Create a Kubernetes Secret from an encrypted dotenv file results in stringData instead of data

[tomklapka]

Create a Kubernetes Secret from an encrypted dotenv file ganerates a secret with stringData content e.g.:

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
secretFrom:
  - metadata:
      name: xyz-secrets
      annotations:
        kustomize.config.k8s.io/behavior: merge
        kustomize.config.k8s.io/needs-hash: "true"
    envs:
      - .secrets.enc.env

But Kustomize SecretGenerator generates secret with data content:
Also in Kustomize doc (https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kustomize/) is a following note: The stringData field for a Secret does not work well with server-side apply.

It makes sense to me keeping up with Kustomize.

kustomize v5.3.0
kops v4.3.2

[dosubot]

Hey @tomklapka! I'm here to help you with any bugs, questions, or contributions you have. Let's tackle this together!

To ensure that the generated Kubernetes Secret from an encrypted dotenv file uses data instead of stringData when using Kustomize SecretGenerator with KSOPS, you can use the secretFrom field in your secret-generator.yaml configuration. Here is an example configuration:

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: example-secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
secretFrom:
- metadata:
    name: secret-name
  envs:
  - ./secret.enc.env

This configuration will generate a Kubernetes Secret using the data field instead of stringData ^[1][2].

To continue talking to Dosu, mention @dosu.

[tomklapka]

@dosu It's not true, check my secret generator code once again

[devstein]

Hey @tomklapka is this still an issue? Happy to help with workarounds

[luong-komorebi]

I can confirm that this issue is still there

@devstein may I ask what the work around would be ?