isindir · isindir · Jun 12, 2024 · Jun 12, 2024 · Jun 12, 2024 · Jun 12, 2024
@@ -1,7 +1,7 @@
 # UPDATE_HERE
 # !!!!!!! NOTE: GOEXPERIMENT=nocoverageredesign is temp until 1.23.x
 GO := GOEXPERIMENT=nocoverageredesign GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.13.0
+SOPS_SEC_OPERATOR_VERSION := 0.13.1
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.15.0"

@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.30.x | v3.8.1 | 0.19.0 | 0.13.0 |
+| v1.30.x | v3.8.1 | 0.19.1 | 0.13.1 |
 | v1.29.x | v3.8.1 | 0.18.6 | 0.12.6 |
 | v1.28.x | v3.8.1 | 0.17.4 | 0.11.4 |
 | v1.27.x | v3.7.3 | 0.15.5 | 0.9.5 |
@@ -281,6 +281,69 @@ metadata:
 > previously not managed secret will be replaced by `SopsSecret` owned at the next rescheduled
   reconciliation event.
 
+## Enforcing decryption to one namespace
+
+To enforce decryption and kubernetes `Secrets` creation only to specific `Namespace`, it is possible to
+configure two additional parameters and encrypt in a specific way `SopsSecret` resource, example snippet of
+the raw `SopsSecret` resource:
+
+```yaml
+apiVersion: isindir.github.com/v1alpha3
+kind: SopsSecret
+metadata:
+  name: example-sopssecret
+  namespace: "cicd"
+spec:
+  enforceNamespace: true                   # must be set to true for enforcement to work
+  secretTemplatesEnforcedNamespace: "cicd" # must match to in cluster namespace of the sops.metadata.namespace
+  suspend: false
+  secretTemplates:
+    - name: jenkins-secret
+      labels:
+...
+```
+
+encrypt this file using example command:
+
+```sh
+sops -e --age ${SOPS_AGE_RECIPIENTS} --encrypted-regex secretTemplates jenkins-secrets.yaml > jenkins-secrets.enc.yaml
+```
+> it will encrypt all the fields which contain `secretTemplates` and as both - `secretTemplates` and `secretTemplatesEnforcedNamespace`
+  contain it, bot will be encrypted. The rest of the spec stays untouched - significantly both boolean fields.
+
+Resulting file snippet must look similar to example below:
+
+```yaml
+apiVersion: isindir.github.com/v1alpha3
+kind: SopsSecret
+metadata:
+    name: example-sopssecret
+    namespace: "cicd"
+spec:
+    enforceNamespace: true
+    secretTemplatesEnforcedNamespace: ENC[AES256_GCM,data:AwmSftNeUA==,iv:JtfLsw++XnhS0pHzbuCS9Bi1AY87yDQ+NTZchzYe/Q0=,tag:n2ve4QExIGww0rTNbEdhvQ==,type:str]
+    suspend: false
+    secretTemplates:
+        - name: ENC[AES256_GCM,data:tYU/qdyidyc2/B97nEI=,iv:UQHAVxRWvcBSwGU88ZNF++BbAIpGESsyRvJvCG6VQBA=,tag:Rep2dhnzEYT3+ZWrQpqENQ==,type:str]
+          labels:
+...
+```
+
+if there was attempt to copy secret to another namespace, following log message can be observered:
+
+```
+INFO    controllers.SopsSecret  New child secret creation error {"sopssecret": {"name":"example-sopssecret","namespace":"abc"}, "error": "createKubeSecretFromTemplate(): secret template enforced namespace must be the same as the sopssecret namespace"}
+```
+
+and the status will be as follows:
+
+```
+% kc get sops -A
+NAMESPACE   NAME                 STATUS
+abc         example-sopssecret   New child secret creation error
+cicd        example-sopssecret   Healthy
+```
+
 ## Example procedure to upgrade from one `SopsSecret` API version to another
 
 Please see document here: [SopsSecret API and Operator Upgrade](docs/api_upgrade_example/README.md)

@@ -22,11 +22,21 @@ type SopsSecretSpec struct {
 	// Secrets template is a list of definitions to create Kubernetes Secrets
 	//+kubebuilder:validation:MinItems=1
 	//+required
-	SecretsTemplate []SopsSecretTemplate `json:"secretTemplates"`
+	SecretTemplates []SopsSecretTemplate `json:"secretTemplates"`
 
 	// This flag tells the controller to suspend the reconciliation of this source.
 	//+optional
 	Suspend bool `json:"suspend,omitempty"`
+
+	// EnforceNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
+	// Must be used together with Spec.SecretTemplatesEnforcedNamespace
+	//+optional
+	EnforceNamespace bool `json:"enforceNamespace,omitempty"`
+
+	// SecretTemplatesEnforcedNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
+	// Must have same value as the SopsSecret resource namespace and EnforceNamespace must be set to true.
+	//+optional
+	SecretTemplatesEnforcedNamespace string `json:"secretTemplatesEnforcedNamespace,omitempty"`
 }
 
 // SopsSecretTemplate defines the map of secrets to create

@@ -1,7 +1,7 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.19.0
-appVersion: 0.13.0
+version: 0.19.1
+appVersion: 0.13.1
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

@@ -134,7 +134,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.13.0"` | Operator image tag |
+| image.tag | string | `"0.13.1"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | initImage.pullPolicy | string | `"Always"` | Init container image pull policy |
 | initImage.repository | string | `"ubuntu"` | Init container image name |

@@ -31,8 +31,8 @@ tests:
             app.kubernetes.io/instance: sops
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: 0.13.0
-            helm.sh/chart: sops-secrets-operator-0.19.0
+            app.kubernetes.io/version: 0.13.1
+            helm.sh/chart: sops-secrets-operator-0.19.1
 
   # custom name
   - it: should correctly render custome name
@@ -170,7 +170,7 @@ tests:
       # UPDATE_HERE
       - equal:
           path: spec.template.spec.containers[0].image
-          value: isindir/sops-secrets-operator:0.13.0
+          value: isindir/sops-secrets-operator:0.13.1
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: Always

@@ -13,7 +13,7 @@ image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.13.0
+  tag: 0.13.1
   # -- Operator image pull policy
   pullPolicy: Always
 

@@ -535,6 +535,11 @@ spec:
           spec:
             description: SopsSecret Spec definition
             properties:
+              enforceNamespace:
+                description: |-
+                  EnforceNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
+                  Must be used together with Spec.SecretTemplatesEnforcedNamespace
+                type: boolean
               secretTemplates:
                 description: Secrets template is a list of definitions to create Kubernetes
                   Secrets
@@ -580,6 +585,11 @@ spec:
                   type: object
                 minItems: 1
                 type: array
+              secretTemplatesEnforcedNamespace:
+                description: |-
+                  SecretTemplatesEnforcedNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
+                  Must have same value as the SopsSecret resource namespace and EnforceNamespace must be set to true.
+                type: string
               suspend:
                 description: This flag tells the controller to suspend the reconciliation
                   of this source.