Today I learned why FluxCD doesn’t validate the MAC provided by SOPS during secret decryption. In general SOPS not only provides secrecy for encrypted files but also integrity. This is done by hashing the content and signing this hash with a secret used for decryption. However, it became obvious to me that FluxCD doesn’t care about the integrity of the encrypted files as files would easily apply to the cluster even when locally they required --ignore-mac to decrypt successfully. The reason this is necessary turns out to be the order in which FluxCD merges kustomize resources. It merges/processes the manifests first, then decrypts the values. As a result the MAC would always fail.

decryption failed for 'example': failed to decrypt and format 'example-ns/example' Ingress data: error decrypting sops tree: Error walking tree: Could not decrypt value: Input string https://$host/oauth2/auth does not match sops' data format

I came across then when seeing the error message above while experimenting with kustomize components in combination with the experience of flux not caring about failed integrity checks after renovate updates in encrypted files. The issue could have only appeared when the component was merged into the manifest before the decryption took place, as the field causing the error doesn’t exist in the encrypted file.