
Flux decrypts SOPS for resources that come from Kustomization, but not from Component #1235

Open
vlasov-y opened this issue Aug 22, 2024 · 1 comment
Labels
area/sops SOPS related issues and pull requests help wanted Extra attention is needed

Comments


vlasov-y commented Aug 22, 2024

Describe the bug

It is possible to create resources from both Kustomization and Component stacks, but in the second case, secrets are left encrypted.

Steps to reproduce

Create a kustomize.toolkit.fluxcd.io/v1 Kustomization that reads sources with files like those below.

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
...

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
secretGenerator:
  - name: token
    envs:
    - token.sops.env
    options:
      disableNameSuffixHash: true

token=ENC[AES256_GCM,data:pNbegN0N...G6t2KUo=,tag:...,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRY...
sops_age__list_0__map_recipient=age1knuvddndz...
sops_age__list_1__map_enc=-----BEGIN AGE ENCRY...
sops_age__list_1__map_recipient=age1vmk6z84kf...
sops_lastmodified=2024-08-22T07:26:35Z
sops_mac=...
sops_unencrypted_suffix=_unencrypted
sops_version=3.9.0

Expected behavior

Secret with decrypted token. But I receive a secret with all fields straight from the env file.

Screenshots and recordings

No response

OS / Distro

EKS 1.30.2

Flux version

2.3.0

Flux check

► checking prerequisites
✔ Kubernetes 1.30.2-eks-db838b0 >=1.28.0-0
► checking version in cluster
✔ distribution: flux-2.3.0
✔ bootstrapped: false
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.0.1
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.3.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.3.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.3.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

Git provider

GitLab

Container Registry provider

ECR

Additional context

No response

@stefanprodan stefanprodan transferred this issue from fluxcd/flux2 Aug 27, 2024
@stefanprodan stefanprodan added help wanted Extra attention is needed area/sops SOPS related issues and pull requests labels Aug 27, 2024

stefanprodan commented Aug 27, 2024

To support this, the discovery mechanism for generators needs to be extended to components. Similar to:

// recurseKustomizationFiles attempts to recursively load and visit
// Kustomization files.
// The provided path is allowed to be relative, in which case it is safely
// joined with root. When absolute, it must be inside root.
func recurseKustomizationFiles(root, path string, visit visitKustomization, visited map[string]struct{}) error {
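An added illustration of the discovery gap described above (example code, not Flux's or kustomize-controller's own): a toy walker over an in-memory kustomization tree that mirrors the issue's layout. The `kfile` struct, the `repo` map and `discoverSecretEnvs` are assumptions made for this example; with `followComponents=false` the env file referenced only from the Component is never discovered, which is why it reaches kustomize still encrypted.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)
type kfile struct { // constructed stand-in for a parsed kustomization.yaml or Component file
	resources  []string // sub-kustomization directories, relative to this dir
	components []string // Component directories, relative to this dir
	secretEnvs []string // secretGenerator env files, relative to this dir
}
var repo = map[string]kfile{ // constructed sample: root -> apps (resource) and components/token (Component)
	".":                {resources: []string{"apps"}, components: []string{"components/token"}},
	"apps":             {secretEnvs: []string{"app.sops.env"}},
	"components/token": {secretEnvs: []string{"token.sops.env"}},
}
// discoverSecretEnvs returns every secretGenerator env file reachable from dir (relative to the source root).
// With followComponents=false it reproduces the reported bug: files reachable only via a Component stay encrypted.
func discoverSecretEnvs(dir string, followComponents bool, visited map[string]bool) ([]string, error) {
	dir = filepath.Clean(dir)
	if filepath.IsAbs(dir) || dir == ".." || strings.HasPrefix(dir, "../") { // never follow references outside root
		return nil, fmt.Errorf("path %q escapes the source root", dir)
	}
	if visited[dir] { // cycle guard, the role of the controller's visited set
		return nil, nil
	}
	visited[dir] = true
	f, ok := repo[dir]
	if !ok {
		return nil, fmt.Errorf("no kustomization file in %q", dir)
	}
	var found []string
	for _, e := range f.secretEnvs {
		found = append(found, filepath.Join(dir, e))
	}
	refs := append([]string{}, f.resources...)
	if followComponents { // the fix: discovery also descends into Components
		refs = append(refs, f.components...)
	}
	for _, r := range refs {
		sub, err := discoverSecretEnvs(filepath.Join(dir, r), followComponents, visited)
		if err != nil {
			return nil, err
		}
		found = append(found, sub...)
	}
	return found, nil
}
func main() { fmt.Println(discoverSecretEnvs(".", true, map[string]bool{})) }
```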
