Documentation
¶
Index ¶
- Constants
- func DecryptFileWithSOPS(src, keyPath string) ([]byte, error)
- func EncryptFileWithSOPS(src, target, recipient string) error
- func IsSOPSEncryptedFile(path string) (bool, error)
- func LoadVaultData(vaultPath, ageKeyPath string) (*files.InstallVault, error)
- func ResolveAgeKey(explicitKeyFile, fallbackDir string) (recipient string, keyPath string, err error)
- type VaultSecretCreator
- type VaultTemplatingSecretStore
Constants ¶
const ( VaultSecretNamespace = "codesphere" VaultSecretName = "cs-vault" )
Variables ¶
This section is empty.
Functions ¶
func DecryptFileWithSOPS ¶
DecryptFileWithSOPS decrypts a SOPS-encrypted file and returns the plaintext bytes. If keyPath is non-empty, SOPS_AGE_KEY_FILE is set for the sops process.
func EncryptFileWithSOPS ¶
EncryptFileWithSOPS encrypts src with SOPS+age and writes ciphertext to target.
func IsSOPSEncryptedFile ¶
IsSOPSEncryptedFile checks whether the file at path is a SOPS-encrypted YAML document.
func LoadVaultData ¶
func LoadVaultData(vaultPath, ageKeyPath string) (*files.InstallVault, error)
LoadVaultData reads, SOPS-decrypts, and parses the vault at vaultPath using the age key at ageKeyPath, returning the decoded install vault.
func ResolveAgeKey ¶
func ResolveAgeKey(explicitKeyFile, fallbackDir string) (recipient string, keyPath string, err error)
ResolveAgeKey resolves an existing age key or generates a new one.
When explicitKeyFile is non-empty it takes priority over everything else: the recipient is read directly from that file and it is returned as the key path. This lets callers thread an explicit --age-key-file through without mutating the process environment.
Otherwise it checks (in order):
- SOPS_AGE_KEY environment variable (raw key content)
- SOPS_AGE_KEY_FILE environment variable (path to key file)
- Default location: ~/.config/sops/age/keys.txt
- Generate a new key and write it to <fallbackDir>/age_key.txt
Returns the age public key (recipient) and the path to the key file (empty when the key was supplied via SOPS_AGE_KEY).
Types ¶
type VaultSecretCreator ¶
type VaultSecretCreator struct {
// contains filtered or unexported fields
}
func NewVaultSecretCreator ¶
func NewVaultSecretCreator(c client.Client) *VaultSecretCreator
func (*VaultSecretCreator) CreateSecretFromFile ¶
func (v *VaultSecretCreator) CreateSecretFromFile(ctx context.Context, vaultFile, ageKeyPath, namespace, secretName string) error
CreateSecretFromFile decrypts a SOPS-encrypted vault file and creates or updates a Kubernetes secret with its contents in the target cluster.
Each vault entry is mapped to one or more secret keys:
- File entries produce a single key equal to the entry name.
- Field entries produce "entryName.password" and, when present, "entryName.username".
func (*VaultSecretCreator) CreateSecretFromVault ¶
func (v *VaultSecretCreator) CreateSecretFromVault(ctx context.Context, vault *files.InstallVault, namespace, secretName string) error
CreateSecretFromVault creates or updates a Kubernetes secret with the contents of a Vault in the target cluster.
Each vault entry is mapped to one or more secret keys:
- File entries produce a single key equal to the entry name.
- Field entries produce "entryName.password" and, when present, "entryName.username".
type VaultTemplatingSecretStore ¶
type VaultTemplatingSecretStore struct {
// contains filtered or unexported fields
}
VaultTemplatingSecretStore resolves secrets referenced from config templates against a SOPS-encrypted install vault. The vault can either be provided directly or loaded lazily from disk on first lookup.
func NewLazyVaultTemplatingSecretStore ¶
func NewLazyVaultTemplatingSecretStore(vaultPath, ageKeyPath string) *VaultTemplatingSecretStore
NewLazyVaultTemplatingSecretStore returns a store that decrypts and loads the vault from vaultPath using ageKeyPath on the first secret lookup.
func NewVaultTemplatingSecretStore ¶
func NewVaultTemplatingSecretStore(vault *files.InstallVault) *VaultTemplatingSecretStore
NewVaultTemplatingSecretStore returns a store backed by an already-decrypted vault.
func NewVaultTemplatingSecretStoreFromFile ¶
func NewVaultTemplatingSecretStoreFromFile(vaultPath, ageKeyPath string) (*VaultTemplatingSecretStore, error)
NewVaultTemplatingSecretStoreFromFile decrypts and loads the vault from vaultPath using ageKeyPath and returns a store backed by it.
func (*VaultTemplatingSecretStore) LookupSecret ¶
func (s *VaultTemplatingSecretStore) LookupSecret(name string, selector ...string) (string, error)
LookupSecret returns the value of the named secret, optionally narrowed by a field selector (e.g. "password", "file.content"). The vault is loaded lazily on first use when the store was created without a preloaded vault.