard k8s types.
Not sure if it is best-practice to do things this way, but I did find this on the k8s docs:
You can define and use your own Secret type by assigning a non-empty string as the type value for a Secret object (an empty string is treated as an Opaque type).
Kubernetes doesn't impose any constraints on the type name. However, if you are using one of the built-in types, you must meet all the requirements defined for that type.
Anyway, I played around with some changes locally and I think I made the necessary changes to make it work for me.
I added some tests to validate, but I am by no means an experienced Go developer.
I'll try to PR/fork my changes so you can have a look at them.
Let me know if you have any questions / I can do anything else.
Thanks for the great work!
Hi there!
I tried to go to https://isindir.github.io/sops-secrets-operator but I've found a 404 file not found:
Might be related to today's release. JFYI
Maybe I didn't wait long enough, but when the secret already exists it seemed to stop attempting to manage it. I manually deleted the secret to let it take control/recreate but it seemed to be done messing with it.
Did I just not wait long enough or should the controller be updated to keep trying over time?
Following instructions from readme:
helm upgrade --install sops chart/helm3/sops-secrets-operator/ -n sops -f sops-values.yaml --debug
history.go:56: [debug] getting history for release sops
Release "sops" does not exist. Installing it now.
install.go:178: [debug] Original chart version: ""
Error: repo chart not found
helm.go:84: [debug] repo chart not found
Using explicit version:
helm upgrade --install sops chart/helm3/sops-secrets-operator -n sops -f sops-values.yaml --debug --version 0.12.1
history.go:56: [debug] getting history for release sops
Release "sops" does not exist. Installing it now.
install.go:178: [debug] Original chart version: "0.12.1"
Error: repo chart not found
helm.go:84: [debug] repo chart not found
When applying the latest version of the helm chart (0.8.2) with the option securityContext.enabled: true
the generated configuration is not valid when applied with kubectl:
error validating data: ValidationError(Deployment.spec.template.spec.securityContext): unknown field "allowPrivilegeEscalation" in io.k8s.api.core.v1.PodSecurityContext
#67 introduced a new field to the security context, allowPrivilegeEscalation, on the pod securityContext - however I think this option is only valid on the container security context scope. See
Hi!
We are observing a high volume of Decrypt messages sent from the Sops operator to KMS in Kubernetes EKS 1.25, which shows up in the Sops operator debug logs as below:
{"level":"info","ts":"2023-06-21T18:21:03Z","logger":"controllers.SopsSecret","msg":"Secret successfully refreshed","secret":"x","namespace":"x"}
Looking in the code, what triggers it is the difference in secret objects:
We are on the latest release of Sops-operator, v0.9.0, as well.
Looking for any guidance or config changes that would help, thank you!
Hi,
I'm getting the error below whilst reconciling a secret encrypted with AWS KMS on AWS EKS.
2020-08-21T10:09:30.712905125Z 2020-08-21T10:09:30.712Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": ":8080"}
2020-08-21T10:09:30.712994983Z 2020-08-21T10:09:30.712Z INFO setup starting manager
2020-08-21T10:09:30.713190740Z I0821 10:09:30.713121 1 leaderelection.go:242] attempting to acquire leader lease sops/ca57d051.github.com...
2020-08-21T10:09:30.713254686Z 2020-08-21T10:09:30.713Z INFO controller-runtime.manager starting metrics server {"path": "/metrics"}
2020-08-21T10:09:48.125626592Z I0821 10:09:48.125521 1 leaderelection.go:252] successfully acquired lease sops/ca57d051.github.com
2020-08-21T10:09:48.126085058Z 2020-08-21T10:09:48.125Z DEBUG controller-runtime.manager.events Normal {"object": {"kind":"ConfigMap","namespace":"sops","name":"ca57d051.github.com","uid":"561311e1-bca5-4ac7-bc98-ab430cd2ae6b","apiVersion":"v1","resourceVersion":"2399122"}, "reason": "LeaderElection", "message": "sops-secrets-operator-749d9cf67f-bxd2w_b0ba75d6-3cd6-4a3a-b774-70a78d21cacf became leader"}
2020-08-21T10:09:48.126385282Z 2020-08-21T10:09:48.126Z INFO controller-runtime.controller Starting EventSource {"controller": "sopssecret", "source": "kind source: /, Kind="}
2020-08-21T10:09:48.226947151Z 2020-08-21T10:09:48.226Z INFO controller-runtime.controller Starting Controller {"controller": "sopssecret"}
2020-08-21T10:09:48.226979105Z 2020-08-21T10:09:48.226Z INFO controller-runtime.controller Starting workers {"controller": "sopssecret", "worker count": 1}
2020-08-21T10:09:48.227042857Z 2020-08-21T10:09:48.226Z INFO controllers.SopsSecret Reconciling SopsSecret
2020-08-21T10:09:48.227915583Z 2020-08-21T10:09:48.227Z INFO controllers.SopsSecret Failed to Decrypt encrypted sops secret instance.
2020-08-21T10:09:48.227931973Z 2020-08-21T10:09:48.227Z INFO controllers.SopsSecret Decryption error.
2020-08-21T10:09:48.227999845Z 2020-08-21T10:09:48.227Z ERROR controller-runtime.controller Reconciler error {"controller": "sopssecret", "request": "sops/example-sopssecret", "error": "Error getting data key: 0 successful groups required, got 0"}
My kubernetes configuration is:
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: sops
  name: sops
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.5
  name: sopssecrets.isindir.github.com
spec:
  additionalPrinterColumns:
  - JSONPath: .status.msg
    name: Status
    type: string
  group: isindir.github.com
  names:
    kind: SopsSecret
    listKind: SopsSecretList
    plural: sopssecrets
    shortNames:
    - sops
    singular: sopssecret
  scope: Namespaced
  subresources: {}
  validation:
    openAPIV3Schema:
      description: SopsSecret is the Schema for the sopssecrets API
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        sops:
          description: SopsMetadata defines the encryption details
          properties:
            azure_kv:
              description: AzureKms configuration
              items:
                description: AzureKmsItem defines Azure Keyvault Key specific encryption details
                properties:
                  created_at:
                    type: string
                  enc:
                    type: string
                  name:
                    type: string
                  vault_url:
                    type: string
                  version:
                    type: string
                type: object
              type: array
            encrypted_suffix:
              description: EncryptedSuffix - sops setting
              type: string
            gcp_kms:
              description: GcpKms configuration
              items:
                description: GcpKmsDataItem defines GCP KMS Key specific encryption details
                properties:
                  created_at:
                    type: string
                  enc:
                    type: string
                  resource_id:
                    type: string
                type: object
              type: array
            kms:
              description: AwsKms configuration
              items:
                description: KmsDataItem defines AWS KMS specific encryption details
                properties:
                  arn:
                    description: Arn - KMS key ARN to use
                    type: string
                  aws_profile:
                    type: string
                  created_at:
                    type: string
                  enc:
                    type: string
                type: object
              type: array
            lastmodified:
              description: LastModified - sops setting
              type: string
            mac:
              description: Mac - sops setting
              type: string
            pgp:
              description: Pgp configuration
              items:
                description: PgpDataItem defines PGP specific encryption details
                properties:
                  created_at:
                    type: string
                  enc:
                    type: string
                  fp:
                    description: FingerPrint - PGP FingerPrint to encrypt for
                    type: string
                type: object
              type: array
            version:
              description: Version - sops setting
              type: string
          type: object
        spec:
          description: SopsSecretSpec defines the desired state of SopsSecret
          properties:
            secretTemplates:
              description: SecretsTemplate is a list of secret templates to create Kubernetes Secrets
              items:
                description: SopsSecretTemplate defines the map of secrets to create
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    type: object
                  data:
                    additionalProperties:
                      type: string
                    description: Data is data map to use in Kubernetes secret
                    type: object
                  labels:
                    additionalProperties:
                      type: string
                    description: Labels to apply to Kubernetes secret
                    type: object
                  name:
                    description: Name is a name of the Kubernetes secret to create
                    type: string
                  type:
                    description: Kubernetes secret type
                    type: string
                required:
                - data
                - name
                type: object
              minItems: 1
              type: array
          required:
          - secretTemplates
          type: object
        status:
          description: SopsSecretStatus defines the observed state of SopsSecret
          properties:
            msg:
              description: Message - SopsSecret status message
              type: string
          type: object
      type: object
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
status:
  acceptedNames:
    kind: ''
    plural: ''
  conditions: []
  storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    name: sops-secrets-operator
  name: sops-secrets-operator
  namespace: sops
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sops-secrets-operator
  labels:
    name: sops-secrets-operator
rules:
- apiGroups:
  - ''
  resources:
  - pods
  - services
  - services/finalizers
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
- apiGroups:
  - apps
  resourceNames:
  - sops-secrets-operator
  resources:
  - deployments/finalizers
  verbs:
  - update
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - get
- apiGroups:
  - isindir.github.com
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sops-secrets-operator
  labels:
    name: sops-secrets-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sops-secrets-operator
subjects:
- kind: ServiceAccount
  name: sops-secrets-operator
  namespace: sops
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sops-secrets-operator
  namespace: sops
  labels:
    name: sops-secrets-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: sops-secrets-operator
  template:
    metadata:
      labels:
        name: sops-secrets-operator
    spec:
      serviceAccountName: sops-secrets-operator
      containers:
      - name: sops-secrets-operator
        image: 'isindir/sops-secrets-operator:0.1.0'
        imagePullPolicy: Always
        command:
        - /usr/local/bin/manager
        args:
        #- "--metrics-addr=127.0.0.1:8080"
        - '--enable-leader-election'
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
To give permissions to AWS EKS to be able to decrypt the secret I have created the policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:<awsRegion>:<organsiationId>:key/<kmsKeyId>"
    }
  ]
}
And given kubernetes permission by doing the following
eksctl utils associate-iam-oidc-provider --cluster=<clusterName>
eksctl create iamserviceaccount --cluster=<clusterName> --name=sops-secrets-operator --namespace=sops --attach-policy-arn=arn:aws:iam::<organsiationId>:policy/<policyName>
Doing some testing I have managed to get it to decrypt the secret by updating the Docker image to include the "ca-certificates" package and removing the "nonroot" user and group and running the container as "root". The Dockerfile that is working for me is below.
# Build the manager binary
FROM golang:1.14.7 as builder
WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download
# Copy the go source
COPY main.go main.go
COPY api/ api/
COPY controllers/ controllers/
# Build
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
# Use debian as the base image to package the manager binary
# (distroless replaced here so that gnupg2 and ca-certificates can be installed)
FROM debian:buster
RUN apt-get -y update \
&& apt-get -y upgrade \
&& apt-get -y install --no-install-recommends gnupg2 ca-certificates \
&& apt-get clean && rm -rf /var/lib/apt/lists/*
WORKDIR /usr/local/bin
COPY --from=builder /workspace/manager .
ENTRYPOINT ["/usr/local/bin/manager"]
Hi,
Just wondering if you can help advise how I may be able to deploy 'SopsSecret' kind resource from other projects / helm charts.
In helm I get:
Error: unable to build kubernetes objects from release manifest: unable to recognize "": no matches for kind "SopsSecret" in version "isindir.github.com/v1alpha2"
helm.go:81: [debug] unable to recognize "": no matches for kind "SopsSecret" in version "isindir.github.com/v1alpha2"
I was hoping I can just bootstrap the clusters and then use helm to package up secrets per project.
Maybe I'm going about this the wrong way, could you help advise?
Many Thanks
Hi,
I am constantly seeing this error msg (sops data mismatch) when running kubectl logs on the operator container:
2020-12-09T02:25:56.930Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": ":8080"}
2020-12-09T02:25:56.932Z INFO setup starting manager
I1209 02:25:56.932320 1 leaderelection.go:242] attempting to acquire leader lease flux-system/ca57d051.github.com...
2020-12-09T02:25:56.932Z INFO controller-runtime.manager starting metrics server {"path": "/metrics"}
I1209 02:26:14.346076 1 leaderelection.go:252] successfully acquired lease flux-system/ca57d051.github.com
2020-12-09T02:26:14.346Z DEBUG controller-runtime.manager.events Normal {"object": {"kind":"ConfigMap","namespace":"flux-system","name":"ca57d051.github.com","uid":"24602b8e-8562-41d1-bdfe-4997b7d7b173","apiVersion":"v1","resourceVersion":"7050842"}, "reason": "LeaderElection", "message": "flux-system-sops-operator-sops-secrets-operator-66b5fbf6b7q7gbf_4b8152bb-a517-4ddf-bb73-2b8b594be3f6 became leader"}
2020-12-09T02:26:14.346Z INFO controller-runtime.controller Starting EventSource {"controller": "sopssecret", "source": "kind source: /, Kind="}
E1209 02:26:14.347790 1 event.go:263] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"ca57d051.github.com.164eeb3f5a2aa04e", GenerateName:"", Namespace:"flux-system", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"ConfigMap", Namespace:"flux-system", Name:"ca57d051.github.com", UID:"24602b8e-8562-41d1-bdfe-4997b7d7b173", APIVersion:"v1", ResourceVersion:"7050842", FieldPath:""}, Reason:"LeaderElection", Message:"flux-system-sops-operator-sops-secrets-operator-66b5fbf6b7q7gbf_4b8152bb-a517-4ddf-bb73-2b8b594be3f6 became leader", Source:v1.EventSource{Component:"flux-system-sops-operator-sops-secrets-operator-66b5fbf6b7q7gbf_4b8152bb-a517-4ddf-bb73-2b8b594be3f6", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbfec2b5194a0644e, ext:17985204738, loc:(*time.Location)(0x2b482c0)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbfec2b5194a0644e, ext:17985204738, loc:(*time.Location)(0x2b482c0)}}, Count:1, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:flux-system:flux-system-sops-operator-sops-secrets-operator" cannot create resource "events" in API group "" in the namespace "flux-system"' (will not retry!)
2020-12-09T02:26:14.447Z INFO controller-runtime.controller Starting EventSource {"controller": "sopssecret", "source": "kind source: /, Kind="}
2020-12-09T02:26:14.547Z INFO controller-runtime.controller Starting Controller {"controller": "sopssecret"}
2020-12-09T02:26:14.547Z INFO controller-runtime.controller Starting workers {"controller": "sopssecret", "worker count": 1}
2020-12-09T02:26:14.547Z INFO controllers.SopsSecret Reconciling {"sopssecret": "flux-system/jfrog-sops-secret"}
2020-12-09T02:26:14.957Z INFO controllers.SopsSecret Failed to Decrypt encrypted sops secret instance {"sopssecret": "flux-system/jfrog-sops-secret", "error": "Error walking tree: Could not decrypt value: Input string SopsSecret does not match sops' data format"}
2020-12-09T02:26:14.970Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "sopssecret", "request": "flux-system/jfrog-sops-secret"}
2020-12-09T02:26:14.970Z INFO controllers.SopsSecret Reconciling {"sopssecret": "flux-system/jfrog-sops-secret"}
2020-12-09T02:26:14.993Z INFO controllers.SopsSecret Failed to Decrypt encrypted sops secret instance {"sopssecret": "flux-system/jfrog-sops-secret", "error": "Error walking tree: Could not decrypt value: Input string SopsSecret does not match sops' data format"}
2020-12-09T02:26:15.001Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "sopssecret", "request": "flux-system/jfrog-sops-secret"}
I have installed version 0.1.8 via the helm3 chart and configured the aws role (policy and all that) and passed a pod annotation and service account annotation to utilize it.
podAnnotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::acctnum:role/rolename
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::acctnum:role/rolename
securityContext:
  enabled: true
extraEnv: # passing this to see if it might be doing something
  - name: AWS_SDK_LOAD_CONFIG
    value: "1"
This is my raw SopsSecret file (actual values replaced with some dumb strings):
apiVersion: isindir.github.com/v1alpha2
kind: SopsSecret
metadata:
  name: sops-secret
  namespace: flux-system
spec:
  secretTemplates:
  - name: sops-secret
    data:
      artifactory_masterKey: key1
      artifactory_joinKey: key2
      database_url: some-db-url
      database_user: usernamerandom
      database_password: crazypw
I encrypt this file locally with the sops --encrypt command and kubectl apply -f outputfile.yaml to the cluster.
Then the operator gives me the above error msgs and kubectl get sops -A reports a decryption error.
However, when I decrypt outputfile.yaml locally, it decrypts just fine.
I am unsure what I misconfigured; any guidance would be helpful.
Thanks!
Currently if the sops-operator attempts to decrypt a secret encrypted via KMS when it does not have sufficient IAM privileges to assume the role required for decryption it will output a message like:
{"error": "Error getting data key: 0 successful groups required, got 0"}
This error comes from the error output by the sops GetDataKey method. When the same error is hit using the sops CLI, extra information is added by sops by using the UserError method. By performing a type assertion it should be possible to add the same additional information to help with debugging.
A minimal example would be to just re-use the UserError method (although this is optimized for CLI output, not structured logging).
key, err := tree.Metadata.GetDataKey()
if userErr, ok := err.(sops.UserError); ok {
    // pass the text via "%s": UserError() output is a message, not a format string
    err = fmt.Errorf("%s", userErr.UserError())
}
This produces an error message like:
{"error": "Failed to get the data key required to decrypt the SOPS file.\n\nGroup 0: FAILED\n arn:aws:kms:xxxxxxx FAILED\n - | Error decrypting key: WebIdentityErr: failed to retrieve\n | credentials\n | caused by: AccessDenied: Not authorized to perform\n | sts:AssumeRoleWithWebIdentity\n | \tstatus code: 403, request id:\n | bxxxxx \n\nRecovery failed because no master key was able to decrypt the file. In\norder for SOPS to recover the file, at least one key has to be successful,\nbut none were."}
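An added, self-contained Go example (not the operator's code) of the enrichment suggested above: it mirrors the sops UserError interface locally, uses errors.As so a wrapped sops error is still found, passes the text through "%s" rather than as a format string, and splits the CLI-oriented multi-line explanation into lines a structured logger can emit as fields. The sample error and its ARN are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// userError mirrors the UserError interface of the sops library: an error
// that also carries a human-readable explanation. It is declared locally
// (assumption) so this example runs without the sops module.
type userError interface {
	error
	UserError() string
}

// dataKeyError is a constructed stand-in for the error sops returns when no
// key group was able to decrypt the data key.
type dataKeyError struct {
	required, got int
	detail        string
}

func (e dataKeyError) Error() string {
	return fmt.Sprintf("Error getting data key: %d successful groups required, got %d", e.required, e.got)
}

func (e dataKeyError) UserError() string {
	return "Failed to get the data key required to decrypt the SOPS file.\n\n" + e.detail
}

// SampleDecryptError builds a constructed error shaped like the one in the
// operator log above, wrapped once the way a reconciler would wrap it.
func SampleDecryptError() error {
	inner := dataKeyError{
		required: 0,
		got:      0,
		detail: "Group 0: FAILED\n" +
			"  arn:aws:kms:eu-west-1:000000000000:key/example FAILED\n" + // placeholder ARN
			"  - | Error decrypting key: AccessDenied: Not authorized to perform\n" +
			"    | sts:AssumeRoleWithWebIdentity\n" +
			"    | \tstatus code: 403\n\n" +
			"Recovery failed because no master key was able to decrypt the file.",
	}
	return fmt.Errorf("reconcile sops/example-sopssecret: %w", inner)
}

// EnrichDecryptError replaces a bare sops error with its user-facing
// explanation when one is available. errors.As (instead of a direct type
// assertion) also finds a sops error that the caller wrapped with %w.
// "%s" guarantees a '%' in KMS output is never read as a format verb.
func EnrichDecryptError(err error) error {
	if err == nil {
		return nil
	}
	var ue userError
	if errors.As(err, &ue) {
		return fmt.Errorf("%s", ue.UserError())
	}
	return err
}

// DecryptErrorLines flattens the multi-line CLI explanation into a slice for
// a structured logger: blank lines are dropped and the "- | " / "| "
// continuation prefixes sops prints are stripped.
func DecryptErrorLines(err error) []string {
	var out []string
	for _, raw := range strings.Split(err.Error(), "\n") {
		line := strings.TrimSpace(raw)
		line = strings.TrimPrefix(line, "- ")
		line = strings.TrimPrefix(line, "|")
		line = strings.TrimSpace(line)
		if line != "" {
			out = append(out, line)
		}
	}
	return out
}

func main() {
	for _, l := range DecryptErrorLines(EnrichDecryptError(SampleDecryptError())) {
		fmt.Println(l)
	}
}
```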
Rename template secret field data and add stringData to match k8s secret.
The v1alpha2 version of SopsSecret uses the data field to map to stringData while creating the k8s Secret object. Create a new v1alpha3 and map SopsSecret:data to Secret:data and SopsSecret:stringData to Secret:stringData.
Add a check for all names being unique - fail reconciliation if that is not the case (do not reschedule reconsile loop, user must fix the secret).
Hello, good afternoon.
Is it possible to set a different Service Account for every KMS? Our client is multitenant.
Thank you for all.
Hi there, the README states that the enc field is not used/managed due to the way Kubernetes manages objects.
sops-secrets-operator is not using standard sops library decryption interface function, modified upstream function is used to decrypt data which ignores enc signature field in sops metadata. This is due to the fact that when Kubernetes resource is applied it is always mutated by Kubernetes, for example resource version is generated and added to the resource. But any mutation invalidates sops metadata enc field and standard decryption function fails.
Is this still the case? If so, can you please provide the link of the modified upstream function?
Is there an example of using the operator with vault transit engine ?
https://github.com/getsops/sops#encrypting-using-hashicorp-vault
What I tried:
sops-secrets-operator
- SopsSecret went into Decryption error status
What I expected to happen:
What actually happened:
I believe this is related to #42, from which I understand that this behavior may be intentional (in particular, because of the comment saying "don't fail controller as it will not help"). If this is the intended behavior, could you help me understand why the controller shouldn't try again if there are decryption errors?
Hello,
This is not really an issue but more question, I've been using sops-secrets-operator for some days and seems to fit pretty well my needs to decrypt sops secrets, however I can't seem to find a way to use it with kustomize, I've been looking on the source code and wondered if anyone has already successfully created a plugin to be use with kustomize, I looked in the issues and can't find anything related, I've tried to use other kustomize plugins for sops but still I get this error:
Error: loading generator plugins: expected file with Go object code at: /root/.config/kustomize/plugin/isindir.github.com/v1alpha3/sopssecret/SopsSecret.so
So any hints and help on this topic are greatly appreciated.
I run this operator (thanks, it's great!) as a fairly integral part of the over-arching process to manage a fleet of clusters covering various environments (dev/test/prod/etc). Most of the cluster creation is automated and the ongoing maintenance is automated by gitops (ArgoCD atm). Moving between CRD versions will be quite painful without a seamless experience (I do recognize it's currently an alpha version of the CRD so while it would be great to support this for the existing versions, it's more generally about the longer term play) for not only the cluster admins but also the various groups/users that install apps/etc to the clusters.
For example I have several teams deploying disperse apps (most of them via gitops as well) and trying to coordinate the upgrading of all their assets in git/etc will prove quite difficult.
Thanks!
The solution is generic, but the main reason I ran into for wanting/needing
it was the ability to make this work in EKS with IAM authentication.
Due to a bug somewhere in go-aws-sdk, one needs to set AWS_SDK_LOAD_CONFIG=1
to allow for the magical EKS/IAM authentication to work correctly.
Hi, I want to use this great SOPS operator, but we are a sysadmin team and every sysadmin has their own private key (and the public keys of all the team).
How can I add these private keys to this operator to allow SOPS to decrypt the secret?
Hello,
It would be nice to pass labels from SopsSecret to generated kubernetes secret.
Thx
Hi everybody,
As I notice, it takes about 4 minutes from deployment to real secret creation. Is it possible to reduce this time? In the logs I saw that sops-secrets-operator refreshes secret state once per 2 minutes; can I reduce this interval?
Example
Deployment time -
Sun 14 May 2023 03:31:31 PM UTC
Simple bash loop -
while true; do date; k get secrets; sleep 5; done
Sun 14 May 2023 03:31:43 PM UTC
No resources found in grafana namespace.
...
...
Sun 14 May 2023 03:33:23 PM UTC <-- 2 minutes after deployment
NAME TYPE DATA AGE
grafana-ini Opaque 0 0s <--Why zero secrets???
...
...
Sun 14 May 2023 03:35:24 PM UTC <-- 4 minutes after deployment
NAME TYPE DATA AGE
grafana-ini Opaque 1 2m1s <--secret is created! But after 4 minutes(
Hi !
I'm struggling with that one, all my secrets are maintained with SOPS operator, recently I had to integrate a binary file as a secret but I can't seem to make it work...
I can update in place the binary file but I can't integrate it in a template...
Anyone has a method to achieve that ?
Thanks !!
Document a safe procedure for upgrading the sops-secrets-operator api version from v1alpha1 to v1alpha3, for example, so that there is no downtime and secrets are not deleted. This will be quite general guidance, specifics will be up to the reader - the procedure was tested to migrate from 0.0.9 to 0.3.0 on a kind cluster using AWS credentials only.
Hello,
I'm using latest helm chart with helm3. GPG 2.2.25, k8s v1.19.2
Secrets has content like this:
secrets:
  CONFIG_KEY: ENC[AES256_GCM,data:koMdngiyIaa64omP487UzA==,iv:HA0vIok1wOUtG8Hz0wci88v3QzAH8ZrbqzrbPpnEnk4=,tag:zj/GZPo0DGQ6Em3mpbacwA==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  lastmodified: '2021-02-18T10:28:23Z'
  mac: ENC[AES256_GCM,data:QEMV3wOONStf9ExIPtx2OrI2iUPsusJERv4QIBMWNb7fCYF6Zr2D46bNYrYM4VsuKcCRbwuww9ldYA6Jfv/gREMyACOZtrgrZUuOgHDluSTauKaLaVS6Ob+H5F+zDk8IrW+qK7egEBPHLVW57xSgeSx8A39M5JVQgQKRj8EEeUA=,iv:UII+Yip2ablFrBLOhVUREeRJ823Pz3PO6PKfYs0hZ9g=,tag:A7iskK9Kny1aAjq19GD3mw==,type:str]
  pgp:
  - created_at: '2021-02-18T10:29:23Z'
    enc: |
      -----BEGIN PGP MESSAGE-----
      hQGMA7HheIU4ngyFAQv/QB6Prajc/h7Y/uMtnR+WkiGbb0ajVNoC63s85trhevwt
      +OqZiXF8Mh+2Z+V1Nh9GXF67VF8UtT/IxWkzhhPg7NVP56+Vi0ax8W7hdYssvVyX
      cnDX25iglbeGvpZle6nBRLbrW+dBmkJ+huM/e17uv3twMZr+4HD0bU0ge3EKAMiD
      i0HMW/1rWIvNFS1Iem2oy5j33+gKicnnUpLcuHsOMn3+lFrxw1pP06PQWjd8Ndnj
      gqy96WQabQMHrhelJYHlIxglY7P3MStWShY9vHuwjXAyF35RtHSw9CiF9sG2vmS9
      r4cLSCaAZMvTmLXfTOcIuwceuvpj7V11fd0Efo3PEoOy1U+ZRVdAOK00rb2XcpAn
      RIDTUuFZTAKs/aAK8Cg1NILBjL1HuspULQpB/gYpzXre06fnIhcS6v4m2sJcdQw5
      6vszC080ecgPVl5TRFsebblFySwfUPob1Ml2wB+DpHivzGXsyzHtu47W+iHFmGdq
      HdWdzKvMi29feIM/j8c80l4BXx0rN11dlBT6yH3u3LCVZbl8mTqnPGwpBpllaaUv
      Kf5ycxaDzjOd0iXuaeieWmF0boGuL39K14jpXdZpn7M3mL6VqpaoU++OqhFhGUSg
      0hDXiUwroiCoUQfZhaz+
      =qtV/
      -----END PGP MESSAGE-----
    fp: 73E9CB276D6E2AE9A5C72334B8C69D58290456B0
  - created_at: '2021-02-18T10:29:23Z'
    enc: |
      -----BEGIN PGP MESSAGE-----
      =Eetj
      -----END PGP MESSAGE-----
    fp: 798A2FB39145DED05340F20D5D56AAA377501A7A
  unencrypted_suffix: _unencrypted
  version: 3.6.1
This error shown in sops pod when it tries to decrypt keys
2021-02-18T12:15:57.622Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "sopssecret", "request": "dev-02/web-k8s-secret"}
2021-02-18T12:16:42.175Z INFO controllers.SopsSecret Reconciling {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:16:42.176Z INFO controllers.SopsSecret Failed to Decrypt encrypted sops secret instance {"sopssecret": "dev-02/web-k8s-secret", "error": "parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\""}
2021-02-18T12:16:42.190Z INFO controllers.SopsSecret Reconciling {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:16:42.190Z INFO controllers.SopsSecret Failed to Decrypt encrypted sops secret instance {"sopssecret": "dev-02/web-k8s-secret", "error": "parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\""}
2021-02-18T12:18:07.404Z INFO controllers.SopsSecret Reconciling {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:18:07.404Z INFO controllers.SopsSecret Request object not found, could have been deleted after reconcile request {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:18:07.404Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "sopssecret", "request": "dev-02/web-k8s-secret"}
2021-02-18T12:19:14.574Z INFO controllers.SopsSecret Reconciling {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:19:14.574Z INFO controllers.SopsSecret Request object not found, could have been deleted after reconcile request {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:19:14.574Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "sopssecret", "request": "dev-02/web-k8s-secret"}
2021-02-18T12:21:21.914Z INFO controllers.SopsSecret Reconciling {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:21:21.914Z INFO controllers.SopsSecret Failed to Decrypt encrypted sops secret instance {"sopssecret": "dev-02/web-k8s-secret", "error": "parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\""}
2021-02-18T12:21:21.928Z INFO controllers.SopsSecret Reconciling {"sopssecret": "dev-02/web-k8s-secret"}
2021-02-18T12:21:21.928Z INFO controllers.SopsSecret Failed to Decrypt encrypted sops secret instance {"sopssecret": "dev-02/web-k8s-secret", "error": "parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\""}
Please let me know if more info is needed to fix it.
Hey there, been loving using this sops-secrets-operator. Our Cyber team are getting alerts via their security scanners and we are wondering whether the security settings below are supported via the operator and whether they can be added to the helm chart.
Any advice would be appreciated, thanks!
Bitnami's sealed-secrets-controller allows annotating existing secrets (that are generated by some other means) with an annotation that allows the controller to update them, overriding them:
"sealedsecrets.bitnami.com/managed": "true"
AFAICT, the only way to achieve this with sops-secrets-operator is to configure the ownership of the secret to the SopsSecret in charge of managing it, but it's not as easy as a fixed label.
I'm able to workaround this (my situation is not ideal to begin with) but perhaps it's a use case that can be useful to others.
Feel free to close this issue if you think it's not something worth having.
I accidentally found that if there are 2 SopsSecrets generating the same secrets "weird" things happen, or at least the error message in the logs is misleading:
2020-11-05T15:52:13.908Z ERROR controller-runtime.controller Reconciler error {"controller": "sopssecret", "request": "sops/example-sopssecret-single2", "error": "secret/jenkins-secret-single in sops isn't currently owned by sops-secrets-operator"}
After this the operator enters a loop, which continuously tries to reconcile (with a backoff, it seems, as the intervals are getting longer):
github.com/go-logr/zapr.(*zapLogger).Error
/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:258
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152
k8s.io/apimachinery/pkg/util/wait.JitterUntil
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153
k8s.io/apimachinery/pkg/util/wait.Until
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88
2020-11-05T15:52:14.908Z INFO controllers.SopsSecret Reconciling {"sopssecret": "sops/example-sopssecret-single2"}
[AZKV] time="2020-11-05T15:52:15Z" level=info msg="Decryption succeeded" key=XXXXXXXX version=XXXXXXXXX
[SOPS] time="2020-11-05T15:52:15Z" level=info msg="Data key recovered successfully"
2020-11-05T15:52:15.027Z INFO controllers.SopsSecret Entering template data loop {"sopssecret": "sops/example-sopssecret-single2"}
2020-11-05T15:52:15.027Z INFO controllers.SopsSecret Processing {"sopssecret": "SopsSecret.isindir.github.com/v1alpha2.example-sopssecret-single2", "type": "", "namespace": "sops", "templateItem": "secret/jenkins-secret-single"}
2020-11-05T15:52:15.036Z ERROR controller-runtime.controller Reconciler error {"controller": "sopssecret", "request": "sops/example-sopssecret-single2", "error": "secret/jenkins-secret-single in sops isn't currently owned by sops-secrets-operator"}
When one generates secrets from a SopsSecret CR and then deletes the resulting secret, the deleted secret is not recreated by the operator. In my view this is unexpected as most (all?) other generated resources are reinstated/recreated after their deletion (think: deleting a Pod from a Deployment immediately recreates the Pod).
To reproduce:
Result:
Secret is deleted and remains deleted and is not recreated
Expected Result: Secret is recreated from SopsSecret.
This operator is fantastic. My team and I have used it on a few different projects with a lot of success. Now that SOPS is a part of the CNCF and they have their own org @getsops, is there any intention to move this project there where it could get more visibility / official support?
On errors, the sops code only logs at info level, and there is a way to set the sops logging level from outside.
I will submit a PR for this enhancement.
I don't understand how to use your tool.
How do encoded SopsSecret CRs have to be loaded into the cluster?
Seems the manager deploy manifest has wrong entrypoint:
Normal Pulled 11s (x2 over 12s) kubelet, ... Container image "isindir/sops-secrets-operator:0.1.9" already present on machine
Normal Created 11s (x2 over 12s) kubelet, ... Created container manager
Warning Failed 10s (x2 over 12s) kubelet, ... Error: failed to start container "manager": Error response from daemon: OCI runtime create failed: container_linux.go:370: starting container process caused: exec: "/manager": stat /manager: no such file or directory: unknown
Fix for 0.1.9:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
  - name: controller
    newName: isindir/sops-secrets-operator
    newTag: 0.1.9
namespace: sops-secrets-operator-system
bases:
  - github.com/isindir/sops-secrets-operator/config/default/?ref=0.1.9
patches:
  - target:
      kind: Deployment
      name: sops-secrets-operator-controller-manager
    patch: |-
      - op: replace
        path: /spec/template/spec/containers/1/command
        value: [ /usr/local/bin/manager ]
When deploying the operator from the chart with helm 3:
helm template sops-secrets-operator sops/sops-secrets-operator --namespace=${SOPS_NAMESPACE} --set image.tag=0.2.0
a pod called sops-secrets-operator-test-connection is created from this template but always fails, because it is based on a busybox image and launches the kubectl binary, which is missing.
Is this test meant to work as is?
Apparently, one can pass the --no-hooks option to skip deploying the templates located in the tests folder.
Do you think the installation instructions could be updated with this information?
helm template sops-secrets-operator sops/sops-secrets-operator --namespace=${SOPS_NAMESPACE} --set image.tag=0.2.0 --no-hooks
The current cluster role allows unrestricted access to resources such as pods, services, pvc, events, secrets, configmaps and deployments among others. While I understand the need to create and modify secrets in all namespaces I was wondering if a less permissive cluster role would be possible, particularly for resources like pods and deployments etc?
This could be in the form of restricting access to the minimum required verbs for each of these resources or perhaps creating a separate role & role binding to namespace some of the permissions which don't need to be cluster-wide.
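One way to cut the cluster role down along those lines, as an added example that is not the chart's own RBAC: keep only Secrets and the SopsSecret CRD cluster-wide, and move leader election and event recording into a namespaced Role. The resources are the ones the operator is seen touching elsewhere on this page (secrets, leases in coordination.k8s.io, events in the core group, and a ConfigMap used as the leader-election lock); the verbs, the namespace sops-secrets-operator-system and the service-account name sops-secrets-operator are assumptions to be checked against the operator's logs before rollout.

```yaml
# Added example, not the chart's RBAC. Verbs, namespace and the
# service-account name are assumptions; confirm them against the logs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sops-secrets-operator-minimal
rules:
  # The operator watches SopsSecret objects in every namespace and writes status.
  - apiGroups: ["isindir.github.com"]
    resources: ["sopssecrets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["isindir.github.com"]
    resources: ["sopssecrets/status"]
    verbs: ["get", "update", "patch"]
  # Generated Secrets live in the SopsSecret's namespace, so this has to be
  # cluster-wide; nothing else from the core group (pods, services, pvc, ...)
  # and nothing from apps/ (deployments) is granted.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Leader election and event recording only touch the operator's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sops-secrets-operator-leader-election
  namespace: sops-secrets-operator-system   # assumed install namespace
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "create", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]           # ConfigMap-based leader-election lock
    verbs: ["get", "create", "update"]
  - apiGroups: ["", "events.k8s.io"]    # core "" group is the one the recorder uses
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sops-secrets-operator-minimal
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sops-secrets-operator-minimal
subjects:
  - kind: ServiceAccount
    name: sops-secrets-operator              # assumed service-account name
    namespace: sops-secrets-operator-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sops-secrets-operator-leader-election
  namespace: sops-secrets-operator-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sops-secrets-operator-leader-election
subjects:
  - kind: ServiceAccount
    name: sops-secrets-operator
    namespace: sops-secrets-operator-system
```

Two caveats when trimming verbs: a controller-runtime operator reads through an informer cache by default, so even a plain Get on Secrets needs list and watch on that type, and dropping them produces cache-start failures rather than a clean "forbidden"; and the leader-election and event permissions have to match the resource lock and recorder the binary actually uses, which is exactly what the leases and events errors quoted further down this page come from. Verify with kubectl auth can-i --as=system:serviceaccount:<ns>:<sa> for each verb before shipping.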
Hi
Is there a possibility to create a SopsSecret object that can be decrypted into a Secret object only in a specific namespace? Similar to the 'strict' scope in Bitnami Sealed Secrets:
strict (default): the secret must be sealed with exactly the same name and namespace. These attributes become part of the encrypted data and thus changing name and/or namespace would lead to "decryption error".
I'd like to avoid having cluster-wide secrets so that not everyone who has access to the SopsSecret object (in a git repo) is able to decrypt it in his own namespace.
I was trying out this operator today and I get a validation error when I apply. Here are the steps I took.
apiVersion: isindir.github.com/v1alpha3
kind: SopsSecret
metadata:
  name: example-sopssecret
spec:
  # suspend reconciliation of the sops secret object
  suspend: false
  secretTemplates:
    - name: my-secret-name-1
      labels:
        label1: value1
      annotations:
        key1: value1
      stringData:
        data-name0: data-value0
      data:
        data-name1: ZGF0YS12YWx1ZTE=
    - name: jenkins-secret
      labels:
        jenkins.io/credentials-type: usernamePassword
      annotations:
        jenkins.io/credentials-description: credentials from Kubernetes
      stingData:
        username: myUsername
        password: Pa$$word
    - name: some-token
      stringData:
        token: Wb4ziZdELkdUf6m6KtNd7iRjjQRvSeJno5meH4NAGHFmpqJyEsekZ2WjX232s4Gj
    - name: docker-login
      type: kubernetes.io/dockerconfigjson
      stringData:
        .dockerconfigjson: '{"auths":{"index.docker.io":{"username":"imyuser","password":"mypass","email":"[email protected]","auth":"aW15dXNlcjpteXBhc3M="}}}'
> sops -e -i --encrypted-suffix='Data' Secret3.yaml
apiVersion: isindir.github.com/v1alpha3
kind: SopsSecret
metadata:
  name: example-sopssecret
spec:
  # suspend reconciliation of the sops secret object
  suspend: false
  secretTemplates:
    - name: my-secret-name-1
      labels:
        label1: value1
      annotations:
        key1: value1
      stringData:
        data-name0: ENC[AES256_GCM,data:4o1Xc+++OWwtHAY=,iv:UsMW/iPGTY5reLzp8Jhzgv5Gwi8XFuPro1eMyVZShc8=,tag:WbRAUcchnPM6Qvlle9B7FA==,type:str]
      data:
        data-name1: ZGF0YS12YWx1ZTE=
    - name: jenkins-secret
      labels:
        jenkins.io/credentials-type: usernamePassword
      annotations:
        jenkins.io/credentials-description: credentials from Kubernetes
      stingData:
        username: ENC[AES256_GCM,data:CEgSYbYpdvikoQ==,iv:EJjsdWpFNq+75GhA/RDh6kfQUVL78VGKscLH9RdS9gg=,tag:SycroJf/kPtspAvxWI/LkA==,type:str]
        password: ENC[AES256_GCM,data:OYpFzJvNcys=,iv:1lo55np8EWledb32UqtEnpgI2mZpgjVPgl9+c24Egy8=,tag:cRroYKkgt3+h+PDyI2dGLg==,type:str]
    - name: some-token
      stringData:
        token: ENC[AES256_GCM,data:Xt8mAuqc+mGQegoMeyo6zD95FIB955uB6Hzd4XKUnoVe3LuyXhczR9JcAT/L2AHWqyzrDzEokNlmmyB3yjfLgg==,iv:mqh+t36KOKcvtHnmd0PyrLQHWbFgAmCPYrywFGZ41VQ=,tag:qRip2eqUtvF86nfkwhLYbw==,type:str]
    - name: docker-login
      type: kubernetes.io/dockerconfigjson
      stringData:
        .dockerconfigjson: ENC[AES256_GCM,data:BNCHUQj4sPETQYJj1ES7+u5PzG9cmv0y7J9mnftsjOcnF9pat25V7A2JuHtCZUHEP3wgY9l/2zKmOBgAncUcTzfKpRFOUxJJmOrwkROMtV5Q0p4X47BBWt/4XrkqWjHZUEQ2D2V4M/ALDO0cUmDxQZwCO+snDDjn5XZPognSVg==,iv:U1ig1YJ21FX2zHV2TLQV0d0ydMUSoz+11IftB/aAxsg=,tag:hQDnu89gPO5mn0X81y4V/w==,type:str]
sops:
  kms:
    - arn: arn:aws:kms:us-east-1:878788551012:key/284bf172-5a83-47a7-9ab6-d40f3e261b34
      role: arn:aws:iam::878788551012:role/sops
      created_at: "2021-11-24T19:59:39Z"
      enc: AQICAHivP1FSTpPIgf1yuRF2Q0j1SvqpBAgYtWSJZkc9vkpYeQGAOcoIsUMuUKSCLdx+ejVcAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMeszeo69SvoNQyy9GAgEQgDsSO4W5r6UfuVa4NfwAlLAiBRbcSCR5cbci55VzPjHExzbN8QO1KIWes6b1cfInfR9AM0QQ2sBIkmxuPw==
      aws_profile: ""
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age: []
  lastmodified: "2021-11-24T19:59:39Z"
  mac: ENC[AES256_GCM,data:4ZQ/ctpMBqrv+GUEGT+7zFlmxpclHCIvT1swOTUrdN4KVQ62RbNZvEZYHAUu4Gy5tNMrTiK4OObAmv0bzvV1ZtS4VRFEdSglDmaxKonejcbklI+IuhykPXP7y+KkjMfwyVXYP2Ms1CJtKluhWLmfJ5NF3RfYYpBULypc794d3MY=,iv:8Ac93UK8p61dZd8hauuXA8g4krLhOKlYVrkD6ofUI7w=,tag:OsP7j/gXPVigMr3ox4fNpA==,type:str]
  pgp: []
  encrypted_suffix: Data
  version: 3.7.1
kc apply -f Secret3.yaml
error: error validating "Secret3.yaml": error validating data: ValidationError(SopsSecret.spec.secretTemplates[1]): unknown field "stingData" in com.github.isindir.v1alpha3.SopsSecret.spec.secretTemplates; if you choose to ignore these errors, turn validation off with --validate=false
If I include the --validate=false it applies successfully and the operator works and the secrets are created. But I really shouldn't need to include --validate=false should I?
Please setup the security policy for this repository so that we can report the security issues in secured manner not as a generic issue.
It would be nice to have only the secret data fields encrypted, so secret names and annotations/labels can be easily diff'ed and verified.
Possible to use encrypted_regex in place of encrypted_suffix when encrypting files?
# .sops.yaml
creation_rules:
- path_regex: sops-secret.yaml$
encrypted_regex: ^(data|stringData)$
kms: arn:aws:...
E0514 21:55:17.927234 1 leaderelection.go:325] error initially creating leader election record: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:operators:sops-operator-sops-secrets-operator" cannot create resource "leases" in API group "coordination.k8s.io" in the namespace "operators"
Is the capability NET_BIND_SERVICE needed?
To pass the pod security policy:
kubectl label --dry-run=server --overwrite ns sops \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest
I would like to change the security context to
capabilities:
  drop:
    - all
vs
capabilities:
  drop:
    - all
  add:
    - NET_BIND_SERVICE
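For reference, an added example (not the chart's own template) of a Deployment fragment whose security context satisfies the restricted Pod Security Standard that the kubectl label dry-run above enforces: every capability dropped, privilege escalation disabled, non-root, RuntimeDefault seccomp. The Deployment name, container name and the read-only root filesystem are assumptions for a typical operator image.

```yaml
# Added example, not the chart's template. Names and the read-only
# root filesystem are assumptions; the security context fields are the
# ones the "restricted" Pod Security Standard checks.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sops-secrets-operator           # assumed name
spec:
  template:
    spec:
      # Pod-level defaults apply to every container, including injected ones.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: manager                  # assumed container name
          image: isindir/sops-secrets-operator
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # assumption: the binary needs no writable root
            capabilities:
              drop: ["ALL"]              # spelled in upper case, as the standard does
              # no "add:"; restricted only tolerates NET_BIND_SERVICE here,
              # and a port above 1024 does not need it
```

The restricted profile itself allows adding NET_BIND_SERVICE back, so its presence is not what makes the dry-run fail; the capability is only needed if the process binds a port below 1024, and the metrics and health-probe ports a kubebuilder-scaffolded operator listens on by default (8080 and 8081) are above that. The same kubectl label --dry-run=server command is the right check after the change: it reports every pod in the namespace that would still violate the level, with the exact field that does.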
Does anyone succeed using workload identity federation? I have created a service account with the kms admin role and attached the related annotations to the service account in the cluster. But I am still facing 403 in sops secrets operator:
{"level":"info","ts":1655284751.5652802,"logger":"controllers.SopsSecret","msg":"Failed to Decrypt encrypted sops secret instance","sopssecret":"metrics/kube-prometheus-stack-credentials","error":"Failed to get the data key required to decrypt the SOPS file.\n\nGroup 0: FAILED\n projects/<REDACTED>/locations/global/keyRings/<REDACTED>/cryptoKeys/<REDACTED>: FAILED\n - | Error decrypting key: googleapi: Error 403: Permission\n | 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource\n | 'projects/analysis-ml-services-244107/locations/global/keyRings/ml-services-sops/cryptoKeys/ml-services-sops-key'\n | (or it may not exist)., forbidden\n\nRecovery failed because no master key was able to decrypt the file. In\norder for SOPS to recover the file, at least one key has to be successful,\nbut none were."}
Hi,
I am running into issues when I define imagePullSecrets using sops-secrets-operator. Even though I have defined a sopssecret of type kubernetes.io/dockerconfigjson, the kubelet on the cluster errors out saying it does not have permissions to pull images from the private registry. To verify it's not an issue with the permissions, I directly created a K8s secret on the cluster (bypassing the sops secret operator) using kubectl and it seemed to pull the images just fine. I also noticed when the operator decrypts the secret into the cluster, it does not create a secret of type kubernetes.io/dockerconfig.json, instead it creates one of type Opaque. Could this be an issue?
Any plans to publish on github.io or any other helm repo?
Hi,
I've followed the instructions on how to set up the sops operator and CRDs, generated a GPG key using The documentation on how to use PGP keys, but I run into an issue: when I apply the SopsSecret object, the Operator errors out with the following stacktrace:
{
  "level": "error",
  "ts": 1583166999.4617608,
  "logger": "controller-runtime.controller",
  "msg": "Reconciler error",
  "controller": "sopssecret-controller",
  "request": "sops/example-sopssecret",
  "error": "Error getting data key: 0 successful groups required, got 0",
  "stacktrace": "github.com/go-logr/zapr.(*zapLogger).Error
    sops-secrets-operator/vendor/github.com/go-logr/zapr/zapr.go:128
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    sops-secrets-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:258
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    sops-secrets-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:232
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
    sops-secrets-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:211
    k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
    sops-secrets-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:152
    k8s.io/apimachinery/pkg/util/wait.JitterUntil
    sops-secrets-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:153
    k8s.io/apimachinery/pkg/util/wait.Until
    sops-secrets-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"
}
I've already tried to delete and redeploy the GPG secrets, but the error remains.
This would be helpful for step-ca integration and allow for more automation.
Using the 0.7.3 chart version I get the below (k8s 1.19):
E0426 14:41:24.121724 1 event.go:263] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"ca57d051.github.com.16796f73c9c2cd26", GenerateName:"", Namespace:"operators", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"ConfigMap", Namespace:"operators", Name:"ca57d051.github.com", UID:"c17dade8-afab-432f-9f70-b2a9692b61c5", APIVersion:"v1", ResourceVersion:"191769763", FieldPath:""}, Reason:"LeaderElection", Message:"sops-operator-sops-secrets-operator-b95df6656-kxtpx_9be23d5e-a82a-48aa-98e9-2b527548b12c became leader", Source:v1.EventSource{Component:"sops-operator-sops-secrets-operator-b95df6656-kxtpx_9be23d5e-a82a-48aa-98e9-2b527548b12c", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xc019d22506c10526, ext:21593718825, loc:(*time.Location)(0x2a15da0)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xc019d22506c10526, ext:21593718825, loc:(*time.Location)(0x2a15da0)}}, Count:1, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:operators:sops-operator-sops-secrets-operator" cannot create resource "events" in API group "" in the namespace "operators"' (will not retry!)
rbac shows this:
- apiGroups:
    - events.k8s.io
  resources:
    - events
  verbs:
    - '*'
Should we add the "" apiGroup in there as well?