this will allow for setting of parameters specific to each store, such
as indentation level for YAML
Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com>
Signed-off-by: James J. Goodhouse <jgoodhouse@newrelic.com>
Deprecation of `io/ioutil`, removal of unused functions, possible nil
pointer dereference, and other tiny nits.
There are (many) more, but these would require their own (commit)
context.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.
For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.
For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:
```
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
I encountered an issue when I tried so specify multiple age recipients
in the .sops.yaml config file of my repository.
I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.
However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:
```yaml
creation_rules:
- encrypted_regex: '^(data|stringData|spec)$'
age: 'agePubKey1,agePubKey2'
```
However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.
After digging a bit trough the code, I think this should fix it.
I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
* Add another test (that currently fails).
* First shot at using yaml.v3 for reading YAML files with comments.
* Allow parsing multi-document YAML files.
* Use Decoder to parse multi-part documents.
* Use yaml.v3 for config and audit.
* First step of serializing YAML using yaml.v3.
* Always serialize with yaml.v3.
* Remove debug prints.
* Remove traces of github.com/mozilla-services/yaml.
* Improve serialization of documents consisting only of comments.
* Improve handling of some empty documents.
* Adjust to latest changes in go-yaml/yaml#684.
* Bump yaml.v3 version, temporarily disable failing tests.
* Run go mod tidy.
* Fix CI.
* feat: initial adding of vualt transit backend to sops
initial work on integration
feat(vault): added cli coomands working for vualt"
fix(vault): fixed config with correct tests
fix(vault): added vault to keygroup and to keyservice server
fixed metadata load
* feat(docs): added docs in README.md and in command help
fix(doc): fix rst formatting"
fix(doc): fix rst formatting
* fix(vault): addressed typos and fixes from autrilla
feat(cli): moved vault to hc-vault naming
* fix(test): typo while rebasing
* fix typos and imporve error messages for vault kms
* rename package from vault to hcvault
* refactor vault keysource url validation
* add negative test cases for vault keysource
* add hc vault transit config option via objects
additional to URIs
* remove vault_example.yml
* streamline key name to snake case
* rename `BackendPath` to `EnginePath` for hc vault
* correction in hc-vault-transit commands
Signed-off-by: vnzongzna <github@vaibhavk.in>
* resolving conflict
Signed-off-by: vnzongzna <github@vaibhavk.in>
* Apply suggestions from code review
Co-Authored-By: Adrian Utrilla <adrianutrilla@gmail.com>
* allowing only hc_vault_transit_uri as input
Co-Authored-By: gitirabassi
Co-Authored-By: ldue
Signed-off-by: vnzongzna <github@vaibhavk.in>
Co-authored-by: gitirabassi <giacomo@tirabassi.eu>
Co-authored-by: ldue <larsduennwald@gmail.com>
Co-authored-by: Vaibhav Kaushik <vaibhavkaushik@vaibhavka-ltm1.internal.salesforce.com>
Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>
* Add vault/api to vendor/
* Adds support for sops publish-ing to Vault
* Adds support for publishing secrets (unencrypted) to Vault
* Adds a new EmitAsMap for TreeBanches
* Adds documentation about sops publish-ing to Vault
* Initial integration/functional test for publishing to vault
* Implement `sops publish` command
Publishes a file to a pre-configured destination (this lives in the sops
config file). Additionally, support re-encryption rules that work
just like the creation rules. Initial support for S3/GCS.
This is a part of the sops-workspace v2.0 project
Includes the addition of a new dependency:
github.com/googleapis/gax-go/v2
* code review changes; support global --verbose flag
* Switch to recreation_rule with full support
Reencryption rule is now recreation rule and supports everything that a
creation rule does. Now, when you load a config for a file, you load
either the creation rule or the destination rule. I'm not sure about
this style long term, but it allows for support to be added for the
recreation rules without a bigger refactor of how the config file works.
* split loadForFileFromBytes into two functions
remove branching based on destination rule or not, create one for
creation rules and one for destination rules
* pretty diff for keygroup updates in sops publish
