- github.com/Azure/azure-sdk-for-go/sdk/azidentity to v1.4.0
- github.com/ProtonMail/go-crypto to v0.0.0-20230923063757-afb1ddc0824c
- github.com/google/go-cmp to v0.6.0
- golang.org/x/net to v0.17.0
- google.golang.org/api to v0.146.0
- google.golang.org/genproto/googleapis/rpc to v0.0.0-20231009173412-8bfb1ae86b6c
- google.golang.org/grpc to v1.58.3
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
- cloud.google.com/go/storage to v1.33.0
- github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.2
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys to v1.0.1
- github.com/ProtonMail/go-crypto to v0.0.0-20230828082145-3c4c8a2d2371
- github.com/aws/aws-sdk-go-v2/config to v1.18.39
- github.com/aws/aws-sdk-go-v2/credentials to v1.13.37
- github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.83
- github.com/hashicorp/vault/api to v1.10.0
- golang.org/x/net to v0.15.0
- golang.org/x/sys to v0.12.0
- golang.org/x/term to v0.12.0
- google.golang.org/api to v0.139.0
- google.golang.org/genproto/googleapis/rpc to v0.0.0-20230911183012-2d3300fd4832
- google.golang.org/grpc to v1.58.0
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This changes the logic of parsing the `version.go` file from a certain
branch to instead make use of the GitHub latest release redirect or
API[1] endpoints for checking if `sops` is on the latest version.
This detaches any future release of SOPS from specific file structures
and/or branches, and would (theoretically) free it from the requirement of
having to bump the version in-code during release (as this is also done
using `-ldflags` during build), were it not for the fact that we have
to maintain it for backwards compatibility.
[1]: https://docs.github.com/en/free-pro-team@latest/rest/releases/releases?apiVersion=2022-11-28#get-the-latest-release
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
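The release check the commit above describes, as an added example that is not the author's or the SOPS project's code: it reads the tag out of the `releases/latest` redirect's Location header without following the redirect, extracts `tag_name` from the API document linked at [1], and compares versions numerically rather than as strings. The `getsops/sops` paths are served by a constructed offline test server, the `v3.8.0` and `3.7.3` versions are constructed sample values, and all function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// latestFromRedirect fetches "releases/latest" without following the redirect and reads the tag from Location.
func latestFromRedirect(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 300 || resp.StatusCode > 399 {
		return "", fmt.Errorf("expected a redirect, got HTTP %d", resp.StatusCode)
	}
	loc := resp.Header.Get("Location")
	_, tag, ok := strings.Cut(loc, "/releases/tag/")
	if !ok || tag == "" {
		return "", fmt.Errorf("unexpected redirect target %q", loc)
	}
	return tag, nil
}

// tagFromReleaseJSON extracts tag_name from a "get the latest release" API body.
func tagFromReleaseJSON(body []byte) (string, error) {
	var release struct {
		TagName string `json:"tag_name"`
	}
	if err := json.Unmarshal(body, &release); err != nil || release.TagName == "" {
		return "", fmt.Errorf("release document has no usable tag_name (%v)", err)
	}
	return release.TagName, nil
}

// parseVersion turns "v3.8.0" or "3.8.0" into numbers; "-rc.1"/"+meta" suffixes are stripped, not ordered.
func parseVersion(v string) ([3]int, error) {
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// IsLatest reports whether current is at least as new as latest, numerically (3.10.0 sorts after 3.9.2).
func IsLatest(current, latest string) (bool, error) {
	c, err := parseVersion(current)
	if err != nil {
		return false, err
	}
	l, err := parseVersion(latest)
	if err != nil {
		return false, err
	}
	for i := range c {
		if c[i] != l[i] {
			return c[i] > l[i], nil
		}
	}
	return true, nil
}

// newFakeGitHub is a constructed stand-in for github.com so the check runs offline: /releases/latest redirects to the tag page.
func newFakeGitHub(tag string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/getsops/sops/releases/latest", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/getsops/sops/releases/tag/"+tag, http.StatusFound)
	})
	return httptest.NewServer(mux)
}

// noFollow is an HTTP client that hands back the 3xx response instead of following it.
var noFollow = &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
	return http.ErrUseLastResponse
}}

func main() {
	srv := newFakeGitHub("v3.8.0") // constructed tag, not a statement about real releases
	defer srv.Close()
	latest, err := latestFromRedirect(noFollow, srv.URL+"/getsops/sops/releases/latest")
	upToDate, _ := IsLatest("3.7.3", latest) // constructed current version
	fmt.Println("latest:", latest, "up to date:", upToDate, "err:", err)
}
```

Not following the redirect matters: the tag is in the Location header, and following it would fetch an HTML page instead. A build-time version with a `-rc` suffix compares as its release core here, so a pre-release would report itself as current once the final tag is out; that is a deliberate simplification, not semver ordering.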
- cloud.google.com/go/storage to v1.32.0
- github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.1
- github.com/Azure/azure-sdk-for-go/sdk/azidentity to v1.3.1
- github.com/ProtonMail/go-crypto to v0.0.0-20230717121422-5aa5874ade95
- github.com/aws/aws-sdk-go-v2 to v1.21.0
- github.com/aws/aws-sdk-go-v2/config to v1.18.36
- github.com/aws/aws-sdk-go-v2/credentials to v1.13.35
- github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.80
- github.com/aws/aws-sdk-go-v2/service/kms to v1.24.5
- github.com/aws/aws-sdk-go-v2/service/s3 to v1.38.5
- github.com/aws/aws-sdk-go-v2/service/sts to v1.21.5
- google.golang.org/api to v0.138.0
- google.golang.org/genproto to v0.0.0-20230822172742-b8732ec3820d
- google.golang.org/genproto/googleapis/rpc to v0.0.0-20230822172742-b8732ec3820d
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Deprecation of `io/ioutil`, removal of unused functions, possible nil
pointer dereference, and other tiny nits.
There are (many) more, but these would require their own (commit)
context.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
- github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.0
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys to v1.0.0
This includes dealing with some breaking changes, which should be the
last ones for the foreseeable future as they tagged it as the first
MAJOR.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
- github.com/aws/aws-sdk-go-v2 to v1.20.1
- github.com/aws/aws-sdk-go-v2/config to v1.18.33
- github.com/aws/aws-sdk-go-v2/credentials to v1.13.32
- github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.77
- github.com/aws/aws-sdk-go-v2/service/kms to v1.24.2
- github.com/aws/aws-sdk-go-v2/service/s3 to v1.38.2
- github.com/aws/aws-sdk-go-v2/service/sts to v1.21.2
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.
For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.
For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:
```
# GNU sed (Linux): -i edits in place without a backup file
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
# BSD sed (macOS): -i requires a backup suffix argument, here empty
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This should be the last major change in their SDK with regard to
changing method signatures and/or the way the client is constructed.
I manually ran the integration test suite which passes without any
issues.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the Vault API and client to latest, adds more extensive
test coverage, and general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- Vault API and client have been updated to latest.
- It introduces a `Token` type which holds a Vault token, and can be
applied to the `MasterKey`. When applied, the token is used in the
Vault client configuration, instead of relying on the `VAULT_TOKEN`
environment variables, or the `.vault-token` file in the user's home
directory. This is most useful when working with SOPS as an SDK, in
combination with e.g. a local key service server implementation.
- Extensive test coverage.
The forked version of this has compatibility tests to ensure it works
with current SOPS:
- 62fb2d96a2/internal/sops/hcvault/keysource_test.go (L130)
- 62fb2d96a2/internal/sops/hcvault/keysource_test.go (L202)
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the GCP KMS client to latest, adds more extensive test
coverage, and general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- Updates the deprecated `google.golang.org/api/cloudkms/v1` to
`cloud.google.com/go/kms/apiv1`.
- It introduces a `CredentialJSON` type which holds a Service Account
credential file, and can be applied to the `MasterKey`.
When applied, the provided credentials are used in the GCP KMS
service client configuration, instead of relying on
`GOOGLE_CREDENTIALS`, or the default client environment variables.
This is most useful when working with SOPS as an SDK, in combination
with e.g. a local key service server implementation.
- Test coverage.
The forked version of this has compatibility (and integration) tests to
ensure it works with current SOPS:
- cbb0fc9df5/internal/sops/gcpkms/keysource_integration_test.go (L39)
- cbb0fc9df5/internal/sops/gcpkms/keysource_integration_test.go (L59)
Co-authored-by: Somtochi Onyekwere <somtochi@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the AWS SDK for Go to V2, adds extensive test coverage
based on a mocking server, and a general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- AWS SDK has been updated to V2. There are still bits in `publish/`
which would need updating to drop the dependency on V1.
- It introduces a `CredentialsProvider` type which holds an
`aws.CredentialsProvider`, and can be applied to the `MasterKey`.
When applied, the provider is used in the AWS client configuration
instead of relying on the SDK default (environmental) values.
This is most useful when working with SOPS as an SDK, in combination
with e.g. a local key service server implementation.
- Extensive test coverage. STS session implementation details are not
tested due to mocking complexities, but the wiring is.
The forked version of this has compatibility tests to ensure it works
with current SOPS:
- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L134)
- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L200)
Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the Azure SDK to latest[1], while dropping the custom
authentication flow in favor of the SDK default[2]. It includes
integration tests, which require the `integration` Go build tag and
a set of environmental variables to be configured in order to run:
```
PASS
coverage: 81.2% of statements
ok go.mozilla.org/sops/v3/azkv 5.376s coverage: 81.2% of statements
```
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- Azure SDK has been updated to latest, including integration test
coverage.
- Custom authentication flow has been dropped in favor of the SDK
default[2]. This should work well on almost any system and is
generally the go-to way of setting this up, including on cloud
environments, etc.
- It introduces a `TokenCredential` type which holds an
`azcore.TokenCredential`, and can be applied to a `MasterKey`.
When applied, the token is used instead of the SDK default. This is
most useful when working with SOPS as an SDK, in combination with
e.g. a local key service server implementation.
- Extensive test coverage.
The forked version of this has compatibility tests to ensure it works
with current SOPS:
- 327a3560b3/internal/sops/azkv/keysource_integration_test.go (L89)
- 327a3560b3/internal/sops/azkv/keysource_integration_test.go (L117)
[1]: https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/keyvault/azkeys
[2]: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential
Signed-off-by: Hidde Beydals <hello@hidde.co>
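The credential-injection pattern that the Vault, GCP KMS, AWS KMS and Azure Key Vault commits above all describe (a credential type that can be applied to a `MasterKey` and then takes precedence over ambient sources), modelled for the Vault case as an added stand-alone example. This is not the SOPS key-source code and does not import it: `MasterKey` and `Token` are the names the commit message uses, while `ApplyToMasterKey`, `Credential`, `ResolveCredential`, `ResolveAll` and the sample keys and tokens are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// MasterKey models a key-source master key. Only the fields needed to show how
// credentials are resolved are present; this is not the sops MasterKey type.
type MasterKey struct {
	VaultAddress string
	EnginePath   string
	KeyName      string

	token string // set by Token.ApplyToMasterKey; empty means "fall back to ambient sources"
}

// Token holds a Vault token that can be bound to one MasterKey (the method
// name is an assumption modelled on the commit message, not the sops API).
type Token string

// ApplyToMasterKey binds the token to the key so that a client built for this
// key never consults process-wide environment or home-directory state.
func (t Token) ApplyToMasterKey(key *MasterKey) {
	key.token = string(t)
}

// Credential is a resolved token plus the source it came from, so callers and
// tests can see whether ambient state was used.
type Credential struct {
	Token  string
	Source string // "applied", "VAULT_TOKEN" or ".vault-token"
}

// ErrNoCredentials is returned when nothing usable is found; failing early is
// preferable to building a client that would make unauthenticated calls.
var ErrNoCredentials = errors.New("no Vault token: apply a Token to the MasterKey or set VAULT_TOKEN")

// ResolveCredential returns the token a client for key should use, in the
// precedence order the commit describes: an applied Token first, then the
// VAULT_TOKEN variable, then ~/.vault-token. getenv and homeDir are injected
// so the fallbacks can be exercised offline without touching the real process.
func ResolveCredential(key *MasterKey, getenv func(string) string, homeDir string) (Credential, error) {
	if key.token != "" {
		return Credential{Token: key.token, Source: "applied"}, nil
	}
	if v := getenv("VAULT_TOKEN"); v != "" {
		return Credential{Token: v, Source: "VAULT_TOKEN"}, nil
	}
	if homeDir != "" {
		if b, err := os.ReadFile(filepath.Join(homeDir, ".vault-token")); err == nil {
			if v := strings.TrimSpace(string(b)); v != "" {
				return Credential{Token: v, Source: ".vault-token"}, nil
			}
		}
	}
	return Credential{}, ErrNoCredentials
}

// ResolveAll resolves every key independently, which is what a key service
// serving several key groups needs: one key's token is never reused for
// another key just because it happens to be set in the environment.
func ResolveAll(keys []*MasterKey, getenv func(string) string, homeDir string) ([]Credential, error) {
	creds := make([]Credential, 0, len(keys))
	for _, k := range keys {
		c, err := ResolveCredential(k, getenv, homeDir)
		if err != nil {
			return nil, fmt.Errorf("%s/%s: %w", k.EnginePath, k.KeyName, err)
		}
		creds = append(creds, c)
	}
	return creds, nil
}

func main() {
	// Constructed keys and tokens; the address, engine and key names are placeholders.
	tenantA := &MasterKey{VaultAddress: "https://vault.example:8200", EnginePath: "transit", KeyName: "tenant-a"}
	tenantB := &MasterKey{VaultAddress: "https://vault.example:8200", EnginePath: "transit", KeyName: "tenant-b"}
	Token("hvs.CONSTRUCTED-TOKEN-A").ApplyToMasterKey(tenantA)
	Token("hvs.CONSTRUCTED-TOKEN-B").ApplyToMasterKey(tenantB)
	noEnv := func(string) string { return "" }
	creds, err := ResolveAll([]*MasterKey{tenantA, tenantB}, noEnv, "")
	fmt.Println(creds, err)
}
```

The point the commits make is scoping: `VAULT_TOKEN` and `~/.vault-token` are process-wide, so in a key service that decrypts for several key groups every key would share them, whereas an applied token is bound to the single `MasterKey` it was given to. Resolution fails closed when nothing was applied or set, and `Source` makes it visible in logs or tests which path was taken.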
* Add another test (that currently fails).
* First shot at using yaml.v3 for reading YAML files with comments.
* Allow parsing multi-document YAML files.
* Use Decoder to parse multi-part documents.
* Use yaml.v3 for config and audit.
* First step of serializing YAML using yaml.v3.
* Always serialize with yaml.v3.
* Remove debug prints.
* Remove traces of github.com/mozilla-services/yaml.
* Improve serialization of documents consisting only of comments.
* Improve handling of some empty documents.
* Adjust to latest changes in go-yaml/yaml#684.
* Bump yaml.v3 version, temporarily disable failing tests.
* Run go mod tidy.
* Fix CI.
* Use age/armor for encrypted data key
Currently the encrypted data key is stored as a binary value, and this
results in SOPS encrypted DOTENV files having weird binary characters.
This changes the encrypt/decrypt methods to use the armor reader writer
provided by: filippo.io/age/armor
Signed-off-by: Andreas Amstutz <tullo@users.noreply.github.com>
* upgrade filippo.io/age to v1.0.0-beta7
Signed-off-by: Andreas Amstutz <tullo@users.noreply.github.com>
* add unit test
Signed-off-by: Andreas Amstutz <tullo@users.noreply.github.com>
Co-authored-by: Andreas Amstutz <tullo@users.noreply.github.com>