As the forked code has been contributed upstream in a modified format.
We continue to inject our own default credentials in the key server if
none are provided by the Kustomization, to ensure we do not shell out
to `az`.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This updates `go.mozilla.org/sops/v3` to the `v3.8.0-rc.1` release of
`github.com/getsops/sops/v3`.
This (finally) allows us to drop our forked key sources, as they have
now been contributed upstream in a slightly modified form which still
allows us to maintain control over the used credentials in isolation.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This adds a SOPS GCP KMS key source which makes use of the latest GCP
client, and supports both injection of master key credentials and a
default client making use of environmental runtime values.
The implementation fully replaces SOPS', and is covered with
compatibility tests.
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
This relicenses all of our SOPS implementation code to MPL 2.0, where
Apache 2.0 was previously used due to code being written from scratch.
By making this license change, we are better capable of contributing
the changes upstream.
In case there is doubt about the validity of DCO sign-off to make such
changes: all code where the Apache 2.0 license applies was authored by
myself. In addition, Apache 2.0 is compatible with MPL 2.0[1][2].
[1]: https://opensource.com/law/11/9/mpl-20-copyleft-and-license-compatibility
[2]: https://blog.gerv.net/2013/02/relicensing-when-do-you-have-to-ask/
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new Token type which can be used to configure an
azcore.TokenCredential on a master key. Due to this introduction, the
server only has to go through the AADConfig once.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new ParsedIdentities type which can be used to parse a set
of age identities just once, instead of parsing them for every Decrypt
request.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This adds a new GnuPGHome type which can be used to create a new
contained GnuPG home directory. The type is self-validating, ensuring
it adheres to e.g. permission rules set out by GnuPG, and allows for
importing keys from armored bytes and files.
Because of this introduction, the decryptor service no longer has to
write data from a Secret to a temporary file, but is instead able to
directly import them into the keyring from the Secret entry's bytes.
Signed-off-by: Hidde Beydals <hello@hidde.co>
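An illustrative Go sketch of the pattern the commit above describes, a contained and self-validating GnuPG home that imports armored key bytes without writing a temporary file. This is an added example, not the project's own code: the type name GnuPGHome comes from the commit message, while NewGnuPGHome, Validate and ImportBytes are assumed names, and ImportBytes expects a `gpg` binary on PATH.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
)

// GnuPGHome is a contained GnuPG home directory (an added example, not the project's own type).
type GnuPGHome string

// NewGnuPGHome creates a private home so imported keys never touch the real
// ~/.gnupg; the explicit Chmod makes the 0700 mode independent of the umask.
func NewGnuPGHome() (GnuPGHome, error) {
	dir, err := os.MkdirTemp("", "sops-gnupg-")
	if err != nil {
		return "", err
	}
	return GnuPGHome(dir), os.Chmod(dir, 0o700)
}

// Validate rejects a missing, non-directory, or group/other-accessible home (GnuPG calls that unsafe).
func (h GnuPGHome) Validate() error {
	fi, err := os.Stat(string(h))
	if err != nil {
		return err
	}
	if !fi.IsDir() || fi.Mode().Perm() != 0o700 {
		return fmt.Errorf("%s must be a directory with mode 0700, got %v", h, fi.Mode())
	}
	return nil
}

// ImportBytes pipes an armored key block from memory into `gpg --import` for this home; no temp file is written.
func (h GnuPGHome) ImportBytes(armored []byte) error {
	if err := h.Validate(); err != nil {
		return err
	}
	if !bytes.HasPrefix(bytes.TrimSpace(armored), []byte("-----BEGIN PGP")) {
		return fmt.Errorf("key material is not ASCII-armored")
	}
	cmd := exec.Command("gpg", "--batch", "--import")
	cmd.Env = append(os.Environ(), "GNUPGHOME="+string(h))
	cmd.Stdin = bytes.NewReader(armored)
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("gpg import failed: %w: %s", err, out)
	}
	return nil
}
```

Remove the directory with `os.RemoveAll` once decryption is done, so the imported private key does not outlive the request.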