Class: KubeKrypt::Encryptor

Inherits:

Object

• Object
• KubeKrypt::Encryptor

Defined in:

lib/kubekrypt/encryptor.rb

Instance Attribute Summary

• #client ⇒ Object readonly

  Returns the value of attribute client.

• #key_name ⇒ Object readonly

  Returns the value of attribute key_name.

Class Method Summary

• .call(content:, key_name:) ⇒ Object

Instance Method Summary

• #call(plaintext) ⇒ Object
• #initialize(key_name) ⇒ Encryptor constructor

  A new instance of Encryptor.

Constructor Details

#initialize(key_name) ⇒ Encryptor

Returns a new instance of Encryptor.

# File 'lib/kubekrypt/encryptor.rb', line 5

def initialize(key_name)
  @client = Google::Cloud::Kms.key_management_service
  @key_name = key_name
end

Instance Attribute Details

#client ⇒ Object (readonly)

Returns the value of attribute client.

# File 'lib/kubekrypt/encryptor.rb', line 3

def client
  @client
end

#key_name ⇒ Object (readonly)

Returns the value of attribute key_name.

# File 'lib/kubekrypt/encryptor.rb', line 3

def key_name
  @key_name
end

Class Method Details

.call(content:, key_name:) ⇒ Object

# File 'lib/kubekrypt/encryptor.rb', line 16

def self.call(content:, key_name:)
  unless content["data"]
    raise InvalidSecretError,
      "no data key found — refusing to write the manifest through unencrypted"
  end

  encryptor = new(key_name)

  content["data"].transform_values! { |plaintext| encryptor.call(plaintext) }

  content[METADATA_KEY] = {
    KMS_KEY.to_s => key_name,
    "version" => VERSION,
    "modified_at" => Time.now.utc.iso8601
  }

  content.to_yaml
end

Instance Method Details

#call(plaintext) ⇒ Object

# File 'lib/kubekrypt/encryptor.rb', line 10

def call(plaintext)
  ciphertext = client.encrypt(name: key_name, plaintext:).ciphertext

  "#{ENC_PREFIX}:#{Base64.strict_encode64(ciphertext)}"
end