Request for skipping keys in YAML that match encrypted_regex but are in plaintext

[vlasov-y]

Hi! Issue comes from Flux
SOPS fails if we have keys with plain text, but those keys match encrypted_regex.
Can you please make SOPS to ignore fields if they are not acttualy encrypted?

Example manifest:

apiVersion: v1
kind: Pod
metadata:
  name: pod
spec:
  containers:
    - name: main
      image: nginx:stable-alpine
      env:
        - name: ENC[AES256_GCM,data:...
          value: ENC[AES256_GCM,data:...
      resources:
        limits:
          memory: 50Mi
          cpu: 50m
    - name: patched
      image: nginx:stable-alpine
      env:
        - name: MainEnvValueIsEncrypted
          value: but this one is not
sops:
  ...
  encrypted_regex: ^env$ # There it is
  ...

[felixfontein]

This can only happen if you manually edit files after encrypting them with SOPS. Why do you want to do this? Generally I think it is good if SOPS reports errors for such broken files.

[vlasov-y]

That is a core flux functionality - to merge manifests. Basically it works fine and SOPS can decrypt such modified files, except if the issue case.

[vlasov-y]

This can only happen if you manually edit files after encrypting them with SOPS. Why do you want to do this? Generally I think it is good if SOPS reports errors for such broken files.

If SOPS starts reporting mixed files instead of decrypting them, that will be a catastrophic for Flux, please, do not do that.

[felixfontein]

SOPS does support mixed files, as long as they stick to the rules.

If you want to encrypt some env entries but not others, then maybe using encrypted_comment_regex (with appropriate comments in the right places) instead of encrypted_regex would be the better choice?

[vlasov-y]

I did not know about this way. Will think about that. Please, do not change default behaviour, let it continue decrypt modified files for us.

[felixfontein]

We try to avoid breaking changes; and changing default behavior is generally a breaking change.