Wrong decrypt SOPS files #421

Closed
aivanov-citc opened this issue Sep 2, 2021 · 4 comments
Labels
area/sops SOPS related issues and pull requests invalid This doesn't seem right

Comments

@aivanov-citc

aivanov-citc commented Sep 2, 2021

Hey! When switching from Flux version 0.13.4 to 0.16.2, files encrypted with SOPS started being decrypted incorrectly.

There is file realm.json

{
  "id": "example",
  "realm": "example",
  "notBefore": 0,
  "defaultSignatureAlgorithm": "RS256",
  "revokeRefreshToken": false,
...
}

encrypted with the following command

cat realm.json | sops -e -p 565C51B96C276C5DF7C07CA782F13DCA5F7C4DF7 /dev/stdin > realm.json.encrypted
{
  "data": "ENC[AES256_GCM,data:L2g/kuDeWee+xJBF4tPMt7q ...
...
}

Kustomize secretGenerator

secretGenerator:
  - name: config-secret
    files:
    - realm.json=realm.json.encrypted

When decrypting on Flux version 0.13.4, we get the correct contents of the secret

{
  "id": "example",
  "realm": "example",
  "notBefore": 0,
  "defaultSignatureAlgorithm": "RS256",
  "revokeRefreshToken": false,
...
}

on Flux version 0.16.2 we get this

{
  "data": "{\n  \"id\": \"example\",\n  \"realm\": \"example\",\n  \"notBefore\": 0,\n  \"defaultSignatureAlgorithm\": \"RS256\",\n  \"revokeRefreshToken\": false,\n ...
...
}

sops version: 3.7.1

@stefanprodan stefanprodan added area/sops SOPS related issues and pull requests bug Something isn't working help wanted Extra attention is needed labels Sep 2, 2021
@stefanprodan
Member

stefanprodan commented Oct 14, 2021

I tested this on my cluster and once the secret is mounted, the json is decoded correctly.

Create realm.json:

{
	"id": "example",
	"realm": "example",
	"notBefore": 0,
	"defaultSignatureAlgorithm": "RS256",
	"revokeRefreshToken": false
}

Encrypt it in-place:

sops --age=$AGEPUB --encrypt --in-place realm.json

Create a deployment that mounts the secret:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: podinfo
  namespace: default
spec:
  selector:
    matchLabels:
      app: podinfo
  template:
    metadata:
      labels:
        app: podinfo
    spec:
      containers:
      - name: podinfod
        image: ghcr.io/stefanprodan/podinfo:6.0.0
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 9898
          #protocol: TCP
        volumeMounts:
          - name: secrets
            mountPath: "/secrets"
            readOnly: true
      volumes:
        - name: secrets
          secret:
            secretName: json-secret

Create a kustomization that generates the Kubernetes secret:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
  - deployment.yaml
secretGenerator:
  - name: json-secret
    files:
      - realm.json=realm.json

Create a Flux kustomization to apply the above:

apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: secrets
  namespace: flux-system
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  interval: 1m0s
  path: ./secrets/test
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

After Flux reconciles the above, exec into the podinfo pod and print the json:

~ $ cat /secrets/realm.json 
{
	"id": "example",
	"realm": "example",
	"notBefore": 0,
	"defaultSignatureAlgorithm": "RS256",
	"revokeRefreshToken": false
}

@stefanprodan stefanprodan added invalid This doesn't seem right and removed bug Something isn't working help wanted Extra attention is needed labels Oct 14, 2021
@stefanprodan
Member

@aivanov-citc the issue here is that you pipe the json into sops without telling SOPS what content type it is. So sops adds the data key, as it thinks you are encrypting a binary file.

As I posted above, you can encrypt in-place or add --input-type=json to your command like so:

cat realm.json | sops -e --input-type=json -p 565C51B96C276C5DF7C07CA782F13DCA5F7C4DF7 /dev/stdin > realm.json.encrypted
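
The two layouts described above can be told apart without decrypting anything, which is useful as a pre-flight check over a repo before a Flux upgrade. The script below is an added example for this thread, not code from the issue, from SOPS or from Flux. It relies only on the output format visible above: a binary-mode file keeps the whole plaintext as one ENC[...] string under a top-level "data" key, while a structured (json input type) file keeps every leaf in place, each as its own ENC[...] string, next to the "sops" metadata block. The sample documents and every ENC[...] value in them are constructed placeholders that follow the SOPS envelope syntax with fake base64 fields; they are not real ciphertexts.

```python
"""Tell a binary-mode SOPS JSON file from a structured one (added example).

Not part of the issue, SOPS or Flux. All samples below are constructed.
"""
import json
import re
import sys
from typing import Any, Dict, Iterator, List, Tuple

# SOPS value envelope: ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<name>]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:(?P<data>[^,\]]*),iv:(?P<iv>[^,\]]*),"
    r"tag:(?P<tag>[^,\]]*),type:(?P<type>[a-z]+)\]$"
)


def iter_leaves(node: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json-path, scalar) for every leaf of a nested JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_leaves(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from iter_leaves(value, f"{path}[{idx}]")
    else:
        yield path, node


def is_envelope(value: Any) -> bool:
    """True if value is a SOPS ENC[...] string."""
    return isinstance(value, str) and ENC_RE.match(value) is not None


def classify_sops_json(text: str) -> Dict[str, Any]:
    """Classify an encrypted JSON document.

    mode is one of:
      'plaintext'  - no "sops" metadata block, nothing to decrypt
      'binary'     - one ENC[...] of type str under $.data (input type not given)
      'structured' - every leaf is an ENC[...] envelope (input type json)
      'partial'    - a SOPS file that still has plaintext leaves
    plaintext_leaves lists the json-paths of leaves that are not envelopes.
    """
    doc = json.loads(text)
    if not isinstance(doc, dict) or "sops" not in doc:
        return {"mode": "plaintext", "plaintext_leaves": []}

    payload = {k: v for k, v in doc.items() if k != "sops"}
    leaves = list(iter_leaves(payload))
    plaintext: List[str] = [p for p, v in leaves if not is_envelope(v)]

    # Binary mode leaves exactly one envelope, at $.data, of type str.
    # Caveat: a structured file whose only key really is "data" looks the same;
    # only decrypting it and inspecting the plaintext settles that case.
    if not plaintext and len(leaves) == 1 and leaves[0][0] == "$.data":
        if ENC_RE.match(leaves[0][1]).group("type") == "str":
            return {"mode": "binary", "plaintext_leaves": []}

    if not plaintext:
        return {"mode": "structured", "plaintext_leaves": []}
    return {"mode": "partial", "plaintext_leaves": plaintext}


def _fake_env(kind: str) -> str:
    """Constructed placeholder: real envelope syntax, fake base64 fields."""
    return f"ENC[AES256_GCM,data:QUFBQQ==,iv:SVZJVg==,tag:VEFH,type:{kind}]"


# Constructed samples (not the files from the issue): same layout, fake contents.
_FAKE_SOPS = {"version": "3.7.1", "lastmodified": "2021-09-02T00:00:00Z", "mac": _fake_env("str")}
BINARY_SAMPLE = json.dumps({"data": _fake_env("str"), "sops": _FAKE_SOPS})
STRUCTURED_SAMPLE = json.dumps({
    "id": _fake_env("str"),
    "realm": _fake_env("str"),
    "notBefore": _fake_env("int"),
    "defaultSignatureAlgorithm": _fake_env("str"),
    "revokeRefreshToken": _fake_env("bool"),
    "sops": _FAKE_SOPS,
})
PARTIAL_SAMPLE = json.dumps({"id": "example", "realm": _fake_env("str"), "sops": _FAKE_SOPS})
PLAINTEXT_SAMPLE = json.dumps({"id": "example", "realm": "example"})

if __name__ == "__main__":
    if sys.argv[1:]:
        # Classify real files given on the command line.
        for name in sys.argv[1:]:
            with open(name, encoding="utf-8") as fh:
                print(name, classify_sops_json(fh.read()))
    else:
        for name, sample in [("binary", BINARY_SAMPLE), ("structured", STRUCTURED_SAMPLE),
                             ("partial", PARTIAL_SAMPLE), ("plaintext", PLAINTEXT_SAMPLE)]:
            print(name, classify_sops_json(sample))
```

Run it with no arguments to see the four constructed cases, or pass encrypted files (`python3 sops_layout_check.py secrets/*.json`) to find the binary-mode ones that need re-encrypting with --input-type=json before the upgrade. The check is JSON-only; a YAML file would need the same walk over a YAML loader's output.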

@aivanov-citc
Author

aivanov-citc commented Oct 14, 2021

Yes indeed. When specifying the file type, it works in version 0.16.2, but does not work in version 0.13.4. We will have to update both the flux version and reencrypt the files at the same time. Thanks.

@stefanprodan
Member

@aivanov-citc please consider upgrading to latest Flux, see here the upgrade guide: fluxcd/flux2#1916
