[sops] Allow encode=base64 config for sops provider #1064
seuf wants to merge 1 commit into helmfile:main
7d9b70d to 0ab83d2
Signed-off-by: Thierry Sallé <seuf76@gmail.com>
0ab83d2 to 34d9133
Pull request overview
Adds support to the sops provider for returning decrypted secret contents as a base64-encoded string via ?encode=base64, matching behavior already present in the file provider and addressing the use case described in issue #163.
Changes:
- Introduce an encode configuration option for the sops provider (default: raw).
- Update GetString to optionally base64-encode decrypted bytes when encode=base64.
- Add unit tests verifying New reads the encode config and defaults it appropriately.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/providers/sops/sops.go | Adds Encode config and applies it in GetString to return raw or base64 output. |
| pkg/providers/sops/sops_test.go | Adds tests for default and configured Encode value in provider construction. |
| switch p.Encode { | ||
| case "raw": | ||
| return string(cleartext), nil | ||
| case "base64": | ||
| return base64.StdEncoding.EncodeToString(cleartext), nil |
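Review bot: the switch on p.Encode matches "raw" and "base64" by exact string, so a Provider whose Encode is empty (for instance one built without New) or spelled "Base64" skips both cases. Either treat "" as raw here or normalize the value once in New, and make sure whatever follows these two cases returns an error that names the rejected value and never includes the cleartext. The docs should also state that the output uses base64.StdEncoding (standard alphabet, padded) and that it is an encoding of the decrypted secret, not protection for it.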
New encode behavior in GetString isn’t covered by unit tests (no tests call GetString in this package). Please add a test that exercises encode=base64 (verifies output matches base64.StdEncoding.EncodeToString of decrypted bytes) and the unsupported encode error path; this may require making decrypt stub-able (e.g., via an injectable function field) or adding a small helper that can be tested directly.
| func TestNewProviderReadsEncodeBase64(t *testing.T) { | ||
| cfg := config.MapConfig{ | ||
| M: map[string]interface{}{ | ||
| "encode": "base64", | ||
| }, | ||
| } | ||
|
|
||
| p := New(log.New(log.Config{}), cfg, "") | ||
|
|
||
| if p.Encode != "base64" { | ||
| t.Errorf("Encode = %q, want %q", p.Encode, "base64") | ||
| } |
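Review bot: the assertion on p.Encode covers only the accepted value "base64", so nothing here pins down what New does with an unexpected one. Add cases for a mis-cased or unknown value (for example "BASE64") so it is explicit whether New stores it unchanged or falls back to raw, and consider folding them into one table-driven test together with the default case.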
These tests validate that New reads encode, but they don’t validate the externally observable behavior (that GetString returns base64 when encode=base64). Consider extending coverage to assert the actual returned value/error for each encode mode, so regressions in GetString aren’t missed.
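The approach both review comments above ask for, as an added example that is not code from this pull request or from vals: a hypothetical provider type with an injectable decrypt function field, so GetString can be exercised for raw, base64, an unsupported value and a decrypt failure without any sops keys. The type, field, stub names and error text are assumptions.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// provider is a hypothetical stand-in for the sops provider (assumption, not the vals type).
type provider struct {
	Encode  string
	decrypt func(key string) ([]byte, error) // injectable: tests need no sops keys
}

// GetString decrypts key and applies the configured encoding to the cleartext.
func (p *provider) GetString(key string) (string, error) {
	cleartext, err := p.decrypt(key)
	if err != nil {
		return "", err
	}
	switch p.Encode {
	case "raw":
		return string(cleartext), nil
	case "base64":
		return base64.StdEncoding.EncodeToString(cleartext), nil
	default:
		// Fail closed; the message names the bad option and never the cleartext.
		return "", fmt.Errorf("unsupported encode parameter: %q", p.Encode)
	}
}

// Constructed sample cleartext and stubs standing in for real sops decryption.
var sample = []byte("DB_PASS=s3cr3t\n")

func stubOK(string) ([]byte, error)   { return sample, nil }
func stubFail(string) ([]byte, error) { return nil, errors.New("no matching key") }

func main() {
	for _, enc := range []string{"raw", "base64", "Base64", ""} {
		out, err := (&provider{Encode: enc, decrypt: stubOK}).GetString("config/config.enc.env")
		fmt.Printf("encode=%-8q out=%q err=%v\n", enc, out, err)
	}
	_, err := (&provider{Encode: "base64", decrypt: stubFail}).GetString("config/config.enc.env")
	fmt.Println("decrypt failure:", err)
}
```
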
When referencing a sops secret, allow vals to return it as a base64 encoded string.
The result is a base64 encoded string of the decrypted config/config.enc.env file.
It's like issue #163 but for the sops provider.