Secret merging of stringData vs data

Question

Secret merging of stringData vs data

alexknips opened this issue a year ago · comments

I might have found an issue with SOPS, kustomize or kustomize-sops. Unfortunately I don't know which tool is doing something wrong.

The issue.

Given a secret (decrypted)

apiVersion: v1
kind: Secret
metadata:
    name: demo-secrets
    annotations:
        kustomize.config.k8s.io/needs-hash: "true"
type: Opaque
stringData:
    Secret1: ABC
data:
    Secret3: ABC

and an overlayed secret

apiVersion: v1
kind: Secret
metadata:
    name: demo-secrets
    annotations:
        kustomize.config.k8s.io/needs-hash: "true"
        kustomize.config.k8s.io/behavior: merge
type: Opaque
stringData:
    Secret2: DEF
data:
    Secret4: DEF

that is merged

the output of
kubectl kustomize --enable-alpha-plugins demo/overlays

or kustomize build --enable-alpha-plugins demo/overlays

is

apiVersion: v1
data:
  Secret3: ABC
  Secret4: DEF
kind: Secret
metadata:
  name: demo-secrets-924gtdkd22
stringData:
  Secret2: DEF
type: Opaque

and stringData is not merged in the same manner as data.

I have tried this also with the newest version of KSOPS

kustomize build --enable-alpha-plugins --enable-exec demo-secret-merging/overlays

and the result is the same.

I attached my demo that one should extract into a folder demo to reproduce the issue.
demo.tar.gz

Best regards
Alexander

Devin Stein · Answer 1 · Fri Jan 27 2023 05:29:32 GMT+0800 (China Standard Time)

Hi @alexknips thanks for making a detailed issue! KSOPS relies on kustomize native functionality for merging secrets, so my intuition is that this is a bug with kustomize itself. I suggest making an issue in kustomize and see what they say.

What version of kustomize are you using? The output should look something like

➜  kustomize-sops git:(master) kustomize version
{Version:v4.5.7+ksops.db3793558eb04f893d41b5e94a2fab606a1b4017 GitCommit:v4@v4.5.7 BuildDate:2023-01-07T18:34:29Z GoOs:darwin GoArch:amd64}

Alexander Knips · Answer 2 · Sat Jan 28 2023 07:01:56 GMT+0800 (China Standard Time)

What version of kustomize are you using? The output should look something like

{Version:kustomize/v4.5.7 GitCommit:56d82a8378dfc8dc3b3b1085e5a6e67b82966bd7 BuildDate:2022-08-02T16:28:01Z GoOs:darwin GoArch:arm64}

Devin Stein · Answer 3 · Fri Feb 10 2023 08:32:22 GMT+0800 (China Standard Time)

Hey @alexknips any luck with this issue? We're you able to get in touch with the kustomize folks?