

Added mixed encryption example.
vlasov-y committed Nov 13, 2024
1 parent 964a4de commit 8163ee2
Showing 7 changed files with 87 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Makefile
@@ -24,7 +24,7 @@ endif
export PATH:=$(GOBIN):${PATH}

# Allows for defining additional Go test args, e.g. '-tags integration'.
GO_TEST_ARGS ?= -run ^TestKustomizationReconciler_Decryptor$
GO_TEST_ARGS ?=

# Allows for defining additional Docker buildx arguments, e.g. '--push'.
BUILD_ARGS ?= --load
4 changes: 4 additions & 0 deletions internal/controller/kustomization_decryptor_test.go
@@ -174,6 +174,10 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-patches-secret", Namespace: id}, &patchedSecret)).To(Succeed())
g.Expect(string(patchedSecret.Data["key"])).To(Equal("merge1"))
g.Expect(string(patchedSecret.Data["merge2"])).To(Equal("merge2"))

var pod corev1.Pod
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-mix-pod", Namespace: id}, &pod)).To(Succeed())
g.Expect(len(pod.Spec.Containers)).To(Equal(2))
})

t.Run("does not emit change events for identical secrets", func(t *testing.T) {
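Review bot: The new assertions only check that `sops-mix-pod` ends up with two containers, which does not show that the partially encrypted `env` entry from pod.yaml was decrypted or that the plaintext `env` from patch.yaml survived the merge. Assert on the env entries as well, for example `g.Expect(c.Env[0].Value).ToNot(HavePrefix("ENC["))` for each container `c` in `pod.Spec.Containers`, alongside `g.Expect(pod.Spec.Containers).To(HaveLen(2))`. The surrounding subtest begins before this hunk, so whether an earlier step already fails on undecrypted values cannot be seen here.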
4 changes: 4 additions & 0 deletions internal/controller/testdata/sops/.sops.yaml
@@ -15,6 +15,10 @@ creation_rules:
encrypted_regex: ".*"
age: &age age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29

- path_regex: pod\.yaml$
encrypted_regex: env
age: *age

- path_regex: \.yaml$
encrypted_regex: *encrypted_regex
age: *age
1 change: 1 addition & 0 deletions internal/controller/testdata/sops/kustomization.yaml
@@ -8,5 +8,6 @@ resources:
- patches
- inside
- remote
- mix
components:
- ./component
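--- a/internal/controller/testdata/sops/mix/kustomization.yaml
+++ b/internal/controller/testdata/sops/mix/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: mix-
+resources:
+- pod.yaml
+patches:
+- path: patch.yaml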
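--- a/internal/controller/testdata/sops/mix/patch.yaml
+++ b/internal/controller/testdata/sops/mix/patch.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: pod
+spec:
+containers:
+- name: patched
+image: nginx:stable-alpine
+env:
+- name: ThatEnvIsEncrypted
+value: but the main one is not
+resources:
+limits:
+memory: 50Mi
+cpu: 50m
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNVF4Vm1kRGdnbGlqYTJX
+c0swbms2OE5sTVFacVRwZHB1K0RaWlBtc0FFCkVTMVg5S1orVzVWMVpkdlEvNm9z
+emx4N3Vncm1CSnIzNkJiZ2daVXg3dkkKLS0tIHBNT0ZwWFdhbTljNCtFVXkwNjli
+MkNDWFQ4Yk5FRWJxcmg4Q1U5ZzRDZ2MKeDN0cOJYZmFYC5FtuQ1R5c1bbKAkFuPM
+pHYRXCN457kJPKzjRVVfQO1VbgsPtSEkHxEqmbGJn5GSMI3nzUW4vQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-11-13T11:21:33Z"
+mac: ENC[AES256_GCM,data:ufNIQBVUDIPPVIrhfdshNXJPyasZdLvf69CIiR7s1U4KpMaOfvt9X/tJpvHCD0BuQN0u1vHVLBaZsYUMIlqbpQ41eKccPBtK6fuEx21CmZ+hJI8Bwfuu37mxF2bg20vrwtWqC4qxmn+tQqkRO5mHQDqk7kVzCRlP4i+nVkanf8Y=,iv:yzj8EBZF6q1GpytMqdIOQtSsmcsLGUN6jNyopYHxSeg=,tag:l2WqEjihDCGEyvaIGHKZUw==,type:str]
+pgp: []
+encrypted_regex: ^(data|stringData)$
+version: 3.9.0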
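Review bot: Nothing in patch.yaml is actually encrypted: its `sops` block records `encrypted_regex: ^(data|stringData)$`, the Pod has neither key, so the `env` name and value are stored in plaintext and are at most integrity-protected by the MAC. That looks like the intended "mixed" case, since the new `.sops.yaml` rule with `encrypted_regex: env` matches only `pod\.yaml$`, but the env name `ThatEnvIsEncrypted` reads as the opposite. State the intent where readers will see it, for instance a comment in the subtest such as `// patch.yaml carries sops metadata but no encrypted values; only pod.yaml's env is encrypted`, so the layout is not copied on the assumption that values in the patch are protected.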
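--- a/internal/controller/testdata/sops/mix/pod.yaml
+++ b/internal/controller/testdata/sops/mix/pod.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: pod
+spec:
+containers:
+- name: main
+image: nginx:stable-alpine
+env:
+- name: ENC[AES256_GCM,data:vcqm/OT7suPAQTUDCMNw4wg=,iv:pY047fxZySu8rQ4Z/oYfZ80S7nbLUBWXHP6DU1kJMKg=,tag:xdAUqlNNdnxHxLjjl1Wyow==,type:str]
+value: ENC[AES256_GCM,data:x9nGJZnm5rSsKh2iIxT5NFjRoJg=,iv:1bSCgQIV9+Z9rRcUSEpdPVQWMDVkM4OKxk8ea1bn0pk=,tag:AcE8iVIF+QoGKPBVAhBx8A==,type:str]
+resources:
+limits:
+memory: 50Mi
+cpu: 50m
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORkE5Q1V6NFlHM0tRc1Bp
+aWVmTDJTZTRBZC9PczF1cE9wZlY4dGhGVmc0CndUR2FUdVhuNit1anY2ODFkQWM0
+NUtWcjF3R3gzSHQwU2tzNytGQk5CaWsKLS0tIEd2MmZ2Z3phMUd5OTdkUnRJVXpN
+U2VRS1gzcjN1N1BwdjJOdEE5Z2M3eE0KJ1ReVeaL83qTYGw/bO4nas8BQYhl1JpK
+O1AMcJ4lmH/IrSkf65UnRIdVg645UuhwhNFSEiSyIkuqkACUZeiCMg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-11-13T11:21:30Z"
+mac: ENC[AES256_GCM,data:sD/2WIG7KxAKV/eG2Ht2Y/iY/NBM8W21QgQYpuLVpChZSBlWEbHx14qWyH4HfMD7P53+cugCzqxbPTUZyb8yYFy0CxBbYKojAOvD3iEPDBXsdoIW00Lj8gWydibBz4CYywHdlmu1gdCjafueDeeQqe2oqPg2S4treqAE2oU4ys8=,iv:NQHfiJ7P+TcSGrvxFFPn3PIuuFuRzkS8E0JNh14ClB0=,tag:tByyknlD06zv4s7m/yXvuQ==,type:str]
+pgp: []
+encrypted_regex: env
+version: 3.9.0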
