Documentation
Index
- Constants
- func IsEncryptedSecret(object *unstructured.Unstructured) bool
- func IsOfflineMethod(mk keys.MasterKey) bool
- type Decryptor
- func (d *Decryptor) AddKeyServiceClient(s keyservice.KeyServiceClient)
- func (d *Decryptor) AddLocalKeyService()
- func (d *Decryptor) DecryptEnvSources(path string) error
- func (d *Decryptor) DecryptResource(res *resource.Resource) (*resource.Resource, error)
- func (d *Decryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) (_ []byte, err error)
Constants
const (
	// MaxEncryptedFileSize is the max allowed file size in bytes of an encrypted
	// file.
	MaxEncryptedFileSize int64 = 5 << 20
)
Variables
This section is empty.
Functions
func IsEncryptedSecret
func IsEncryptedSecret(object *unstructured.Unstructured) bool
IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted with Mozilla SOPS.
func IsOfflineMethod
IsOfflineMethod returns true for offline decrypt methods, or false otherwise.
Types
type Decryptor
type Decryptor struct {
// contains filtered or unexported fields
}
Decryptor performs decryption operations for a kluctlv1.KluctlDeployment. The only supported decryption provider at present is DecryptionProviderSOPS.
func NewDecryptor
NewDecryptor creates a new Decryptor for the given kluctlDeployment. gnuPGHome can be empty, in which case the system's keyring is used.
func (*Decryptor) AddKeyServiceClient
func (d *Decryptor) AddKeyServiceClient(s keyservice.KeyServiceClient)
func (*Decryptor) AddLocalKeyService
func (d *Decryptor) AddLocalKeyService()
func (*Decryptor) DecryptEnvSources
DecryptEnvSources attempts to decrypt all types.SecretArgs FileSources and EnvSources referred to by the Kustomization file in the directory at the provided path, before walking recursively over all other resources that file refers to. It ignores resource references that point to absolute or relative paths outside the working directory of the decryptor, but returns any decryption error.
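The containment rule described for DecryptEnvSources, together with the MaxEncryptedFileSize cap, sketched as an added standard-library example; it is not kluctl's own code. The helper names withinRoot and readCapped and the sample paths are hypothetical.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// maxEncryptedFileSize mirrors the documented MaxEncryptedFileSize (5 MiB).
const maxEncryptedFileSize int64 = 5 << 20

// withinRoot (hypothetical helper) resolves ref against root and reports
// whether the result stays inside root. Symlinks are not resolved here.
func withinRoot(root, ref string) (string, bool) {
	if filepath.IsAbs(ref) {
		return "", false
	}
	abs := filepath.Join(root, ref) // Join also cleans ".." segments
	rel, err := filepath.Rel(root, abs)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return abs, true
}

// readCapped (hypothetical helper) reads at most limit bytes and fails if
// the file is larger, so an oversized file is never fully buffered.
func readCapped(path string, limit int64) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	data, err := io.ReadAll(io.LimitReader(f, limit+1))
	if err == nil && int64(len(data)) > limit {
		return nil, fmt.Errorf("%s exceeds %d bytes", path, limit)
	}
	return data, err
}

func main() {
	root := "/work/deploy" // constructed sample paths
	for _, ref := range []string{"secrets/db.env", "../other/db.env", "/tmp/db.env", "a/../../x"} {
		_, ok := withinRoot(root, ref)
		fmt.Printf("%-16s inside=%v (cap %d bytes)\n", ref, ok, maxEncryptedFileSize)
	}
}
```

Comparing the cleaned relative path, rather than a raw string prefix of the joined path, keeps a sibling directory such as /work/deploy-other from passing as inside /work/deploy.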
func (*Decryptor) DecryptResource
DecryptResource attempts to decrypt the provided resource, overwriting the resource with the decrypted data. It has special support for Kubernetes Secrets with encrypted data entries while decrypting with DecryptionProviderSOPS, to allow individual data entries injected by e.g. a Kustomize secret generator to be decrypted.
func (*Decryptor) SopsDecryptWithFormat
func (d *Decryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) (_ []byte, err error)
SopsDecryptWithFormat attempts to load a SOPS encrypted file using the store for the input format, gathers the data key for it from the key service, and then decrypts the file data with the retrieved data key. It returns the decrypted bytes in the provided output format, or an error.