decryptor: improve detection of in and out formats for Secret data fields #644
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hiddeco
added
bug
This ensures the Secret field gets formatted back into JSON, instead of it being detected as binary output. Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
decryptor-detect-dockercfg
branch
from
551c831
to
a7639c6
Compare
hiddeco
changed the title
hiddeco
force-pushed
the
decryptor-detect-dockercfg
branch
from
ca69fb6
to
83e3e33
Compare
seh
reviewed
Apr 29, 2022
seh
reviewed
Apr 29, 2022
seh
reviewed
Apr 29, 2022
Comment on lines
+740
to
+742
| case strings.HasSuffix(path, corev1.DockerConfigJsonKey): | ||
| return formats.Json |
There was a problem hiding this comment.
Perhaps we should only look for this key when the Secret's "type" field is "kubernetes.io/dockerconfigjson."
There was a problem hiding this comment.
Think that with the current approach, it gives people some flexibility to e.g. have opaque Secrets with multiple .dockerconfigjson files, for whatever reason that may be required. In addition to simplifying the code :-).
hiddeco
force-pushed
the
decryptor-detect-dockercfg
branch
from
83e3e33
to
ddb277d
Compare
seh
approved these changes
Apr 29, 2022
There was a problem hiding this comment.
Modulo the switch from var to const, this would have helped me when encrypting my Docker credentials. I used sops --encrypt --input-type=json first, but found that Flux couldn't interpret the decrypted content correctly. With this patch, it looks like that would have worked as expected.
hiddeco
force-pushed
the
decryptor-detect-dockercfg
branch
from
ddb277d
to
3516d3f
Compare
This checks the base64 decoded bytes from a Secret field for any of the marker bytes, thereby allowing data to be encrypted into any format. Instead of the previous behavior which assumed it to either be YAML or JSON. Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
decryptor-detect-dockercfg
branch
from
3516d3f
to
36df540
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR improves two things:
.dockerconfigjsonfield gets formatted back into JSON, instead of it being detected as binary output.Test image (multi-arch):
docker.io/hiddeco/kustomize-controller:decryptor-detect-dockercfg-83e3e33@sha256:08016777ad75813681a3