From 49770ea4cc576d1d8c30f864f6619fc449580c8c Mon Sep 17 00:00:00 2001 From: Yuriy Date: Tue, 12 Nov 2024 10:58:40 +0200 Subject: [PATCH] Added decryption of patches and components. Cleaned SOPS tests. 
Signed-off-by: Yuriy --- docs/spec/v1/kustomizations.md | 10 +- .../controller/kustomization_controller.go | 4 +- .../kustomization_decryptor_test.go | 109 ++++++------------ .../controller/kustomization_fuzzer_test.go | 8 +- internal/controller/testdata/sops/.sops.yaml | 37 ++++-- .../testdata/sops/algorithms/age.yaml | 26 +++++ .../sops/algorithms/kustomization.yaml | 7 ++ .../testdata/sops/algorithms/pgp.yaml | 37 ++++++ .../testdata/sops/algorithms/vault.yaml | 6 + .../testdata/sops/component/env.env | 7 ++ .../component/kustomization.yaml | 8 +- internal/controller/testdata/sops/day.txt | 1 - .../testdata/sops/day.txt.encrypted | 20 ---- .../controller/testdata/sops/envs/env.env | 7 ++ .../bases => sops/envs}/kustomization.yaml | 13 ++- .../controller/testdata/sops/files/file.txt | 20 ++++ .../sops/{month => files}/kustomization.yaml | 19 ++- .../testdata/sops/inside/kustomization.yaml | 5 + .../testdata/sops/inside/secret.yaml | 6 + .../testdata/sops/{ => keys}/age.txt | 0 .../testdata/sops/{ => keys}/pgp.asc | 0 .../testdata/sops/kustomization.yaml | 12 ++ .../controller/testdata/sops/month/month.yaml | 32 ----- .../testdata/sops/month/unencrypted-year.env | 1 - .../controller/testdata/sops/month/year.env | 7 -- .../patches}/kustomization.yaml | 16 +-- .../testdata/sops/patches/merge1.yaml | 26 +++++ .../testdata/sops/patches/merge2.yaml | 26 +++++ .../controller/testdata/sops/remote/env.env | 7 ++ .../testdata/sops/remote/kustomization.yaml | 24 ++++ .../controller/testdata/sops/secret.age.yaml | 26 ----- .../controller/testdata/sops/secret.day.yaml | 7 -- .../testdata/sops/secret.vault.yaml | 8 -- internal/controller/testdata/sops/secret.yaml | 37 ------ .../test-dotenv/bases/secrets/year2.txt | 7 -- .../test-dotenv/overlays/component/year3.env | 7 -- .../testdata/test-dotenv/overlays/year1.env | 7 -- internal/decryptor/decryptor.go | 29 +++-- internal/decryptor/decryptor_test.go | 4 +- 39 files changed, 346 insertions(+), 287 deletions(-) create mode 
100644 internal/controller/testdata/sops/algorithms/age.yaml create mode 100644 internal/controller/testdata/sops/algorithms/kustomization.yaml create mode 100644 internal/controller/testdata/sops/algorithms/pgp.yaml create mode 100644 internal/controller/testdata/sops/algorithms/vault.yaml create mode 100644 internal/controller/testdata/sops/component/env.env rename internal/controller/testdata/{test-dotenv/overlays => sops}/component/kustomization.yaml (77%) delete mode 100644 internal/controller/testdata/sops/day.txt delete mode 100644 internal/controller/testdata/sops/day.txt.encrypted create mode 100644 internal/controller/testdata/sops/envs/env.env rename internal/controller/testdata/{test-dotenv/bases => sops/envs}/kustomization.yaml (53%) create mode 100644 internal/controller/testdata/sops/files/file.txt rename internal/controller/testdata/sops/{month => files}/kustomization.yaml (50%) create mode 100644 internal/controller/testdata/sops/inside/kustomization.yaml create mode 100644 internal/controller/testdata/sops/inside/secret.yaml rename internal/controller/testdata/sops/{ => keys}/age.txt (100%) rename internal/controller/testdata/sops/{ => keys}/pgp.asc (100%) create mode 100644 internal/controller/testdata/sops/kustomization.yaml delete mode 100644 internal/controller/testdata/sops/month/month.yaml delete mode 100644 internal/controller/testdata/sops/month/unencrypted-year.env delete mode 100644 internal/controller/testdata/sops/month/year.env rename internal/controller/testdata/{test-dotenv/overlays => sops/patches}/kustomization.yaml (51%) create mode 100644 internal/controller/testdata/sops/patches/merge1.yaml create mode 100644 internal/controller/testdata/sops/patches/merge2.yaml create mode 100644 internal/controller/testdata/sops/remote/env.env create mode 100644 internal/controller/testdata/sops/remote/kustomization.yaml delete mode 100644 internal/controller/testdata/sops/secret.age.yaml delete mode 100644 
internal/controller/testdata/sops/secret.day.yaml delete mode 100644 internal/controller/testdata/sops/secret.vault.yaml delete mode 100644 internal/controller/testdata/sops/secret.yaml delete mode 100644 internal/controller/testdata/test-dotenv/bases/secrets/year2.txt delete mode 100644 internal/controller/testdata/test-dotenv/overlays/component/year3.env delete mode 100644 internal/controller/testdata/test-dotenv/overlays/year1.env diff --git a/docs/spec/v1/kustomizations.md b/docs/spec/v1/kustomizations.md index 5ba55c44..554e6f0f 100644 --- a/docs/spec/v1/kustomizations.md +++ b/docs/spec/v1/kustomizations.md @@ -725,7 +725,7 @@ For more information, see [remote clusters/Cluster-API](#remote-clusterscluster- ### Decryption `.spec.decryption` is an optional field to specify the configuration to decrypt -Secrets that are a part of the Kustomization. +Secrets, ConfigMaps and patches that are a part of the Kustomization. Since Secrets are either plain text or `base64` encoded, it's unsafe to store them in plain text in a public or private Git repository. In order to store @@ -734,9 +734,11 @@ encrypt your Kubernetes Secret data with [age](https://age-encryption.org/v1/) and/or [OpenPGP](https://www.openpgp.org) keys, or with provider implementations like Azure Key Vault, GCP KMS or Hashicorp Vault. -**Note:** You should encrypt only the `data/stringData` section of the Kubernetes -Secret, encrypting the `metadata`, `kind` or `apiVersion` fields is not supported. -An easy way to do this is by appending `--encrypted-regex '^(data|stringData)$'` +Also, you may want to encrypt some parts of resources as well. In order to do that, +you may encrypt patches as well. + +**Note:** You must leave `metadata`, `kind` or `apiVersion` in plain text. +An easy way to do this is to limit encrypted keys by appending `--encrypted-regex '^(data|stringData)$'` to your `sops --encrypt` command. It has two fields: 
diff --git a/internal/controller/kustomization_controller.go b/internal/controller/kustomization_controller.go
index 9a99bcc1..8072ee16 100644
--- a/internal/controller/kustomization_controller.go
+++ b/internal/controller/kustomization_controller.go
@@ -599,8 +599,8 @@ func (r *KustomizationReconciler) build(ctx context.Context,
 }
 // Decrypt Kustomize EnvSources files before build
- if err = dec.DecryptEnvSources(dirPath); err != nil {
- return nil, fmt.Errorf("error decrypting env sources: %w", err)
+ if err = dec.DecryptSources(dirPath); err != nil {
+ return nil, fmt.Errorf("error decrypting sources: %w", err)
 }
 m, err := generator.SecureBuild(workDir, dirPath, !r.NoRemoteBases)
diff --git a/internal/controller/kustomization_decryptor_test.go b/internal/controller/kustomization_decryptor_test.go
index 253bf729..1998e1e9 100644
--- a/internal/controller/kustomization_decryptor_test.go
+++ b/internal/controller/kustomization_decryptor_test.go
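Review bot: The comment above the changed call, `// Decrypt Kustomize EnvSources files before build`, is now stale: the call is `dec.DecryptSources(dirPath)` and, per the commit title, it also covers patches and components, so a reader is told a narrower contract than the code has. Suggest `// Decrypt SOPS-encrypted Kustomize sources (env files, files, patches, components) before build` with the exact list confirmed against DecryptSources in internal/decryptor/decryptor.go, which is not in this view. The enclosing build method starts and ends outside the hunk.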
@@ -43,18 +43,18 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 g.Expect(err).NotTo(HaveOccurred(), "failed to create vault client")
 // create a master key on the vault transit engine
- path, data := "sops/keys/firstkey", map[string]interface{}{"type": "rsa-4096"}
+ path, data := "sops/keys/vault", map[string]interface{}{"type": "rsa-4096"}
 _, err = cli.Logical().Write(path, data)
 g.Expect(err).NotTo(HaveOccurred(), "failed to write key")
 // encrypt the testdata vault secret
- cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--encrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/secret.vault.yaml")
+ cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/vault", "--encrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
 err = cmd.Run()
 g.Expect(err).NotTo(HaveOccurred(), "failed to encrypt file")
 // defer the testdata vault secret decryption, to leave a clean testdata vault secret
 defer func() {
- cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--decrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/secret.vault.yaml")
+ cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--decrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
 err = cmd.Run()
 }()
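Review bot: The deferred cleanup still points at `/v1/sops/keys/firstkey`, but the transit key created a few lines earlier is now `sops/keys/vault` and the encrypt command uses `/v1/sops/keys/vault`; with no `firstkey` in the transit engine the decrypt will fail and `./testdata/sops/algorithms/vault.yaml` is left encrypted in the working tree after the run. Because the defer assigns `err = cmd.Run()` without checking it, this failure is silent, which is probably how the mismatch went unnoticed. Change the path to `cli.Address()+"/v1/sops/keys/vault"` and surface the result, e.g. `if err := cmd.Run(); err != nil { t.Logf("cleanup: sops decrypt of vault.yaml failed: %v", err) }`. The enclosing test function starts before and continues after this hunk.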
@@ -70,36 +70,23 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 artifactChecksum, err := testServer.ArtifactFromDir("testdata/sops", artifactName)
 g.Expect(err).ToNot(HaveOccurred())
- overlayArtifactName := "sops-" + randStringRunes(5)
- overlayChecksum, err := testServer.ArtifactFromDir("testdata/test-dotenv", overlayArtifactName)
- g.Expect(err).ToNot(HaveOccurred())
-
 repositoryName := types.NamespacedName{
 Name: fmt.Sprintf("sops-%s", randStringRunes(5)),
 Namespace: id,
 }
- overlayRepositoryName := types.NamespacedName{
- Name: fmt.Sprintf("sops-%s", randStringRunes(5)),
- Namespace: id,
- }
-
 err = applyGitRepository(repositoryName, artifactName, "main/"+artifactChecksum)
 g.Expect(err).NotTo(HaveOccurred())
- err = applyGitRepository(overlayRepositoryName, overlayArtifactName, "main/"+overlayChecksum)
- g.Expect(err).NotTo(HaveOccurred())
-
- pgpKey, err := os.ReadFile("testdata/sops/pgp.asc")
+ pgpKey, err := os.ReadFile("testdata/sops/keys/pgp.asc")
 g.Expect(err).ToNot(HaveOccurred())
- ageKey, err := os.ReadFile("testdata/sops/age.txt")
+ ageKey, err := os.ReadFile("testdata/sops/keys/age.txt")
 g.Expect(err).ToNot(HaveOccurred())
 sopsSecretKey := types.NamespacedName{
 Name: "sops-" + randStringRunes(5),
 Namespace: id,
 }
-
 sopsSecret := &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Name: sopsSecretKey.Name,
@@ -153,64 +140,40 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 return obj.Status.LastAppliedRevision == "main/"+artifactChecksum
 }, timeout, time.Second).Should(BeTrue())
- overlayKustomizationName := fmt.Sprintf("sops-%s", randStringRunes(5))
- overlayKs := kustomization.DeepCopy()
- overlayKs.ResourceVersion = ""
- overlayKs.Name = overlayKustomizationName
- overlayKs.Spec.SourceRef.Name = overlayRepositoryName.Name
- overlayKs.Spec.SourceRef.Namespace = overlayRepositoryName.Namespace
- overlayKs.Spec.Path = "./testdata/test-dotenv/overlays"
-
- g.Expect(k8sClient.Create(context.TODO(), overlayKs)).To(Succeed())
-
- g.Eventually(func() bool {
- var obj kustomizev1.Kustomization
- _ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(overlayKs), &obj)
- return obj.Status.LastAppliedRevision == "main/"+overlayChecksum
- }, timeout, time.Second).Should(BeTrue())
-
 t.Run("decrypts SOPS secrets", func(t *testing.T) {
 g := NewWithT(t)
- var pgpSecret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-pgp", Namespace: id}, &pgpSecret)).To(Succeed())
- g.Expect(pgpSecret.Data["secret"]).To(Equal([]byte(`my-sops-pgp-secret`)))
-
- var ageSecret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-age", Namespace: id}, &ageSecret)).To(Succeed())
- g.Expect(ageSecret.Data["secret"]).To(Equal([]byte(`my-sops-age-secret`)))
-
- var daySecret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-day", Namespace: id}, &daySecret)).To(Succeed())
- g.Expect(string(daySecret.Data["secret"])).To(Equal("day=Tuesday\n"))
-
- var yearSecret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year", Namespace: id}, &yearSecret)).To(Succeed())
- g.Expect(string(yearSecret.Data["year"])).To(Equal("2017"))
-
- var unencryptedSecret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "unencrypted-sops-year", Namespace: id}, &unencryptedSecret)).To(Succeed())
- g.Expect(string(unencryptedSecret.Data["year"])).To(Equal("2021"))
-
- var year1Secret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year1", Namespace: id}, &year1Secret)).To(Succeed())
- g.Expect(string(year1Secret.Data["year"])).To(Equal("year1"))
-
- var year2Secret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year2", Namespace: id}, &year2Secret)).To(Succeed())
- g.Expect(string(year2Secret.Data["year"])).To(Equal("year2"))
-
- var year3Secret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-year3", Namespace: id}, &year3Secret)).To(Succeed())
- g.Expect(string(year3Secret.Data["year"])).To(Equal("year3"))
-
- var encodedSecret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-month", Namespace: id}, &encodedSecret)).To(Succeed())
- g.Expect(string(encodedSecret.Data["month.yaml"])).To(Equal("month: May\n"))
-
- var hcvaultSecret corev1.Secret
- g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-hcvault", Namespace: id}, &hcvaultSecret)).To(Succeed())
- g.Expect(string(hcvaultSecret.Data["secret"])).To(Equal("my-sops-vault-secret\n"))
+ secretNames := []string{
+ "sops-algo-age",
+ "sops-algo-pgp",
+ "sops-algo-vault",
+ "sops-component",
+ "sops-envs-secret",
+ "sops-files-secret",
+ "sops-inside-secret",
+ "sops-remote-secret",
+ }
+ for _, name := range secretNames {
+ var secret corev1.Secret
+ g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &secret)).To(Succeed())
+ g.Expect(string(secret.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on secret %s", name))
+ }
+
+ configMapNames := []string{
+ "sops-envs-configmap",
+ "sops-files-configmap",
+ "sops-remote-configmap",
+ }
+ for _, name := range configMapNames {
+ var configMap corev1.ConfigMap
+ g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &configMap)).To(Succeed())
+ g.Expect(string(configMap.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on configmap %s", name))
+ }
+
+ var patchedSecret corev1.Secret
+ g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-patches-secret", Namespace: id}, &patchedSecret)).To(Succeed())
+ g.Expect(string(patchedSecret.Data["key"])).To(Equal("merge1"))
+ g.Expect(string(patchedSecret.Data["merge2"])).To(Equal("merge2"))
 })
 t.Run("does not emit change events for identical secrets", func(t *testing.T) {
diff --git a/internal/controller/kustomization_fuzzer_test.go b/internal/controller/kustomization_fuzzer_test.go
index d81a503b..c4ffd3f7 100644
--- a/internal/controller/kustomization_fuzzer_test.go
+++ b/internal/controller/kustomization_fuzzer_test.go
@@ -80,8 +80,8 @@ const vaultVersion = "1.13.2"
 const defaultBinVersion = "1.24"
 //go:embed testdata/crd/*.yaml
-//go:embed testdata/sops/pgp.asc
-//go:embed testdata/sops/age.txt
+//go:embed testdata/sops/keys/pgp.asc
+//go:embed testdata/sops/keys/age.txt
 var testFiles embed.FS
 // FuzzControllers implements a fuzzer that targets the Kustomize controller.
@@ -182,11 +182,11 @@ func Fuzz_Controllers(f *testing.F) {
 if err != nil {
 return err
 }
- pgpKey, err := testFiles.ReadFile("testdata/sops/pgp.asc")
+ pgpKey, err := testFiles.ReadFile("testdata/sops/keys/pgp.asc")
 if err != nil {
 return err
 }
- ageKey, err := testFiles.ReadFile("testdata/sops/age.txt")
+ ageKey, err := testFiles.ReadFile("testdata/sops/keys/age.txt")
 if err != nil {
 return err
 }
diff --git a/internal/controller/testdata/sops/.sops.yaml b/internal/controller/testdata/sops/.sops.yaml
index 04517a65..313ea769 100644
--- a/internal/controller/testdata/sops/.sops.yaml
+++ b/internal/controller/testdata/sops/.sops.yaml
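Review bot: The new loops only inspect `Data["key"]`, so a generated Secret or ConfigMap that was decrypted but still carries SOPS bookkeeping entries (for the dotenv fixtures, the `sops_*` lines would become extra keys) passes unnoticed; since every fixture in this commit appears to define just `key`, asserting the whole map is both stricter and simpler, `g.Expect(secret.Data).To(Equal(map[string][]byte{"key": []byte("value")}), "secret %s", name)`, and likewise for `configMap.Data` with `map[string]string`. Gomega already formats the optional description, so the `fmt.Sprintf("failed on secret %s", name)` wrappers can become `"failed on secret %s", name`. The same two points apply to the `sops-patches-secret` block, where an exact-map assertion would also prove that the patched-in `merge2` entry is the only addition. The enclosing test function continues outside the hunk.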
@@ -1,11 +1,30 @@ +stores: + json: + indent: 2 + yaml: + indent: 2 + # creation rules are evaluated sequentially, the first match wins creation_rules: - # files using age - - path_regex: \.age.yaml$ - encrypted_regex: ^(data|stringData)$ - age: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 - - path_regex: month.yaml$ - pgp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1 - # fallback to PGP - - encrypted_regex: ^(data|stringData)$ - pgp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1 + # Testing PGP + - path_regex: (inside|pgp)\.yaml$ + encrypted_regex: &encrypted_regex ^(data|stringData)$ + pgp: &pgp 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1 + + - path_regex: json\.yaml$ + encrypted_regex: ".*" + age: &age age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 + + - path_regex: \.yaml$ + encrypted_regex: *encrypted_regex + age: *age + + - path_regex: \.(env|txt)$ + age: *age + + # Fallback + - key_groups: + - age: + - *age + - pgp: + - *pgp diff --git a/internal/controller/testdata/sops/algorithms/age.yaml b/internal/controller/testdata/sops/algorithms/age.yaml new file mode 100644 index 00000000..6dfd8d7f --- /dev/null +++ b/internal/controller/testdata/sops/algorithms/age.yaml 
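Review bot: The new `json\.yaml$` rule with `encrypted_regex: ".*"` has no fixture behind it: nothing named json.yaml appears in the diffstat, so the rule is dead configuration and the behaviour it is presumably meant to cover (a file whose every key is encrypted) is not tested; either add the fixture or drop the rule. The `key_groups` fallback lists an age group and a pgp group; if I recall sops semantics correctly, the default `shamir_threshold` equals the number of groups, so any file that falls through to it needs both an age key and a pgp key at decrypt time, which is worth stating in the comment, e.g. `# Fallback: two key_groups, so sops requires one key from each group unless shamir_threshold is lowered`. The first rule is also the only place the `&encrypted_regex` and `&pgp` anchors are defined, so reordering the rules later would silently break the aliases below; a one-line comment saying so would help the next editor.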
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: age +stringData: + key: ENC[AES256_GCM,data:mHeXsmQ=,iv:vUMpILz3xchORqkzDFvgwENY7EqIHHGJdEF6C8xqbFE=,tag:IroV7hykADvD0IUaq6kikA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeHVSdjJoY3ZSQjJzbk1q + ZXFxMWJ5amkrN1VXeHI4QzQ5OHcwVGxDem1zCm8wQVEzNEUrOUhtRUFkVnFUY0tN + aFgwaHNrWmVWY1RGWXI2YlpYbUhYMGMKLS0tIDBFSXo3cjRCMngvTXpldzhMRlVp + TXk2d2ExSVZYNDVTV0xwVlZnQnpScG8KVpjffjtRTA7Z4Wf/l1VMLjcl16hOrRUv + LKiZDcq+nqKDUI7owZ+xNs2w5SrQjEWVhDXRSeSSRiJrK/bCYKzRxA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-12T13:33:42Z" + mac: ENC[AES256_GCM,data:vmrF+VgW3o8z4h/DOStCUNudz68yHEC8Mws+LPoKpM3Xc7GM0Z1CfX0TKwdLLjMuvyWa2Nx2NIxm0+MCbmR8+y2izn0hHPSWhNVCWSK+iW48M05vXhDCV0xNkqM7g0kLhQ3PiSrB69loQj8C590HIfEViEtyDCFUeynDgcC289Q=,iv:u5lhmtXMxyt+3Pw09wWvgBhmKLoOSpKNWUpu/LuCr3Y=,tag:Dg0HFdLgQltzPgnEmltAzQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/internal/controller/testdata/sops/algorithms/kustomization.yaml b/internal/controller/testdata/sops/algorithms/kustomization.yaml new file mode 100644 index 00000000..be0ed291 --- /dev/null +++ b/internal/controller/testdata/sops/algorithms/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namePrefix: algo- +resources: + - age.yaml + - pgp.yaml + - vault.yaml diff --git a/internal/controller/testdata/sops/algorithms/pgp.yaml b/internal/controller/testdata/sops/algorithms/pgp.yaml new file mode 100644 index 00000000..2e8f4adb --- /dev/null +++ b/internal/controller/testdata/sops/algorithms/pgp.yaml 
@@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pgp +stringData: + key: ENC[AES256_GCM,data:EJey73Q=,iv:QRdpZJ6WYi3fWpKwjl8ZiV+Wwq9qtYTpcMQ0j0OEa44=,tag:d1WlcRpwEJg1lk3X3ILDmA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-11-12T13:33:42Z" + mac: ENC[AES256_GCM,data:25ERLClNe3o33jEo109QtmVH/qzl+e0pMRR1RDyQ4QHrVqYfMIvgUeYDHAIJ5WDwQaueON8nne1KIo+fcPYVBdHvTYvnZiicCUPA5/fpgbyts0u5CdUs31bltI/blnUlU8VbJfIk2Zjlj93erLw23sdzdo/0xsdDTrf3bYiS2CI=,iv:vxrgdyqIKRWGBA+dgrGbjGn7tkXEqbADayIxuzNwxp0=,tag:qWesJqClsLpZHY9UR7ptLQ==,type:str] + pgp: + - created_at: "2024-11-12T13:33:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA90SOJihaAjLARAAqSf7bnqHB0/gfh8CmweYr5cfUpH8aYg7B5QhsnD6nOok + x0UIPtaxtfEBvuDsM9M678Gj/hTEzMv0FmDYRt88NAXm1+63HHnz0/0O3xXQ/DR6 + +1uEZruuyC23nyzjc1fefaqgZ1YJAnj5WCvcWaF12bXbIdFQpRhpVcoMMqWhQizF + 5QJFXjU3cnzIVtvcpMDD63NTpk8+hSTYJr5ZFODSMbQr+EPHvKPMrIx3LLcihkkS + eyxvfLalj556f/3QVgGuOX6VX8lPIaUyIcmXyUkGsooEirOyhiZg2sk/QB6TYIa6 + Nm62hmeeXP01wyY6tax7l3LpAuda6CJRVg+Je1OkIjiuPMIBzHgtfhGFks8vgeTP + xsHXKLKXlJAQyS4ewOItm9n9jc9Xdnwfli4HrGbHNzq7lgEyAOyZZtOifl4KqFbM + 0c3kGiP3ezycRrQGudvbdIZqGfeD+gKrBv6cV49Wgt7Nb1WJUKLcPv4PNtSlYzSu + lGDM63bO+QBAKObc6MOvLnVXbFXrErLMqrexN9XFdjvvsmQAVr2z5phZk5fEk7kw + j8CqyTuy2Dm+ChJwNEeqIY3BNHkvvWMLx8Cr7ZY6bO1BvOdp01mBf+XD/apeBBUe + v2DT36mCehKZh5BHDYH7hKCNw+4PN2hzZd02zKMNzmARqLzQeseaTXti3Hyze23S + XAG1ddNzKXsgbTwLog5EN7DTIQKR+uCIgHuK0DclyWvTiUK7P6HGepTE7byJnnpl + jHtAVs8t+cYHBtY+gKFsstRGbJgAe8QfIt12/XMu9jcA/r8m7xdyNS5P9VZj + =gXAv + -----END PGP MESSAGE----- + fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1 + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/internal/controller/testdata/sops/algorithms/vault.yaml b/internal/controller/testdata/sops/algorithms/vault.yaml new file mode 100644 index 00000000..14d0b8bd --- /dev/null +++ b/internal/controller/testdata/sops/algorithms/vault.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Secret +metadata: + name: vault +stringData: + key: value diff --git a/internal/controller/testdata/sops/component/env.env b/internal/controller/testdata/sops/component/env.env new file mode 100644 index 00000000..1971d722 --- /dev/null +++ b/internal/controller/testdata/sops/component/env.env @@ -0,0 +1,7 @@ +key=ENC[AES256_GCM,data:HfbmmMU=,iv:nWWqqIzzutZJBzu5PbaTPBsqvszaz2/+58mYOK7hj9Q=,tag:b+VcateAccwdb7x2dmYDrQ==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsc0Vyd25KTE1sYWM1akFH\nTUFBeHBmSmdGMnY3ZFJvazRZMUtPMFpscmhBCnVsL2Y0cUd1Nkx1Z0Q1OWpHOG0w\nNnhXSmxjbzR5NVE1NGpjR3d2SHN6SzgKLS0tIG5tdXpXK0U2SUlsQlcvY0ZvRWJB\nS2N6MS9QRVR4K2toMEg1eDR3a3ZtdzAKiliurqchsdfT4XbttES0ohnuTMNKlZy9\nefqbQO2lTLw8wUsNUunTpJBEAx9MFZ+LFHE/EZfHZqYlzxCPzfhufA==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 +sops_lastmodified=2024-11-12T13:33:42Z +sops_mac=ENC[AES256_GCM,data:kPn8FhXF7UcPbkA7gjfjfYljawfT67SQBsYbnaAgtcFAtMWTryTHSDAASp2RZiClZiWnKgOgT8NeFUC+hUvjlz/Vj3pQxl6zY+3CmlrbBiqYUwd8ksXjps8UTqcioWKc7xULLqV5GMUHpoWnDWkkt0F6F10uCL78P0JoKmIeCXM=,iv:/G3GIGXriXuoS9OhfEazEYgVBbo+XvouTGYEi5XVYqQ=,tag:80P9IXhwJzoqJ43eK2W+4g==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.0 diff --git a/internal/controller/testdata/test-dotenv/overlays/component/kustomization.yaml b/internal/controller/testdata/sops/component/kustomization.yaml similarity index 77% rename from internal/controller/testdata/test-dotenv/overlays/component/kustomization.yaml rename to internal/controller/testdata/sops/component/kustomization.yaml index 78520877..4bf4be0a 100644 --- a/internal/controller/testdata/test-dotenv/overlays/component/kustomization.yaml +++ b/internal/controller/testdata/sops/component/kustomization.yaml 
@@ -1,8 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component -secretGenerator: - - name: sops-year3 - envs: - - year3.env generatorOptions: disableNameSuffixHash: true +secretGenerator: + - name: component + envs: + - env.env diff --git a/internal/controller/testdata/sops/day.txt b/internal/controller/testdata/sops/day.txt deleted file mode 100644 index 9c7fc6a6..00000000 --- a/internal/controller/testdata/sops/day.txt +++ /dev/null @@ -1 +0,0 @@ -day=Tuesday diff --git a/internal/controller/testdata/sops/day.txt.encrypted b/internal/controller/testdata/sops/day.txt.encrypted deleted file mode 100644 index 87d91d3c..00000000 --- a/internal/controller/testdata/sops/day.txt.encrypted +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:YWPHPTVOCWivqZu0,iv:tLqbJD/KN2BchlAz1mnf4FtMY+SP5hiBYJP6dHy8gtc=,tag:Aj9T0Q7y9baA84EfEt8MfQ==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "lastmodified": "2021-04-27T20:27:20Z", - "mac": "ENC[AES256_GCM,data:1OqDvIaUpOKFa1vsa6nc+GHIvsxwQ3JhJsDTp+Yl2r8y0+n0VUbCm9FyqVvq8ur3Y3NyZfX+7FL6HxgTN0RnSMdwK1X16ioGWBk4CM3K7W8tyY7gmhddsuJqSDZdV7Hr2s7FB6LZJAHWO9vTn9zXM75Ef0B5yuOgzp29LmIhCK4=,iv:8ozNZ7IgDub2vICSzHWcAdx7/sVEoe8YayXYrAkN0BM=,tag:UwE0b6eTpA9uir+4Mwed7g==,type:str]", - "pgp": [ - { - "created_at": "2021-04-27T20:27:20Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA90SOJihaAjLAQ//cd4d6zghXW7uJ8rk0PoWiCVy5BeYwnInJT4uqJ5uUY62\nFLlsM4ZJB2SSBHGcXdwkWqTXeLLmD8aEuAe0lfutcOYyMZVWeYY+wybyJ5TgBMAo\nvEJoY67felWRb4h0BzkHIG/ZLiuDTV020GJNH2tGgE/mXVPhYosQ+EmA5EF45vfj\nqx2LjZjsCg28FK2qkXnHHjOV/12OnGpR0y6t9GijBUtttyjYaXUpNUSUiHHMjXyL\nQnKlRPt9N2QF6oUQVEwr9plNYKTfmeqUwWh6wFAaWF/104oSOwXFA8ID5wF6de1j\ntnzVf+1Ld5WNmXGmrz/6ugWfcU/3147EuPodjTyQIFMTxA6V7Z7BORjhuxFpR/jS\noZJF/SS70fg9J7sdizWKFNkqS9pPasdNHcGuXU+KGkD2ya54WyUDE86gMq0xtEf3\nMmQJRnjHuriD5EvnKmDJ+QE9nU0ld0kyfVUueHQHCtuuw7yZGi8vlyyjOq4nqCGV\nZ4TJcmpt7pKoxEAnp2tImnos7DbEoQMl7RIYgrhxS7Nej9naYeadFz/G84uwjfm0\nBr5J3A+xtG37HXQWqtd7EXmy/I94okNVXeAZuuQFt/So78jJ4H9uQK1snukPNBhr\nG8aM8SfdrTbp4KZQpm2RJwNdhbHzHoz2M2Dc6Eo14FceW0R0jYDaKTwKeNIgH6jS\nXgGdX+eJRyC1yhp6HAXOaaR9MvXJ8xCi6clWRpI9h3wxnrZtg+pERFeHhp2Ldlww\nRTjw4g3Cp9GQJB/0aTkVVOPmZ4/jpCyUS6hiV3cEE4veuDYZ20evpgO4sld6Ve8=\n=1o9a\n-----END PGP MESSAGE-----\n", - "fp": "35C1A64CD7FC0AB6EB66756B2445463C3234ECE1" - } - ], - "encrypted_regex": "^(data|stringData)$", - "version": "3.6.0" - } -} \ No newline at end of file diff --git a/internal/controller/testdata/sops/envs/env.env b/internal/controller/testdata/sops/envs/env.env new file mode 100644 index 00000000..792dc1a0 --- /dev/null +++ b/internal/controller/testdata/sops/envs/env.env 
@@ -0,0 +1,7 @@ +key=ENC[AES256_GCM,data:3PTvx6o=,iv:74ni7B2QMB6aygdd3R7IEzNCwo1W+TpPWMJLfYCCG4U=,tag:mK2Tu7JWDdEmZUrXz3uRzw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDhVTW1IenNXQmptWnha\nMjd1UWN3dHp0QXRkSnhUSjBHVFdKSmdXYzNNClVWeXVGWndJQ1RpRUlJRy9yeHJY\nb1VhbnR2TlovSUg1MlpZdkhWdkVHTG8KLS0tIHVOSEhOVVV2cXRUQUs2Sk15eU1a\nRW92L1BWQnhNbStFekZjVVRDUFJtaWsK+wPkQAtZtTbh2WHik1ovX61ZJPpkmwuO\nnUYAn37tZELXX/alrOORRwoq+0oBQO5pZYsJBi0fvijfm9VqR/4jKg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 +sops_lastmodified=2024-11-12T13:33:42Z +sops_mac=ENC[AES256_GCM,data:YQHMLRk85ozeuqIvNekLAVp2DFSj+VgDG2z70uQaeCA+uxFp3k/THlANAXx+GP1Oab923Q6nG5ItV9dcG1hTXpA/NRpbM02pfNe/iYnVL7AtcXqFg/jy2T4kkqx7cHAXJi9zd+ZrISIZCNWinLoFfaAo70+epsFumUmLUaDzUPQ=,iv:TdOIRoy6Wch1/x9GlEsmArA5g461ILJZUE7tIxi9G28=,tag:miip/H0SuHqvaoxGvzheIg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.0 diff --git a/internal/controller/testdata/test-dotenv/bases/kustomization.yaml b/internal/controller/testdata/sops/envs/kustomization.yaml similarity index 53% rename from internal/controller/testdata/test-dotenv/bases/kustomization.yaml rename to internal/controller/testdata/sops/envs/kustomization.yaml index 1c2a824c..0299aab3 100644 --- a/internal/controller/testdata/test-dotenv/bases/kustomization.yaml +++ b/internal/controller/testdata/sops/envs/kustomization.yaml @@ -1,8 +1,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -secretGenerator: - - name: sops-year2 - envs: - - ./secrets/year2.txt +namePrefix: envs- generatorOptions: disableNameSuffixHash: true +secretGenerator: +- name: secret + envs: + - env.env +configMapGenerator: +- name: configmap + envs: + - env.env 
diff --git a/internal/controller/testdata/sops/files/file.txt b/internal/controller/testdata/sops/files/file.txt new file mode 100644 index 00000000..367d76d9 --- /dev/null +++ b/internal/controller/testdata/sops/files/file.txt @@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:QNbPAYY=,iv:cMvqZZXqOFmH+bAFdzX+ORH3cnj2cgKX/f6+8q8bDlA=,tag:Pb5wsv4wq5mbccaUhjqQCA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybkpYNFFjVFprQndmWklK\nVnpyVzFjRGZ5cU5IK1NHb2t6bjhKUnZVZ24wCnZFSjBrVEJ6RmpORGMrVHRWUXA5\nL1BMbk1jWXM2aGpVcTkzckdHYm14SmMKLS0tIDdBS2NGaWFWRlZvRktPYksvd0pa\nRzFBRWtHcXlWcVkvK0VKQVRPRGFlYXcKeSgCitkcDxVNZSxS/TsR72xVh6iPL4l5\nS+FP0R0wbo3LbunScvF168f4NhB5HRpS29a5onxH64HEiYdMitV8WA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-11-12T13:33:42Z", + "mac": "ENC[AES256_GCM,data:8H24g0IjdODRma+52utYPlZnGEH+Oi3LiXel2JExHEd1YwbBL417lTbJpZVIfwk7+SYLWw6V4ZbPgHFUHchhRH5URNqb4I0m/FhTMyDW2h0Zm1kM1zMdE8AZTGUyNhmVkrlw7GnBwuGwWS6Usm9C9XD5O+/2Yn20YqmB2/T3a0o=,iv:0sclmOePSOpekgQLr/kNTM2xKdr7djHn2xYSNrFSGD4=,tag:6gvdsQKSqKafO6VrXqlaeA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file diff --git a/internal/controller/testdata/sops/month/kustomization.yaml b/internal/controller/testdata/sops/files/kustomization.yaml similarity index 50% rename from internal/controller/testdata/sops/month/kustomization.yaml rename to internal/controller/testdata/sops/files/kustomization.yaml index 3d3668f7..d66fc837 100644 --- a/internal/controller/testdata/sops/month/kustomization.yaml +++ b/internal/controller/testdata/sops/files/kustomization.yaml 
@@ -1,14 +1,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -secretGenerator: -- name: sops-month - files: - - month.yaml -- name: sops-year - envs: - - year.env -- name: unencrypted-sops-year - envs: - - unencrypted-year.env +namePrefix: files- generatorOptions: disableNameSuffixHash: true +secretGenerator: +- name: secret + files: + - key=file.txt +configMapGenerator: +- name: configmap + files: + - key=file.txt diff --git a/internal/controller/testdata/sops/inside/kustomization.yaml b/internal/controller/testdata/sops/inside/kustomization.yaml new file mode 100644 index 00000000..32eac275 --- /dev/null +++ b/internal/controller/testdata/sops/inside/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namePrefix: inside- +resources: + - secret.yaml diff --git a/internal/controller/testdata/sops/inside/secret.yaml b/internal/controller/testdata/sops/inside/secret.yaml new file mode 100644 index 00000000..40d65cf8 --- /dev/null +++ b/internal/controller/testdata/sops/inside/secret.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secret +data: + key: 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 diff --git a/internal/controller/testdata/sops/age.txt b/internal/controller/testdata/sops/keys/age.txt similarity index 100% rename from internal/controller/testdata/sops/age.txt rename to internal/controller/testdata/sops/keys/age.txt diff --git a/internal/controller/testdata/sops/pgp.asc b/internal/controller/testdata/sops/keys/pgp.asc similarity index 100% rename from internal/controller/testdata/sops/pgp.asc rename to internal/controller/testdata/sops/keys/pgp.asc diff --git a/internal/controller/testdata/sops/kustomization.yaml b/internal/controller/testdata/sops/kustomization.yaml new file mode 100644 index 00000000..9017c48c --- /dev/null +++ b/internal/controller/testdata/sops/kustomization.yaml 
@@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namePrefix: sops- +resources: + - algorithms + - envs + - files + - patches + - inside + - remote +components: + - ./component diff --git a/internal/controller/testdata/sops/month/month.yaml b/internal/controller/testdata/sops/month/month.yaml deleted file mode 100644 index 1467ebc4..00000000 --- a/internal/controller/testdata/sops/month/month.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -month: ENC[AES256_GCM,data:9e+R,iv:EzJxah6sCY2D9L76l/CuVq6qVq2ncJDYphm9gXE/ZgM=,tag:r82agynzHp/aOTVo6Iu9wg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-31T11:27:34Z" - mac: ENC[AES256_GCM,data:BV/jKqSzKr2sq/yA4HToFseOWOB04cYo+54Dby/Jp4ZuVwxNt1i02zncsvWyQZK5WFcvK47brvzN6fWJyyf5WnX+XISbuUDGMWjqNG/te3YKEY4ZqJUopDF/AxDZDkUC5KdnIln6RZqtHuJH18J35kakWFrg1YOJtI28ZVK5yBM=,iv:T6JJkYbfqpUz2AClToZtSsuVbUXcPD5nqaUhJJdH6Uc=,tag:jvmH8iyfivoGIt1k+Uodrg==,type:str] - pgp: - - created_at: "2021-05-31T11:27:34Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA90SOJihaAjLAQ/9HYs2HyaYL9dOj8zIAr3JzqEFHlMX59Vw8kj9KxBQJXYQ - N3mE/HHQVBWk/36Pq/14n0Eals8GwivDDiJmovfeRASmb0/LnGQDzMkDGEJvyu7N - Q69rBjzVWbmMPgI0vQb0zTBRcUW+LnSijkv+H5mxuFnnZd8N3UeFLHX2oKNeA7O3 - pYjjK8vr6KaXJqYfH+bFs29cnk0+xZiThr21cz40yFZD7ynns4xjdVtqI5bvGk/F - bDW7oGgJe+q/9OHKJaVESLrcZMe2lLxA7x821ssq6BlNzv9DHTc7PloVNepsze6d - MBTgzAZoH04ENQSiL9qo24AVGaFhUXak7MslxE8nhjFJD6sfb0Q/LtlhOSpDw7NR - gugPzQuQLGN9U54id0bql8CBi58g0wdxjo6kDlMYTEd9CZbugfM1pR1imknlgPLi - 7ODDrWTTxnZm4+hZRj7EjMGlRshavPgZ/rgT1tTnjNw9c+llgCWW8Ei8JOEvA86M - DwsPzodesMO56yf3MJPAgakCapTH9VMad+E63yUMsNAX6+otrjgssvxg3j8KnjPp - Z7593P7RGYrRR+YwEi5nTHmDL1H80vP6pNnBGd7wLa3TLzypkDiZSKY6vq6vSIwd - QOpLX3VC2X53mtWmNm7oWxKLX3hKPrjTqBYE0EDK7Yc0q8rj++ygntOekI+WSm/S - XAG4Ufue6i2MTvnZmK/Byt+E/zT4jRmjRQImGekHB+rLYfM3Z85i6ExH4OCCWNqC - rg4DqrWTS8Nvt2PE5UC3Phqe51D4/ZrQPVPkFQftgQl44xECv4X8rI7RTux6 - =HE0m - -----END PGP MESSAGE----- - fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1 - unencrypted_suffix: _unencrypted - version: 3.7.1 diff --git a/internal/controller/testdata/sops/month/unencrypted-year.env b/internal/controller/testdata/sops/month/unencrypted-year.env deleted file mode 100644 index 1583ab22..00000000 --- a/internal/controller/testdata/sops/month/unencrypted-year.env +++ /dev/null @@ -1 +0,0 @@ -year=2021 
diff --git a/internal/controller/testdata/sops/month/year.env b/internal/controller/testdata/sops/month/year.env deleted file mode 100644 index ea216744..00000000 --- a/internal/controller/testdata/sops/month/year.env +++ /dev/null @@ -1,7 +0,0 @@ -year=ENC[AES256_GCM,data:EfNnlA==,iv:pBaHDmjQ1d6JrA0Rk19giCQon7CP37hZ0dEQTkJEw1U=,tag:J29CEN9S6pSie8tsAD2REA==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NHYyMHdNcXhMS2x6aXJq\nTHVhbUYrcW8waFduN1NoWUIyTWFuMmNEVGpzCjUxb05zUndSdnpiQng2VnZ2SkNF\nbnlzY0VmaVd1Z0xZR2FKdDRPQlhKSE0KLS0tIDlEaGgwT3VHcUg5QzFpenZNOTBk\nbUZ5QkRnY0kwMFpYanFLYTlvc0FXdXMKb32CnEO8yg91kkUMFXhBL5Sfz32dNOJT\ntNGdKcOGVBzOJVgU1RquB+5OcJdbuwdV7GCq8KvXqh5fypTI00hZeg==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 -sops_lastmodified=2021-10-14T15:35:45Z -sops_mac=ENC[AES256_GCM,data:brSfy5j0wETn6YT7p8qoCSuI6bevGwrxBbtcqBSYRJ+GgLAr9a7rtwHK8/BnKCi1C1H/zGa1gEERqz2j6Zw0uS4V5lejvtDtfRn9DwYWQ2Aqo2zi4crfNhljerwQVa/Hy9pq2falIZyyhoDX30WOoLe+2eZWQXLtFlVkx4x7U1s=,iv:wr4szytKCN9j6dqccZZl0bkDUHsOtFSvDXjdpuZwTbA=,tag:N1uQ25uLS+E6yQPzXJRiNw==,type:str] -sops_version=3.7.1 -sops_unencrypted_suffix=_unencrypted diff --git a/internal/controller/testdata/test-dotenv/overlays/kustomization.yaml b/internal/controller/testdata/sops/patches/kustomization.yaml similarity index 51% rename from internal/controller/testdata/test-dotenv/overlays/kustomization.yaml rename to internal/controller/testdata/sops/patches/kustomization.yaml index cf4cfa33..eb9e45e9 100644 --- a/internal/controller/testdata/test-dotenv/overlays/kustomization.yaml +++ b/internal/controller/testdata/sops/patches/kustomization.yaml 
@@ -1,12 +1,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -resources: - - ../bases -secretGenerator: - - name: sops-year1 - envs: - - year1.env +namePrefix: patches- +patches: + - path: merge1.yaml + - path: merge2.yaml generatorOptions: disableNameSuffixHash: true -components: - - component +secretGenerator: + - name: secret + literals: + - key=value diff --git a/internal/controller/testdata/sops/patches/merge1.yaml b/internal/controller/testdata/sops/patches/merge1.yaml new file mode 100644 index 00000000..85156301 --- /dev/null +++ b/internal/controller/testdata/sops/patches/merge1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secret +stringData: + key: ENC[AES256_GCM,data:P7HTaDel,iv:YyIVQyWQpW5tEIGOsWRx6kFIP49Ciej60a5EccQg1us=,tag:Rg+MWSVit7f6dVSPLfoFOA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicityZGExUWdURjJmaUdY + NDF1czNNZ1B0OWFPTGpGblNwZGpza2NPZ1RjCnhQcE55VDNOaVlCUG0reE5LeEtD + TzZJR0o1dUJlb2dqV2YwaGhWZEdGYVEKLS0tIFJsc054RHJMQTUxdm9MNTJmb3o5 + QVd5VkxJam5RT3RjNzdaN3NzYWtGV1kKaaKPbN6o9/XunC7KimHAXbg3iI29hg71 + VHeuzfLjhuwOJv/rlNyHIdqbvGlMHUU5exZ7dVr4DMen+FsNRvnfJg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-12T13:33:42Z" + mac: ENC[AES256_GCM,data:ArD1tNf9Z72ZyUXj7PiBbHDTbmhprOfp8UUFPE7z9O/WvHOCgfwfhtnDfri/SeHiKyLHVQjdvoEw+Xu9xCNkG+UJuKnz/YBT4Wq+jkbQTSOvFNL4K8HwroWmTmcKS2CVUy5N2U64qNg29nFceiMoX8mSvlqOLKMWLCPhYP4L3sc=,iv:hj4VEh3mWjD2NNE9aGG3rqw1niFfE3VTkgUpY2SwhA0=,tag:nVG2dca/11vDANi9Bgk3dA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/internal/controller/testdata/sops/patches/merge2.yaml b/internal/controller/testdata/sops/patches/merge2.yaml new file mode 100644 index 00000000..9b7a443a --- /dev/null 
+++ b/internal/controller/testdata/sops/patches/merge2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secret +stringData: + merge2: ENC[AES256_GCM,data:QN7wGPNK,iv:cg3UYtCAWmxxLMGvK3ImXz1j/kN0vyujQNzbJE84LCU=,tag:LwQwsEEam96wmeSwRmZevQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTDFGM0pxZXc1VWQzWm8z + MGxYRWprMXFWakdiTmpycDB4RnBlc0lkUEJZCmlLQ0Q1a1BRcXQ5Q1ZpRGljM2Fn + SWlQaUVuUjNKb3p2NmYrdWxlUDIzajQKLS0tIGlZWUlQK05wOGVlRGp3UE5YalNZ + S1hNbFd5a1Q0KzNwOE1oa3JZUnRMdmMKg7Ac1ik+6gmtKF7SUkiGb/Prh3kyJUA6 + PlVtWc+QGanN7mkXIxnPbhoDF8RYrxXH0mot9iiFWdzH+IeC19DANA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-12T13:33:42Z" + mac: ENC[AES256_GCM,data:Lnz+0hdARiP6yHgyJugrtuuhKhy21X4TBQG3Pz0EVZWFfIfheWBbW9KOXlw+x7FruuGWQxIlMmmgCMx4YVxQwpT6zFvjUw6hfD4fpeyrxnsCOiN56N3ECpLZMfq27ilubnMHe/AC0mhdAjivZfQJWPe/lQBO3Jb6HRJj7FTPWWA=,iv:0mNU7QFsYCsxNvbtcPLg19dktr9eWDGQLcKw+WWCaFU=,tag:zp+dyySRJMjwccw4TEGnjg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/internal/controller/testdata/sops/remote/env.env b/internal/controller/testdata/sops/remote/env.env new file mode 100644 index 00000000..792dc1a0 --- /dev/null +++ b/internal/controller/testdata/sops/remote/env.env 
@@ -0,0 +1,7 @@ +key=ENC[AES256_GCM,data:3PTvx6o=,iv:74ni7B2QMB6aygdd3R7IEzNCwo1W+TpPWMJLfYCCG4U=,tag:mK2Tu7JWDdEmZUrXz3uRzw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDhVTW1IenNXQmptWnha\nMjd1UWN3dHp0QXRkSnhUSjBHVFdKSmdXYzNNClVWeXVGWndJQ1RpRUlJRy9yeHJY\nb1VhbnR2TlovSUg1MlpZdkhWdkVHTG8KLS0tIHVOSEhOVVV2cXRUQUs2Sk15eU1a\nRW92L1BWQnhNbStFekZjVVRDUFJtaWsK+wPkQAtZtTbh2WHik1ovX61ZJPpkmwuO\nnUYAn37tZELXX/alrOORRwoq+0oBQO5pZYsJBi0fvijfm9VqR/4jKg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 +sops_lastmodified=2024-11-12T13:33:42Z +sops_mac=ENC[AES256_GCM,data:YQHMLRk85ozeuqIvNekLAVp2DFSj+VgDG2z70uQaeCA+uxFp3k/THlANAXx+GP1Oab923Q6nG5ItV9dcG1hTXpA/NRpbM02pfNe/iYnVL7AtcXqFg/jy2T4kkqx7cHAXJi9zd+ZrISIZCNWinLoFfaAo70+epsFumUmLUaDzUPQ=,iv:TdOIRoy6Wch1/x9GlEsmArA5g461ILJZUE7tIxi9G28=,tag:miip/H0SuHqvaoxGvzheIg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.0 diff --git a/internal/controller/testdata/sops/remote/kustomization.yaml b/internal/controller/testdata/sops/remote/kustomization.yaml new file mode 100644 index 00000000..41788e42 --- /dev/null +++ b/internal/controller/testdata/sops/remote/kustomization.yaml @@ -0,0 +1,24 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namePrefix: remote- +resources: + - https://raw.githubusercontent.com/fluxcd/kustomize-controller/refs/heads/main/config/default/namespace.yaml +generatorOptions: + disableNameSuffixHash: true +secretGenerator: +- name: secret + envs: + - env.env +patches: + - patch: |- + apiVersion: v1 + kind: ConfigMap + metadata: + name: sops-remote-configmap + data: + key: value + target: + kind: Namespace + options: + allowNameChange: true + allowKindChange: true 
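Review bot: The remote resource `https://raw.githubusercontent.com/fluxcd/kustomize-controller/refs/heads/main/config/default/namespace.yaml` follows a mutable branch, so this fixture changes whenever `main` does and the test needs network access at build time. Pinning the URL to an immutable revision (`.../<commit-sha>/config/default/namespace.yaml`, placeholder) keeps the expected output stable, and a local Namespace manifest would remove the network dependency entirely if the test only needs something to patch. If the intent is specifically to show that decryption of `env.env` works alongside a remote base, a one-line comment in this kustomization saying so would make that clear to the next maintainer.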
diff --git a/internal/controller/testdata/sops/secret.age.yaml b/internal/controller/testdata/sops/secret.age.yaml deleted file mode 100644 index 17c7172c..00000000 --- a/internal/controller/testdata/sops/secret.age.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: sops-age -stringData: - secret: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGduOFZjRWw2WTFQdWdu - OS83OEZaN1E1aU1zSThhMlNEZzd0aEYvdURFCnE3bmJ5c3J2cDNEbXhselFPVC9v - NFhMRjZjOHZOdEpoYjdiS0ZPd2pvN1kKLS0tIDZUVEFoblpDNWhnaWxYRTBjaktk - bHRXV0o1K2ZDNm5Mem5SdzNBMTNuNFUKylE2cRLqydjj6e4+4Giwn4y8mIPej+CM - Bab3UWiK1da2rFNTOEnoHl6QDAVxNrWdrrIa5k22SzApT88VtJ4xuQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2021-04-06T09:07:05Z" - mac: ENC[AES256_GCM,data:oaM8qFtEP8dOCd/Tr5yb08uetsnDtZO8o1rCayN53ncQ1HUAdhRBrFdmbYx1YTh1mwQVVN6sGYqFZU1LBMVv5pTqvpwd41biJZEg8NznXQWx0GA2Z6HOrblGhFZKrqky3P5xN+6j63zkJizXWgBMKzRvBnsVKxjZGr/lk1vVVv4=,iv:p4y9Fo3SArkEMuoK2d9sQYgNdc0iw/StFhg/5LnhcXM=,tag:61JGbnEw35tv6WnGj46JOw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.0 diff --git a/internal/controller/testdata/sops/secret.day.yaml b/internal/controller/testdata/sops/secret.day.yaml deleted file mode 100644 index 19d62784..00000000 --- a/internal/controller/testdata/sops/secret.day.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -data: - secret: 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 -kind: Secret -metadata: - creationTimestamp: null - name: sops-day diff --git a/internal/controller/testdata/sops/secret.vault.yaml b/internal/controller/testdata/sops/secret.vault.yaml deleted file mode 100644 index 71d476b4..00000000 
--- a/internal/controller/testdata/sops/secret.vault.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - secret: bXktc29wcy12YXVsdC1zZWNyZXQK -kind: Secret -metadata: - name: sops-hcvault - namespace: default -type: Opaque diff --git a/internal/controller/testdata/sops/secret.yaml b/internal/controller/testdata/sops/secret.yaml deleted file mode 100644 index c6aa991c..00000000 --- a/internal/controller/testdata/sops/secret.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: sops-pgp -stringData: - secret: ENC[AES256_GCM,data:rZEmadbj49GoQLlK85hKKAsc,iv:FX4Dfbd173bZQdUgEVRo4q29m/Gz9ob07QHFuiCAufA=,tag:VM6tzAVdGjsythy2Mr5tvw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-04-06T09:07:19Z" - mac: ENC[AES256_GCM,data:iBg8FY39VSykcWZ/asv86P3VNZkscQdINNOy3UtI5m4OWDpUkyDuq66w7ELiiEXJ3D+b7JKJrsSrYtT7Tn7t+NZGxJcLQFEczozvWgKd2hCikxnMEepCJ3tRcoz7JaItommi1HvA08syGfLA5f6eOxsHQWzmjVdYaVpQ4VGRibk=,iv:VI+Fb7dXV4442IMKZSHOb0GJ/2nNgK9AUTblOZ49Oco=,tag:gJjFguJeE7irKZW7yZi0jw==,type:str] - pgp: - - created_at: "2021-04-06T09:07:19Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA90SOJihaAjLAQ/+LnZo9UHmJ2Llcpq6m5gjo5hbCx6aYTbrvJOFCWeu2oyC - 71XsuTUzBp7TK8SkGrxlJmUodezACQ3rCsKY/r2GI4t9HkVRSuhnc/YQMunm3iG1 - bsgfdV/KBm0Go7dFXy2R1Pt3PuVnuM9MZ59U4SdqYGZDI7vzy2gfH127qa3oIOoF - 2OFfwhUy8nZIVCJ47ExIdrc7Qdk94tbLfwmBAKHFN4Ab0YXasKCpH9O+9/vQ+JJU - 7xy61Nv4dqtEDYU9QTh2ZuT6ZaWikTqCcIv/W7lW1RsT8n7YiRZv9POobKDh5KbP - PyfqvJsLcJB8LHN2kZfwr6Iemuce19kRi+7JL9zMGRJSsq0thJ0ly3JBi48pU27w - jbFnmxlIwfb0EsLBp9lsxw7GoUbooSC/rfI5NVeQ+4lFA4gQn2oz7i4zTYesnwil - lrgMxz49SSluAYsGjrJHc+ABmlDz83K42KtWlNjwaIbDgHMl4EbYUe4pxcynEZ6D - 0csDIsIA15MP0THfTL1F1vkhvdPHNuUlVjFqgWaJAP2CC5KH8IeTCUN72FySEYAB - BJH+VQoRnS942M8VQAfUQyBsfZKtQhyCkU7KEimUjQzy75JWgy8YMX1mviXk52qB - kVHQIjNEuBta58pmNyhxc+6+bz+ABGp+mR9QemUQjmXghH3VjOwnZVj6KMMX4J3S - XgEubPmw6u4nYqb9bLDVyE2uXXA4TVgFDuZxJrbZOn9zF2aQOOGfZX2Gx5xgK+pV - srM1wyJqdP+QL/fWO9ZI38+tyr1T5zOBPpJ/JTrkSJoVeRWpwuI6BUCZhH66nfU= - =+1cf - -----END PGP MESSAGE----- - fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1 - encrypted_regex: ^(data|stringData)$ - version: 3.7.0 diff --git a/internal/controller/testdata/test-dotenv/bases/secrets/year2.txt b/internal/controller/testdata/test-dotenv/bases/secrets/year2.txt deleted file mode 100644 index ed82abf9..00000000 
--- a/internal/controller/testdata/test-dotenv/bases/secrets/year2.txt +++ /dev/null @@ -1,7 +0,0 @@ -year=ENC[AES256_GCM,data:HoFRvaM=,iv:XNDFLkONNvKSKkbqErVx1/tnEtDuZIG3SficCd7NIaM=,tag:aC7SCerL01kYyXyXkWR2ag==,type:str] -sops_unencrypted_suffix=_unencrypted -sops_mac=ENC[AES256_GCM,data:s75x7NzSjmkovCOopnT1eIfXMAdwwsN8KoVdVbAYDTAsB856w/i/W/JshXAUdr5SnXHNbtwzEha/HSppnWEQw1nds18yZCeIW54QE7yxvBKw9Mhd3wxHWiZWziTY0awbYinbyQ45zpq1Iz97BueNjhwtZWMQzRKLQvwyqEljTHs=,iv:AuKqCzIgTYcogtyLrtM6VdgwKTlDE3uMxvVaWbpKBOA=,tag:Ija+U/97TxxWoXYDpG6+jg==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV1FYTkdzV210SkswWmty\nZzZSVzlCUlRQcVNEOVpYSWNSSWtPd00rcDJrCjZKVVp6aFY2cHJQbm9oY2Q1Z2N3\nLzBWalF4ZHZYTU5kMlcwaGRvYkVKcFEKLS0tIG1QTjNuY0pRbFBqT3dFNFROQWU3\nTWQxNVlUNG8rblQyYmJoaCtKSGcrdE0KjUJ+hGiyCkzUG41mwT3rAb0BdwBF8303\nhBDRmW+DjP1ETrGTXviTS1Cq29IX1K2KdBRxixjtwewkXV/i87wHRA==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 -sops_lastmodified=2021-10-15T11:09:14Z -sops_version=3.7.1 diff --git a/internal/controller/testdata/test-dotenv/overlays/component/year3.env b/internal/controller/testdata/test-dotenv/overlays/component/year3.env deleted file mode 100644 index 5e675cb8..00000000 --- a/internal/controller/testdata/test-dotenv/overlays/component/year3.env +++ /dev/null 
@@ -1,7 +0,0 @@ -year=ENC[AES256_GCM,data:c+S7GjA=,iv:bcYeALfyGDWlXi5UqOFVC2tCdex5MXaJKxn6awDIfAI=,tag:UQepDih41dSSUiebFYNxiw==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4L01FcTR6dVpPR1JpNldW\nSURuaHBEZ3RrY1hpS1Mxam10VEhVSE85RG5NClFTZHEvQzBnbjVHK3VydEIxVkZE\ncEI0a1hVMmtVSXZjNU5VQXBVV2RIS0UKLS0tIEZlUndyWEVZZUl1bHI0a3JwS2M1\nQnNNcFZxaTNzWlZoSFRpdWd2QUJjNGcKzEaQDRjvnFPkwCXL6K5s5guI5xP0urcD\nfeYHuyAS9Td0l/5fTyDlLv6jFJ09QS1ob0OL0GAvknwjbRlbaWjrAA==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 -sops_lastmodified=2024-11-10T18:49:59Z -sops_mac=ENC[AES256_GCM,data:jeyF+D6Y5tGtcaxWfK65PlbjZLicI1lFi0uEcEq2fLVv9vPCpSO/iAfGGOqQiMPbndAV7FdqeFCSXC4gmf27gysR3FvHnYrbLZDO+fZm5K6Fk2IReSCZIHLxVGUlC9E5z1NFfPjJdD3fMM5I6sT7Cpn6xCg/rHavmfOEwW2dU94=,iv:kgxhX2NhFEmgfbOD7FpiXI+WXXZrpzf7R8r1RMSPPjs=,tag:aHge+qF1wsAszeTL25HtBw==,type:str] -sops_unencrypted_suffix=_unencrypted -sops_version=3.9.0 diff --git a/internal/controller/testdata/test-dotenv/overlays/year1.env b/internal/controller/testdata/test-dotenv/overlays/year1.env deleted file mode 100644 index 71e01927..00000000 --- a/internal/controller/testdata/test-dotenv/overlays/year1.env +++ /dev/null 
@@ -1,7 +0,0 @@ -year=ENC[AES256_GCM,data:tV/GLTE=,iv:AtEKKSUa4BiTnDzGMtpGrO78NuR0wMXzjKrQScbtX24=,tag:zAzcBzQ6ORO+NhcY3idHcA==,type:str] -sops_lastmodified=2021-10-15T11:08:51Z -sops_unencrypted_suffix=_unencrypted -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFU29oWEh2ckRjaCs3d1FJ\nYTkxN0dqY1lsc1dEUmZ4OGN0N1BHK0xxQld3CmpTL2Z2VDloQStCYnRmYnJ0SDFj\nVU9USmszbU44YUxzRi95Q0sxY2t0bkUKLS0tIC80Ulh1RWJPeUFqbUFNSjFOeGIy\nY001MzMwbnRsQXlsN1VVY2xLY20yazQKYhZQGZpay9J1cnGiHCKBY6DtYMCSIBo7\nAP41GiVukT6M4LT83TpWzWgbR/xNgreKdNpweYcw+Fp+wJHVeR3+fg==\n-----END AGE ENCRYPTED FILE-----\n -sops_mac=ENC[AES256_GCM,data:rw8vAq+8nqa5/V8p/ICuVKXNQCeTIFExF33qy1YEbc8f4kePDhTlGqxluEytbWOhk+hzCd4POk+zY8bWBY2QSiq0lle2rCtE2WT3I04/+bHzX74yMBuadYLqiUFEhkra/58FXD404PPJBUrOy8mAPgWVczcqMexYhzz//tPdGMY=,iv:yk3CsyGigCSHonvMBTQvjg+kgNssf87KqlKeR6FE8sk=,tag:dCaOhh97ebJWNT5v35n6Iw==,type:str] -sops_version=3.7.1 -sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29 diff --git a/internal/decryptor/decryptor.go b/internal/decryptor/decryptor.go index cd24c06c..1ba198bd 100644 --- a/internal/decryptor/decryptor.go +++ b/internal/decryptor/decryptor.go 
@@ -392,28 +392,28 @@ func (d *Decryptor) DecryptResource(res *resource.Resource) (*resource.Resource, return nil, nil } -// DecryptEnvSources attempts to decrypt all types.SecretArgs FileSources and +// DecryptSources attempts to decrypt all types.SecretArgs FileSources and // EnvSources a Kustomization file in the directory at the provided path refers // to, before walking recursively over all other resources it refers to. // It ignores resource references which refer to absolute or relative paths // outside the working directory of the decryptor, but returns any decryption // error. -func (d *Decryptor) DecryptEnvSources(path string) error { +func (d *Decryptor) DecryptSources(path string) error { if d.kustomization.Spec.Decryption == nil || d.kustomization.Spec.Decryption.Provider != DecryptionProviderSOPS { return nil } decrypted, visited := make(map[string]struct{}, 0), make(map[string]struct{}, 0) - visit := d.decryptKustomizationEnvSources(decrypted) + visit := d.decryptKustomizationSources(decrypted) return recurseKustomizationFiles(d.root, path, visit, visited) } -// decryptKustomizationEnvSources returns a visitKustomization implementation +// decryptKustomizationSources returns a visitKustomization implementation // which attempts to decrypt any EnvSources entry it finds in the Kustomization // file with which it is called. // After decrypting successfully, it adds the absolute path of the file to the // given map. -func (d *Decryptor) decryptKustomizationEnvSources(visited map[string]struct{}) visitKustomization { +func (d *Decryptor) decryptKustomizationSources(visited map[string]struct{}) visitKustomization { return func(root, path string, kus *kustypes.Kustomization) error { visitRef := func(sourcePath string, format formats.Format) error { if !filepath.IsAbs(sourcePath) { 
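Review bot: The doc comments on `DecryptSources` and `decryptKustomizationSources` were only renamed and still describe FileSources and EnvSources, although the following hunk makes the visitor walk `kus.Patches` as well; the first should read along the lines of `// DecryptSources attempts to decrypt all types.SecretArgs FileSources and EnvSources, and all Patches paths, a Kustomization file in the directory at the provided path refers to, ...` and the second `// which attempts to decrypt any FileSources, EnvSources or Patches path entry it finds`. The commit title also mentions components, but nothing in this file's hunks touches them; if `recurseKustomizationFiles` already follows `components`, a short mention in the `DecryptSources` comment would document that without code changes. `decryptKustomizationSources` continues past the end of this hunk.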
@@ -426,19 +426,19 @@ func (d *Decryptor) decryptKustomizationEnvSources(visited map[string]struct{}) if _, ok := visited[absRef]; ok { return nil } - if err := d.sopsDecryptFile(absRef, format, format); err != nil { return securePathErr(root, err) } - // Explicitly set _after_ the decryption operation, this makes // visited work as a list of actually decrypted files visited[absRef] = struct{}{} return nil } + // Iterate over all SecretGenerator entries in the Kustomization file and attempt to decrypt their FileSources and EnvSources. for _, gen := range kus.SecretGenerator { for _, fileSrc := range gen.FileSources { + // Split the source path from any associated key, defaulting to the key if not specified. parts := strings.SplitN(fileSrc, "=", 2) key := parts[0] var filePath string @@ -447,21 +447,36 @@ func (d *Decryptor) decryptKustomizationEnvSources(visited map[string]struct{}) } else { filePath = key } + // Visit the file reference and attempt to decrypt it. if err := visitRef(filePath, formatForPath(key)); err != nil { return err } } for _, envFile := range gen.EnvSources { + // Determine the format for the environment file, defaulting to Dotenv if not specified. format := formatForPath(envFile) if format == formats.Binary { // Default to dotenv format = formats.Dotenv } + // Visit the environment file reference and attempt to decrypt it. if err := visitRef(envFile, format); err != nil { return err } } } + // Iterate over all patches in the Kustomization file and attempt to decrypt their paths if they are encrypted. + for _, patch := range kus.Patches { + if patch.Path == "" { + continue + } + // Determine the format for the patch, defaulting to YAML if not specified. + format := formatForPath(patch.Path) + // Visit the patch reference and attempt to decrypt it. + if err := visitRef(patch.Path, format); err != nil { + return err + } + } return nil } } 
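Review bot: In the new patches loop the comment `// Determine the format for the patch, defaulting to YAML if not specified.` promises a default that the code does not implement: `formatForPath(patch.Path)` is passed straight to `visitRef`, whereas the EnvSources branch just above falls back from `formats.Binary`, so either add `if format == formats.Binary { format = formats.Yaml }` or reword the comment to say the format is derived from the file extension only. The `patch.Path == ""` guard correctly skips inline `patch:` entries, which have no file to decrypt, and deserves a one-line comment saying so. The deprecated `patchesStrategicMerge`/`patchesJson6902` fields are not visited here; if the controller still accepts them, encrypted files referenced there will reach kustomize as ciphertext, so confirm or document that limitation. The unit test in decryptor_test.go still builds its Kustomization from `tt.secretGenerator` only, so the new loop has no coverage there. The enclosing closure and `decryptKustomizationSources` begin in the previous hunk.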
diff --git a/internal/decryptor/decryptor_test.go b/internal/decryptor/decryptor_test.go index 57a54942..41761ee5 100644 --- a/internal/decryptor/decryptor_test.go +++ b/internal/decryptor/decryptor_test.go @@ -747,7 +747,7 @@ func TestDecryptor_DecryptResource(t *testing.T) { }) } -func TestDecryptor_decryptKustomizationEnvSources(t *testing.T) { +func TestDecryptor_decryptKustomizationSources(t *testing.T) { type file struct { name string symlink string @@ -910,7 +910,7 @@ func TestDecryptor_decryptKustomizationEnvSources(t *testing.T) { } visited := make(map[string]struct{}, 0) - visit := d.decryptKustomizationEnvSources(visited) + visit := d.decryptKustomizationSources(visited) kus := &kustypes.Kustomization{SecretGenerator: tt.secretGenerator} err = visit(root, tt.path, kus)