Replace the logging of failed encryption and decryption attempts from
error to info level.
This is to address a regression in which an encryption or decryption
attempt with a series of keys would result in a list of failed attempts
logged to stderr even when the operation itself eventually succeeded.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
- github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.0
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys to v1.0.0
This includes dealing with some breaking changes, which should be the
last ones for the foreseeable future as they tagged it as the first
MAJOR.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.
For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.
For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:
```
# GNU sed (Linux): in-place edit without a backup file
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
# BSD sed (macOS): -i requires an explicit (here empty) backup suffix
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This should be the last major change in their SDK with regard to
changing method signatures and/or the way the client is constructed.
I manually ran the integration test suite which passes without any
issues.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the Azure SDK to latest[1], while dropping the custom
authentication flow in favor of the SDK default[2]. It includes
integration tests, which require the `integration` Go build tag and
a set of environmental variables to be configured to be run:
```
PASS
coverage: 81.2% of statements
ok go.mozilla.org/sops/v3/azkv 5.376s coverage: 81.2% of statements
```
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- Azure SDK has been updated to latest, including integration test
coverage.
- Custom authentication flow has been dropped in favor of the SDK
default[2]. This should work well on almost any system and is
generally the go-to way of setting this up, including on cloud
environments, etc.
- It introduces a `TokenCredential` type which holds an
`azcore.TokenCredential`, and can be applied to a `MasterKey`.
When applied, the token is used instead of the SDK default. This is
most useful when working with SOPS as an SDK, in combination with
e.g. a local key service server implementation.
- Extensive test coverage.
The forked version of this has compatibility tests to ensure it works
with current SOPS:
- 327a3560b3/internal/sops/azkv/keysource_integration_test.go (L89)
- 327a3560b3/internal/sops/azkv/keysource_integration_test.go (L117)
[1]: https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/keyvault/azkeys
[2]: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential
Signed-off-by: Hidde Beydals <hello@hidde.co>