Problem
DecryptionConfig.Provider is an enum sops | age (apis/v1alpha1/types.go:28-34), but SOPS is the wrapping format and age is a key type. Conflating the two is confusing.
Meanwhile, SOPSDecrypt() sets only SOPS_AGE_KEY (internal/decrypt/decrypt.go:36-40) — PGP and KMS decryption technically work if the corresponding environment (e.g. ~/.gnupg, AWS_*, GOOGLE_APPLICATION_CREDENTIALS) happens to be present, but this is undocumented and unconfigurable via the CRD.
Impact
- Users with PGP or cloud-KMS SOPS workflows have no supported path.
- API semantics are unclear to consumers reading the CRD.
Suggested fix
Redesign DecryptionConfig:
- Rename Provider → KeyType with values age | pgp | kms-aws | kms-gcp | kms-azure | kms-vault.
- For each key type, define what keys the referenced Secret must contain.
- Wire each type explicitly in SOPSDecrypt instead of relying on env-var fallbacks.
This is a breaking API change, so pair with a CRD version bump or a conversion webhook.
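Added example (not the project's code): a Go sketch of the redesign suggested above. KeyType replaces Provider, a table states which keys the referenced Secret must contain per key type, and the environment handed to the SOPS decrypt call is built only from that Secret, so a missing key is a validation error rather than a silent fallback to whatever happens to be in the controller's environment. The Secret key names, the DecryptionConfig shape and the placeholder GNUPGHOME path are assumptions for illustration; the environment variable names are the ones SOPS and the respective KMS SDKs read.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// KeyType names the SOPS key type (hypothetical replacement for Provider).
type KeyType string

const (
	KeyTypeAge      KeyType = "age"
	KeyTypePGP      KeyType = "pgp"
	KeyTypeKMSAWS   KeyType = "kms-aws"
	KeyTypeKMSGCP   KeyType = "kms-gcp"
	KeyTypeKMSAzure KeyType = "kms-azure"
	KeyTypeKMSVault KeyType = "kms-vault"
)

// requiredSecretKeys lists the keys the referenced Secret must carry per key type.
// Key names are assumptions for this example, not the project's schema.
var requiredSecretKeys = map[KeyType][]string{
	KeyTypeAge:      {"age.agekey"},
	KeyTypePGP:      {"pgp.asc"},
	KeyTypeKMSAWS:   {"aws_access_key_id", "aws_secret_access_key"},
	KeyTypeKMSGCP:   {"google_credentials.json"},
	KeyTypeKMSAzure: {"azure_client_id", "azure_client_secret", "azure_tenant_id"},
	KeyTypeKMSVault: {"vault_addr", "vault_token"},
}

// DecryptionConfig is the hypothetical redesigned CRD field.
type DecryptionConfig struct {
	KeyType   KeyType
	SecretRef string // name of the Secret holding the key material
}

var ErrUnsupportedKeyType = errors.New("unsupported key type")

// Validate rejects unknown key types and Secrets that lack the keys the type needs.
func (c DecryptionConfig) Validate(secretData map[string][]byte) error {
	required, ok := requiredSecretKeys[c.KeyType]
	if !ok {
		return fmt.Errorf("%w: %q", ErrUnsupportedKeyType, c.KeyType)
	}
	var missing []string
	for _, k := range required {
		if v, present := secretData[k]; !present || len(v) == 0 {
			missing = append(missing, k)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return fmt.Errorf("secret %q is missing keys for key type %q: %v", c.SecretRef, c.KeyType, missing)
	}
	return nil
}

// DecryptEnv builds the explicit environment for one SOPS decrypt call from the
// Secret alone; nothing is inherited from the controller process environment.
func (c DecryptionConfig) DecryptEnv(secretData map[string][]byte) (map[string]string, error) {
	if err := c.Validate(secretData); err != nil {
		return nil, err
	}
	env := map[string]string{}
	switch c.KeyType {
	case KeyTypeAge:
		env["SOPS_AGE_KEY"] = string(secretData["age.agekey"])
	case KeyTypePGP:
		// The armored key from pgp.asc would be imported into an isolated keyring at
		// this path (placeholder); the import step itself is outside this example.
		env["GNUPGHOME"] = "/var/run/sops-gnupghome-placeholder"
	case KeyTypeKMSAWS:
		env["AWS_ACCESS_KEY_ID"] = string(secretData["aws_access_key_id"])
		env["AWS_SECRET_ACCESS_KEY"] = string(secretData["aws_secret_access_key"])
	case KeyTypeKMSGCP:
		// SOPS accepts the service-account JSON itself via GOOGLE_CREDENTIALS.
		env["GOOGLE_CREDENTIALS"] = string(secretData["google_credentials.json"])
	case KeyTypeKMSAzure:
		env["AZURE_CLIENT_ID"] = string(secretData["azure_client_id"])
		env["AZURE_CLIENT_SECRET"] = string(secretData["azure_client_secret"])
		env["AZURE_TENANT_ID"] = string(secretData["azure_tenant_id"])
	case KeyTypeKMSVault:
		env["VAULT_ADDR"] = string(secretData["vault_addr"])
		env["VAULT_TOKEN"] = string(secretData["vault_token"])
	}
	return env, nil
}

func main() {
	// Constructed sample: an age Secret that is complete, and a KMS Secret that is not.
	cfg := DecryptionConfig{KeyType: KeyTypeAge, SecretRef: "sops-age"}
	env, err := cfg.DecryptEnv(map[string][]byte{"age.agekey": []byte("AGE-SECRET-KEY-1PLACEHOLDER")})
	fmt.Println(env, err)
	bad := DecryptionConfig{KeyType: KeyTypeKMSAWS, SecretRef: "sops-aws"}
	_, err = bad.DecryptEnv(map[string][]byte{"aws_access_key_id": []byte("AKIAPLACEHOLDER")})
	fmt.Println(err)
}
```

The point of the switch is that every supported key type is named in code and in the CRD; a type not listed fails closed, and a Secret that does not match its declared type fails at validation time with the missing key names instead of at decrypt time with an opaque SOPS error.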
Files
apis/v1alpha1/types.go:28-34
internal/decrypt/decrypt.go:30-64
internal/controller/remotecluster/remotecluster.go:325-338