This checks the base64-decoded bytes from a Secret field for any of the
marker bytes, thereby allowing data to be encrypted into any format,
instead of the previous behavior, which assumed it to be either YAML or
JSON.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This ensures the Secret field gets formatted back into JSON, instead of
it being detected as binary output.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Rather than inspecting the source file name supplied to kustomize's
Secret generator to determine the format of the SOPS-encrypted file
content, instead inspect the Secret key (when supplied separately from
the source file name) as a more reliable heuristic.
Doing so allows kustomization authors to name their SOPS-encrypted
output files with a ".json" extension accurately reflecting the format
in which SOPS writes its encrypted output, even if the encrypted
content itself is not in JSON format.
Signed-off-by: Steven E. Harris <seh@panix.com>
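The two behaviours described above (detecting SOPS-encrypted content in a Secret's base64-decoded values by marker bytes rather than assuming YAML or JSON, and deriving the decrypted output format from the secretGenerator key rather than the file name) are illustrated by the following added example. It is not code from the kustomize-controller or from these commits: the marker byte sequences are assumptions modelled on the `mac` entry of SOPS metadata in each store format, the extension-to-format table is this example's own, and the sample Secret is constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"path/filepath"
	"strings"
)

// Store format names, matching those SOPS uses for its stores.
const (
	FormatJSON   = "json"
	FormatYAML   = "yaml"
	FormatINI    = "ini"
	FormatDotenv = "dotenv"
	FormatBinary = "binary"
)

// markerBytes holds, per store format, the byte sequence that the "mac" entry
// of SOPS metadata produces in that format. Assumed for this example from the
// shape of SOPS output; the controller keeps its own table.
var markerBytes = map[string][]byte{
	FormatJSON:   []byte(`"mac": "ENC[`),
	FormatYAML:   []byte("mac: ENC["),
	FormatINI:    []byte("mac = ENC["),
	FormatDotenv: []byte("sops_mac=ENC["),
}

// DetectFormat reports whether raw (already base64-decoded) looks like a
// SOPS-encrypted document and, if so, in which store format it was written.
// A marker match is the only criterion; no format is assumed up front.
func DetectFormat(raw []byte) (string, bool) {
	for _, f := range []string{FormatJSON, FormatYAML, FormatINI, FormatDotenv} {
		if bytes.Contains(raw, markerBytes[f]) {
			return f, true
		}
	}
	return "", false
}

// DetectSecretData decodes every value of a Secret's data map (base64, as it
// is stored in the Kubernetes object) and returns the SOPS-encrypted keys.
func DetectSecretData(data map[string]string) (map[string]string, error) {
	found := map[string]string{}
	for key, encoded := range data {
		raw, err := base64.StdEncoding.DecodeString(encoded)
		if err != nil {
			return nil, fmt.Errorf("secret key %q: %w", key, err)
		}
		if f, ok := DetectFormat(raw); ok {
			found[key] = f
		}
	}
	return found, nil
}

// FormatForPath maps a file or key name's extension to a store format,
// falling back to binary for anything unrecognised.
func FormatForPath(name string) string {
	switch strings.ToLower(filepath.Ext(name)) {
	case ".json":
		return FormatJSON
	case ".yaml", ".yml":
		return FormatYAML
	case ".ini":
		return FormatINI
	case ".env":
		return FormatDotenv
	}
	return FormatBinary
}

// FormatForSource resolves the decrypted output format for a secretGenerator
// file source of the form "key=path" or "path". An explicit key wins over the
// file name, so "app.env=secrets/app.env.json" is treated as dotenv even
// though SOPS wrote the encrypted file itself as JSON.
func FormatForSource(source string) (key, format string) {
	parts := strings.SplitN(source, "=", 2)
	if len(parts) == 2 {
		return parts[0], FormatForPath(parts[0])
	}
	key = filepath.Base(source)
	return key, FormatForPath(key)
}

func main() {
	// Constructed Secret: one SOPS-encrypted YAML value and one plain value.
	encrypted := "db: ENC[AES256_GCM,data:xx,iv:yy,tag:zz,type:str]\nsops:\n    mac: ENC[AES256_GCM,data:mm,type:str]\n"
	secret := map[string]string{
		"config.yaml": base64.StdEncoding.EncodeToString([]byte(encrypted)),
		"readme.txt":  base64.StdEncoding.EncodeToString([]byte("not encrypted")),
	}
	found, _ := DetectSecretData(secret)
	fmt.Println("encrypted entries:", found)
	for _, src := range []string{"app.env=secrets/app.env.json", "secrets/app.json"} {
		key, format := FormatForSource(src)
		fmt.Printf("%s -> key %q, output format %s\n", src, key, format)
	}
}
```

Detection and format selection are deliberately separate: the marker check answers "is this value encrypted at all, and with which store", while the key heuristic answers "what should the decrypted output look like", which the encrypted file's extension cannot tell you once it is always written as JSON.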
Azure SDK dependencies cannot be updated, as this requires us to move to
Go 1.18.
- github.com/fluxcd/pkg/apis/kustomize to version 0.3.3
- github.com/fluxcd/pkg/apis/meta to version 0.12.2
- github.com/fluxcd/pkg/runtime to version 0.14.1
- github.com/fluxcd/pkg/ssa to version 0.15.2
- github.com/hashicorp/go-retryablehttp to version 0.7.1
- github.com/hashicorp/vault/api to version 1.5.0
- github.com/onsi/gomega to version 1.19.0
- golang.org/x/net to version 0.0.0-20220412020605-290c469a71a5
- sigs.k8s.io/cli-utils to version 0.29.4
Signed-off-by: Hidde Beydals <hello@hidde.co>
- github.com/fluxcd/pkg/apis/kustomize to v0.3.3
- github.com/fluxcd/pkg/apis/meta to v0.12.2
- k8s.io/apiextensions-apiserver to v0.23.5
- k8s.io/apimachinery to v0.23.5
- sigs.k8s.io/controller-runtime to v0.11.2
Signed-off-by: Hidde Beydals <hello@hidde.co>
- Refactored recursion while iterating over Kustomization files.
References of files that have been visited are cached, and not
visited again. In addition, symlinks are confirmed to not traverse
outside the working directory.
- Optimized various bits around (un)marshalling (encrypted) data, and
YAML -> JSON -> YAML roundtrips are prevented where not required.
- Added support for decrypting INI Kustomize EnvSource references using
the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
https://pkg.go.dev/sigs.k8s.io/kustomize@v1.0.2/pkg/types#DataSources
Signed-off-by: Hidde Beydals <hello@hidde.co>
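The visited-file cache and the symlink containment check mentioned in the first bullet above, as an added example rather than the controller's own code. The `Visitor` type, its methods and the temporary-directory layout that `Demo` builds (a regular file, a symlink inside the working directory and one pointing outside it) are all this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a referenced path, once every symlink in it
// is followed, lands outside the working directory.
var ErrOutsideRoot = errors.New("path resolves outside the working directory")

// Visitor remembers which files a recursive walk over Kustomization
// references has already handled, so cycles and repeat references terminate.
type Visitor struct {
	root    string          // absolute, symlink-resolved working directory
	visited map[string]bool // keyed by resolved absolute path
}

// NewVisitor resolves the root up front so containment compares resolved paths
// with a resolved root (matters when the root itself sits behind a symlink).
func NewVisitor(root string) (*Visitor, error) {
	abs, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return nil, err
	}
	return &Visitor{root: resolved, visited: map[string]bool{}}, nil
}

// Visit resolves p (relative paths are taken from the root) following every
// symlink in it, rejects it with ErrOutsideRoot if the result escapes the root
// (a path that cannot be expressed relative to the root counts as escaping),
// and reports whether the file is seen for the first time.
func (v *Visitor) Visit(p string) (first bool, err error) {
	if !filepath.IsAbs(p) {
		p = filepath.Join(v.root, p)
	}
	resolved, err := filepath.EvalSymlinks(p)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(v.root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false, ErrOutsideRoot
	}
	if v.visited[resolved] {
		return false, nil
	}
	v.visited[resolved] = true
	return true, nil
}

// Demo builds a constructed layout under a temporary directory (work/a.yaml,
// work/link.yaml -> a.yaml, work/escape.env -> ../outside/secret.env), visits
// a sequence of references and returns one summary line per reference.
func Demo() ([]string, error) {
	base, err := os.MkdirTemp("", "visitor-demo-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	work, outside := filepath.Join(base, "work"), filepath.Join(base, "outside")
	for _, step := range []func() error{
		func() error { return os.MkdirAll(work, 0o755) },
		func() error { return os.MkdirAll(outside, 0o755) },
		func() error { return os.WriteFile(filepath.Join(work, "a.yaml"), []byte("a: 1\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(outside, "secret.env"), []byte("TOKEN=x\n"), 0o644) },
		func() error { return os.Symlink(filepath.Join(work, "a.yaml"), filepath.Join(work, "link.yaml")) },
		func() error { return os.Symlink(filepath.Join(outside, "secret.env"), filepath.Join(work, "escape.env")) },
	} {
		if err := step(); err != nil {
			return nil, err
		}
	}
	v, err := NewVisitor(work)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, p := range []string{"a.yaml", "link.yaml", "a.yaml", "escape.env", "../outside/secret.env"} {
		first, err := v.Visit(p)
		out = append(out, fmt.Sprintf("%s: first=%v err=%v", p, first, err))
	}
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(out, "\n"))
}
```

The cache is keyed by the resolved path, not the path as written, so `link.yaml` counts as a repeat visit of `a.yaml` rather than a new file; and because the check runs after `EvalSymlinks`, a symlink placed inside the working directory that points out of it is rejected the same way a literal `../` reference is.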
This adds a new Token type which can be used to configure an
azcore.TokenCredential on a master key. Due to this introduction, the
server only has to go through the AADConfig once.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new ParsedIdentities type which can be used to parse a set
of age identities just once, instead of parsing them for every Decrypt
request.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new GnuPGHome type which can be used to create a new
contained GnuPG home directory. The type is self-validating, ensuring
it adheres to e.g. permission rules set out by GnuPG, and allows for
importing keys from armored bytes and files.
Because of this introduction, the decryptor service no longer has to
write data from a Secret to a temporary file, but is instead able to
directly import them into the keyring from the Secret entry's bytes.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This revises the PGP keysource implementation, removing bits of code
that were not actually in use, or not viable in combination with how we
work with keys. In short:
- The crypto/openpgp implementation has been removed, as it is unable to
read the keystore created by newer versions of GnuPG. Given we import
user-provided keys _with_ GnuPG, this was basically dead code.
- All capabilities around fetching public keys from a server have been
removed.
- "Jailing" of the GnuPG shell-out is now handled in `gpgExec`. In
addition, arguments for encrypt and decrypt execs have been revised to
ensure they e.g. do not instruct to use the agent.
Signed-off-by: Hidde Beydals <hello@hidde.co>
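The self-validating GnuPG home directory from the `GnuPGHome` commit above and the confined ("jailed") shell-out from the keysource revision are shown together in the following added example. It is not the controller's or SOPS's code: only the type name comes from the commit message; the validation rules, the `gpg` flag set (`--homedir`, `--batch`, `--no-tty`, `--quiet`, all real GnuPG options) and the environment allow-list are this example's own choices, and a real `gpg` binary is only needed when `Import` is actually called.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"os/exec"
)

// GnuPGHome is the path of a private, self-contained GnuPG home directory.
// The type name follows the commit; the methods are this example's own.
type GnuPGHome string

// NewGnuPGHome creates a fresh temporary home with mode 0700, the permission
// GnuPG expects for its home directory.
func NewGnuPGHome() (GnuPGHome, error) {
	dir, err := os.MkdirTemp("", "gnupg-home-")
	if err != nil {
		return "", err
	}
	if err := os.Chmod(dir, 0o700); err != nil {
		os.RemoveAll(dir)
		return "", err
	}
	return GnuPGHome(dir), nil
}

// Validate checks that the home is a real directory (not a symlink) that is
// inaccessible to group and others, which is the condition behind GnuPG's
// own "unsafe permissions" warning.
func (h GnuPGHome) Validate() error {
	if h == "" {
		return errors.New("GnuPG home path is empty")
	}
	info, err := os.Lstat(string(h))
	if err != nil {
		return err
	}
	if info.Mode()&fs.ModeSymlink != 0 {
		return fmt.Errorf("GnuPG home %q must not be a symlink", string(h))
	}
	if !info.IsDir() {
		return fmt.Errorf("GnuPG home %q is not a directory", string(h))
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("GnuPG home %q has unsafe permissions %#o, want 0700", string(h), perm)
	}
	return nil
}

// Command builds a gpg invocation confined to this home: the home directory is
// passed explicitly, the process runs non-interactively, and the environment is
// cut down to an allow-list so the caller's own GnuPG configuration and agent
// settings cannot leak in. The flag set is this example's choice, not gpgExec's.
func (h GnuPGHome) Command(args ...string) (*exec.Cmd, error) {
	if err := h.Validate(); err != nil {
		return nil, err
	}
	base := []string{"--homedir", string(h), "--batch", "--no-tty", "--quiet"}
	cmd := exec.Command("gpg", append(base, args...)...)
	cmd.Env = []string{"PATH=" + os.Getenv("PATH"), "HOME=" + string(h), "GNUPGHOME=" + string(h), "LC_ALL=C"}
	return cmd, nil
}

// Import feeds armored key material to gpg over stdin, so a key read from a
// Secret never has to be written to a temporary file first.
func (h GnuPGHome) Import(armored []byte) error {
	cmd, err := h.Command("--import")
	if err != nil {
		return err
	}
	cmd.Stdin = bytes.NewReader(armored)
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("gpg --import: %w: %s", err, bytes.TrimSpace(out))
	}
	return nil
}

// ImportFile imports an armored key stored on disk through the same path.
func (h GnuPGHome) ImportFile(path string) error {
	b, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return h.Import(b)
}

// Remove deletes the home directory together with every key it holds.
func (h GnuPGHome) Remove() error { return os.RemoveAll(string(h)) }

func main() {
	h, err := NewGnuPGHome()
	fmt.Println("home:", string(h), "err:", err, "valid:", h.Validate() == nil)
	h.Remove()
}
```

Every `gpg` invocation goes through `Command`, which re-runs `Validate` first; a home whose permissions were loosened after creation is therefore refused before any key material is handed to the binary, and the scrubbed environment means neither `GNUPGHOME` nor a `HOME`-derived `~/.gnupg` of the calling process can redirect the operation.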