kustomize-controller does not work with sops encrypted_comment_regex #1411

Open
Description

@fredgate

Sops allows encrypting only the lines annotated with a comment matching a regex. This is very useful as the manifests stored in the git repository are more readable: only sensitive data is encrypted and everything else stays clearly readable.

The .sops.yaml file can be configured like this:

creation_rules:
- path_regex: \.yaml$
  encrypted_comment_regex: "^ sops-encrypt"
  pgp: E38ACXXXXXXXXXXXXXXXXXXXXXXXXXX

So a HelmRelease can be stored like this:

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
    name: myapplication
    namespace: default
spec:
    chart:
        spec:
            chart: myapplication
            version: 1.x.x
            sourceRef:
                kind: HelmRepository
                name: helm
                namespace: flux-system
            interval: 2m
    interval: 3m
    values:
        image:
            repository: registry.contoso.com/contoso/myapplication
        rootUser: admin
        # sops-encrypt
        rootPassword: ENC[AES256_GCM,data:WTZcAXgmxZU3m6HtFukJvqGu,iv:k4WG13EBxvt+mkeimz9tpC/B/UyGSeJ9ygEyWtYcdBU=,tag:e9kam+6mR5WLb2UDVIjVPA==,type:str]
        foo: bar
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2025-03-31T08:29:21Z"
    mac: ENC[AES256_GCM,data:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,type:str]
    pgp:
        - created_at: "2025-03-31T08:29:21Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            -----END PGP MESSAGE-----
          fp: E38ACXXXXXXXXXXXXXXXXXXXXXXXXXX
    encrypted_comment_regex: ^ sops-encrypt
    version: 3.9.0

The problem is that the kustomize-controller marshals the resource to JSON before decrypting it, so it loses the comments and then decrypts nothing: https://github.com/fluxcd/kustomize-controller/blob/main/internal/decryptor/decryptor.go#L346-L350.
The resource deployed in the cluster contains the encrypted string instead of the sensitive data:

kubectl get hr myapplication -o yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
    name: myapplication
    namespace: default
spec:
    chart:
        spec:
            chart: myapplication
            version: 1.x.x
            sourceRef:
                kind: HelmRepository
                name: helm
                namespace: flux-system
            interval: 2m
    interval: 3m
    values:
        image:
            repository: registry.contoso.com/contoso/myapplication
        rootUser: admin
        rootPassword: ENC[AES256_GCM,data:WTZcAXgmxZU3m6HtFukJvqGu,iv:k4WG13EBxvt+mkeimz9tpC/B/UyGSeJ9ygEyWtYcdBU=,tag:e9kam+6mR5WLb2UDVIjVPA==,type:str]
        foo: bar
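The two halves of the report above (comment-driven selection, and ciphertext surviving into the deployed object) can be reproduced without a cluster. The script below is an added example, not code from this issue, from kustomize-controller or from SOPS. It assumes a simplified reading of `encrypted_comment_regex` (the marker comment sits on the line directly above the key), a line-based YAML scan that is enough for the manifest shown here, and a constructed sample built from the issue's own HelmRelease. `annotated_keys` shows which keys the regex would select before and after comments are dropped, and `lingering_ciphertext` is the check a defender would run over `kubectl get ... -o yaml` output to catch a secret that reached the cluster still encrypted.

```python
import re

# Constructed sample: the annotated HelmRelease from the issue, trimmed to the
# parts that matter (values block plus the top-level sops metadata).
ANNOTATED_MANIFEST = """\
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
    name: myapplication
spec:
    values:
        rootUser: admin
        # sops-encrypt
        rootPassword: ENC[AES256_GCM,data:WTZcAXgmxZU3m6HtFukJvqGu,iv:k4WG13EBxvt+mkeimz9tpC/B/UyGSeJ9ygEyWtYcdBU=,tag:e9kam+6mR5WLb2UDVIjVPA==,type:str]
        foo: bar
sops:
    mac: ENC[AES256_GCM,data:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,type:str]
    encrypted_comment_regex: ^ sops-encrypt
"""

COMMENT_LINE = re.compile(r"^\s*#(?P<body>.*)$")
KEY_LINE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z0-9_.-]+):\s*(?P<value>.*)$")
# Shape of a SOPS ciphertext literal: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
SOPS_ENC = re.compile(r"ENC\[AES256_GCM,[^\]]*\]")


def annotated_keys(yaml_text, comment_regex):
    """Return keys whose immediately preceding comment line matches comment_regex.

    Assumption (simplified model of SOPS's encrypted_comment_regex): the marker
    comment is a full-line comment placed directly above the key it selects.
    """
    marker = re.compile(comment_regex)
    selected = []
    pending = False
    for line in yaml_text.splitlines():
        m = COMMENT_LINE.match(line)
        if m:
            pending = bool(marker.search(m.group("body")))
            continue
        k = KEY_LINE.match(line)
        if k and pending:
            selected.append(k.group("key"))
        pending = False  # a marker only applies to the very next line
    return selected


def strip_comments(yaml_text):
    """Simulate what a YAML -> JSON -> YAML round trip does to comments: drops them."""
    kept = [l for l in yaml_text.splitlines() if not COMMENT_LINE.match(l)]
    return "\n".join(kept) + "\n"


def lingering_ciphertext(manifest_text):
    """Keys outside the top-level `sops:` block whose value is still SOPS ciphertext.

    Feed it the object as it exists in the cluster (kubectl get ... -o yaml).
    A non-empty result means a secret was applied encrypted instead of decrypted,
    which is exactly the symptom reported in this issue.
    """
    leaked = []
    in_sops_block = False
    for line in manifest_text.splitlines():
        k = KEY_LINE.match(line)
        if not k:
            continue
        if k.group("indent") == "":
            # Track whether we are inside the top-level sops metadata block,
            # whose `mac:` is legitimately ciphertext.
            in_sops_block = k.group("key") == "sops"
        if in_sops_block:
            continue
        if SOPS_ENC.search(k.group("value")):
            leaked.append(k.group("key"))
    return leaked


if __name__ == "__main__":
    regex = "^ sops-encrypt"
    print("selected with comments:", annotated_keys(ANNOTATED_MANIFEST, regex))
    print("selected after JSON round trip:",
          annotated_keys(strip_comments(ANNOTATED_MANIFEST), regex))
    print("still-encrypted keys in deployed object:",
          lingering_ciphertext(strip_comments(ANNOTATED_MANIFEST)))
```

With comments present the regex selects `rootPassword`; after the comments are stripped the same regex selects nothing, which is why the controller ends up decrypting nothing. The last check is worth running as a post-reconcile gate or a periodic audit: any key that still holds an `ENC[AES256_GCM,...]` literal outside the `sops` block means the decryption step silently did not apply.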
