Commit Graph

18 Commits

Author SHA1 Message Date
Soule BA c579e71430
add native support for sops decryption/encryption with Vault
If implemented, the kustomize controller will be able to retrieve a
secret containing a VAULT TOKEN and use it to decrypt the sops encrypted
master key. It will then use it to decrypt the data key and finally use the data
key to decrypt the final data.

Signed-off-by: Soule BA <bah.soule@gmail.com>
2022-01-19 21:59:10 +01:00
Stefan Prodan 4958b9c8ce
Warn when secrets are not decrypted before apply
If decryption is not enabled, SOPS encrypted secrets will fail to apply with a validation error that doesn't give any hints. It's better to exit early and throw an error that tells users to enable decryption.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-11-08 15:58:27 +02:00
Rishabh Bohra b8cebd3838
chore: remove deprecated io/ioutil
Signed-off-by: Rishabh Bohra <rishabhbohra01@gmail.com>
2021-10-29 20:28:25 +05:30
Stefan Prodan c610944139
SOPS: Fix dotenv decryption error reporting
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-10-19 11:10:10 +03:00
Somtochi Onyekwere 84a88d5878 Decrypt dotenv files
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
2021-10-17 15:27:04 +01:00
Stefan Prodan 1e01d800c5
Implement reconciliation using server-side apply
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies first custom resource definitions (CRDs) and namespaces, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`, defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events for only the resources that where created, configured or deleted.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:34:40 +03:00
Gorka Maiztegi 56739d387b Support decrypting any file format in secret generator
Signed-off-by: Gorka Maiztegi <gmaiztegi@reviewpro.com>
2021-05-31 16:06:05 +02:00
bob.rohan a77ea03ec6 Decrypt base64 encoded SOPS encrypted secrets
Signed-off-by: Bob Rohan <bob.rohan@hodge.co.uk>
2021-04-28 11:54:25 +01:00
Hidde Beydals 8688fd6159 Look for `.agekey` to prevent future collisions
The previous `.txt` is very generic and could have resulted in
collisions when a new encryption format would be introduced in the
future.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-04-01 13:20:17 +02:00
Hidde Beydals b8bdc0c999 Support decrypting using age keys
Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-03-31 11:55:44 +02:00
Hidde Beydals c3e1252665 Only GPG import keys with `.asc` extension
Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-03-30 13:20:13 +02:00
David J. M. Karlsen 750a45a34b
Avoid promts on import by adding batch flag to gpg
Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
2021-02-20 23:36:31 +01:00
Nicolas Lamirault 460eae2a2d
Add: Sops user error
Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
2020-12-17 19:07:31 +01:00
Hidde Beydals 6a4bf74cf3 Add safe guards for relative paths
This commit ensures that relative (user configurable) paths never
traverse outside their working directory.

It does _not_ provide protection against path traversal within
`kustomization.yaml` files.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2020-12-16 12:44:13 +01:00
Stefan Prodan dde74d9ea5
Change copyright to Flux authors
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2020-10-27 18:49:02 +02:00
stefanprodan 50104826ae Promote API to v1beta1 2020-09-30 19:10:27 +03:00
Hidde Beydals 07f13e56eb GPG decryption in contained environment 2020-09-02 15:42:02 +02:00
stefanprodan c605ccf6d2 Implement Mozilla SOPS decryption 2020-09-01 15:51:22 +03:00