controllers: improve decryptor and add tests #619

Merged: 1 commit from kustomize-decryptor-impr into main on Apr 14, 2022

Conversation

@hiddeco (Member) commented Apr 13, 2022

  • Refactored recursion while iterating over Kustomization files.
    References of files that have been visited are cached, and not
    visited again.
  • Optimized various bits around (un)marshalling (encrypted) data, and
    YAML -> JSON -> YAML roundtrips are prevented where not required.
  • Added support for decrypting INI Kustomize EnvSource references using
    the dedicated SOPS store for the format.
  • Introduced support for decrypting Kustomize FileSources:
    https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/types#DataSources
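The first bullet (a cache of already-visited file references) and the commit message's note that symlinks are confirmed not to traverse outside the working directory describe a pattern that is easy to get subtly wrong. The Go program below is an added example written for this page; it is not code from kustomize-controller or from this PR. It canonicalises every referenced path with filepath.EvalSymlinks, rejects anything that resolves outside the root, and keys the visited cache on the canonical path so that a cycle and a symlink alias of an already-visited file are each handled once. The "ref: <path>" line format, the names secureJoin, Visitor, RunDemo and check, and the temp-dir fixture are all constructed for the demo and stand in for Kustomize's real resources/envs/files fields.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot: a reference resolved (through symlinks) to a file outside root.
var ErrOutsideRoot = errors.New("path resolves outside the working directory")

// secureJoin resolves p against root (an absolute directory), follows every
// symlink, and returns the canonical path only if it still lies inside root.
func secureJoin(root, p string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root) // canonical root (/tmp may itself be a symlink)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(p) {
		p = filepath.Join(absRoot, p)
	}
	resolved, err := filepath.EvalSymlinks(p)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(absRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// Visitor walks files reachable from root; visited is keyed by canonical path,
// so cycles and repeated references (even through a symlink alias) run once.
type Visitor struct {
	root    string
	visited map[string]struct{}
}

// Visit calls fn once for p, then follows its "ref: <path>" lines. That line
// format is a constructed stand-in for Kustomize's resources/envs/files fields.
func (v *Visitor) Visit(p string, fn func(path string, data []byte) error) error {
	resolved, err := secureJoin(v.root, p)
	if err != nil {
		return err
	}
	if _, seen := v.visited[resolved]; seen {
		return nil // cached: cycle or duplicate reference
	}
	v.visited[resolved] = struct{}{}
	data, err := os.ReadFile(resolved)
	if err != nil {
		return err
	}
	if err := fn(resolved, data); err != nil {
		return err
	}
	for _, line := range strings.Split(string(data), "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "ref: ") {
			continue
		}
		next := strings.TrimPrefix(line, "ref: ")
		if !filepath.IsAbs(next) {
			next = filepath.Join(filepath.Dir(resolved), next) // relative to the referencing file
		}
		if err := v.Visit(next, fn); err != nil {
			return err
		}
	}
	return nil
}

// RunDemo builds a constructed fixture (a.yaml and b.yaml reference each other,
// alias.yaml symlinks to a.yaml, escape.yaml symlinks outside root) and walks it.
func RunDemo() (visited int, escapeErr error) {
	tmp, err := os.MkdirTemp("", "decryptor-demo")
	check(err)
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "root")
	check(os.Mkdir(root, 0o755))
	check(os.WriteFile(filepath.Join(tmp, "outside.yaml"), []byte("secret: not-for-you\n"), 0o600))
	check(os.WriteFile(filepath.Join(root, "a.yaml"), []byte("kind: A\nref: b.yaml\n"), 0o600))
	check(os.WriteFile(filepath.Join(root, "b.yaml"), []byte("kind: B\nref: a.yaml\nref: alias.yaml\n"), 0o600))
	check(os.Symlink(filepath.Join(root, "a.yaml"), filepath.Join(root, "alias.yaml")))
	check(os.Symlink(filepath.Join(tmp, "outside.yaml"), filepath.Join(root, "escape.yaml")))
	v := &Visitor{root: root, visited: map[string]struct{}{}}
	count := func(string, []byte) error { visited++; return nil }
	check(v.Visit("a.yaml", count))
	escapeErr = v.Visit("escape.yaml", count) // expected: ErrOutsideRoot
	return visited, escapeErr
}

func check(err error) { // aborts fixture setup on an unexpected error (demo only)
	if err != nil {
		panic(err)
	}
}
```

Two design points carry over to the real decryptor: the containment check must run on the path after symlink resolution (a prefix check on the unresolved string is bypassed by a symlinked directory), and the cache key must be that same canonical path, otherwise a symlink alias of an already-decrypted file is processed again.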

@hiddeco hiddeco added enhancement New feature or request area/sops SOPS related issues and pull requests labels Apr 13, 2022
@hiddeco force-pushed the kustomize-decryptor-impr branch 2 times, most recently from db389a4 to 15a45e3, on April 13, 2022 22:37
@pjbgf (Member) left a comment: LGTM

- Refactored recursion while iterating over Kustomization files.
  References of files that have been visited are cached, and not
  visited again. In addition, symlinks are confirmed to not traverse
  outside the working directory.
- Optimized various bits around (un)marshalling (encrypted) data, and
  YAML -> JSON -> YAML roundtrips are prevented where not required.
- Added support for decrypting INI Kustomize EnvSource references using
  the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
  https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/types#DataSources

Signed-off-by: Hidde Beydals <[email protected]>
@hiddeco force-pushed the kustomize-decryptor-impr branch from 15a45e3 to 105ebd9 on April 14, 2022 07:17
@stefanprodan (Member) left a comment: LGTM

Awesome improvements! Thanks @hiddeco 🥇

@hiddeco hiddeco merged commit ad91006 into main Apr 14, 2022
@hiddeco hiddeco deleted the kustomize-decryptor-impr branch April 14, 2022 07:36
@hiddeco hiddeco added this to the GA milestone Apr 14, 2022
// sopsFormatToMarkerBytes contains a list of formats and their byte
// order markers, used to detect if a Secret data field is SOPS' encrypted.
sopsFormatToMarkerBytes = map[formats.Format][]byte{
// formats.Binary is a JSON envelop at encrypted rest
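Review bot: the doc comment on sopsFormatToMarkerBytes calls the values "byte order markers", but the map holds per-format marker bytes used to sniff whether a Secret data field contains SOPS output, which has nothing to do with a Unicode BOM; suggest "marker bytes" and "SOPS-encrypted" rather than "SOPS' encrypted" so the comment does not mislead readers searching for BOM handling.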
A Contributor suggested a change to this comment line:

// formats.Binary is a JSON envelop at encrypted rest
// formats.Binary is a JSON envelope.

// file it is called with.
// After a successful decrypt, the absolute path of the file is added to the
// given map.
func (d *KustomizeDecryptor) decryptKustomizationEnvSources(visited map[string]struct{}) visitKustomization {
Contributor: See #636 for a few revisions to this method.

Labels: area/sops (SOPS related issues and pull requests), enhancement (New feature or request)
4 participants