.github/workflows/e2e.yaml

@@ -68,7 +68,8 @@ jobs:
           make docker-build IMG=test/kustomize-controller:latest \
             BUILD_PLATFORMS=linux/amd64 \
             BUILD_ARGS="--cache-from=type=local,src=/tmp/.buildx-cache \
-              --cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max"
+              --cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max \
+              --load"
       - # Temp fix
         # https://github.com/docker/build-push-action/issues/252
         # https://github.com/moby/buildkit/issues/1896

CHANGELOG.md

@@ -2,11 +2,33 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.22.2
+
+**Release date:** 2022-03-25
+
+This prerelease fixes a regression bug where the SOPS keyservice would not
+properly fall back to the default server for Azure Key Vault decryption
+requests.
+
+In addition, Kustomize has been updated to `v4.5.3` to address an issue with
+YAML anchors.
+
+Improvements:
+- Update Kustomize to v4.5.3
+  [#594](https://github.com/fluxcd/kustomize-controller/pull/597)
+- Update source-controller API to v0.22.3
+  [#596](https://github.com/fluxcd/kustomize-controller/pull/596)
+
+Fixes:
+- sops/keyservice: properly fallback to default
+  [#597](https://github.com/fluxcd/kustomize-controller/pull/597)
+
 ## 0.22.1
 
 **Release date:** 2022-03-24
 
-This prerelease fixes a regression bug where alerts are sent for every reconciliation run.
+This prerelease fixes a regression bug where alerts are sent for every
+reconciliation run.
 
 Fixes:
 - Ensure event annotations are prefixed with Group FQDN

Makefile

@@ -2,7 +2,7 @@
 IMG ?= fluxcd/kustomize-controller:latest
 # Produce CRDs that work back to Kubernetes 1.16
 CRD_OPTIONS ?= crd:crdVersions=v1
-SOURCE_VER ?= v0.22.0
+SOURCE_VER ?= v0.22.3
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -12,7 +12,7 @@ GOBIN=$(shell go env GOBIN)
 endif
 
 # Allows for defining additional Docker buildx arguments, e.g. '--push'.
-BUILD_ARGS ?=
+BUILD_ARGS ?= --load
 # Architectures to build images for.
 BUILD_PLATFORMS ?= linux/amd64
 
@@ -106,7 +106,6 @@ docker-build:
 	docker buildx build \
 	--platform=$(BUILD_PLATFORMS) \
 	-t ${IMG} \
-	--load \
 	${BUILD_ARGS} .
 
 # Push the docker image

config/default/kustomization.yaml

@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kustomize-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.22.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.22.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.22.3/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.22.3/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/kustomize-controller
     newName: fluxcd/kustomize-controller
-    newTag: v0.22.1
+    newTag: v0.22.2

controllers/kustomization_decryptor.go

@@ -160,14 +160,6 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 		var ageIdentities []string
 		var vaultToken string
 		for name, value := range secret.Data {
-			if name == DecryptionAzureAuthFile {
-				azureConf := azkv.AADConfig{}
-				if err = azkv.LoadAADConfigFromBytes(value, &azureConf); err != nil {
-					return err
-				}
-				kd.azureAADConfig = &azureConf
-				continue
-			}
 			switch filepath.Ext(name) {
 			case ".asc":
 				keyPath, err := securejoin.SecureJoin(tmpDir, name)
@@ -182,13 +174,22 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 				}
 			case ".agekey":
 				ageIdentities = append(ageIdentities, string(value))
-			case ".vault-token":
-				// Make sure we have the absolute file name
+			case filepath.Ext(DecryptionVaultTokenFileName):
+				// Make sure we have the absolute name
 				if name == DecryptionVaultTokenFileName {
 					token := string(value)
 					token = strings.Trim(strings.TrimSpace(token), "\n")
 					vaultToken = token
 				}
+			case filepath.Ext(DecryptionAzureAuthFile):
+				// Make sure we have the absolute name
+				if name == DecryptionAzureAuthFile {
+					azureConf := azkv.AADConfig{}
+					if err = azkv.LoadAADConfigFromBytes(value, &azureConf); err != nil {
+						return err
+					}
+					kd.azureAADConfig = &azureConf
+				}
 			}
 		}
 

go.mod

@@ -13,15 +13,15 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/dimchansky/utfbom v1.1.1
 	github.com/drone/envsubst v1.0.3
-	github.com/fluxcd/kustomize-controller/api v0.22.1
+	github.com/fluxcd/kustomize-controller/api v0.22.2
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.2
 	github.com/fluxcd/pkg/apis/meta v0.12.1
 	github.com/fluxcd/pkg/runtime v0.13.2
 	github.com/fluxcd/pkg/ssa v0.15.1
 	github.com/fluxcd/pkg/testserver v0.2.0
 	github.com/fluxcd/pkg/untar v0.1.0
-	github.com/fluxcd/source-controller/api v0.22.0
+	github.com/fluxcd/source-controller/api v0.22.3
 	github.com/hashicorp/go-retryablehttp v0.7.0
 	github.com/hashicorp/vault/api v1.4.1
 	github.com/onsi/gomega v1.18.1
@@ -36,11 +36,26 @@ require (
 	k8s.io/client-go v0.23.4
 	sigs.k8s.io/cli-utils v0.29.3
 	sigs.k8s.io/controller-runtime v0.11.1
-	sigs.k8s.io/kustomize/api v0.11.2
-	sigs.k8s.io/kustomize/kyaml v0.13.3
+	sigs.k8s.io/kustomize/api v0.11.3
+	sigs.k8s.io/kustomize/kyaml v0.13.4
 	sigs.k8s.io/yaml v1.3.0
 )
 
+// Pin kustomize to v4.5.3
+replace (
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.11.3
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.4
+)
+
+// Fix CVE-2021-30465
+// Fix CVE-2021-43784
+// Fix GO-2021-0085
+// Fix GO-2021-0087
+replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
+
+// Fix CVE-2021-41190
+replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
+
 require (
 	cloud.google.com/go v0.99.0 // indirect
 	github.com/Azure/azure-sdk-for-go v31.2.0+incompatible // indirect
@@ -193,18 +208,3 @@ require (
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
-
-// pin kustomize to v4.5.2
-replace (
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
-)
-
-// Fix CVE-2021-30465
-// Fix CVE-2021-43784
-// Fix GO-2021-0085
-// Fix GO-2021-0087
-replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
-
-// Fix CVE-2021-41190
-replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2

go.sum

@@ -286,8 +286,8 @@ github.com/fluxcd/pkg/testserver v0.2.0 h1:Mj0TapmKaywI6Fi5wvt1LAZpakUHmtzWQpJNK
 github.com/fluxcd/pkg/testserver v0.2.0/go.mod h1:bgjjydkXsZTeFzjz9Cr4heGANr41uTB1Aj1Q5qzuYVk=
 github.com/fluxcd/pkg/untar v0.1.0 h1:k97V/xV5hFrAkIkVPuv5AVhyxh1ZzzAKba/lbDfGo6o=
 github.com/fluxcd/pkg/untar v0.1.0/go.mod h1:aGswNyzB1mlz/T/kpOS58mITBMxMKc9tlJBH037A2HY=
-github.com/fluxcd/source-controller/api v0.22.0 h1:WF0xsrlyUaRLWS4u5un3yfzlvER86sZx/qiV6l7Ay6Q=
-github.com/fluxcd/source-controller/api v0.22.0/go.mod h1:Vb13q9Pq+1IW/sJUZn/RSb7IU5WT86Er6uCFPCFm9L4=
+github.com/fluxcd/source-controller/api v0.22.3 h1:HnpSnCtIytwSGSz2qu+GJwyZRmD5UXZL5oOQapiQOtk=
+github.com/fluxcd/source-controller/api v0.22.3/go.mod h1:Vb13q9Pq+1IW/sJUZn/RSb7IU5WT86Er6uCFPCFm9L4=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
@@ -1489,12 +1489,12 @@ sigs.k8s.io/controller-runtime v0.11.1/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eM
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
-sigs.k8s.io/kustomize/api v0.10.1 h1:KgU7hfYoscuqag84kxtzKdEC3mKMb99DPI3a0eaV1d0=
-sigs.k8s.io/kustomize/api v0.10.1/go.mod h1:2FigT1QN6xKdcnGS2Ppp1uIWrtWN28Ms8A3OZUZhwr8=
+sigs.k8s.io/kustomize/api v0.11.3 h1:zSfqBnm2eWKtBt1bJdeb8vdFn6RCACjkJBJXD4ewT2A=
+sigs.k8s.io/kustomize/api v0.11.3/go.mod h1:+pqeIrqlbShZpegTsFiJtZ6aI8awf8D+9CeO7k7iSFQ=
 sigs.k8s.io/kustomize/cmd/config v0.10.2/go.mod h1:K2aW7nXJ0AaT+VA/eO0/dzFLxmpFcTzudmAgDwPY1HQ=
 sigs.k8s.io/kustomize/kustomize/v4 v4.4.1/go.mod h1:qOKJMMz2mBP+vcS7vK+mNz4HBLjaQSWRY22EF6Tb7Io=
-sigs.k8s.io/kustomize/kyaml v0.13.0 h1:9c+ETyNfSrVhxvphs+K2dzT3dh5oVPPEqPOE/cUpScY=
-sigs.k8s.io/kustomize/kyaml v0.13.0/go.mod h1:FTJxEZ86ScK184NpGSAQcfEqee0nul8oLCK30D47m4E=
+sigs.k8s.io/kustomize/kyaml v0.13.4 h1:UP4niyzHP8yBDZTJu3OyZMCbJUfT6PIj0fJZFcn8gQw=
+sigs.k8s.io/kustomize/kyaml v0.13.4/go.mod h1:/ya3Gk4diiQzlE4mBh7wykyLRFZNvqlbh+JnwQ9Vhrc=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=

internal/sops/keyservice/server.go

@@ -165,8 +165,9 @@ func (ks Server) Encrypt(ctx context.Context,
 		// Fallback to default server if no custom settings are configured
 		// to ensure backwards compatibility with global configurations
 		if ks.AzureAADConfig == nil {
-			return ks.Encrypt(ctx, req)
+			return ks.DefaultServer.Encrypt(ctx, req)
 		}
+
 		ciphertext, err := ks.encryptWithAzureKeyvault(k.AzureKeyvaultKey, req.Plaintext)
 		if err != nil {
 			return nil, err
@@ -252,8 +253,9 @@ func (ks Server) Decrypt(ctx context.Context,
 		// Fallback to default server if no custom settings are configured
 		// to ensure backwards compatibility with global configurations
 		if ks.AzureAADConfig == nil {
-			return ks.Decrypt(ctx, req)
+			return ks.DefaultServer.Decrypt(ctx, req)
 		}
+
 		plaintext, err := ks.decryptWithAzureKeyvault(k.AzureKeyvaultKey, req.Ciphertext)
 		if err != nil {
 			return nil, err