If decryption is not enabled, SOPS encrypted secrets will fail to apply with a validation error that doesn't give any hints. It's better to exit early and throw an error that tells users to enable decryption.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies first custom resource definitions (CRDs) and namespaces, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`, defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events for only the resources that were created, configured or deleted.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
The previous `.txt` is very generic and could have resulted in
collisions when a new encryption format would be introduced in the
future.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit ensures that relative (user configurable) paths never
traverse outside their working directory.
It does _not_ provide protection against path traversal within
`kustomization.yaml` files.
Signed-off-by: Hidde Beydals <hello@hidde.co>
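
A sketch of the kind of confinement check the last commit message describes, added here as an illustration and not taken from the commit or the project. `ConfinePath`, `within` and `ErrEscapes` are hypothetical names, and the sketch assumes the path is read rather than created, so it must already exist.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapes reports a path that resolves outside the working directory.
var ErrEscapes = errors.New("path escapes working directory")

// within reports whether p is root itself or lies beneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ConfinePath resolves userPath against root and returns the real path only
// if it stays inside root. The path must exist so every symlink is checked.
func ConfinePath(root, userPath string) (string, error) {
	realRoot, err := filepath.Abs(root)
	if err == nil {
		realRoot, err = filepath.EvalSymlinks(realRoot)
	}
	if err != nil {
		return "", err
	}
	// Join cleans "." and ".." and re-roots a leading "/" beneath realRoot.
	joined := filepath.Join(realRoot, userPath)
	if !within(realRoot, joined) {
		return "", ErrEscapes // lexical escape such as "../../etc"
	}
	resolved, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", err // missing path or unreadable component
	}
	if !within(realRoot, resolved) {
		return "", ErrEscapes // a symlink inside root points outside it
	}
	return resolved, nil
}

func main() {
	for _, p := range []string{".", "../outside"} { // constructed sample inputs
		_, err := ConfinePath(".", p)
		fmt.Printf("%q -> %v\n", p, err)
	}
}
```

This covers only the caller-supplied path. References inside a `kustomization.yaml` are resolved later by the build and need their own check, which is the gap the commit message names.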