Decrypt secret/configmap generators inputs encrypted with AGE #3313
Conversation
@sylr we have a PLUGIN that can decrypt yamls encrypted by SOPS, and it can be used with kustomize starting from 3.8.1 without modification of the code. I guess, if possible, it's better to avoid including direct dependencies on tools like AGE, SOPS, etc., and instead make plugins that would allow kustomize to decrypt the documents. Also, SOPS allows using not only PGP keys but a broader set of backends in addition to it: AWS KMS, GCP KMS, Azure Key Vault. [1] The easiest way to create encrypted documents that will work with kustomize is with the flag Note: kustomize changes the order of fields and sops doesn't like it during decryption. There are 2 options for how to work around this:
Hi @aodinokov 👋 Thank you for your feedback. I did consider I believe that adding a light encryption/decryption layer to kustomize would be an improvement. As you may note, this PR is not that big and should not come with a high maintenance cost.
Regards.
Just a little comment on this based on my experience.
That's why I tried to draw your attention to the newest feature in sops 3.6.1:
Hi @monopole 👋 I was wondering if I could get your opinion about this feature. Thank you.
I like the idea of "age" as a "light encryption/decryption layer to kustomize". It's "modern", but it is also ChaCha20-Poly1305 vs. AES. And it's a simple encrypted string in/out (without metadata needed) alike sops. The concept of a generator is a bit of an obstacle (more files, more configuration, which is always a pain). Nothing against the current PR. However, as "light encryption" I envision:
now:
@epcim this PR supports AGE encrypted input for literals:

```yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configMapGenerator:
- name: myconfig-env
  literals:
  - |-
    FOO.age=-----BEGIN AGE ENCRYPTED FILE-----
    YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5T0lxeXRwU21WaktmL0tE
    dlJXenFwN2ZxcFhJaStybFp2TXNiWHZaTVFjCkI0U21oaHB5TnQ5RkZqbzVDaThi
    VVl3d2V6TW91SEovRUNvbkZ5VW82UmMKLS0tIEpYNmhhMis5cmRrd0l0ZXNDN3hq
    aC85RC9rbWVOVTBXSDAzRTh0RkdVcUUKYwFjbXl9uM03A4dBTYXphD2x2Ex0ZqjQ
    aqK+72Hpx1BoL2mJ5ncG7u/XjcTxGvivmQ==
    -----END AGE ENCRYPTED FILE-----
  ageIdentities:
  - ./age.key
```

Outputs:

```yaml
apiVersion: v1
data:
  FOO: ThisIsAnEnvSecret
kind: ConfigMap
metadata:
  name: myconfig-env-b7dk5f5dft
```
Then all fine; it makes things really simple and one can work with secrets as if they really were encrypted secret "strings", vs. SOPS (nothing to blame, it fits better with KMS/AKS etc., quite sure). Btw, how does it work with multiple identities? May I use two (i.e. the 2nd is for CI/CD) so I encrypt with mine but CI/CD can decrypt? The MR has been here for a while.
You'll need to encrypt each secret with all the public keys of the identities that will be used to decrypt.
JFYI: sops 3.7.1 supports AGE to some extent (https://github.com/mozilla/sops#encrypting-using-age).
It's necessary to pass the decryption key as the env var SOPS_IMPORT_AGE and kustomize will decrypt this on the spot. [1]
This PR implements AGE data decryption for secret/configmap generator inputs.

age, which stands for "actually good encryption", is a "simple, modern and secure file encryption tool, format, and library."

I made a repo with kustomize binaries built with this patch and a demo kustomization.yaml: https://github.com/sylr/kustomize-age

Let me know what you think.