This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.
For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.
For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:
```
# GNU sed (Linux): -i edits in place with no backup suffix
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
# BSD sed (macOS): -i requires an explicit (here empty) backup suffix argument
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
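The following is an added example, not part of the commit above or of the SOPS project: a portable variant of the same module-path rewrite that sidesteps the GNU/BSD `sed -i` difference by writing through a temporary file, touches only files that actually reference the old path, and finishes with a check that no reference to the old path remains. The sample repository it builds (`make_sample_repo`) is constructed for the demonstration; the `v0.0.0-placeholder` version string is a placeholder, not a real release.

```shell
#!/bin/sh
# Added example: portable rewrite of a Go module path across a repository.
# Not code from the SOPS project; the sample repo below is constructed.

OLD_PATH='go.mozilla.org/sops/v3'
NEW_PATH='github.com/getsops/sops/v3'

# Rewrite every *.go and go.mod file under $1 from OLD_PATH to NEW_PATH.
# Works with both GNU and BSD sed because it never relies on the -i flag.
rewrite_module_path() {
  repo="$1"
  find "$repo" -type f \( -name '*.go' -o -name 'go.mod' \) -print |
  while IFS= read -r f; do
    # Skip files that do not mention the old path, so untouched files keep their mtime.
    if grep -q "$OLD_PATH" "$f"; then
      sed "s|$OLD_PATH|$NEW_PATH|g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
  done
}

# Count files under $1 that still reference the old path; 0 means the rewrite is complete.
remaining_old_refs() {
  find "$1" -type f \( -name '*.go' -o -name 'go.mod' \) -exec grep -l "$OLD_PATH" {} + 2>/dev/null |
  wc -l | tr -d ' '
}

# Build a throwaway repository with constructed go.mod and Go source files.
make_sample_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/cmd"
  # Constructed go.mod; the version is a placeholder, not a real SOPS release.
  printf 'module example.com/app\n\ngo 1.19\n\nrequire go.mozilla.org/sops/v3 v0.0.0-placeholder\n' > "$dir/go.mod"
  # Constructed Go file importing the old module path.
  printf 'package main\n\nimport (\n\t"go.mozilla.org/sops/v3/decrypt"\n)\n\nfunc main() { _ = decrypt.Data }\n' > "$dir/cmd/main.go"
  printf '%s' "$dir"
}
```

After running `rewrite_module_path /path/to/repo` and confirming `remaining_old_refs /path/to/repo` prints `0`, run `go mod tidy` in the repository so that `go.sum` is refreshed for the new module path; neither the one-liner in the commit nor this script touches `go.sum`.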
Most of the rewritten key sources introduced `WithError` calls, which
do not appear to go well with the UX of the CLI. This reverts it to
be semi-equal to current `master`.
During the diff, I noticed the current age implementation in master
does make use of `WithError`, which makes me wonder if errors are not
returned twice at present in the CLI.
Signed-off-by: Hidde Beydals <hello@hidde.co>
By addressing the bug in the introduced logic around
the `GOOGLE_CREDENTIALS` environment variable.
The variable is now only taken into account when set, and actually
containing a value.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This appears to be a 7-year-old, unmaintained, unused artifact from
around the time things were still written in Python, as observed
earlier in #1234.
As this now actively triggers a security warning due to an outdated
dependency, remove it.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This appears to be only used for pushing Docker images to a registry we
no longer have access to.
As we need to rework the release process as a whole (using GitHub
Actions), remove it for now, as the only thing it yields at present
is failure notifications in my inbox.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
The generated password from `az` no longer appears to be a UUID,
but a randomly generated string instead.
Given there is also a UUID attached to the Secret object that holds this
value, it is better to be explicit to guide users.
In addition, the tenant is always a UUID (and not _any_ ID).
Signed-off-by: Hidde Beydals <hello@hidde.co>
This should be the last major change in their SDK with regard to
changing method signatures and/or the way the client is constructed.
I manually ran the integration test suite which passes without any
issues.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates Go used for builds to 1.19, and updates a forgotten
Alpine 3.15 version in a `Dockerfile` to 3.16.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Bare minimum to get this going again, including an update of
dependencies.
It's worth noting that there is a detachment between the GitHub Action
workflow and running this locally, as there are assumptions around:
1. Having the `pgp/sops_functional_tests_key.asc` imported.
2. Having a Vault server running for two functional tests.
The `functional-tests` Make target does not facilitate this, and
putting something in place using a temporary `GNUPGHOME` and a
container image would likely be a welcome future improvement.
In addition, there is Rust code in `validation/` which appears to be an
artifact from an ancient Python library[1][2]. This should probably be
removed in the future.
[1]: https://github.com/getsops/sops/tree/python-sops
[2]: https://pypi.org/project/sops/
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
The application which enforces this (https://github.com/apps/dco)
has been added to the GitHub organization, and is enabled for all
repositories of the organization going forward.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This updates the Vault API and client to latest, adds more extensive
test coverage, and general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- Vault API and client have been updated to latest.
- It introduces a `Token` type which holds a Vault token, and can be
applied to the `MasterKey`. When applied, the token is used in the
Vault client configuration, instead of relying on the `VAULT_TOKEN`
environment variable, or the `.vault-token` file in the user's home
directory. This is most useful when working with SOPS as an SDK, in
combination with e.g. a local key service server implementation.
- Extensive test coverage.
The forked version of this has compatibility tests to ensure it works
with current SOPS:
- 62fb2d96a2/internal/sops/hcvault/keysource_test.go (L130)
- 62fb2d96a2/internal/sops/hcvault/keysource_test.go (L202)
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the GCP KMS client to latest, adds more extensive test
coverage, and general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- Updates the deprecated `google.golang.org/api/cloudkms/v1` to
`cloud.google.com/go/kms/apiv1`.
- It introduces a `CredentialJSON` type which holds a Service Account
credential file, and can be applied to the `MasterKey`.
When applied, the provided credentials are used in the GCP KMS
service client configuration, instead of relying on
`GOOGLE_CREDENTIALS`, or the default client environment variables.
This is most useful when working with SOPS as an SDK, in combination
with e.g. a local key service server implementation.
- Test coverage.
The forked version of this has compatibility (and integration) tests to
ensure it works with current SOPS:
- cbb0fc9df5/internal/sops/gcpkms/keysource_integration_test.go (L39)
- cbb0fc9df5/internal/sops/gcpkms/keysource_integration_test.go (L59)
Co-authored-by: Somtochi Onyekwere <somtochi@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This was only required for the test mocks for the V1 AWS SDK tests,
which have been removed with the rewrite to V2.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the AWS SDK for Go to V2, adds extensive test coverage
based on a mocking server, and a general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- AWS SDK has been updated to V2. There are still bits in `publish/`
which would need updating to drop the dependency on V1.
- It introduces a `CredentialsProvider` type which holds an
`aws.CredentialsProvider`, and can be applied to the `MasterKey`.
When applied, the provider is used in the AWS client configuration
instead of relying on the SDK default (environmental) values.
This is most useful when working with SOPS as an SDK, in combination
with e.g. a local key service server implementation.
- Extensive test coverage. STS session implementation details are not
tested due to mocking complexities, but the wiring is.
The forked version of this has compatibility tests to ensure it works
with current SOPS:
- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L134)
- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L200)
Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>