Rather than inspecting the source file name supplied to kustomize's
Secret generator to determine the format of the SOPS-encrypted file
content, instead inspect the Secret key (when supplied separately from
the source file name) as a more reliable heuristic.
Doing so allows kustomization authors to name their SOPS-encrypted
output files with a ".json" extension accurately reflecting the format
in which SOPS writes its encrypted output, even if the encrypted
content itself is not in JSON format.
Signed-off-by: Steven E. Harris <seh@panix.com>
- Refactored recursion while iterating over Kustomization files.
References of files that have been visited are cached, and not
visited again. In addition, symlinks are confirmed to not traverse
outside the working directory.
- Optimized various bits around (un)marshalling (encrypted) data, and
YAML -> JSON -> YAML roundtrips are prevented where not required.
- Added support for decrypting INI Kustomize EnvSource references using
the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
https://pkg.go.dev/sigs.k8s.io/kustomize@v1.0.2/pkg/types#DataSources
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new Token type which can be used to configure an
azcore.TokenCredential on a master key. Due to this introduction, the
server only has to go through the AADConfig once.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new ParsedIdentities type which can be used to parse a set
of age identities just once, instead of parsing them for every Decrypt
request.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new GnuPGHome type which can be used to create a new
contained GnuPG home directory. The type is self-validating, ensuring
it adheres to e.g. permission rules set out by GnuPG, and allows for
importing keys from armored bytes and files.
Because of this introduction, the decryptor service no longer has to
write data from a Secret to a temporary file, but is instead able to
directly import them into the keyring from the Secret entry's bytes.
Signed-off-by: Hidde Beydals <hello@hidde.co>
The original keyservice implementation was forked from SOPS, keeping
the prompt capabilities intact. However, since the implementations have
started to grow, it is better to remove this capability and resort to
a hardcoded `false` default for the fallback server. As the controller
is never expected to have an interactive TTY/shell.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Two new flags were added to allow users to enable the
use of user.Exec and InsecureTLS in the kubeconfigs
provided remote apply reconciliations.
Breaking change: both functionalities are no longer
enabled by default.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
This solves a regression bug introduced in `v0.22.0`, which caused the
keyservice to not properly fall back to the default for Azure Key Vault
decryption requests.
A couple of nitpicks that I ran into while inspecting the code have
been adressed as well.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This to facilitate improvements on the notification-controller side,
where annotations prefixed with the FQDN of the Group of the Involved
Object will be transformed into "fields".
Signed-off-by: Hidde Beydals <hello@hidde.co>
This includes an update of the source-controller to v0.22.0, to pull in
the v1beta2 API which makes use of the same packages.
Co-authored-by: Sunny <darkowlzz@protonmail.com>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This includes a refactor of the other entries, to start moving guides
to the website while containing minimal technical (instructions)
in-spec.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates to the `github.com/Azure/azure-sdk-for-go` SDK, which is
the (apparent) successor of the previous SDK, and allows for easier
configuration of credentials through the `azidentity` package.
Signed-off-by: Hidde Beydals <hello@hidde.co>
- Ensure key source follows upstream SOPS contracts as closely as
possible (e.g. `MasterKey` interface).
- Prevent unnecesary FS operations by allowing token creation and
and authorizer configuration to be factored from file bytes.
- Ensure a limited number of configuration option is taken into
account, excluding e.g. file path references.
- Ensure server maintains backwards compatibility with previously
supported "global" Azure configuration, _without_ relying on file
assumptions and/or inspections (but rather, server configurations).
Signed-off-by: Hidde Beydals <hello@hidde.co>
Introduce an annotation that configures kustomize-controller to co-manage objects applied with kubectl.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
In a Kustomization's post-build substitution sources, introduce a new
"Optional" field to allow referencing a Kubernetes ConfigMap or Secret
that may not exist at time of reconciliation. Treat substitution when
the referenced object is missing as if the object had been present but
empty, lacking any variable bindings.
Retain the longstanding behavior of interpreting references to
Kubernetes objects being mandatory by default, such that
reconciliation fails if such a referenced object does not exist. Only
when the "Optional" field is set to true will reconciliation tolerate
finding the referenced object to be missing.
Signed-off-by: Steven E. Harris <seh@panix.com>
When the Docker service isn't running, the test suite can't create a
Vault instance. Trap this failure earlier in the test program to
preclude panicking after tests relying on Vault have failed.
Signed-off-by: Steven E. Harris <seh@panix.com>
If the service account used for impersonation has been deleted, skip pruning, log the error and continue with finalization to allow tenants removals from clusters.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resources reconciliation.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Introduce the flag `--no-cross-namespace-refs` (defaults to false) for allowing cluster admins to disable cross-namespace references to sources.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Validate that the resources built with kustomize conform to the Kubernetes API conventions before passing them to the server-side apply engine.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
If implemented, the kustomize controller will be able to retrieve a
secret containing a VAULT TOKEN and use it to decrypt the sops encrypted
master key. It will then use it to decrypt the data key and finally use the data
key to decrypt the final data.
Signed-off-by: Soule BA <bah.soule@gmail.com>
Structure the fuzz implementation to be closer to what go native will support.
Add Makefile target to enable smoketesting fuzzers.
Add smoketest as CI workflow.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan
Steven E. Harris
Hidde Beydals
Sanskar Jaiswal
York Chen
Hidde Beydals
Paulo Gomes
David Quagebeur
harshi1122
Soule BA
Kingdon Barrett
Florian Fl Bauer
Aurel Canciu
Somtochi Onyekwere