Merge pull request #1286 from vlasov-y/main
Added decryption of Kustomize patches and refactor SOPS tests
This commit is contained in:
Stefan Prodan
GitHub
commit
933ef1f1d7
|
|
@ -725,7 +725,7 @@ For more information, see [remote clusters/Cluster-API](#remote-clusterscluster-
|
|||
### Decryption
|
||||
|
||||
`.spec.decryption` is an optional field to specify the configuration to decrypt
|
||||
Secrets that are a part of the Kustomization.
|
||||
Secrets, ConfigMaps and patches that are a part of the Kustomization.
|
||||
|
||||
Since Secrets are either plain text or `base64` encoded, it's unsafe to store
|
||||
them in plain text in a public or private Git repository. In order to store
|
||||
|
|
@ -734,9 +734,11 @@ encrypt your Kubernetes Secret data with [age](https://age-encryption.org/v1/)
|
|||
and/or [OpenPGP](https://www.openpgp.org) keys, or with provider implementations
|
||||
like Azure Key Vault, GCP KMS or Hashicorp Vault.
|
||||
|
||||
**Note:** You should encrypt only the `data/stringData` section of the Kubernetes
|
||||
Secret, encrypting the `metadata`, `kind` or `apiVersion` fields is not supported.
|
||||
An easy way to do this is by appending `--encrypted-regex '^(data|stringData)$'`
|
||||
Also, you may want to encrypt some parts of resources as well. In order to do that,
|
||||
you may encrypt patches as well.
|
||||
|
||||
**Note:** You must leave `metadata`, `kind` or `apiVersion` in plain text.
|
||||
An easy way to do this is to limit encrypted keys by appending `--encrypted-regex '^(data|stringData)$'`
|
||||
to your `sops --encrypt` command.
|
||||
|
||||
It has two fields:
|
||||
|
|
|
|||
|
|
@ -599,8 +599,8 @@ func (r *KustomizationReconciler) build(ctx context.Context,
|
|||
}
|
||||
|
||||
// Decrypt Kustomize EnvSources files before build
|
||||
if err = dec.DecryptEnvSources(dirPath); err != nil {
|
||||
return nil, fmt.Errorf("error decrypting env sources: %w", err)
|
||||
if err = dec.DecryptSources(dirPath); err != nil {
|
||||
return nil, fmt.Errorf("error decrypting sources: %w", err)
|
||||
}
|
||||
|
||||
m, err := generator.SecureBuild(workDir, dirPath, !r.NoRemoteBases)
|
||||
|
|
|
|||
|
|
@ -43,18 +43,18 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
|
|||
g.Expect(err).NotTo(HaveOccurred(), "failed to create vault client")
|
||||
|
||||
// create a master key on the vault transit engine
|
||||
path, data := "sops/keys/firstkey", map[string]interface{}{"type": "rsa-4096"}
|
||||
path, data := "sops/keys/vault", map[string]interface{}{"type": "rsa-4096"}
|
||||
_, err = cli.Logical().Write(path, data)
|
||||
g.Expect(err).NotTo(HaveOccurred(), "failed to write key")
|
||||
|
||||
// encrypt the testdata vault secret
|
||||
cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--encrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/secret.vault.yaml")
|
||||
cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/vault", "--encrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
|
||||
err = cmd.Run()
|
||||
g.Expect(err).NotTo(HaveOccurred(), "failed to encrypt file")
|
||||
|
||||
// defer the testdata vault secret decryption, to leave a clean testdata vault secret
|
||||
defer func() {
|
||||
cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--decrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/secret.vault.yaml")
|
||||
cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--decrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
|
||||
err = cmd.Run()
|
||||
}()
|
||||
|
||||
|
|
@ -70,36 +70,23 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
|
|||
artifactChecksum, err := testServer.ArtifactFromDir("testdata/sops", artifactName)
|
||||
g.Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
overlayArtifactName := "sops-" + randStringRunes(5)
|
||||
overlayChecksum, err := testServer.ArtifactFromDir("testdata/test-dotenv", overlayArtifactName)
|
||||
g.Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
repositoryName := types.NamespacedName{
|
||||
Name: fmt.Sprintf("sops-%s", randStringRunes(5)),
|
||||
Namespace: id,
|
||||
}
|
||||
|
||||
overlayRepositoryName := types.NamespacedName{
|
||||
Name: fmt.Sprintf("sops-%s", randStringRunes(5)),
|
||||
Namespace: id,
|
||||
}
|
||||
|
||||
err = applyGitRepository(repositoryName, artifactName, "main/"+artifactChecksum)
|
||||
g.Expect(err).NotTo(HaveOccurred())
|
||||
|
||||
err = applyGitRepository(overlayRepositoryName, overlayArtifactName, "main/"+overlayChecksum)
|
||||
g.Expect(err).NotTo(HaveOccurred())
|
||||
|
||||
pgpKey, err := os.ReadFile("testdata/sops/pgp.asc")
|
||||
pgpKey, err := os.ReadFile("testdata/sops/keys/pgp.asc")
|
||||
g.Expect(err).ToNot(HaveOccurred())
|
||||
ageKey, err := os.ReadFile("testdata/sops/age.txt")
|
||||
ageKey, err := os.ReadFile("testdata/sops/keys/age.txt")
|
||||
g.Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
sopsSecretKey := types.NamespacedName{
|
||||
Name: "sops-" + randStringRunes(5),
|
||||
Namespace: id,
|
||||
}
|
||||
|
||||
sopsSecret := &corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: sopsSecretKey.Name,
|
||||
|
|
@ -153,64 +140,40 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
|
|||
return obj.Status.LastAppliedRevision == "main/"+artifactChecksum
|
||||
}, timeout, time.Second).Should(BeTrue())
|
||||
|
||||
overlayKustomizationName := fmt.Sprintf("sops-%s", randStringRunes(5))
|
||||
overlayKs := kustomization.DeepCopy()
|
||||
overlayKs.ResourceVersion = ""
|
||||
overlayKs.Name = overlayKustomizationName
|
||||
overlayKs.Spec.SourceRef.Name = overlayRepositoryName.Name
|
||||
overlayKs.Spec.SourceRef.Namespace = overlayRepositoryName.Namespace
|
||||
overlayKs.Spec.Path = "./testdata/test-dotenv/overlays"
|
||||
|
||||
g.Expect(k8sClient.Create(context.TODO(), overlayKs)).To(Succeed())
|
||||
|
||||
g.Eventually(func() bool {
|
||||
var obj kustomizev1.Kustomization
|
||||
_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(overlayKs), &obj)
|
||||
return obj.Status.LastAppliedRevision == "main/"+overlayChecksum
|
||||
}, timeout, time.Second).Should(BeTrue())
|
||||
|
||||
t.Run("decrypts SOPS secrets", func(t *testing.T) {
|
||||
g := NewWithT(t)
|
||||
|
||||
var pgpSecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-pgp", Namespace: id}, &pgpSecret)).To(Succeed())
|
||||
g.Expect(pgpSecret.Data["secret"]).To(Equal([]byte(`my-sops-pgp-secret`)))
|
||||
secretNames := []string{
|
||||
"sops-algo-age",
|
||||
"sops-algo-pgp",
|
||||
"sops-algo-vault",
|
||||
"sops-component",
|
||||
"sops-envs-secret",
|
||||
"sops-files-secret",
|
||||
"sops-inside-secret",
|
||||
"sops-remote-secret",
|
||||
}
|
||||
for _, name := range secretNames {
|
||||
var secret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &secret)).To(Succeed())
|
||||
g.Expect(string(secret.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on secret %s", name))
|
||||
}
|
||||
|
||||
var ageSecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-age", Namespace: id}, &ageSecret)).To(Succeed())
|
||||
g.Expect(ageSecret.Data["secret"]).To(Equal([]byte(`my-sops-age-secret`)))
|
||||
configMapNames := []string{
|
||||
"sops-envs-configmap",
|
||||
"sops-files-configmap",
|
||||
"sops-remote-configmap",
|
||||
}
|
||||
for _, name := range configMapNames {
|
||||
var configMap corev1.ConfigMap
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &configMap)).To(Succeed())
|
||||
g.Expect(string(configMap.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on configmap %s", name))
|
||||
}
|
||||
|
||||
var daySecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-day", Namespace: id}, &daySecret)).To(Succeed())
|
||||
g.Expect(string(daySecret.Data["secret"])).To(Equal("day=Tuesday\n"))
|
||||
|
||||
var yearSecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year", Namespace: id}, &yearSecret)).To(Succeed())
|
||||
g.Expect(string(yearSecret.Data["year"])).To(Equal("2017"))
|
||||
|
||||
var unencryptedSecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "unencrypted-sops-year", Namespace: id}, &unencryptedSecret)).To(Succeed())
|
||||
g.Expect(string(unencryptedSecret.Data["year"])).To(Equal("2021"))
|
||||
|
||||
var year1Secret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year1", Namespace: id}, &year1Secret)).To(Succeed())
|
||||
g.Expect(string(year1Secret.Data["year"])).To(Equal("year1"))
|
||||
|
||||
var year2Secret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year2", Namespace: id}, &year2Secret)).To(Succeed())
|
||||
g.Expect(string(year2Secret.Data["year"])).To(Equal("year2"))
|
||||
|
||||
var year3Secret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year3", Namespace: id}, &year3Secret)).To(Succeed())
|
||||
g.Expect(string(year3Secret.Data["year"])).To(Equal("year3"))
|
||||
|
||||
var encodedSecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-month", Namespace: id}, &encodedSecret)).To(Succeed())
|
||||
g.Expect(string(encodedSecret.Data["month.yaml"])).To(Equal("month: May\n"))
|
||||
|
||||
var hcvaultSecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-hcvault", Namespace: id}, &hcvaultSecret)).To(Succeed())
|
||||
g.Expect(string(hcvaultSecret.Data["secret"])).To(Equal("my-sops-vault-secret\n"))
|
||||
var patchedSecret corev1.Secret
|
||||
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-patches-secret", Namespace: id}, &patchedSecret)).To(Succeed())
|
||||
g.Expect(string(patchedSecret.Data["key"])).To(Equal("merge1"))
|
||||
g.Expect(string(patchedSecret.Data["merge2"])).To(Equal("merge2"))
|
||||
})
|
||||
|
||||
t.Run("does not emit change events for identical secrets", func(t *testing.T) {
|
||||
|
|
|
|||
|
|
@ -80,8 +80,8 @@ const vaultVersion = "1.13.2"
|
|||
const defaultBinVersion = "1.24"
|
||||
|
||||
//go:embed testdata/crd/*.yaml
|
||||
//go:embed testdata/sops/pgp.asc
|
||||
//go:embed testdata/sops/age.txt
|
||||
//go:embed testdata/sops/keys/pgp.asc
|
||||
//go:embed testdata/sops/keys/age.txt
|
||||
var testFiles embed.FS
|
||||
|
||||
// FuzzControllers implements a fuzzer that targets the Kustomize controller.
|
||||
|
|
@ -182,11 +182,11 @@ func Fuzz_Controllers(f *testing.F) {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
pgpKey, err := testFiles.ReadFile("testdata/sops/pgp.asc")
|
||||
pgpKey, err := testFiles.ReadFile("testdata/sops/keys/pgp.asc")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ageKey, err := testFiles.ReadFile("testdata/sops/age.txt")
|
||||
ageKey, err := testFiles.ReadFile("testdata/sops/keys/age.txt")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,30 @@
|
|||
stores:
|
||||
json:
|
||||
indent: 2
|
||||
yaml:
|
||||
indent: 2
|
||||
|
||||
# creation rules are evaluated sequentially, the first match wins
|
||||
creation_rules:
|
||||
# files using age
|
||||
- path_regex: \.age.yaml$
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
age: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
- path_regex: month.yaml$
|
||||
pgp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
|
||||
# fallback to PGP
|
||||
- encrypted_regex: ^(data|stringData)$
|
||||
pgp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
|
||||
# Testing PGP
|
||||
- path_regex: (inside|pgp)\.yaml$
|
||||
encrypted_regex: &encrypted_regex ^(data|stringData)$
|
||||
pgp: &pgp 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
|
||||
|
||||
- path_regex: json\.yaml$
|
||||
encrypted_regex: ".*"
|
||||
age: &age age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
|
||||
- path_regex: \.yaml$
|
||||
encrypted_regex: *encrypted_regex
|
||||
age: *age
|
||||
|
||||
- path_regex: \.(env|txt)$
|
||||
age: *age
|
||||
|
||||
# Fallback
|
||||
- key_groups:
|
||||
- age:
|
||||
- *age
|
||||
- pgp:
|
||||
- *pgp
|
||||
|
|
|
|||
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: age
|
||||
stringData:
|
||||
key: ENC[AES256_GCM,data:mHeXsmQ=,iv:vUMpILz3xchORqkzDFvgwENY7EqIHHGJdEF6C8xqbFE=,tag:IroV7hykADvD0IUaq6kikA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeHVSdjJoY3ZSQjJzbk1q
|
||||
ZXFxMWJ5amkrN1VXeHI4QzQ5OHcwVGxDem1zCm8wQVEzNEUrOUhtRUFkVnFUY0tN
|
||||
aFgwaHNrWmVWY1RGWXI2YlpYbUhYMGMKLS0tIDBFSXo3cjRCMngvTXpldzhMRlVp
|
||||
TXk2d2ExSVZYNDVTV0xwVlZnQnpScG8KVpjffjtRTA7Z4Wf/l1VMLjcl16hOrRUv
|
||||
LKiZDcq+nqKDUI7owZ+xNs2w5SrQjEWVhDXRSeSSRiJrK/bCYKzRxA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-12T13:33:42Z"
|
||||
mac: ENC[AES256_GCM,data:vmrF+VgW3o8z4h/DOStCUNudz68yHEC8Mws+LPoKpM3Xc7GM0Z1CfX0TKwdLLjMuvyWa2Nx2NIxm0+MCbmR8+y2izn0hHPSWhNVCWSK+iW48M05vXhDCV0xNkqM7g0kLhQ3PiSrB69loQj8C590HIfEViEtyDCFUeynDgcC289Q=,iv:u5lhmtXMxyt+3Pw09wWvgBhmKLoOSpKNWUpu/LuCr3Y=,tag:Dg0HFdLgQltzPgnEmltAzQ==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.9.0
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namePrefix: algo-
|
||||
resources:
|
||||
- age.yaml
|
||||
- pgp.yaml
|
||||
- vault.yaml
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: pgp
|
||||
stringData:
|
||||
key: ENC[AES256_GCM,data:EJey73Q=,iv:QRdpZJ6WYi3fWpKwjl8ZiV+Wwq9qtYTpcMQ0j0OEa44=,tag:d1WlcRpwEJg1lk3X3ILDmA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-11-12T13:33:42Z"
|
||||
mac: ENC[AES256_GCM,data:25ERLClNe3o33jEo109QtmVH/qzl+e0pMRR1RDyQ4QHrVqYfMIvgUeYDHAIJ5WDwQaueON8nne1KIo+fcPYVBdHvTYvnZiicCUPA5/fpgbyts0u5CdUs31bltI/blnUlU8VbJfIk2Zjlj93erLw23sdzdo/0xsdDTrf3bYiS2CI=,iv:vxrgdyqIKRWGBA+dgrGbjGn7tkXEqbADayIxuzNwxp0=,tag:qWesJqClsLpZHY9UR7ptLQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-11-12T13:33:42Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA90SOJihaAjLARAAqSf7bnqHB0/gfh8CmweYr5cfUpH8aYg7B5QhsnD6nOok
|
||||
x0UIPtaxtfEBvuDsM9M678Gj/hTEzMv0FmDYRt88NAXm1+63HHnz0/0O3xXQ/DR6
|
||||
+1uEZruuyC23nyzjc1fefaqgZ1YJAnj5WCvcWaF12bXbIdFQpRhpVcoMMqWhQizF
|
||||
5QJFXjU3cnzIVtvcpMDD63NTpk8+hSTYJr5ZFODSMbQr+EPHvKPMrIx3LLcihkkS
|
||||
eyxvfLalj556f/3QVgGuOX6VX8lPIaUyIcmXyUkGsooEirOyhiZg2sk/QB6TYIa6
|
||||
Nm62hmeeXP01wyY6tax7l3LpAuda6CJRVg+Je1OkIjiuPMIBzHgtfhGFks8vgeTP
|
||||
xsHXKLKXlJAQyS4ewOItm9n9jc9Xdnwfli4HrGbHNzq7lgEyAOyZZtOifl4KqFbM
|
||||
0c3kGiP3ezycRrQGudvbdIZqGfeD+gKrBv6cV49Wgt7Nb1WJUKLcPv4PNtSlYzSu
|
||||
lGDM63bO+QBAKObc6MOvLnVXbFXrErLMqrexN9XFdjvvsmQAVr2z5phZk5fEk7kw
|
||||
j8CqyTuy2Dm+ChJwNEeqIY3BNHkvvWMLx8Cr7ZY6bO1BvOdp01mBf+XD/apeBBUe
|
||||
v2DT36mCehKZh5BHDYH7hKCNw+4PN2hzZd02zKMNzmARqLzQeseaTXti3Hyze23S
|
||||
XAG1ddNzKXsgbTwLog5EN7DTIQKR+uCIgHuK0DclyWvTiUK7P6HGepTE7byJnnpl
|
||||
jHtAVs8t+cYHBtY+gKFsstRGbJgAe8QfIt12/XMu9jcA/r8m7xdyNS5P9VZj
|
||||
=gXAv
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.9.0
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: vault
|
||||
stringData:
|
||||
key: value
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
key=ENC[AES256_GCM,data:HfbmmMU=,iv:nWWqqIzzutZJBzu5PbaTPBsqvszaz2/+58mYOK7hj9Q=,tag:b+VcateAccwdb7x2dmYDrQ==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsc0Vyd25KTE1sYWM1akFH\nTUFBeHBmSmdGMnY3ZFJvazRZMUtPMFpscmhBCnVsL2Y0cUd1Nkx1Z0Q1OWpHOG0w\nNnhXSmxjbzR5NVE1NGpjR3d2SHN6SzgKLS0tIG5tdXpXK0U2SUlsQlcvY0ZvRWJB\nS2N6MS9QRVR4K2toMEg1eDR3a3ZtdzAKiliurqchsdfT4XbttES0ohnuTMNKlZy9\nefqbQO2lTLw8wUsNUunTpJBEAx9MFZ+LFHE/EZfHZqYlzxCPzfhufA==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
sops_lastmodified=2024-11-12T13:33:42Z
|
||||
sops_mac=ENC[AES256_GCM,data:kPn8FhXF7UcPbkA7gjfjfYljawfT67SQBsYbnaAgtcFAtMWTryTHSDAASp2RZiClZiWnKgOgT8NeFUC+hUvjlz/Vj3pQxl6zY+3CmlrbBiqYUwd8ksXjps8UTqcioWKc7xULLqV5GMUHpoWnDWkkt0F6F10uCL78P0JoKmIeCXM=,iv:/G3GIGXriXuoS9OhfEazEYgVBbo+XvouTGYEi5XVYqQ=,tag:80P9IXhwJzoqJ43eK2W+4g==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.9.0
|
||||
|
|
@ -1,8 +1,8 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1alpha1
|
||||
kind: Component
|
||||
secretGenerator:
|
||||
- name: sops-year3
|
||||
envs:
|
||||
- year3.env
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
secretGenerator:
|
||||
- name: component
|
||||
envs:
|
||||
- env.env
|
||||
|
|
@ -1 +0,0 @@
|
|||
day=Tuesday
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:YWPHPTVOCWivqZu0,iv:tLqbJD/KN2BchlAz1mnf4FtMY+SP5hiBYJP6dHy8gtc=,tag:Aj9T0Q7y9baA84EfEt8MfQ==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"lastmodified": "2021-04-27T20:27:20Z",
|
||||
"mac": "ENC[AES256_GCM,data:1OqDvIaUpOKFa1vsa6nc+GHIvsxwQ3JhJsDTp+Yl2r8y0+n0VUbCm9FyqVvq8ur3Y3NyZfX+7FL6HxgTN0RnSMdwK1X16ioGWBk4CM3K7W8tyY7gmhddsuJqSDZdV7Hr2s7FB6LZJAHWO9vTn9zXM75Ef0B5yuOgzp29LmIhCK4=,iv:8ozNZ7IgDub2vICSzHWcAdx7/sVEoe8YayXYrAkN0BM=,tag:UwE0b6eTpA9uir+4Mwed7g==,type:str]",
|
||||
"pgp": [
|
||||
{
|
||||
"created_at": "2021-04-27T20:27:20Z",
|
||||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA90SOJihaAjLAQ//cd4d6zghXW7uJ8rk0PoWiCVy5BeYwnInJT4uqJ5uUY62\nFLlsM4ZJB2SSBHGcXdwkWqTXeLLmD8aEuAe0lfutcOYyMZVWeYY+wybyJ5TgBMAo\nvEJoY67felWRb4h0BzkHIG/ZLiuDTV020GJNH2tGgE/mXVPhYosQ+EmA5EF45vfj\nqx2LjZjsCg28FK2qkXnHHjOV/12OnGpR0y6t9GijBUtttyjYaXUpNUSUiHHMjXyL\nQnKlRPt9N2QF6oUQVEwr9plNYKTfmeqUwWh6wFAaWF/104oSOwXFA8ID5wF6de1j\ntnzVf+1Ld5WNmXGmrz/6ugWfcU/3147EuPodjTyQIFMTxA6V7Z7BORjhuxFpR/jS\noZJF/SS70fg9J7sdizWKFNkqS9pPasdNHcGuXU+KGkD2ya54WyUDE86gMq0xtEf3\nMmQJRnjHuriD5EvnKmDJ+QE9nU0ld0kyfVUueHQHCtuuw7yZGi8vlyyjOq4nqCGV\nZ4TJcmpt7pKoxEAnp2tImnos7DbEoQMl7RIYgrhxS7Nej9naYeadFz/G84uwjfm0\nBr5J3A+xtG37HXQWqtd7EXmy/I94okNVXeAZuuQFt/So78jJ4H9uQK1snukPNBhr\nG8aM8SfdrTbp4KZQpm2RJwNdhbHzHoz2M2Dc6Eo14FceW0R0jYDaKTwKeNIgH6jS\nXgGdX+eJRyC1yhp6HAXOaaR9MvXJ8xCi6clWRpI9h3wxnrZtg+pERFeHhp2Ldlww\nRTjw4g3Cp9GQJB/0aTkVVOPmZ4/jpCyUS6hiV3cEE4veuDYZ20evpgO4sld6Ve8=\n=1o9a\n-----END PGP MESSAGE-----\n",
|
||||
"fp": "35C1A64CD7FC0AB6EB66756B2445463C3234ECE1"
|
||||
}
|
||||
],
|
||||
"encrypted_regex": "^(data|stringData)$",
|
||||
"version": "3.6.0"
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
key=ENC[AES256_GCM,data:3PTvx6o=,iv:74ni7B2QMB6aygdd3R7IEzNCwo1W+TpPWMJLfYCCG4U=,tag:mK2Tu7JWDdEmZUrXz3uRzw==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDhVTW1IenNXQmptWnha\nMjd1UWN3dHp0QXRkSnhUSjBHVFdKSmdXYzNNClVWeXVGWndJQ1RpRUlJRy9yeHJY\nb1VhbnR2TlovSUg1MlpZdkhWdkVHTG8KLS0tIHVOSEhOVVV2cXRUQUs2Sk15eU1a\nRW92L1BWQnhNbStFekZjVVRDUFJtaWsK+wPkQAtZtTbh2WHik1ovX61ZJPpkmwuO\nnUYAn37tZELXX/alrOORRwoq+0oBQO5pZYsJBi0fvijfm9VqR/4jKg==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
sops_lastmodified=2024-11-12T13:33:42Z
|
||||
sops_mac=ENC[AES256_GCM,data:YQHMLRk85ozeuqIvNekLAVp2DFSj+VgDG2z70uQaeCA+uxFp3k/THlANAXx+GP1Oab923Q6nG5ItV9dcG1hTXpA/NRpbM02pfNe/iYnVL7AtcXqFg/jy2T4kkqx7cHAXJi9zd+ZrISIZCNWinLoFfaAo70+epsFumUmLUaDzUPQ=,iv:TdOIRoy6Wch1/x9GlEsmArA5g461ILJZUE7tIxi9G28=,tag:miip/H0SuHqvaoxGvzheIg==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.9.0
|
||||
|
|
@ -1,8 +1,13 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
secretGenerator:
|
||||
- name: sops-year2
|
||||
envs:
|
||||
- ./secrets/year2.txt
|
||||
namePrefix: envs-
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
secretGenerator:
|
||||
- name: secret
|
||||
envs:
|
||||
- env.env
|
||||
configMapGenerator:
|
||||
- name: configmap
|
||||
envs:
|
||||
- env.env
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:QNbPAYY=,iv:cMvqZZXqOFmH+bAFdzX+ORH3cnj2cgKX/f6+8q8bDlA=,tag:Pb5wsv4wq5mbccaUhjqQCA==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybkpYNFFjVFprQndmWklK\nVnpyVzFjRGZ5cU5IK1NHb2t6bjhKUnZVZ24wCnZFSjBrVEJ6RmpORGMrVHRWUXA5\nL1BMbk1jWXM2aGpVcTkzckdHYm14SmMKLS0tIDdBS2NGaWFWRlZvRktPYksvd0pa\nRzFBRWtHcXlWcVkvK0VKQVRPRGFlYXcKeSgCitkcDxVNZSxS/TsR72xVh6iPL4l5\nS+FP0R0wbo3LbunScvF168f4NhB5HRpS29a5onxH64HEiYdMitV8WA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-11-12T13:33:42Z",
|
||||
"mac": "ENC[AES256_GCM,data:8H24g0IjdODRma+52utYPlZnGEH+Oi3LiXel2JExHEd1YwbBL417lTbJpZVIfwk7+SYLWw6V4ZbPgHFUHchhRH5URNqb4I0m/FhTMyDW2h0Zm1kM1zMdE8AZTGUyNhmVkrlw7GnBwuGwWS6Usm9C9XD5O+/2Yn20YqmB2/T3a0o=,iv:0sclmOePSOpekgQLr/kNTM2xKdr7djHn2xYSNrFSGD4=,tag:6gvdsQKSqKafO6VrXqlaeA==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.9.0"
|
||||
}
|
||||
}
|
||||
|
|
@ -1,14 +1,13 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
secretGenerator:
|
||||
- name: sops-month
|
||||
files:
|
||||
- month.yaml
|
||||
- name: sops-year
|
||||
envs:
|
||||
- year.env
|
||||
- name: unencrypted-sops-year
|
||||
envs:
|
||||
- unencrypted-year.env
|
||||
namePrefix: files-
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
secretGenerator:
|
||||
- name: secret
|
||||
files:
|
||||
- key=file.txt
|
||||
configMapGenerator:
|
||||
- name: configmap
|
||||
files:
|
||||
- key=file.txt
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namePrefix: inside-
|
||||
resources:
|
||||
- secret.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secret
|
||||
data:
|
||||
key: ewoJImRhdGEiOiAiRU5DW0FFUzI1Nl9HQ00sZGF0YTpySEx3RWdnPSxpdjo4eU1USXFyMnhYUTVZWXlxTm5PWGx6SDNJa0dpY2h5RFpCWlMxbS9EWitNPSx0YWc6eHpZQjUrYjlUSlcrdkpzU0xha1hwUT09LHR5cGU6c3RyXSIsCgkic29wcyI6IHsKCQkia21zIjogbnVsbCwKCQkiZ2NwX2ttcyI6IG51bGwsCgkJImF6dXJlX2t2IjogbnVsbCwKCQkiaGNfdmF1bHQiOiBudWxsLAoJCSJhZ2UiOiBbCgkJCXsKCQkJCSJyZWNpcGllbnQiOiAiYWdlMWw0NHhjbmc4ZHFqMzJubHY2ZDkzMHF2dnJueTA1aGdsemN2OXFwYzdreGpjNjkwMm1hNHF1ZnlzMjkiLAoJCQkJImVuYyI6ICItLS0tLUJFR0lOIEFHRSBFTkNSWVBURUQgRklMRS0tLS0tXG5ZV2RsTFdWdVkzSjVjSFJwYjI0dWIzSm5MM1l4Q2kwK0lGZ3lOVFV4T1NBelExVnJVek5UT1UxWU1VbzRNWHBxXG5NMHh4YUhOS2NqQlJOMlZxTUd0dE5HY3pVbUo1TVdwUGQxVXdDazAzYWxwdlNFY3haM0JOVkUxMlQwTTBNR3BFXG5hU3NyV0hsWVZsQkJUbGhzZFhkcVVrOVlVVGRDWjJjS0xTMHRJRGN3ZVZwbmF6ZFhORzlPVWxwSU1pdFVWMnBoXG5SRzExUkdsbWJTOU5aMGxETnpSNVdXNXVORTlITVc4S1FCSlJIRVlhSFphdlN1RUlCN3pDU3hCN0RSdkxoRW8xXG5vRlVVNjRWOW54RC80ZUQyVyswdWpFYnprbVJ1ZDhsdGo5clhSY1lyU3B3MVdXcTdRbjFlakE9PVxuLS0tLS1FTkQgQUdFIEVOQ1JZUFRFRCBGSUxFLS0tLS1cbiIKCQkJfQoJCV0sCgkJImxhc3Rtb2RpZmllZCI6ICIyMDI0LTExLTEyVDEzOjMyOjA0WiIsCgkJIm1hYyI6ICJFTkNbQUVTMjU2X0dDTSxkYXRhOjBLdzFwNmNPUFd2NTlvZXhRVTFVV0tMcjNvY3NLQ1dxWE1RUnFsMnlaazRiWGpvcm14NS9VcmNqbkF3NUZnRVQzWXRtT0p0cUpVWnRTUDRuRTkxMFUxZFd2bWhUL240cmRFMFpyYU5NQmpTbVMzUVVCcm1aeXJERDN0ODlhaUJBVE42MnlSZ0pVNmlWWU80bHdlb0VuWUQ0K09ZcWczWHBSNldUUjRkVEtwTT0saXY6aHliWHI2YVJIQWxTcFAwZXZQaEhaNWhpazlObGgvRFJEUEZRUklXTktyaz0sdGFnOjNybHhzbktuN08vM3RnalBNbm91bWc9PSx0eXBlOnN0cl0iLAoJCSJwZ3AiOiBudWxsLAoJCSJ1bmVuY3J5cHRlZF9zdWZmaXgiOiAiX3VuZW5jcnlwdGVkIiwKCQkidmVyc2lvbiI6ICIzLjkuMCIKCX0KfQ==
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namePrefix: sops-
|
||||
resources:
|
||||
- algorithms
|
||||
- envs
|
||||
- files
|
||||
- patches
|
||||
- inside
|
||||
- remote
|
||||
components:
|
||||
- ./component
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
month: ENC[AES256_GCM,data:9e+R,iv:EzJxah6sCY2D9L76l/CuVq6qVq2ncJDYphm9gXE/ZgM=,tag:r82agynzHp/aOTVo6Iu9wg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2021-05-31T11:27:34Z"
|
||||
mac: ENC[AES256_GCM,data:BV/jKqSzKr2sq/yA4HToFseOWOB04cYo+54Dby/Jp4ZuVwxNt1i02zncsvWyQZK5WFcvK47brvzN6fWJyyf5WnX+XISbuUDGMWjqNG/te3YKEY4ZqJUopDF/AxDZDkUC5KdnIln6RZqtHuJH18J35kakWFrg1YOJtI28ZVK5yBM=,iv:T6JJkYbfqpUz2AClToZtSsuVbUXcPD5nqaUhJJdH6Uc=,tag:jvmH8iyfivoGIt1k+Uodrg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-05-31T11:27:34Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA90SOJihaAjLAQ/9HYs2HyaYL9dOj8zIAr3JzqEFHlMX59Vw8kj9KxBQJXYQ
|
||||
N3mE/HHQVBWk/36Pq/14n0Eals8GwivDDiJmovfeRASmb0/LnGQDzMkDGEJvyu7N
|
||||
Q69rBjzVWbmMPgI0vQb0zTBRcUW+LnSijkv+H5mxuFnnZd8N3UeFLHX2oKNeA7O3
|
||||
pYjjK8vr6KaXJqYfH+bFs29cnk0+xZiThr21cz40yFZD7ynns4xjdVtqI5bvGk/F
|
||||
bDW7oGgJe+q/9OHKJaVESLrcZMe2lLxA7x821ssq6BlNzv9DHTc7PloVNepsze6d
|
||||
MBTgzAZoH04ENQSiL9qo24AVGaFhUXak7MslxE8nhjFJD6sfb0Q/LtlhOSpDw7NR
|
||||
gugPzQuQLGN9U54id0bql8CBi58g0wdxjo6kDlMYTEd9CZbugfM1pR1imknlgPLi
|
||||
7ODDrWTTxnZm4+hZRj7EjMGlRshavPgZ/rgT1tTnjNw9c+llgCWW8Ei8JOEvA86M
|
||||
DwsPzodesMO56yf3MJPAgakCapTH9VMad+E63yUMsNAX6+otrjgssvxg3j8KnjPp
|
||||
Z7593P7RGYrRR+YwEi5nTHmDL1H80vP6pNnBGd7wLa3TLzypkDiZSKY6vq6vSIwd
|
||||
QOpLX3VC2X53mtWmNm7oWxKLX3hKPrjTqBYE0EDK7Yc0q8rj++ygntOekI+WSm/S
|
||||
XAG4Ufue6i2MTvnZmK/Byt+E/zT4jRmjRQImGekHB+rLYfM3Z85i6ExH4OCCWNqC
|
||||
rg4DqrWTS8Nvt2PE5UC3Phqe51D4/ZrQPVPkFQftgQl44xECv4X8rI7RTux6
|
||||
=HE0m
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|
||||
|
|
@ -1 +0,0 @@
|
|||
year=2021
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
year=ENC[AES256_GCM,data:EfNnlA==,iv:pBaHDmjQ1d6JrA0Rk19giCQon7CP37hZ0dEQTkJEw1U=,tag:J29CEN9S6pSie8tsAD2REA==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NHYyMHdNcXhMS2x6aXJq\nTHVhbUYrcW8waFduN1NoWUIyTWFuMmNEVGpzCjUxb05zUndSdnpiQng2VnZ2SkNF\nbnlzY0VmaVd1Z0xZR2FKdDRPQlhKSE0KLS0tIDlEaGgwT3VHcUg5QzFpenZNOTBk\nbUZ5QkRnY0kwMFpYanFLYTlvc0FXdXMKb32CnEO8yg91kkUMFXhBL5Sfz32dNOJT\ntNGdKcOGVBzOJVgU1RquB+5OcJdbuwdV7GCq8KvXqh5fypTI00hZeg==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
sops_lastmodified=2021-10-14T15:35:45Z
|
||||
sops_mac=ENC[AES256_GCM,data:brSfy5j0wETn6YT7p8qoCSuI6bevGwrxBbtcqBSYRJ+GgLAr9a7rtwHK8/BnKCi1C1H/zGa1gEERqz2j6Zw0uS4V5lejvtDtfRn9DwYWQ2Aqo2zi4crfNhljerwQVa/Hy9pq2falIZyyhoDX30WOoLe+2eZWQXLtFlVkx4x7U1s=,iv:wr4szytKCN9j6dqccZZl0bkDUHsOtFSvDXjdpuZwTbA=,tag:N1uQ25uLS+E6yQPzXJRiNw==,type:str]
|
||||
sops_version=3.7.1
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ../bases
|
||||
secretGenerator:
|
||||
- name: sops-year1
|
||||
envs:
|
||||
- year1.env
|
||||
namePrefix: patches-
|
||||
patches:
|
||||
- path: merge1.yaml
|
||||
- path: merge2.yaml
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
components:
|
||||
- component
|
||||
secretGenerator:
|
||||
- name: secret
|
||||
literals:
|
||||
- key=value
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secret
|
||||
stringData:
|
||||
key: ENC[AES256_GCM,data:P7HTaDel,iv:YyIVQyWQpW5tEIGOsWRx6kFIP49Ciej60a5EccQg1us=,tag:Rg+MWSVit7f6dVSPLfoFOA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicityZGExUWdURjJmaUdY
|
||||
NDF1czNNZ1B0OWFPTGpGblNwZGpza2NPZ1RjCnhQcE55VDNOaVlCUG0reE5LeEtD
|
||||
TzZJR0o1dUJlb2dqV2YwaGhWZEdGYVEKLS0tIFJsc054RHJMQTUxdm9MNTJmb3o5
|
||||
QVd5VkxJam5RT3RjNzdaN3NzYWtGV1kKaaKPbN6o9/XunC7KimHAXbg3iI29hg71
|
||||
VHeuzfLjhuwOJv/rlNyHIdqbvGlMHUU5exZ7dVr4DMen+FsNRvnfJg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-12T13:33:42Z"
|
||||
mac: ENC[AES256_GCM,data:ArD1tNf9Z72ZyUXj7PiBbHDTbmhprOfp8UUFPE7z9O/WvHOCgfwfhtnDfri/SeHiKyLHVQjdvoEw+Xu9xCNkG+UJuKnz/YBT4Wq+jkbQTSOvFNL4K8HwroWmTmcKS2CVUy5N2U64qNg29nFceiMoX8mSvlqOLKMWLCPhYP4L3sc=,iv:hj4VEh3mWjD2NNE9aGG3rqw1niFfE3VTkgUpY2SwhA0=,tag:nVG2dca/11vDANi9Bgk3dA==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.9.0
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secret
|
||||
stringData:
|
||||
merge2: ENC[AES256_GCM,data:QN7wGPNK,iv:cg3UYtCAWmxxLMGvK3ImXz1j/kN0vyujQNzbJE84LCU=,tag:LwQwsEEam96wmeSwRmZevQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTDFGM0pxZXc1VWQzWm8z
|
||||
MGxYRWprMXFWakdiTmpycDB4RnBlc0lkUEJZCmlLQ0Q1a1BRcXQ5Q1ZpRGljM2Fn
|
||||
SWlQaUVuUjNKb3p2NmYrdWxlUDIzajQKLS0tIGlZWUlQK05wOGVlRGp3UE5YalNZ
|
||||
S1hNbFd5a1Q0KzNwOE1oa3JZUnRMdmMKg7Ac1ik+6gmtKF7SUkiGb/Prh3kyJUA6
|
||||
PlVtWc+QGanN7mkXIxnPbhoDF8RYrxXH0mot9iiFWdzH+IeC19DANA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-12T13:33:42Z"
|
||||
mac: ENC[AES256_GCM,data:Lnz+0hdARiP6yHgyJugrtuuhKhy21X4TBQG3Pz0EVZWFfIfheWBbW9KOXlw+x7FruuGWQxIlMmmgCMx4YVxQwpT6zFvjUw6hfD4fpeyrxnsCOiN56N3ECpLZMfq27ilubnMHe/AC0mhdAjivZfQJWPe/lQBO3Jb6HRJj7FTPWWA=,iv:0mNU7QFsYCsxNvbtcPLg19dktr9eWDGQLcKw+WWCaFU=,tag:zp+dyySRJMjwccw4TEGnjg==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.9.0
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
key=ENC[AES256_GCM,data:3PTvx6o=,iv:74ni7B2QMB6aygdd3R7IEzNCwo1W+TpPWMJLfYCCG4U=,tag:mK2Tu7JWDdEmZUrXz3uRzw==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDhVTW1IenNXQmptWnha\nMjd1UWN3dHp0QXRkSnhUSjBHVFdKSmdXYzNNClVWeXVGWndJQ1RpRUlJRy9yeHJY\nb1VhbnR2TlovSUg1MlpZdkhWdkVHTG8KLS0tIHVOSEhOVVV2cXRUQUs2Sk15eU1a\nRW92L1BWQnhNbStFekZjVVRDUFJtaWsK+wPkQAtZtTbh2WHik1ovX61ZJPpkmwuO\nnUYAn37tZELXX/alrOORRwoq+0oBQO5pZYsJBi0fvijfm9VqR/4jKg==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
sops_lastmodified=2024-11-12T13:33:42Z
|
||||
sops_mac=ENC[AES256_GCM,data:YQHMLRk85ozeuqIvNekLAVp2DFSj+VgDG2z70uQaeCA+uxFp3k/THlANAXx+GP1Oab923Q6nG5ItV9dcG1hTXpA/NRpbM02pfNe/iYnVL7AtcXqFg/jy2T4kkqx7cHAXJi9zd+ZrISIZCNWinLoFfaAo70+epsFumUmLUaDzUPQ=,iv:TdOIRoy6Wch1/x9GlEsmArA5g461ILJZUE7tIxi9G28=,tag:miip/H0SuHqvaoxGvzheIg==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.9.0
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namePrefix: remote-
|
||||
resources:
|
||||
- https://raw.githubusercontent.com/fluxcd/kustomize-controller/refs/heads/main/config/default/namespace.yaml
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
secretGenerator:
|
||||
- name: secret
|
||||
envs:
|
||||
- env.env
|
||||
patches:
|
||||
- patch: |-
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: sops-remote-configmap
|
||||
data:
|
||||
key: value
|
||||
target:
|
||||
kind: Namespace
|
||||
options:
|
||||
allowNameChange: true
|
||||
allowKindChange: true
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: sops-age
|
||||
stringData:
|
||||
secret: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGduOFZjRWw2WTFQdWdu
|
||||
OS83OEZaN1E1aU1zSThhMlNEZzd0aEYvdURFCnE3bmJ5c3J2cDNEbXhselFPVC9v
|
||||
NFhMRjZjOHZOdEpoYjdiS0ZPd2pvN1kKLS0tIDZUVEFoblpDNWhnaWxYRTBjaktk
|
||||
bHRXV0o1K2ZDNm5Mem5SdzNBMTNuNFUKylE2cRLqydjj6e4+4Giwn4y8mIPej+CM
|
||||
Bab3UWiK1da2rFNTOEnoHl6QDAVxNrWdrrIa5k22SzApT88VtJ4xuQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2021-04-06T09:07:05Z"
|
||||
mac: ENC[AES256_GCM,data:oaM8qFtEP8dOCd/Tr5yb08uetsnDtZO8o1rCayN53ncQ1HUAdhRBrFdmbYx1YTh1mwQVVN6sGYqFZU1LBMVv5pTqvpwd41biJZEg8NznXQWx0GA2Z6HOrblGhFZKrqky3P5xN+6j63zkJizXWgBMKzRvBnsVKxjZGr/lk1vVVv4=,iv:p4y9Fo3SArkEMuoK2d9sQYgNdc0iw/StFhg/5LnhcXM=,tag:61JGbnEw35tv6WnGj46JOw==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.0
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
secret: ewoJImRhdGEiOiAiRU5DW0FFUzI1Nl9HQ00sZGF0YTpCZDJuL1VCc21KN2NYYXVvLGl2OmR4c25ncWVDVitzVVVIM24rVTZ1N1F3WjEvRFptM3RhVlVOSjJRTFNlWGM9LHRhZzp3enhxUjA2MWRmbmVhQmlMNHRxaTN3PT0sdHlwZTpzdHJdIiwKCSJzb3BzIjogewoJCSJrbXMiOiBudWxsLAoJCSJnY3Bfa21zIjogbnVsbCwKCQkiYXp1cmVfa3YiOiBudWxsLAoJCSJoY192YXVsdCI6IG51bGwsCgkJImxhc3Rtb2RpZmllZCI6ICIyMDIxLTA0LTI3VDE5OjQ4OjIwWiIsCgkJIm1hYyI6ICJFTkNbQUVTMjU2X0dDTSxkYXRhOkUwQmFsdjRGcWRiQVNRSGNpa2oyaURTeTdCTjBVSUY3cHhlSFNwUUZ2dXF6akVtRWlDV2xJRFl0dmgxY2t4ZnZxNHpYS2xITkp6QitkM1RSaHNuaGtIZ2tSWFA1MldwUkNHZ1pwY3h5Q3FCTmhhL00wRGNGY1ZZZG14T2NVNEU4eFdsdFRuektzZll0bVkvTVludmVJT1htNkpmMUhPS2FVM1EwdzBGbG8wQT0saXY6QWgza0puZEI3UnE5RVV3ZUc0TUMzUmh5bXRYRXY0ellIc2M3M3NxQzlGdz0sdGFnOnpOS3ZHcW5WNG8yWTdhNUJTV28yZEE9PSx0eXBlOnN0cl0iLAoJCSJwZ3AiOiBbCgkJCXsKCQkJCSJjcmVhdGVkX2F0IjogIjIwMjEtMDQtMjdUMTk6NDg6MjBaIiwKCQkJCSJlbmMiOiAiLS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tXG5cbmhRSU1BOTBTT0ppaGFBakxBUS8vZGo2NzlnSXpKdU1vc05wdkRZQVNUOVF4MjBGdmJOREsvTDhmY2xlTFd0NHpcbktWaHdlTnRRdXhZbXA1a2Z6VUpBWXh2Mk01a2NSWFo1QzVDWDJLSER2N1lxVWRRdVdMam9wTFRmR1RPcE56RlBcbjNyZE5sRXZKMC8zSXdteEhtYXVPbUpPazByRUQrOXZtTXNCL3pnaXIxWkd2d0tTNVM5dW9XSDN6bUlVdmJBR29cbmpCKzAxRkdqaXlYRUhSanFzbFlMZ0tXczhZaVR4anNPOVd3QlU0ZmRySzRCKytEaWFweVdFcDJYVWhFZWt6MjFcbjR3dXU5dEp5TmtOWXpmMXNXUWxMc1lPblMzRkkrNSsrMFg1SmREYWtFVmkzSnF1TmtLeDRuWms3ZHJqcktnM1hcbnJPWTc1YnIxdGkwTkxrQWFsaUwvbEJSR3JCTW5BeTViV0l4dkpoSmtqRGMyZTNBWmJNbXdJQ0FJZ05kMEcrNFBcbkJqWkhNWnZUQk1RN0VvWFhGeVg5K3JKKzFnUzF5UEJuaFNma3lrSmJSR1ljdnB1RVRFL1NyK0FSa0s0cHV5bFVcbk5sdU8xZmdOMEF1STVqVll2NzJ1MzJWZEw2N2ZYbjlPdjhFYmlkdVVKcWoxZXB3Mk53dDNZK2xrNERLbVBybVRcbjFRTzF3OC96UHo1SlR0U1R4ZXFJak4weXBTazFocE9XekNwOTE0QmgxckFscXFxakorc0Q4dkVseEk2N2JSWG5cblY1alBkZkQwQktLU0tqS0ZLeVhnUHdPdCtvd2xTTDROR0V6bmdTcmsyeDlTcHVDdWQweXpoeVpta2tHRm5JKzdcbmhpT2kzeGxmZnkvRWY4TDkvaWhDbmJQc1pTck50L0RPQlVGK0ZGQUlmZitpUElPRTBieGZCaHpMNWZOTS9ZdlNcblhBRS9pYk42NktLT2ZwYWlqWnRXSkdTY1RHVVlYMkt2WTAwN2h6Y1ErR3BaZUZOd3oyUlpEd3BkTzZ4N3JHelFcbkFHQUtjd2pTYXcramluVzQwWmZnOWQ5YmFMdWRYTDRXVU9FSUdTN2FpWjNFNjJTSFJGU2U0dmNpSVh6blxuPThRcmZcbi0tLS0tRU5EIFBHUCBNRVNTQUdFLS0tLS1cbiIsCgkJCQkiZnAiOiAiMzVDMUE2NENEN0ZDMEFCNkVCNjY3NTZCMjQ0NTQ2M0MzMjM0RUNFMSIKCQkJfQoJCV0sCgkJImVuY3J5cHRlZF9yZWdleCI6ICJeKGRhdGF8c3RyaW5nRGF0YSkkIiwKCQkidmVyc2lvbiI6ICIzLjYuMCIKCX0KfQ==
|
||||
kind: Secret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: sops-day
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
secret: bXktc29wcy12YXVsdC1zZWNyZXQK
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: sops-hcvault
|
||||
namespace: default
|
||||
type: Opaque
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: sops-pgp
|
||||
stringData:
|
||||
secret: ENC[AES256_GCM,data:rZEmadbj49GoQLlK85hKKAsc,iv:FX4Dfbd173bZQdUgEVRo4q29m/Gz9ob07QHFuiCAufA=,tag:VM6tzAVdGjsythy2Mr5tvw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2021-04-06T09:07:19Z"
|
||||
mac: ENC[AES256_GCM,data:iBg8FY39VSykcWZ/asv86P3VNZkscQdINNOy3UtI5m4OWDpUkyDuq66w7ELiiEXJ3D+b7JKJrsSrYtT7Tn7t+NZGxJcLQFEczozvWgKd2hCikxnMEepCJ3tRcoz7JaItommi1HvA08syGfLA5f6eOxsHQWzmjVdYaVpQ4VGRibk=,iv:VI+Fb7dXV4442IMKZSHOb0GJ/2nNgK9AUTblOZ49Oco=,tag:gJjFguJeE7irKZW7yZi0jw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-04-06T09:07:19Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA90SOJihaAjLAQ/+LnZo9UHmJ2Llcpq6m5gjo5hbCx6aYTbrvJOFCWeu2oyC
|
||||
71XsuTUzBp7TK8SkGrxlJmUodezACQ3rCsKY/r2GI4t9HkVRSuhnc/YQMunm3iG1
|
||||
bsgfdV/KBm0Go7dFXy2R1Pt3PuVnuM9MZ59U4SdqYGZDI7vzy2gfH127qa3oIOoF
|
||||
2OFfwhUy8nZIVCJ47ExIdrc7Qdk94tbLfwmBAKHFN4Ab0YXasKCpH9O+9/vQ+JJU
|
||||
7xy61Nv4dqtEDYU9QTh2ZuT6ZaWikTqCcIv/W7lW1RsT8n7YiRZv9POobKDh5KbP
|
||||
PyfqvJsLcJB8LHN2kZfwr6Iemuce19kRi+7JL9zMGRJSsq0thJ0ly3JBi48pU27w
|
||||
jbFnmxlIwfb0EsLBp9lsxw7GoUbooSC/rfI5NVeQ+4lFA4gQn2oz7i4zTYesnwil
|
||||
lrgMxz49SSluAYsGjrJHc+ABmlDz83K42KtWlNjwaIbDgHMl4EbYUe4pxcynEZ6D
|
||||
0csDIsIA15MP0THfTL1F1vkhvdPHNuUlVjFqgWaJAP2CC5KH8IeTCUN72FySEYAB
|
||||
BJH+VQoRnS942M8VQAfUQyBsfZKtQhyCkU7KEimUjQzy75JWgy8YMX1mviXk52qB
|
||||
kVHQIjNEuBta58pmNyhxc+6+bz+ABGp+mR9QemUQjmXghH3VjOwnZVj6KMMX4J3S
|
||||
XgEubPmw6u4nYqb9bLDVyE2uXXA4TVgFDuZxJrbZOn9zF2aQOOGfZX2Gx5xgK+pV
|
||||
srM1wyJqdP+QL/fWO9ZI38+tyr1T5zOBPpJ/JTrkSJoVeRWpwuI6BUCZhH66nfU=
|
||||
=+1cf
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.0
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
year=ENC[AES256_GCM,data:HoFRvaM=,iv:XNDFLkONNvKSKkbqErVx1/tnEtDuZIG3SficCd7NIaM=,tag:aC7SCerL01kYyXyXkWR2ag==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_mac=ENC[AES256_GCM,data:s75x7NzSjmkovCOopnT1eIfXMAdwwsN8KoVdVbAYDTAsB856w/i/W/JshXAUdr5SnXHNbtwzEha/HSppnWEQw1nds18yZCeIW54QE7yxvBKw9Mhd3wxHWiZWziTY0awbYinbyQ45zpq1Iz97BueNjhwtZWMQzRKLQvwyqEljTHs=,iv:AuKqCzIgTYcogtyLrtM6VdgwKTlDE3uMxvVaWbpKBOA=,tag:Ija+U/97TxxWoXYDpG6+jg==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV1FYTkdzV210SkswWmty\nZzZSVzlCUlRQcVNEOVpYSWNSSWtPd00rcDJrCjZKVVp6aFY2cHJQbm9oY2Q1Z2N3\nLzBWalF4ZHZYTU5kMlcwaGRvYkVKcFEKLS0tIG1QTjNuY0pRbFBqT3dFNFROQWU3\nTWQxNVlUNG8rblQyYmJoaCtKSGcrdE0KjUJ+hGiyCkzUG41mwT3rAb0BdwBF8303\nhBDRmW+DjP1ETrGTXviTS1Cq29IX1K2KdBRxixjtwewkXV/i87wHRA==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
sops_lastmodified=2021-10-15T11:09:14Z
|
||||
sops_version=3.7.1
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
year=ENC[AES256_GCM,data:c+S7GjA=,iv:bcYeALfyGDWlXi5UqOFVC2tCdex5MXaJKxn6awDIfAI=,tag:UQepDih41dSSUiebFYNxiw==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4L01FcTR6dVpPR1JpNldW\nSURuaHBEZ3RrY1hpS1Mxam10VEhVSE85RG5NClFTZHEvQzBnbjVHK3VydEIxVkZE\ncEI0a1hVMmtVSXZjNU5VQXBVV2RIS0UKLS0tIEZlUndyWEVZZUl1bHI0a3JwS2M1\nQnNNcFZxaTNzWlZoSFRpdWd2QUJjNGcKzEaQDRjvnFPkwCXL6K5s5guI5xP0urcD\nfeYHuyAS9Td0l/5fTyDlLv6jFJ09QS1ob0OL0GAvknwjbRlbaWjrAA==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
sops_lastmodified=2024-11-10T18:49:59Z
|
||||
sops_mac=ENC[AES256_GCM,data:jeyF+D6Y5tGtcaxWfK65PlbjZLicI1lFi0uEcEq2fLVv9vPCpSO/iAfGGOqQiMPbndAV7FdqeFCSXC4gmf27gysR3FvHnYrbLZDO+fZm5K6Fk2IReSCZIHLxVGUlC9E5z1NFfPjJdD3fMM5I6sT7Cpn6xCg/rHavmfOEwW2dU94=,iv:kgxhX2NhFEmgfbOD7FpiXI+WXXZrpzf7R8r1RMSPPjs=,tag:aHge+qF1wsAszeTL25HtBw==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.9.0
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
year=ENC[AES256_GCM,data:tV/GLTE=,iv:AtEKKSUa4BiTnDzGMtpGrO78NuR0wMXzjKrQScbtX24=,tag:zAzcBzQ6ORO+NhcY3idHcA==,type:str]
|
||||
sops_lastmodified=2021-10-15T11:08:51Z
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFU29oWEh2ckRjaCs3d1FJ\nYTkxN0dqY1lsc1dEUmZ4OGN0N1BHK0xxQld3CmpTL2Z2VDloQStCYnRmYnJ0SDFj\nVU9USmszbU44YUxzRi95Q0sxY2t0bkUKLS0tIC80Ulh1RWJPeUFqbUFNSjFOeGIy\nY001MzMwbnRsQXlsN1VVY2xLY20yazQKYhZQGZpay9J1cnGiHCKBY6DtYMCSIBo7\nAP41GiVukT6M4LT83TpWzWgbR/xNgreKdNpweYcw+Fp+wJHVeR3+fg==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_mac=ENC[AES256_GCM,data:rw8vAq+8nqa5/V8p/ICuVKXNQCeTIFExF33qy1YEbc8f4kePDhTlGqxluEytbWOhk+hzCd4POk+zY8bWBY2QSiq0lle2rCtE2WT3I04/+bHzX74yMBuadYLqiUFEhkra/58FXD404PPJBUrOy8mAPgWVczcqMexYhzz//tPdGMY=,iv:yk3CsyGigCSHonvMBTQvjg+kgNssf87KqlKeR6FE8sk=,tag:dCaOhh97ebJWNT5v35n6Iw==,type:str]
|
||||
sops_version=3.7.1
|
||||
sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
|
||||
|
|
@ -392,28 +392,28 @@ func (d *Decryptor) DecryptResource(res *resource.Resource) (*resource.Resource,
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
// DecryptEnvSources attempts to decrypt all types.SecretArgs FileSources and
|
||||
// DecryptSources attempts to decrypt all types.SecretArgs FileSources and
|
||||
// EnvSources a Kustomization file in the directory at the provided path refers
|
||||
// to, before walking recursively over all other resources it refers to.
|
||||
// It ignores resource references which refer to absolute or relative paths
|
||||
// outside the working directory of the decryptor, but returns any decryption
|
||||
// error.
|
||||
func (d *Decryptor) DecryptEnvSources(path string) error {
|
||||
func (d *Decryptor) DecryptSources(path string) error {
|
||||
if d.kustomization.Spec.Decryption == nil || d.kustomization.Spec.Decryption.Provider != DecryptionProviderSOPS {
|
||||
return nil
|
||||
}
|
||||
|
||||
decrypted, visited := make(map[string]struct{}, 0), make(map[string]struct{}, 0)
|
||||
visit := d.decryptKustomizationEnvSources(decrypted)
|
||||
visit := d.decryptKustomizationSources(decrypted)
|
||||
return recurseKustomizationFiles(d.root, path, visit, visited)
|
||||
}
|
||||
|
||||
// decryptKustomizationEnvSources returns a visitKustomization implementation
|
||||
// decryptKustomizationSources returns a visitKustomization implementation
|
||||
// which attempts to decrypt any EnvSources entry it finds in the Kustomization
|
||||
// file with which it is called.
|
||||
// After decrypting successfully, it adds the absolute path of the file to the
|
||||
// given map.
|
||||
func (d *Decryptor) decryptKustomizationEnvSources(visited map[string]struct{}) visitKustomization {
|
||||
func (d *Decryptor) decryptKustomizationSources(visited map[string]struct{}) visitKustomization {
|
||||
return func(root, path string, kus *kustypes.Kustomization) error {
|
||||
visitRef := func(sourcePath string, format formats.Format) error {
|
||||
if !filepath.IsAbs(sourcePath) {
|
||||
|
|
@ -426,19 +426,19 @@ func (d *Decryptor) decryptKustomizationEnvSources(visited map[string]struct{})
|
|||
if _, ok := visited[absRef]; ok {
|
||||
return nil
|
||||
}
|
||||
|
||||
if err := d.sopsDecryptFile(absRef, format, format); err != nil {
|
||||
return securePathErr(root, err)
|
||||
}
|
||||
|
||||
// Explicitly set _after_ the decryption operation, this makes
|
||||
// visited work as a list of actually decrypted files
|
||||
visited[absRef] = struct{}{}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Iterate over all SecretGenerator entries in the Kustomization file and attempt to decrypt their FileSources and EnvSources.
|
||||
for _, gen := range kus.SecretGenerator {
|
||||
for _, fileSrc := range gen.FileSources {
|
||||
// Split the source path from any associated key, defaulting to the key if not specified.
|
||||
parts := strings.SplitN(fileSrc, "=", 2)
|
||||
key := parts[0]
|
||||
var filePath string
|
||||
|
|
@ -447,21 +447,36 @@ func (d *Decryptor) decryptKustomizationEnvSources(visited map[string]struct{})
|
|||
} else {
|
||||
filePath = key
|
||||
}
|
||||
// Visit the file reference and attempt to decrypt it.
|
||||
if err := visitRef(filePath, formatForPath(key)); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
for _, envFile := range gen.EnvSources {
|
||||
// Determine the format for the environment file, defaulting to Dotenv if not specified.
|
||||
format := formatForPath(envFile)
|
||||
if format == formats.Binary {
|
||||
// Default to dotenv
|
||||
format = formats.Dotenv
|
||||
}
|
||||
// Visit the environment file reference and attempt to decrypt it.
|
||||
if err := visitRef(envFile, format); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
// Iterate over all patches in the Kustomization file and attempt to decrypt their paths if they are encrypted.
|
||||
for _, patch := range kus.Patches {
|
||||
if patch.Path == "" {
|
||||
continue
|
||||
}
|
||||
// Determine the format for the patch, defaulting to YAML if not specified.
|
||||
format := formatForPath(patch.Path)
|
||||
// Visit the patch reference and attempt to decrypt it.
|
||||
if err := visitRef(patch.Path, format); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -747,7 +747,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestDecryptor_decryptKustomizationEnvSources(t *testing.T) {
|
||||
func TestDecryptor_decryptKustomizationSources(t *testing.T) {
|
||||
type file struct {
|
||||
name string
|
||||
symlink string
|
||||
|
|
@ -910,7 +910,7 @@ func TestDecryptor_decryptKustomizationEnvSources(t *testing.T) {
|
|||
}
|
||||
|
||||
visited := make(map[string]struct{}, 0)
|
||||
visit := d.decryptKustomizationEnvSources(visited)
|
||||
visit := d.decryptKustomizationSources(visited)
|
||||
kus := &kustypes.Kustomization{SecretGenerator: tt.secretGenerator}
|
||||
|
||||
err = visit(root, tt.path, kus)
|
||||
|
|
|
|||
Loading…
Reference in New Issue