
I have configured Flux to use SOPS to decrypt. Here's a brief highlight of what I did. In the gotk-sync.yaml file I have added the decryption property.

apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./clusters/my-cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: my-private-key

The secret my-private-key is created correctly and has the private key.

I have pushed the file and the change has taken effect.

In my application repo I have a secret file.

apiVersion: v1
kind: Secret
metadata:
    name: mysqlcreds
type: Opaque
data: null
stringData:
    DB_USER: bugs
    DB_PASSWORD: bunny

I'm encrypting this file with SOPS and pushing it. Flux picks up the change and reconciles. But the stringData values remain encrypted. My application gets these values from the environment variable and they show up encrypted like this:

ENC[AES256_GCM,data:PdU1ex4H,iv:p5u11vsmHc/tBVGV2g9kTsMSFvQDiYNEwFVeEeMg/pY=,tag:/JTTNNRnYh076EPAd8c/LA==,type:str]

I can't figure out why Flux is not decrypting the data. How do I debug this? flux logs shows nothing wrong.

RajV

1 Answer


I was enabling SOPS for the wrong Git repo. I had to do that for my application git repo's Kustomization.

apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-demo-webapp
  namespace: flux-system
spec:
  interval: 5m0s
  path: ./flux-config
  prune: true
  sourceRef:
    kind: GitRepository
    name: my-demo-webapp
  targetNamespace: default
  decryption:
    provider: sops
    secretRef:
      name: my-private-key

After that decryption worked fine.

RajV
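The root cause in the answer is a coverage gap: the decryption block lived on the flux-system Kustomization, but the encrypted Secret was reconciled by a different Kustomization (the application repo's) that had no decryption configured, so Flux applied the ciphertext as-is. The following is an added example, not code from the question, the answer, Flux or SOPS. It offers two offline checks a practitioner can run against a Git checkout before pushing: parse_sops_enc recognises the ENC[...] shape that shows up in the cluster when a Secret was applied undecrypted, and find_undecryptable_secrets lists every SOPS-encrypted file that no decryption-enabled Kustomization covers. The manifests, the repository name my-demo-webapp, the file path flux-config/mysql-secret.yaml and the DB_USER ciphertext are constructed for the example; load_simple_yaml is a deliberately minimal reader for the scalar-only mappings in a Kustomization, not a YAML parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of a SOPS-encrypted scalar exactly as it lands in a Secret that Flux
# applied without decrypting it (the string the question shows in its env var).
ENC_RE = re.compile(r"^ENC\[(?P<cipher>[A-Z0-9_]+),data:(?P<data>[^,\]]*),"
                    r"iv:(?P<iv>[^,\]]*),tag:(?P<tag>[^,\]]*),type:(?P<type>[a-z]+)\]$")


def parse_sops_enc(value: str) -> Optional[Dict[str, str]]:
    """Fields of a SOPS ENC[...] value, or None when the value is plaintext."""
    m = ENC_RE.match(value.strip())
    return m.groupdict() if m else None


def load_simple_yaml(text: str) -> Dict:
    """Minimal reader for nested block mappings of scalars (no lists/anchors)."""
    root: Dict = {}
    stack: List[Tuple[int, Dict]] = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("'\"")
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def sops_encrypted_keys(manifest: str) -> List[str]:
    """Keys in a manifest whose values are still SOPS ciphertext."""
    keys = []
    for line in manifest.splitlines():
        key, sep, value = line.strip().partition(":")  # splits at the first colon only
        if sep and parse_sops_enc(value):
            keys.append(key)
    return keys


def find_undecryptable_secrets(kustomization_yaml: str,
                               repo_files: Dict[Tuple[str, str], str]) -> List[str]:
    """One finding per encrypted file that no SOPS-enabled Kustomization reconciles.
    repo_files maps (GitRepository name, path inside that repo) to file contents."""
    docs = re.split(r"(?m)^---\s*$", kustomization_yaml)
    kustomizations = [d for d in map(load_simple_yaml, docs) if d.get("kind") == "Kustomization"]
    findings = []
    for (repo, rel_path), manifest in sorted(repo_files.items()):
        keys = sops_encrypted_keys(manifest)
        if not keys:
            continue
        covering, decrypting = [], False
        for ks in kustomizations:
            spec = ks.get("spec", {})
            prefix = re.sub(r"^\./", "", spec.get("path", "./")).strip("/")
            if spec.get("sourceRef", {}).get("name") != repo or (
                    prefix and not rel_path.startswith(prefix + "/")):
                continue  # this Kustomization does not reconcile the file at all
            covering.append(ks["metadata"]["name"])
            decrypting |= spec.get("decryption", {}).get("provider") == "sops"
        if not decrypting:
            findings.append(f"{repo}:{rel_path} keys {keys} are SOPS ciphertext but "
                            f"{covering or 'no Kustomization'} applies them without decryption")
    return findings


# Constructed sample, abbreviated from the question: the cluster Kustomization has
# decryption configured, the application Kustomization (the one that actually
# reconciles the Secret) does not.
KUSTOMIZATIONS_BEFORE = """\
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: flux-system
spec:
  path: ./clusters/my-cluster
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: my-private-key
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-demo-webapp
spec:
  path: ./flux-config
  sourceRef:
    kind: GitRepository
    name: my-demo-webapp
"""
# The fix from the answer: the same decryption block on the application Kustomization.
KUSTOMIZATIONS_AFTER = KUSTOMIZATIONS_BEFORE + """\
  decryption:
    provider: sops
    secretRef:
      name: my-private-key
"""
# Constructed, abbreviated SOPS output for the question's Secret: the sops metadata
# block is omitted and the DB_USER ciphertext is a placeholder, not real output.
REPO_FILES = {
    ("my-demo-webapp", "flux-config/mysql-secret.yaml"): """\
apiVersion: v1
kind: Secret
metadata:
    name: mysqlcreds
stringData:
    DB_USER: ENC[AES256_GCM,data:AbCd,iv:aWY=,tag:dGFn,type:str]
    DB_PASSWORD: ENC[AES256_GCM,data:PdU1ex4H,iv:p5u11vsmHc/tBVGV2g9kTsMSFvQDiYNEwFVeEeMg/pY=,tag:/JTTNNRnYh076EPAd8c/LA==,type:str]
""",
}
```

Running find_undecryptable_secrets(KUSTOMIZATIONS_BEFORE, REPO_FILES) reports the one file under my-demo-webapp as applied by a Kustomization without decryption; with KUSTOMIZATIONS_AFTER the list is empty. In a live cluster the same question is answered by inspecting the Kustomization objects Flux actually holds (flux get kustomizations -A, or kubectl get kustomizations -A -o yaml) and checking which one's sourceRef and path cover the encrypted file; parse_sops_enc applied to a Secret's values read back from the cluster confirms whether it was applied undecrypted.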