sopsutil

package
v7.9.2 Latest
Warning

This package is not in the latest version of its module.
Published: May 2, 2026 License: GPL-3.0 Imports: 9 Imported by: 0

Documentation

Overview

Package sopsutil provides shared helpers for SOPS Age key resolution and secret building used by both the ArgoCD and Flux installers.

Constants

const AgeSecretKeyPrefix = "AGE-SECRET-KEY-"

AgeSecretKeyPrefix is the prefix for Age private keys.

const (
	// SopsAgeSecretName is the name of the Kubernetes secret used for SOPS Age decryption.
	SopsAgeSecretName = "sops-age"
)

Variables

var ErrNoMatchingAgeKey = errors.New(
	"no private key matches the configured public keys",
)

ErrNoMatchingAgeKey indicates public keys were configured but no matching private key was found.

var ErrSOPSKeyNotFound = errors.New(
	"SOPS is enabled but no Age key found",
)

ErrSOPSKeyNotFound indicates SOPS is explicitly enabled but no key was found.

Functions

func BuildSopsAgeSecret

func BuildSopsAgeSecret(namespace, ageKey string) *corev1.Secret

BuildSopsAgeSecret constructs the Kubernetes Secret for SOPS Age decryption in the given namespace. This shared helper is used by both the Flux and ArgoCD installers.

func ExtractAgeKey

func ExtractAgeKey(input string) string

ExtractAgeKey finds and returns the first AGE-SECRET-KEY-... line from the input. Used for single-key extraction (e.g. from env var).

func ExtractAllAgeKeys added in v7.4.0

func ExtractAllAgeKeys(input string) []string

ExtractAllAgeKeys extracts all AGE-SECRET-KEY-... lines from the input.

func FilterKeysByPublicKeys added in v7.4.0

func FilterKeysByPublicKeys(privateKeys, publicKeys []string) ([]string, error)

FilterKeysByPublicKeys filters private keys to only those whose derived public key matches one of the given public keys. Uses age.ParseX25519Identity to derive the public key from each private key. Empty entries in publicKeys are silently skipped.

func ResolveAgeKey

func ResolveAgeKey(sops v1alpha1.SOPS) (string, error)

ResolveAgeKey resolves the Age private key(s) from available sources. Priority: (1) environment variable, (2) local key file. When extracting from a key file, all keys are returned and optionally filtered by SOPS.Extract.PublicKeys. Returns the key(s) as a newline-joined string, or empty if not found.

func ResolveEnabledAgeKey

func ResolveEnabledAgeKey(sops v1alpha1.SOPS) (string, error)

ResolveEnabledAgeKey checks the SOPS configuration and resolves the Age private key(s). It respects explicit enable/disable and falls back to auto-detection. Returns ("", nil) when SOPS should be skipped.
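
A stand-alone sketch of the contract documented above for ExtractAllAgeKeys, ResolveAgeKey and ResolveEnabledAgeKey, added here as an example and not the package's own code. The tri-state `enabled` flag, the lowercase function names, and passing the environment value and key-file content as plain strings are assumptions; the key bodies are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const ageSecretKeyPrefix = "AGE-SECRET-KEY-" // same value as AgeSecretKeyPrefix

var errKeyNotFound = errors.New("SOPS is enabled but no Age key found")

// extractAll returns every line that starts with the Age secret-key prefix,
// skipping comments such as "# public key: ..." and tolerating CRLF endings.
func extractAll(input string) []string {
	var keys []string
	for _, line := range strings.Split(input, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, ageSecretKeyPrefix) {
			keys = append(keys, line)
		}
	}
	return keys
}

// resolve models the documented order: environment value first (single key),
// then key-file content (all keys, newline-joined). enabled is a hypothetical
// tri-state: nil = auto-detect, true = required, false = skip.
func resolve(enabled *bool, envValue, keyFile string) (string, error) {
	if enabled != nil && !*enabled {
		return "", nil // explicitly disabled: skip without error
	}
	if keys := extractAll(envValue); len(keys) > 0 {
		return keys[0], nil
	}
	if keys := extractAll(keyFile); len(keys) > 0 {
		return strings.Join(keys, "\n"), nil
	}
	if enabled != nil && *enabled {
		return "", errKeyNotFound // required but missing: fail closed
	}
	return "", nil // auto-detect found nothing: skip
}

func main() {
	// Constructed key file; the key bodies are placeholders, not real keys.
	file := "# created: 2026-01-01\r\n# public key: age1placeholder\r\n" +
		"AGE-SECRET-KEY-PLACEHOLDERONE\r\nAGE-SECRET-KEY-PLACEHOLDERTWO\r\n"
	key, err := resolve(nil, "", file)
	fmt.Println(len(strings.Split(key, "\n")), err) // count only, never the key
}
```

The distinction to preserve in callers is between `("", nil)`, which means skip creating the `sops-age` secret, and the not-found error, which should stop the install rather than continue without decryption.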

Types

This section is empty.
