.github/workflows/e2e.yaml

@@ -54,7 +54,19 @@ jobs:
           version: 1.21.2
       - name: Setup SOPS
         uses: fluxcd/pkg/actions/sops@main
+      - name: Enable integration tests
+        # Only run integration tests for main branch
+        if: github.ref == 'refs/heads/main'
+        run: |
+          echo 'GO_TEST_ARGS=-tags integration' >> $GITHUB_ENV
       - name: Run controller tests
+        env:
+          TEST_AZURE_CLIENT_ID: ${{ secrets.TEST_AZURE_CLIENT_ID }}
+          TEST_AZURE_TENANT_ID: ${{ secrets.TEST_AZURE_TENANT_ID }}
+          TEST_AZURE_CLIENT_SECRET: ${{ secrets.TEST_AZURE_CLIENT_SECRET }}
+          TEST_AZURE_VAULT_URL: ${{ secrets.TEST_AZURE_VAULT_URL }}
+          TEST_AZURE_VAULT_KEY_NAME: ${{ secrets.TEST_AZURE_VAULT_KEY_NAME }}
+          TEST_AZURE_VAULT_KEY_VERSION: ${{ secrets.TEST_AZURE_VAULT_KEY_VERSION }}
         run: make test
       - name: Check if working tree is dirty
         run: |

CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.22.3
+
+**Release date:** 2022-03-29
+
+This prerelease fixes a compatability issue between SOPS' Azure Key Vault
+integration, and the controller's. In addition, Kustomize has been updated
+to [`v4.5.4`](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.5.4)
+to address an issue with ConfigMap and Secret generators.
+
+Fixes:
+- sops/azkv: ensure compatibility with upstream
+  [#604](https://github.com/fluxcd/kustomize-controller/pull/604)
+- Update Kustomize to v4.5.4
+  [#606](https://github.com/fluxcd/kustomize-controller/pull/606)
+
 ## 0.22.2
 
 **Release date:** 2022-03-25
@@ -15,7 +30,7 @@ YAML anchors.
 
 Improvements:
 - Update Kustomize to v4.5.3
-  [#594](https://github.com/fluxcd/kustomize-controller/pull/597)
+  [#594](https://github.com/fluxcd/kustomize-controller/pull/594)
 - Update source-controller API to v0.22.3
   [#596](https://github.com/fluxcd/kustomize-controller/pull/596)
 

Makefile

@@ -11,6 +11,9 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+# Allows for defining additional Go test args, e.g. '-tags integration'.
+GO_TEST_ARGS ?=
+
 # Allows for defining additional Docker buildx arguments, e.g. '--push'.
 BUILD_ARGS ?= --load
 # Architectures to build images for.
@@ -31,7 +34,7 @@ install-envtest: setup-envtest
 # Run controller tests
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
 test: tidy generate fmt vet manifests api-docs download-crd-deps install-envtest
-	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./controllers/...  -v -coverprofile cover.out
+	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./... $(GO_TEST_ARGS) -v -coverprofile cover.out
 
 # Build manager binary
 manager: generate fmt vet

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/kustomize-controller
     newName: fluxcd/kustomize-controller
-    newTag: v0.22.2
+    newTag: v0.22.3

docs/spec/v1beta2/kustomization.md

@@ -242,6 +242,51 @@ const (
 )
 ```
 
+## Recommended settings
+
+When deploying applications to production environments,
+it is recommended to configure the following fields,
+while adjusting them to your desires for responsiveness:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+  name: webapp
+  namespace: apps
+spec:
+  interval: 1m0s # check for new commits every minute and apply changes
+  url: https://github.com/org/webapp # clone over HTTPS 
+  secretRef: # use token auth 
+    name: webapp-git-token # Flux user PAT (read-only access)
+  ref:
+    branch: main
+  ignore: |
+    # exclude all
+    /*
+    # include deploy dir
+    !/deploy
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: webapp
+  namespace: apps
+spec:
+  interval: 60m0s # detect drift and undo kubectl edits every hour
+  wait: true # wait for all applied resources to become ready
+  timeout: 3m0s # give up waiting after three minutes
+  retryInterval: 2m0s # retry every two minutes on apply or waiting failures
+  prune: true # remove stale resources from cluster
+  force: true # recreate resources on immutable fields changes
+  targetNamespace: apps # set the namespace for all resources
+  sourceRef:
+    kind: GitRepository
+    name: webapp
+    namspace: apps
+  path: "./deploy/production"
+```
+
 ## Source reference
 
 The Kustomization `spec.sourceRef` is a reference to an object managed by

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/dimchansky/utfbom v1.1.1
 	github.com/drone/envsubst v1.0.3
-	github.com/fluxcd/kustomize-controller/api v0.22.2
+	github.com/fluxcd/kustomize-controller/api v0.22.3
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.2
 	github.com/fluxcd/pkg/apis/meta v0.12.1
@@ -36,15 +36,15 @@ require (
 	k8s.io/client-go v0.23.4
 	sigs.k8s.io/cli-utils v0.29.3
 	sigs.k8s.io/controller-runtime v0.11.1
-	sigs.k8s.io/kustomize/api v0.11.3
-	sigs.k8s.io/kustomize/kyaml v0.13.4
+	sigs.k8s.io/kustomize/api v0.11.4
+	sigs.k8s.io/kustomize/kyaml v0.13.6
 	sigs.k8s.io/yaml v1.3.0
 )
 
-// Pin kustomize to v4.5.3
+// Pin kustomize to v4.5.4
 replace (
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.11.3
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.4
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.11.4
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.6
 )
 
 // Fix CVE-2021-30465

go.sum

@@ -393,6 +393,8 @@ github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/cel-go v0.9.0/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w=
 github.com/google/cel-spec v0.6.0/go.mod h1:Nwjgxy5CbjlPrtCWjeDjUyKMl8w41YBYGjsyDdqk0xA=
+github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
+github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -1489,12 +1491,12 @@ sigs.k8s.io/controller-runtime v0.11.1/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eM
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
-sigs.k8s.io/kustomize/api v0.11.3 h1:zSfqBnm2eWKtBt1bJdeb8vdFn6RCACjkJBJXD4ewT2A=
-sigs.k8s.io/kustomize/api v0.11.3/go.mod h1:+pqeIrqlbShZpegTsFiJtZ6aI8awf8D+9CeO7k7iSFQ=
+sigs.k8s.io/kustomize/api v0.11.4 h1:/0Mr3kfBBNcNPOW5Qwk/3eb8zkswCwnqQxxKtmrTkRo=
+sigs.k8s.io/kustomize/api v0.11.4/go.mod h1:k+8RsqYbgpkIrJ4p9jcdPqe8DprLxFUUO0yNOq8C+xI=
 sigs.k8s.io/kustomize/cmd/config v0.10.2/go.mod h1:K2aW7nXJ0AaT+VA/eO0/dzFLxmpFcTzudmAgDwPY1HQ=
 sigs.k8s.io/kustomize/kustomize/v4 v4.4.1/go.mod h1:qOKJMMz2mBP+vcS7vK+mNz4HBLjaQSWRY22EF6Tb7Io=
-sigs.k8s.io/kustomize/kyaml v0.13.4 h1:UP4niyzHP8yBDZTJu3OyZMCbJUfT6PIj0fJZFcn8gQw=
-sigs.k8s.io/kustomize/kyaml v0.13.4/go.mod h1:/ya3Gk4diiQzlE4mBh7wykyLRFZNvqlbh+JnwQ9Vhrc=
+sigs.k8s.io/kustomize/kyaml v0.13.6 h1:eF+wsn4J7GOAXlvajv6OknSunxpcOBQQqsnPxObtkGs=
+sigs.k8s.io/kustomize/kyaml v0.13.6/go.mod h1:yHP031rn1QX1lr/Xd934Ri/xdVNG8BE2ECa78Ht/kEg=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=

internal/sops/azkv/keysource.go

@@ -7,6 +7,7 @@ package azkv
 import (
 	"bytes"
 	"context"
+	"encoding/base64"
 	"encoding/binary"
 	"fmt"
 	"io/ioutil"
@@ -150,7 +151,11 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 	if err != nil {
 		return fmt.Errorf("failed to encrypt data: %w", err)
 	}
-	key.EncryptedKey = string(resp.Result)
+	// This is for compatibility between the SOPS upstream which uses
+	// a much older Azure SDK, and our implementation which is up-to-date
+	// with the latest.
+	encodedEncryptedKey := base64.RawURLEncoding.EncodeToString(resp.Result)
+	key.SetEncryptedDataKey([]byte(encodedEncryptedKey))
 	return nil
 }
 
@@ -168,7 +173,14 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to construct client to decrypt data: %w", err)
 	}
-	resp, err := c.Decrypt(context.Background(), crypto.EncryptionAlgorithmRSAOAEP256, []byte(key.EncryptedKey), nil)
+	// This is for compatibility between the SOPS upstream which uses
+	// a much older Azure SDK, and our implementation which is up-to-date
+	// with the latest.
+	rawEncryptedKey, err := base64.RawURLEncoding.DecodeString(key.EncryptedKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode encrypted key: %w", err)
+	}
+	resp, err := c.Decrypt(context.Background(), crypto.EncryptionAlgorithmRSAOAEP256, rawEncryptedKey, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt data: %w", err)
 	}

internal/sops/azkv/keysource_integration_test.go

@@ -0,0 +1,159 @@
+// +tag integration
+
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package azkv
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	. "github.com/onsi/gomega"
+	"go.mozilla.org/sops/v3/azkv"
+)
+
+// The following values should be created based on the instructions in:
+// https://github.com/mozilla/sops#encrypting-using-azure-key-vault
+var (
+	testVaultURL        = os.Getenv("TEST_AZURE_VAULT_URL")
+	testVaultKeyName    = os.Getenv("TEST_AZURE_VAULT_KEY_NAME")
+	testVaultKeyVersion = os.Getenv("TEST_AZURE_VAULT_KEY_VERSION")
+	testAADConfig       = AADConfig{
+		TenantID:     os.Getenv("TEST_AZURE_TENANT_ID"),
+		ClientID:     os.Getenv("TEST_AZURE_CLIENT_ID"),
+		ClientSecret: os.Getenv("TEST_AZURE_CLIENT_SECRET"),
+	}
+)
+
+func TestMasterKey_Encrypt(t *testing.T) {
+	g := NewWithT(t)
+
+	key := &MasterKey{
+		VaultURL:     testVaultURL,
+		Name:         testVaultKeyName,
+		Version:      testVaultKeyVersion,
+		CreationDate: time.Now(),
+	}
+
+	g.Expect(testAADConfig.SetToken(key)).To(Succeed())
+
+	g.Expect(key.Encrypt([]byte("foo"))).To(Succeed())
+	g.Expect(key.EncryptedDataKey()).ToNot(BeEmpty())
+}
+
+func TestMasterKey_Decrypt(t *testing.T) {
+	g := NewWithT(t)
+
+	key := &MasterKey{
+		VaultURL: testVaultURL,
+		Name:     testVaultKeyName,
+		Version:  testVaultKeyVersion,
+		// EncryptedKey equals "foo" in bytes
+		EncryptedKey: "AdvS9HGJG7thHiUAisVJ8XqZiKfTjjbMETl5pIUBcOiHhMS6nLJpqeHcoKFUX6T4HFNT5o9tUXJsVprkkXzaL0Fyd01gef-eF4lTKsKl3EAn2hPAbfT-HTiuOnXzm4Zmvb4S-Ef3loOgLuoIH8Ks7SzSGhy6U9qvRk4Y4IZjzHCtUHaGE5utuTTy9lff8h4HCzgCp92ots2PPXD4dGHN_yXs-EpARXGPR2RbWWnj4P3Pu8xeMBk7hDCa51ZweJ_xQBRvXHmSy0PkauDUbr4dlUf6QQa8RxSPsOSaVT8dtVIURZ9YP1p69ajSo98aHXqSBAouZGWkrWgmQsleNrSGcg",
+		CreationDate: time.Now(),
+	}
+
+	g.Expect(testAADConfig.SetToken(key)).To(Succeed())
+
+	got, err := key.Decrypt()
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(got).To(Equal([]byte("foo")))
+}
+
+func TestMasterKey_EncryptDecrypt_RoundTrip(t *testing.T) {
+	g := NewWithT(t)
+
+	key := &MasterKey{
+		VaultURL:     testVaultURL,
+		Name:         testVaultKeyName,
+		Version:      testVaultKeyVersion,
+		CreationDate: time.Now(),
+	}
+
+	g.Expect(testAADConfig.SetToken(key)).To(Succeed())
+
+	dataKey := []byte("some-data-that-should-be-secret")
+
+	g.Expect(key.Encrypt(dataKey)).To(Succeed())
+	g.Expect(key.EncryptedDataKey()).ToNot(BeEmpty())
+
+	dec, err := key.Decrypt()
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(dec).To(Equal(dataKey))
+}
+
+func TestMasterKey_Encrypt_SOPS_Compat(t *testing.T) {
+	g := NewWithT(t)
+
+	encryptKey := &MasterKey{
+		VaultURL:     testVaultURL,
+		Name:         testVaultKeyName,
+		Version:      testVaultKeyVersion,
+		CreationDate: time.Now(),
+	}
+	g.Expect(testAADConfig.SetToken(encryptKey)).To(Succeed())
+
+	dataKey := []byte("foo")
+	g.Expect(encryptKey.Encrypt(dataKey)).To(Succeed())
+
+	t.Setenv("AZURE_CLIENT_ID", testAADConfig.ClientID)
+	t.Setenv("AZURE_TENANT_ID", testAADConfig.TenantID)
+	t.Setenv("AZURE_CLIENT_SECRET", testAADConfig.ClientSecret)
+
+	decryptKey := &azkv.MasterKey{
+		VaultURL:     testVaultURL,
+		Name:         testVaultKeyName,
+		Version:      testVaultKeyVersion,
+		EncryptedKey: encryptKey.EncryptedKey,
+		CreationDate: time.Now(),
+	}
+
+	dec, err := decryptKey.Decrypt()
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(dec).To(Equal(dataKey))
+}
+
+func TestMasterKey_Decrypt_SOPS_Compat(t *testing.T) {
+	g := NewWithT(t)
+
+	t.Setenv("AZURE_CLIENT_ID", testAADConfig.ClientID)
+	t.Setenv("AZURE_TENANT_ID", testAADConfig.TenantID)
+	t.Setenv("AZURE_CLIENT_SECRET", testAADConfig.ClientSecret)
+
+	dataKey := []byte("foo")
+
+	encryptKey := &azkv.MasterKey{
+		VaultURL:     testVaultURL,
+		Name:         testVaultKeyName,
+		Version:      testVaultKeyVersion,
+		CreationDate: time.Now(),
+	}
+	g.Expect(encryptKey.Encrypt(dataKey)).To(Succeed())
+
+	decryptKey := &MasterKey{
+		VaultURL:     testVaultURL,
+		Name:         testVaultKeyName,
+		Version:      testVaultKeyVersion,
+		EncryptedKey: encryptKey.EncryptedKey,
+		CreationDate: time.Now(),
+	}
+	g.Expect(testAADConfig.SetToken(decryptKey)).To(Succeed())
+
+	dec, err := decryptKey.Decrypt()
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(dec).To(Equal(dataKey))
+}

tests/fuzz/oss_fuzz_build.sh

@@ -22,7 +22,7 @@ PROJECT_PATH="github.com/fluxcd/kustomize-controller"
 
 cd "${GO_SRC}"
 
-# Move fuzzer to their respective directories. 
+# Move fuzzer to their respective directories.
 # This removes dependency noises from the modules' go.mod and go.sum files.
 mv "${PROJECT_PATH}/tests/fuzz/age_fuzzer.go" "${PROJECT_PATH}/internal/sops/age/"
 mv "${PROJECT_PATH}/tests/fuzz/pgp_fuzzer.go" "${PROJECT_PATH}/internal/sops/pgp/"
@@ -38,7 +38,7 @@ sed -i 's;import (;import(\n	abc "github.com/fluxcd/kustomize-controller/control
 
 pushd "${PROJECT_PATH}"
 
-go mod tidy
+go get -d github.com/AdaLogics/go-fuzz-headers
 
 compile_go_fuzzer "${PROJECT_PATH}/internal/sops/age/" FuzzAge fuzz_age
 compile_go_fuzzer "${PROJECT_PATH}/internal/sops/pgp/" FuzzPgp fuzz_pgp