in tooling/secret-sync/main.go [175:250]
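// main is the entry point of the secret-sync tool. It expects exactly one
// positional argument, the mode ("encrypt" or "decrypt"), and dispatches to
// the matching flow. Every failure is fatal: the error is logged and the
// process exits with a non-zero status.
func main() {
	if len(os.Args) != 2 {
		log.Fatal("Need to provide mode parameter encrypt/decrypt")
	}
	mode := os.Args[1]
	switch mode {
	case "encrypt":
		runEncryptMode()
	case "decrypt":
		runDecryptMode()
	default:
		log.Fatalf("Invalid mode %s", mode)
	}
}

// runEncryptMode reads plaintext from stdin, encrypts it chunk by chunk and
// persists the encrypted chunks unless a dry run was requested via the
// environment.
func runEncryptMode() {
	plainChunks, err := readAndChunkData(os.Stdin)
	if err != nil {
		log.Fatal(err)
	}
	// One encrypted chunk per plaintext chunk, so the final length is known.
	encryptedChunks := make([][]byte, 0, len(plainChunks))
	for _, c := range plainChunks {
		encryptedChunk, err := encryptData(c)
		if err != nil {
			log.Fatal(err)
		}
		encryptedChunks = append(encryptedChunks, encryptedChunk)
	}
	fmt.Printf("Encrypted data, persisting to: %s\n", os.Getenv(outputFileEnvKey))
	// Dry run: report the target but write nothing.
	if os.Getenv(dryRunEnvKey) == "true" {
		fmt.Println("... skiped due to dry run")
		return
	}
	if err := persistEncryptedChunks(encryptedChunks); err != nil {
		log.Fatal(err)
	}
}

// runDecryptMode reads the base64-encoded encrypted chunks, decrypts each one
// through the Key Vault key client, joins the plaintext and stores the result
// as a Key Vault secret.
func runDecryptMode() {
	// The vault endpoint is shared by the key and secret clients; build and
	// validate it once instead of formatting it twice.
	vaultURL, err := keyVaultURL(os.Getenv(vaultNameEnvKey))
	if err != nil {
		log.Fatal(err)
	}
	chain, err := azauth.GetAzureTokenCredentials()
	if err != nil {
		log.Fatalf("error getting credentials %v", err)
	}
	keyClient, err := azkeys.NewClient(vaultURL, chain, nil)
	if err != nil {
		log.Fatalf("error getting azkeys client %v", err)
	}
	encryptedChunks, err := readEncryptedChunks()
	if err != nil {
		log.Fatal(err)
	}
	decryptedChunks := make([][]byte, 0, len(encryptedChunks))
	for _, c := range encryptedChunks {
		// Empty chunks carry no ciphertext; skip them.
		if len(c) == 0 {
			continue
		}
		// DecodedLen is an upper bound: with padding the decoded payload is
		// shorter than dst, so only the n bytes actually written are passed on.
		// Handing the full buffer to decryptData would append zero bytes to
		// the ciphertext.
		dst := make([]byte, base64.StdEncoding.DecodedLen(len(c)))
		n, err := base64.StdEncoding.Decode(dst, c)
		if err != nil {
			log.Fatal(err)
		}
		decryptedChunk, err := decryptData(keyClient, dst[:n])
		if err != nil {
			log.Fatal(err)
		}
		decryptedChunks = append(decryptedChunks, decryptedChunk)
	}
	secretsClient, err := azsecrets.NewClient(vaultURL, chain, nil)
	if err != nil {
		log.Fatalf("error getting azsecrets client %v", err)
	}
	joinedMessage := bytes.Join(decryptedChunks, []byte{})
	fmt.Printf("Data decrypted, persisting to: %s\n", os.Getenv(secretToSetEnvKey))
	if err := persistSecret(secretsClient, joinedMessage); err != nil {
		log.Fatal(err)
	}
}

// keyVaultURL builds the Key Vault endpoint for the vault called name.
//
// The name is the only environment-controlled part of the URL and it becomes
// the host, so it is restricted to a DNS label (letters, digits and hyphens).
// That keeps a malformed or unexpected value from steering the key and secret
// clients to a host other than the intended vault, and gives a clear error
// instead of a confusing connection failure when the variable is unset.
func keyVaultURL(name string) (string, error) {
	if name == "" {
		return "", fmt.Errorf("%s must be set to the Key Vault name", vaultNameEnvKey)
	}
	for i := 0; i < len(name); i++ {
		b := name[i]
		isAlnum := (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || (b >= '0' && b <= '9')
		if !isAlnum && b != '-' {
			return "", fmt.Errorf("invalid Key Vault name %q: only letters, digits and hyphens are allowed", name)
		}
	}
	return fmt.Sprintf("https://%s.vault.azure.net", name), nil
}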