decryptor

package v1.2.2
Published: Feb 2, 2024 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Constants

const (
	// DecryptionProviderSOPS is the SOPS provider name.
	DecryptionProviderSOPS = "sops"
	// DecryptionPGPExt is the extension of the file containing an armored PGP
	// key.
	DecryptionPGPExt = ".asc"
	// DecryptionAgeExt is the extension of the file containing an age key
	// file.
	DecryptionAgeExt = ".agekey"
	// DecryptionVaultTokenFileName is the name of the file containing the
	// Hashicorp Vault token.
	DecryptionVaultTokenFileName = "sops.vault-token"
	// DecryptionAWSKmsFile is the name of the file containing the AWS KMS
	// credentials.
	DecryptionAWSKmsFile = "sops.aws-kms"
	// DecryptionAzureAuthFile is the name of the file containing the Azure
	// credentials.
	DecryptionAzureAuthFile = "sops.azure-kv"
	// DecryptionGCPCredsFile is the name of the file containing the GCP
	// credentials.
	DecryptionGCPCredsFile = "sops.gcp-kms"
)

Variables

This section is empty.

Functions

func IsEncryptedSecret

func IsEncryptedSecret(object *unstructured.Unstructured) bool

IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted with Mozilla SOPS.

Types

type Decryptor

type Decryptor struct {
	// contains filtered or unexported fields
}

Decryptor performs decryption operations for a v1.Kustomization. The only supported decryption provider at present is DecryptionProviderSOPS.

func NewDecryptor

func NewDecryptor(root string, client client.Client, kustomization *kustomizev1.Kustomization, maxFileSize int64, gnuPGHome string) *Decryptor

NewDecryptor creates a new Decryptor for the given kustomization. gnuPGHome can be empty, in which case the system's keyring is used.

func NewTempDecryptor

func NewTempDecryptor(root string, client client.Client, kustomization *kustomizev1.Kustomization) (*Decryptor, func(), error)

NewTempDecryptor creates a new Decryptor, with a temporary GnuPG home directory to Decryptor.ImportKeys() into.

func (*Decryptor) DecryptEnvSources

func (d *Decryptor) DecryptEnvSources(path string) error

DecryptEnvSources attempts to decrypt all types.SecretArgs FileSources and EnvSources referenced by the Kustomization file in the directory at the provided path, and then walks recursively over all other resources that file refers to. Resource references that point to absolute or relative paths outside the decryptor's working directory are ignored, but any decryption error is returned.
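The containment rule above (follow only references that resolve inside the decryptor's working directory) is the part of DecryptEnvSources a reviewer most wants to see spelled out. The following is an added example, not code from kustomize-controller: `withinRoot` and `filterRefs` are hypothetical helper names, the root `/work`, base `/work/apps` and the reference list are constructed, and the check is purely lexical (it cleans and compares paths but does not follow symlinks).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// withinRoot reports whether ref, resolved against base (the directory of the
// Kustomization file currently being walked), lands inside root (the
// decryptor's working directory). Absolute references are resolved as given.
// Hypothetical helper for this example; the check is lexical only.
func withinRoot(root, base, ref string) bool {
	rootAbs, err := filepath.Abs(root)
	if err != nil {
		return false
	}
	target := ref
	if !filepath.IsAbs(ref) {
		target = filepath.Join(base, ref) // Join cleans the result, collapsing ".."
	}
	target, err = filepath.Abs(target)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(rootAbs, target)
	if err != nil {
		return false
	}
	// A relative path that starts with ".." escapes the root. A name such as
	// "..secrets" is an ordinary entry inside the root, so match on the separator.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// filterRefs splits a Kustomization's resource references into those a walker
// may follow and those it must ignore.
func filterRefs(root, base string, refs []string) (kept, ignored []string) {
	for _, ref := range refs {
		if withinRoot(root, base, ref) {
			kept = append(kept, ref)
		} else {
			ignored = append(ignored, ref)
		}
	}
	return kept, ignored
}

func main() {
	// Constructed sample: a kustomization under /work/apps referring to files
	// inside and outside the working directory /work.
	refs := []string{
		"secret.enc.yaml",
		"../base/secret.enc.yaml",
		"..secrets/extra.yaml",
		"../../etc/passwd",
		"/etc/passwd",
	}
	kept, ignored := filterRefs("/work", "/work/apps", refs)
	fmt.Println("followed:", kept)
	fmt.Println("ignored: ", ignored)
}
```

In a real walker the reference is resolved on disk, so a production version should also run `filepath.EvalSymlinks` on the target before the comparison; otherwise a symlink inside the root can still point outside it.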

func (*Decryptor) DecryptResource

func (d *Decryptor) DecryptResource(res *resource.Resource) (*resource.Resource, error)

DecryptResource attempts to decrypt the provided resource with the decryption provider specified on the Kustomization, overwriting the resource with the decrypted data. It has special support for Kubernetes Secrets with encrypted data entries while decrypting with DecryptionProviderSOPS, so that individual data entries injected by e.g. a Kustomize secret generator can be decrypted.
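Both IsEncryptedSecret above and the per-entry handling described for DecryptResource hinge on two properties of SOPS output: a file encrypted by SOPS carries its metadata under a top-level `sops` key, and each encrypted value is an envelope of the form `ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<str|int|float|bool>]`. The code below is an added example, not kustomize-controller's implementation: `isEncryptedSecret`, `parseEnvelope` and `classifyEntries` are hypothetical helpers operating on a plain map with the shape of `unstructured.Unstructured.Object`, and `sampleSecret` is constructed with placeholder base64 values.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// A SOPS-encrypted value looks like
//   ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<str|int|float|bool>]
// The data, IV and GCM tag are base64 and therefore contain no commas.
var envelopeRe = regexp.MustCompile(`^ENC\[AES256_GCM,data:([^,]*),iv:([^,]*),tag:([^,]*),type:([^\]]+)\]$`)

// envelope holds the parsed components of one encrypted value.
type envelope struct {
	Data, IV, Tag, Type string
}

// parseEnvelope returns the envelope fields and true when v is a SOPS-encrypted value.
func parseEnvelope(v string) (envelope, bool) {
	m := envelopeRe.FindStringSubmatch(v)
	if m == nil {
		return envelope{}, false
	}
	return envelope{Data: m[1], IV: m[2], Tag: m[3], Type: m[4]}, true
}

// isEncryptedSecret mirrors the contract the page states for IsEncryptedSecret:
// the object must be a core/v1 Secret and carry SOPS's top-level "sops"
// metadata block. Hypothetical helper; obj has the shape of
// unstructured.Unstructured.Object.
func isEncryptedSecret(obj map[string]interface{}) bool {
	if obj["apiVersion"] != "v1" || obj["kind"] != "Secret" {
		return false
	}
	_, hasSops := obj["sops"]
	return hasSops
}

// classifyEntries walks data and stringData and reports which entries are SOPS
// envelopes (the ones a per-entry decryption has to handle) and which are
// plaintext, e.g. injected by a secret generator. Keys are "<section>/<name>".
func classifyEntries(obj map[string]interface{}) (encrypted, plain []string) {
	for _, section := range []string{"data", "stringData"} {
		entries, _ := obj[section].(map[string]interface{})
		for name, raw := range entries {
			key := section + "/" + name
			value, _ := raw.(string)
			if _, ok := parseEnvelope(value); ok {
				encrypted = append(encrypted, key)
			} else {
				plain = append(plain, key)
			}
		}
	}
	sort.Strings(encrypted)
	sort.Strings(plain)
	return encrypted, plain
}

// sampleSecret is a constructed object: one entry encrypted, one injected in
// plaintext, plus a constructed "sops" block whose values are placeholders.
var sampleSecret = map[string]interface{}{
	"apiVersion": "v1",
	"kind":       "Secret",
	"metadata":   map[string]interface{}{"name": "db-creds"},
	"data": map[string]interface{}{
		"password": "ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXYtcGxhY2Vob2xkZXI=,tag:dGFnLXBsYWNlaG9sZGVy,type:str]",
		"username": "YWRtaW4=",
	},
	"sops": map[string]interface{}{
		"mac":             "ENC[AES256_GCM,data:bWFjLXBsYWNlaG9sZGVy,iv:aXY=,tag:dGFn,type:str]",
		"encrypted_regex": "^(data|stringData)$",
	},
}

func main() {
	fmt.Println("SOPS-encrypted Secret:", isEncryptedSecret(sampleSecret))
	enc, plain := classifyEntries(sampleSecret)
	fmt.Println("encrypted entries:", enc)
	fmt.Println("plaintext entries:", plain)
	password := sampleSecret["data"].(map[string]interface{})["password"].(string)
	if env, ok := parseEnvelope(password); ok {
		fmt.Printf("password envelope: type=%s iv=%s tag=%s\n", env.Type, env.IV, env.Tag)
	}
}
```

The split that `classifyEntries` produces is exactly what makes the mixed case awkward: a Secret assembled by a generator can hold both envelopes and plaintext entries, so a decryptor that treats the whole object as one SOPS document would fail the MAC check, which is why per-entry handling is needed.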

func (*Decryptor) ImportKeys

func (d *Decryptor) ImportKeys(ctx context.Context) error

ImportKeys imports the DecryptionProviderSOPS keys from the data values of the Secret referenced in the Kustomization's v1.Decryption spec. It returns an error if the Secret cannot be retrieved, or if one of the imports fails. Imports do not have an effect after the first call to SopsDecryptWithFormat(), which initializes and caches SOPS' (local) key service server. For the import of PGP keys, the Decryptor must be configured with an absolute GnuPG home directory path.

func (*Decryptor) SopsDecryptWithFormat

func (d *Decryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) (_ []byte, err error)

SopsDecryptWithFormat attempts to load a SOPS encrypted file using the store for the input format, gathers the data key for it from the key service, and then decrypts the file data with the retrieved data key. It returns the decrypted bytes in the provided output format, or an error.
