-
Notifications
You must be signed in to change notification settings - Fork 835
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Elements in encrypted yaml are not ordered alphabetically #1445
Comments
SOPS generally preserves the YAML key order, appends the |
But even Inside the "sops:" part the elements are not arranged alphabetically, kms appears before age or azure_kv, can you explain this behaviour? |
I did:
The internal ordering is not alphabetical. Also: SOPS is not a K8S tool. |
I'm sorry for the misunderstanding, I understand that the internal order is not alphabetical what I meant to to ask was "why must it be like this?", is the change I'm requesting harmful to the process somehow? as a user of SOPS I would like it very much and it does not seem like a big hassle, what am I missing? |
It doesn't have to be like this for the I guess we could make it configurable, but that's something that needs to be implemented first. (It's also not that trivial since YAML keys don't have to be strings. So you need a total order that covers all possible key types.) |
I would have thought that having a fully symmetrical process would be a good solid reason, am I the only one who finds great value in being able to read the decrypted value straight from the K8S cluster without needing the original encrypted file that was applied? |
I guess you aren't the only one, but don't forget about non-K8S users which do not sort their YAML files alphabetically. |
I fail to see how non-K8S users would suffer from this change, all I see is benefit, maybe I'm missing something. |
When creating encrypted yaml the elements in the yaml created are not ordered alphabetically, so "spec" appears before "sops" and "gcp_kms" appears before "age".
When retrieving SopsSecret from K8S as yaml elements always ordered alphabetically.
So, if I encrypt a secret, apply the encrypted yaml to cluster, get it back from cluster via "kubectl get -o yaml", sanitise the yaml from from unwanted tags and try to decrypt it I will receive a MAC mismatch.
The text was updated successfully, but these errors were encountered: