This adds a SOPS GCP KMS key source which makes use of the latest GCP
client, and supports both injection of master key credentials and a
default client making use of environmental runtime values.
The implementation fully replaces SOPS', and is covered with
compatability tests.
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
This checks the base64 decoded bytes from a Secret field for any of the
marker bytes, thereby allowing data to be encrypted into any format.
Instead of the previous behavior which assumed it to either be YAML or
JSON.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This ensures the Secret field gets formatted back into JSON, instead of
it being detected as binary output.
Signed-off-by: Hidde Beydals <hello@hidde.co>
- Refactored recursion while iterating over Kustomization files.
References of files that have been visited are cached, and not
visited again. In addition, symlinks are confirmed to not traverse
outside the working directory.
- Optimized various bits around (un)marshalling (encrypted) data, and
YAML -> JSON -> YAML roundtrips are prevented where not required.
- Added support for decrypting INI Kustomize EnvSource references using
the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
https://pkg.go.dev/sigs.k8s.io/kustomize@v1.0.2/pkg/types#DataSources
Signed-off-by: Hidde Beydals <hello@hidde.co>
This includes an update of the source-controller to v0.22.0, to pull in
the v1beta2 API which makes use of the same packages.
Co-authored-by: Sunny <darkowlzz@protonmail.com>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Validate that the resources built with kustomize conform to the Kubernetes API conventions before passing them to the server-side apply engine.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If implemented, the kustomize controller will be able to retrieve a
secret containing a VAULT TOKEN and use it to decrypt the sops encrypted
master key. It will then use it to decrypt the data key and finally use the data
key to decrypt the final data.
Signed-off-by: Soule BA <bah.soule@gmail.com>
After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies first custom resource definitions (CRDs) and namespaces, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`, defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events for only the resources that where created, configured or deleted.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan
Somtochi Onyekwere
Sanskar Jaiswal
Hidde Beydals
Nick Stogner
Hidde Beydals
Steven E. Harris
Soule BA
Rishabh Bohra