Proposal: spec.decryption.failurePolicy to tolerate individual SOPS decrypt errors #5797

moritzschmitz-oviva · 2026-03-30T11:23:52Z

moritzschmitz-oviva
Mar 30, 2026

Problem

When a Kustomization with spec.decryption.provider: sops reconciles a directory containing many independent applications, a single corrupted SOPS file fails the entire Kustomization. No resources are applied — even those with valid secrets.

We reconcile ~70 independent services per environment through one Kustomization:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
spec:
  path: ./hb/prod/apps
  decryption:
    provider: sops

Each service has its own secrets.yaml encrypted with SOPS + GCP KMS. When one file becomes corrupted (bad merge, partial edit), reconciliation halts for all 70 services until the broken file is fixed.

Proposed solution

Add a spec.decryption.failurePolicy field:

spec:
  decryption:
    provider: sops
    failurePolicy: skip

Value	Behavior
`fail`	Current behavior (default). Any decrypt error fails the Kustomization.
`skip`	Log a warning event, skip the undecryptable resource, continue reconciling. Set a status condition (e.g. `DecryptionDegraded: True`) for observability.

Workaround

Split every application into its own Kustomization. For platforms with 60–80 services across multiple environments this means managing 200+ Kustomization CRDs instead of ~5, adding significant operational overhead.

Additional context

Encryption backend: GCP KMS (HSM-backed keys)
Error observed: Could not decrypt with AES_GCM: cipher: message authentication failed
Corruption was caused by a bad merge on a single secrets.yaml
Detected via a pre-flight sops decrypt check across all secrets files

Answered by stefanprodan

Mar 30, 2026

Flux is not meant to do partial applies. The recommended way is to have a dedicated Flux Kustomization per app.

PS. You can easily generate a Flux Kustomization per app with a single ResourceSet. Docs here:

View full answer

stefanprodan · 2026-03-30T11:37:45Z

stefanprodan
Mar 30, 2026
Maintainer

Flux is not meant to do partial applies. The recommended way is to have a dedicated Flux Kustomization per app.

PS. You can easily generate a Flux Kustomization per app with a single ResourceSet. Docs here:

0 replies

moritzschmitz-oviva · 2026-03-31T12:16:04Z

moritzschmitz-oviva
Mar 31, 2026
Author

Appreciate the response, @stefanprodan! Unfortunately, we are not running Fluxoperator at the moment.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proposal: spec.decryption.failurePolicy to tolerate individual SOPS decrypt errors #5797

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Proposal: spec.decryption.failurePolicy to tolerate individual SOPS decrypt errors #5797

Uh oh!

moritzschmitz-oviva Mar 30, 2026

Problem

Proposed solution

Workaround

Additional context

Replies: 2 comments

Uh oh!

Uh oh!

stefanprodan Mar 30, 2026 Maintainer

Uh oh!

Uh oh!

moritzschmitz-oviva Mar 31, 2026 Author

moritzschmitz-oviva
Mar 30, 2026

stefanprodan
Mar 30, 2026
Maintainer

moritzschmitz-oviva
Mar 31, 2026
Author