sops/keyservice: properly fallback to default

Signed-off-by: Hidde Beydals <[email protected]>
fluxcd · Mar 25, 2022 · 770bffe · 770bffe
1 parent 5d8bcf9
commit 770bffe
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 12 deletions.
diff --git a/controllers/kustomization_decryptor.go b/controllers/kustomization_decryptor.go
@@ -160,14 +160,6 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
  var ageIdentities []string
  var vaultToken string
  for name, value := range secret.Data {
- if name == DecryptionAzureAuthFile {
- azureConf := azkv.AADConfig{}
- if err = azkv.LoadAADConfigFromBytes(value, &azureConf); err != nil {
- return err
- }
- kd.azureAADConfig = &azureConf
- continue
- }
  switch filepath.Ext(name) {
  case ".asc":
  keyPath, err := securejoin.SecureJoin(tmpDir, name)
@@ -182,13 +174,23 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
  }
  case ".agekey":
  ageIdentities = append(ageIdentities, string(value))
- case ".vault-token":
- // Make sure we have the absolute file name
+ case filepath.Ext(DecryptionVaultTokenFileName):
+ // Make sure we have the absolute name
  if name == DecryptionVaultTokenFileName {
  token := string(value)
  token = strings.Trim(strings.TrimSpace(token), "\n")
  vaultToken = token
  }
+ case filepath.Ext(DecryptionAzureAuthFile):
+ // Make sure we have the absolute name
+ if name == DecryptionAzureAuthFile {
+ azureConf := azkv.AADConfig{}
+ if err = azkv.LoadAADConfigFromBytes(value, &azureConf); err != nil {
+ return err
+ }
+ kd.azureAADConfig = &azureConf
+ continue
+ }
  }
  }
 

diff --git a/internal/sops/keyservice/server.go b/internal/sops/keyservice/server.go
@@ -165,7 +165,7 @@ func (ks Server) Encrypt(ctx context.Context,
  // Fallback to default server if no custom settings are configured
  // to ensure backwards compatibility with global configurations
  if ks.AzureAADConfig == nil {
- return ks.Encrypt(ctx, req)
+ return ks.DefaultServer.Encrypt(ctx, req)
  }
  ciphertext, err := ks.encryptWithAzureKeyvault(k.AzureKeyvaultKey, req.Plaintext)
  if err != nil {
@@ -252,7 +252,7 @@ func (ks Server) Decrypt(ctx context.Context,
  // Fallback to default server if no custom settings are configured
  // to ensure backwards compatibility with global configurations
  if ks.AzureAADConfig == nil {
- return ks.Decrypt(ctx, req)
+ return ks.DefaultServer.Decrypt(ctx, req)
  }
  plaintext, err := ks.decryptWithAzureKeyvault(k.AzureKeyvaultKey, req.Ciphertext)
  if err != nil {