in pkg/bundle/encryption.go [37:104]
func PartialLock(ctx context.Context, b *bundlev1.Bundle, transformerMap map[string]value.Transformer, skipUnresolved bool) error {
// Check bundle
if b == nil {
return fmt.Errorf("unable to process nil bundle")
}
if transformerMap == nil {
return fmt.Errorf("unable to process nil transformer map")
}
// For each packages
for _, p := range b.Packages {
// Check annotation usage
keyAlias, hasKeyAlias := p.Annotations[packageEncryptionAnnotation]
if !hasKeyAlias {
// Skip package processing
continue
}
// Check key alias declaration
transformer, hasTransformer := transformerMap[keyAlias]
if !hasTransformer {
if skipUnresolved {
// Skip unresolved transformer alias.
continue
}
return fmt.Errorf("package encryption annotation found, but no key alias for '%s' provided", keyAlias)
}
if types.IsNil(transformer) {
return fmt.Errorf("key alias '%s' refers to a nil transformer", keyAlias)
}
// Convert secret as a map
secrets := map[string]interface{}{}
for _, s := range p.Secrets.Data {
var out interface{}
if err := secret.Unpack(s.Value, &out); err != nil {
return fmt.Errorf("unable to load secret value, corrupted bundle: %w", err)
}
// Assign to secret map
secrets[s.Key] = out
}
// Export secrets as JSON
content, err := json.Marshal(secrets)
if err != nil {
return fmt.Errorf("unable to extract secret map as json")
}
// Apply transformer
out, err := transformer.To(ctx, content)
if err != nil {
return fmt.Errorf("unable to apply secret transformer: %w", err)
}
// Cleanup
memguard.WipeBytes(content)
p.Secrets.Data = nil
// Assign locked secret
p.Secrets.Locked = &wrappers.BytesValue{
Value: out,
}
}
// No error
return nil
}