Documentation
Index
- Constants
- func IsEncryptedSecret(object *unstructured.Unstructured) bool
- type Decryptor
- func (d *Decryptor) AddAwsWebIdentity(roleARN string, token string) error
- func (d *Decryptor) DecryptEnvSources(path string) error
- func (d *Decryptor) DecryptResource(res *resource.Resource) (*resource.Resource, error)
- func (d *Decryptor) ImportKeys(ctx context.Context) error
- func (d *Decryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) (_ []byte, err error)
Constants
const (
	// DecryptionProviderSOPS is the SOPS provider name.
	DecryptionProviderSOPS = "sops"

	// DecryptionPGPExt is the extension of the file containing an armored PGP
	// key.
	DecryptionPGPExt = ".asc"

	// DecryptionAgeExt is the extension of the file containing an age key
	// file.
	DecryptionAgeExt = ".agekey"

	// DecryptionVaultTokenFileName is the name of the file containing the
	// Hashicorp Vault token.
	DecryptionVaultTokenFileName = "sops.vault-token"

	// DecryptionAWSKmsFile is the name of the file containing the AWS KMS
	// credentials.
	DecryptionAWSKmsFile = "sops.aws-kms"

	// DecryptionAzureAuthFile is the name of the file containing the Azure
	// credentials.
	DecryptionAzureAuthFile = "sops.azure-kv"

	// DecryptionGCPCredsFile is the name of the file containing the GCP
	// credentials.
	DecryptionGCPCredsFile = "sops.gcp-kms"
)
Variables
This section is empty.
Functions
func IsEncryptedSecret
func IsEncryptedSecret(object *unstructured.Unstructured) bool
IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted with Mozilla SOPS.
Types
type Decryptor
type Decryptor struct {
// contains filtered or unexported fields
}
Decryptor performs decryption operations for a kluctlv1.KluctlDeployment. The only supported decryption provider at present is DecryptionProviderSOPS.
func NewDecryptor
func NewDecryptor(root string, client client.Client, kluctlDeployment *kluctlv1.KluctlDeployment, maxFileSize int64, gnuPGHome string) *Decryptor
NewDecryptor creates a new Decryptor for the given kluctlDeployment. gnuPGHome can be empty, in which case the system's keyring is used.
func NewTempDecryptor
func NewTempDecryptor(root string, client client.Client, kluctlDeployment *kluctlv1.KluctlDeployment) (*Decryptor, func(), error)
NewTempDecryptor creates a new Decryptor with a temporary GnuPG home directory for Decryptor.ImportKeys() to import into, and returns a cleanup function for that directory alongside it.
func (*Decryptor) AddAwsWebIdentity
func (d *Decryptor) AddAwsWebIdentity(roleARN string, token string) error
func (*Decryptor) DecryptEnvSources
func (d *Decryptor) DecryptEnvSources(path string) error
DecryptEnvSources attempts to decrypt all types.SecretArgs FileSources and EnvSources referred to by the Kustomization file in the directory at the provided path, and then walks recursively over all other resources that file refers to. Resource references pointing to absolute or relative paths outside the Decryptor's working directory are ignored; any decryption error is returned.
func (*Decryptor) DecryptResource
func (d *Decryptor) DecryptResource(res *resource.Resource) (*resource.Resource, error)
DecryptResource attempts to decrypt the provided resource with the decryption provider specified on the KluctlDeployment, overwriting the resource with the decrypted data. It has special support for Kubernetes Secrets with encrypted data entries while decrypting with DecryptionProviderSOPS, so that individual data entries injected by e.g. a Kustomize secret generator can be decrypted.
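The two detection cases above (IsEncryptedSecret on the whole object, and DecryptResource's per-entry handling of Secrets assembled by a secret generator) as one added, stand-alone Go example. This is not the package's own code: `Object` stands in for the map behind `unstructured.Unstructured`, the "mac"-required check and the `ENC[` plus `sops` heuristic for embedded documents are this example's assumptions, and the sample Secrets are constructed with placeholder ciphertext.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"sort"
)

// Object stands in for the map held by unstructured.Unstructured (the real
// type lives in k8s.io/apimachinery); same shape, our own name.
type Object map[string]interface{}

// IsEncryptedSecret reports whether obj is a core/v1 Secret whose document
// carries the top-level "sops" metadata block SOPS adds to every file it
// encrypts. Also requiring the "mac" entry is this example's own tightening,
// so a hand-written "sops: {}" stub does not count as ciphertext.
func IsEncryptedSecret(obj Object) bool {
	apiVersion, _ := obj["apiVersion"].(string)
	kind, _ := obj["kind"].(string)
	if apiVersion != "v1" || kind != "Secret" {
		return false
	}
	sops, ok := obj["sops"].(map[string]interface{})
	if !ok {
		return false
	}
	_, hasMAC := sops["mac"]
	return hasMAC
}

// SOPSEncryptedDataEntries returns the keys under .data whose base64-decoded
// value is itself a SOPS document (an "ENC[" envelope plus a "sops" marker).
// This is the per-entry case a Kustomize secretGenerator produces; the
// detection heuristic is ours, not the project's.
func SOPSEncryptedDataEntries(obj Object) ([]string, error) {
	data, _ := obj["data"].(map[string]interface{})
	var keys []string
	for k, v := range data {
		s, ok := v.(string)
		if !ok {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("data entry %q is not valid base64: %w", k, err)
		}
		if bytes.Contains(raw, []byte("ENC[")) && bytes.Contains(raw, []byte("sops")) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys, nil
}

// Plan: decrypt the whole document, decrypt the listed entries, or nothing.
type Plan struct {
	WholeDocument bool
	Entries       []string
}

// PlanDecryption checks the whole-document case first: a SOPS-encrypted
// Secret's data values are ENC[...] strings, not base64, so scanning its
// entries would fail.
func PlanDecryption(obj Object) (Plan, error) {
	if IsEncryptedSecret(obj) {
		return Plan{WholeDocument: true}, nil
	}
	if kind, _ := obj["kind"].(string); kind != "Secret" {
		return Plan{}, nil
	}
	entries, err := SOPSEncryptedDataEntries(obj)
	if err != nil {
		return Plan{}, err
	}
	return Plan{Entries: entries}, nil
}

func b64(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }

// SampleWholeFileEncrypted is a constructed Secret as `sops -e` leaves it:
// values replaced by ENC[...] envelopes (placeholders here) plus a sops block.
func SampleWholeFileEncrypted() Object {
	return Object{
		"apiVersion": "v1", "kind": "Secret",
		"metadata": map[string]interface{}{"name": "db"},
		"data":     map[string]interface{}{"password": "ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]"},
		"sops":     map[string]interface{}{"mac": "ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]"},
	}
}

// SampleGeneratedSecret is a constructed Secret as a secretGenerator with
// `files: [app.yaml, notes.txt]` builds it when only app.yaml was encrypted:
// the Secret itself is plain, one entry embeds a whole SOPS document.
func SampleGeneratedSecret() Object {
	encryptedFile := "db_password: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]\n" +
		"sops:\n    mac: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]\n"
	return Object{
		"apiVersion": "v1", "kind": "Secret",
		"metadata": map[string]interface{}{"name": "app-config-h7k2m"},
		"data":     map[string]interface{}{"app.yaml": b64(encryptedFile), "notes.txt": b64("not secret\n")},
	}
}

func main() {
	for _, obj := range []Object{SampleWholeFileEncrypted(), SampleGeneratedSecret()} {
		p, err := PlanDecryption(obj)
		fmt.Printf("%v: %+v err=%v\n", obj["metadata"].(map[string]interface{})["name"], p, err)
	}
}
```

Running it reports the first Secret as a whole-document decryption and the second as a per-entry decryption of `app.yaml` only; `notes.txt` is left untouched because its decoded value carries neither an `ENC[` envelope nor a `sops` marker.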
func (*Decryptor) ImportKeys
func (d *Decryptor) ImportKeys(ctx context.Context) error
ImportKeys imports the DecryptionProviderSOPS keys from the data values of the Secret referenced in the kluctlDeployment's v1beta2.Decryption spec. It returns an error if the Secret cannot be retrieved, or if one of the imports fails. Imports do not have an effect after the first call to SopsDecryptWithFormat(), which initializes and caches SOPS' (local) key service server. For the import of PGP keys, the Decryptor must be configured with an absolute GnuPG home directory path.
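An added example of the routing that ImportKeys implies: each data entry of the decryption Secret is matched by name against the constants documented above, PGP material is refused unless the GnuPG home is an absolute path, and an import attempted after the key service has been initialized fails loudly rather than silently doing nothing. This is not the package's code: `KeyImporter`, `ImportReport`, `MarkInitialized` and the shape checks (armored PGP header, `AGE-SECRET-KEY-1` identity lines) are this example's own, the KMS entries are only recognised and not loaded, and the sample Secret data is constructed placeholder material.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Values copied from the package's documented constants.
const (
	DecryptionPGPExt             = ".asc"
	DecryptionAgeExt             = ".agekey"
	DecryptionVaultTokenFileName = "sops.vault-token"
	DecryptionAWSKmsFile         = "sops.aws-kms"
	DecryptionAzureAuthFile      = "sops.azure-kv"
	DecryptionGCPCredsFile       = "sops.gcp-kms"
)

// ErrKeyServiceInitialized: the page says later imports have no effect;
// returning an error instead of ignoring them is this example's choice.
var ErrKeyServiceInitialized = errors.New("sops key service already initialized; import keys before the first decryption")

// ImportReport is what this example's ImportKeys returns.
type ImportReport struct {
	PGPKeys, AgeKeys                 int
	VaultToken, AWSKms, AzureKV, GCPKms bool
	Ignored                          []string // entries matching no documented name or extension
}

// KeyImporter models the routing part of Decryptor.ImportKeys. Material is
// checked for shape but not loaded into a key service (that needs SOPS).
type KeyImporter struct {
	GnuPGHome   string
	initialized bool
}

// MarkInitialized stands in for the first SopsDecryptWithFormat call.
func (k *KeyImporter) MarkInitialized() { k.initialized = true }

func (k *KeyImporter) ImportKeys(secretData map[string][]byte) (ImportReport, error) {
	var r ImportReport
	if k.initialized {
		return r, ErrKeyServiceInitialized
	}
	for name, value := range secretData {
		switch {
		case strings.HasSuffix(name, DecryptionPGPExt):
			if !filepath.IsAbs(k.GnuPGHome) {
				return ImportReport{}, fmt.Errorf("import %q: PGP import needs an absolute GnuPG home, got %q", name, k.GnuPGHome)
			}
			if !strings.Contains(string(value), "-----BEGIN PGP PRIVATE KEY BLOCK-----") {
				return ImportReport{}, fmt.Errorf("import %q: not an armored PGP private key", name)
			}
			r.PGPKeys++
		case strings.HasSuffix(name, DecryptionAgeExt):
			n, err := countAgeIdentities(value)
			if err != nil {
				return ImportReport{}, fmt.Errorf("import %q: %w", name, err)
			}
			r.AgeKeys += n
		case name == DecryptionVaultTokenFileName:
			if strings.TrimSpace(string(value)) == "" {
				return ImportReport{}, fmt.Errorf("import %q: empty Vault token", name)
			}
			r.VaultToken = true
		case name == DecryptionAWSKmsFile:
			r.AWSKms = true
		case name == DecryptionAzureAuthFile:
			r.AzureKV = true
		case name == DecryptionGCPCredsFile:
			r.GCPKms = true
		default:
			r.Ignored = append(r.Ignored, name)
		}
	}
	sort.Strings(r.Ignored)
	return r, nil
}

// countAgeIdentities parses an age key file: blank lines and '#' comments are
// skipped, every other line must be an AGE-SECRET-KEY-1... identity.
func countAgeIdentities(file []byte) (int, error) {
	n := 0
	for _, line := range strings.Split(string(file), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, "AGE-SECRET-KEY-1") {
			return 0, fmt.Errorf("malformed age identity line %q", line)
		}
		n++
	}
	return n, nil
}

// SampleKeySecretData is a constructed decryption Secret with placeholder
// key material under the documented file names.
func SampleKeySecretData() map[string][]byte {
	return map[string][]byte{
		"team" + DecryptionPGPExt:    []byte("-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n-----END PGP PRIVATE KEY BLOCK-----\n"),
		"ops" + DecryptionAgeExt:     []byte("# public key: age1...\nAGE-SECRET-KEY-1EXAMPLE\n\nAGE-SECRET-KEY-1ANOTHER\n"),
		DecryptionVaultTokenFileName: []byte("hvs.example\n"),
		"README":                     []byte("not key material"),
	}
}

func main() {
	imp := &KeyImporter{GnuPGHome: "/tmp/kluctl-gnupg"}
	r, err := imp.ImportKeys(SampleKeySecretData())
	fmt.Printf("%+v err=%v\n", r, err)
	imp.MarkInitialized()
	_, err = imp.ImportKeys(SampleKeySecretData())
	fmt.Println("after init:", err)
}
```

The same Secret data with an empty GnuPG home (the NewDecryptor default that falls back to the system keyring) is rejected at the `.asc` entry, which is the precondition the documentation states for PGP imports.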
func (*Decryptor) SopsDecryptWithFormat
func (d *Decryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) (_ []byte, err error)
SopsDecryptWithFormat attempts to load a SOPS encrypted file using the store for the input format, gathers the data key for it from the key service, and then decrypts the file data with the retrieved data key. It returns the decrypted bytes in the provided output format, or an error.