SOPs encrypted dockerconfigjson secret causes validation failure #3528

Closed
djh00t opened this issue Jan 30, 2023 · 1 comment

djh00t commented Jan 30, 2023

Describe the bug

This seems to be a reoccurrence of this issue:
#2392

Flux Version:

root@k8s01-gsw2:~/# flux -v
flux version 0.38.3
root@k8s01-gsw2:~/#

When pushing secrets containing dockerconfigjson, Flux fails on validation when using both data: and stringData: fields.

Error when using data:
Secret/ntp-server/ghcr-secret validation error: error decoding from json: illegal base64 data at input byte 3

Error when using stringData:
Secret/ntp-server/ghcr-secret invalid, error: data values must be of type string

Example yaml:

apiVersion: v1
data:
    .dockerconfigjson: ENC[AES256_GCM,data:REMOVED,type:str]
kind: Secret
metadata:
    creationTimestamp: null
    name: ghcr-secret
    namespace: ntp-server
type: kubernetes.io/dockerconfigjson
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: REMOVED
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            REMOVED
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-01-30T01:02:12Z"
    mac: ENC[AES256_GCM,data:REMOVED,tag:REMOVED==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3

Steps to reproduce

Age encrypt a file with dockerconfigjson in it and push to a flux managed k8s install.

Expected behavior

File will be decrypted and secret will be applied.

Screenshots and recordings

No response

OS / Distro

Ubuntu 22.04

Flux version

0.38.3

Flux check

► checking prerequisites
✔ Kubernetes 1.25.4+k3s1 >=1.20.6-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.28.1
✔ image-automation-controller: deployment ready
► ghcr.io/fluxcd/image-automation-controller:v0.28.0
✔ image-reflector-controller: deployment ready
► ghcr.io/fluxcd/image-reflector-controller:v0.23.1
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.32.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.30.2
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.33.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta2
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1beta2
✔ helmcharts.source.toolkit.fluxcd.io/v1beta2
✔ helmreleases.helm.toolkit.fluxcd.io/v2beta1
✔ helmrepositories.source.toolkit.fluxcd.io/v1beta2
✔ imagepolicies.image.toolkit.fluxcd.io/v1beta1
✔ imagerepositories.image.toolkit.fluxcd.io/v1beta1
✔ imageupdateautomations.image.toolkit.fluxcd.io/v1beta1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1beta2
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta2
✔ receivers.notification.toolkit.fluxcd.io/v1beta2
✔ all checks passed

Git provider

github

Container Registry provider

ghcr.io

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
Member

stefanprodan commented Jan 30, 2023

See here how Flux works with dockerconfigjson: https://fluxcd.io/flux/components/kustomize/kustomization/#kustomize-secretgenerator
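
The first error quoted in the report matches what Go's base64 decoder returns when it is handed an undecrypted SOPS value: `E`, `N` and `C` are valid base64 characters and the `[` at byte 3 is not. The following is an added example, not code from this thread or from Flux; the helper name `checkSecretData` is hypothetical and the sample values are constructed. It applies the base64 rule Kubernetes enforces on `Secret.data` and separates still-encrypted values from plain malformed ones.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"sort"
)

// sopsPlaceholder matches the text SOPS writes in place of an encrypted
// scalar, e.g. ENC[AES256_GCM,data:...,type:str].
var sopsPlaceholder = regexp.MustCompile(`^ENC\[AES256_GCM,data:.*,type:\w+\]$`)

// checkSecretData (hypothetical helper) applies the rule Kubernetes enforces on
// Secret.data: every value must be standard base64. It returns one diagnosis
// per failing key, separating undecrypted SOPS values from plain bad base64.
func checkSecretData(data map[string]string) map[string]string {
	problems := map[string]string{}
	for key, value := range data {
		_, err := base64.StdEncoding.DecodeString(value)
		switch {
		case err == nil:
			continue // valid base64, nothing to report
		case sopsPlaceholder.MatchString(value):
			problems[key] = "still SOPS-encrypted: " + err.Error()
		default:
			problems[key] = "not base64: " + err.Error()
		}
	}
	return problems
}

func main() {
	// Constructed sample: the redacted value from the report, a valid base64
	// value (encoding of {"auths":{}}), and plaintext JSON placed under data:.
	data := map[string]string{
		".dockerconfigjson": "ENC[AES256_GCM,data:REMOVED,type:str]",
		"valid":             "eyJhdXRocyI6e319",
		"plaintext":         `{"auths":{}}`,
	}
	problems := checkSecretData(data)
	keys := make([]string, 0, len(problems))
	for k := range problems {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s: %s\n", k, problems[k])
	}
}
```

A "still SOPS-encrypted" result means the manifest reached validation without being decrypted first.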
