Class: Hiera::Backend::Eyaml::Encryptors::Gkms

Inherits:
Encryptor
  • Object
Defined in:
lib/hiera/backend/eyaml/encryptors/gkms.rb

Overview

Google KMS plugin for hiera-eyaml

Constant Summary

VERSION =
::Hiera::Backend::Eyaml::Encryptors::GkmsVersion::VERSION

Class Method Summary

Class Method Details

.decrypt(ciphertext) ⇒ Object



# File 'lib/hiera/backend/eyaml/encryptors/gkms.rb', line 90

# Decrypts a Cloud KMS ciphertext with the key named by key_path.
#
# Nothing is rescued here, so an error raised by kms_client, key_path or the
# client's decrypt call reaches the caller unchanged. The return value is the
# recovered secret; callers should keep it out of logs and error messages.
#
# NOTE(review): kms_client runs twice per call, once here and once inside
# key_path.
#
# @param ciphertext [Object] encrypted payload, passed to the client as-is
# @return [Object] the +plaintext+ attribute of the client's decrypt response
def self.decrypt(ciphertext)
  client = kms_client
  key_name = key_path
  response = client.decrypt(name: key_name, ciphertext: ciphertext)
  response.plaintext
end

.encrypt(plaintext) ⇒ Object



# File 'lib/hiera/backend/eyaml/encryptors/gkms.rb', line 86

# Encrypts a secret with the Cloud KMS key named by key_path.
#
# The plaintext is handed to the KMS client as-is and only the +ciphertext+
# attribute of the response is returned. Nothing is rescued here, so an error
# raised by kms_client, key_path or the client's encrypt call reaches the
# caller unchanged.
#
# NOTE(review): kms_client runs twice per call, once here and once inside
# key_path.
#
# @param plaintext [Object] the secret to protect
# @return [Object] the +ciphertext+ attribute of the client's encrypt response
def self.encrypt(plaintext)
  client = kms_client
  key_name = key_path
  response = client.encrypt(name: key_name, plaintext: plaintext)
  response.ciphertext
end

.key_path ⇒ Object

Raises:

  • (StandardError)


# File 'lib/hiera/backend/eyaml/encryptors/gkms.rb', line 70

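# Builds the Cloud KMS crypto key resource path from the plugin options.
#
# Reads :project, :location, :keyring and :crypto_key through +option+ and
# passes them to the client's +crypto_key_path+ helper.
#
# Every component must be present and non-blank. An empty string is truthy in
# Ruby, so a plain truthiness test would let a blank value through and the
# misconfiguration would only surface later as a malformed key name; checking
# here fails closed with a message that names the missing option. :location is
# validated alongside the other three because it is part of the same path.
#
# @return [Object] the value returned by +kms_client.crypto_key_path+
# @raise [StandardError] if any of the four options is nil, false or blank
def self.key_path
  components = {
    project: option(:project),
    location: option(:location),
    keyring: option(:keyring),
    crypto_key: option(:crypto_key)
  }

  components.each do |option_name, value|
    next if value && !value.to_s.strip.empty?

    raise StandardError, "gkms_#{option_name} is not defined"
  end

  kms_client.crypto_key_path project: components[:project],
                             location: components[:location],
                             key_ring: components[:keyring],
                             crypto_key: components[:crypto_key]
end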

.kms_client ⇒ Object



# File 'lib/hiera/backend/eyaml/encryptors/gkms.rb', line 52

# Prepares authentication settings from the plugin options and returns the
# object produced by ::Google::Cloud::Kms.key_management_service.
#
# When :auth_type is exactly 'serviceaccount', :credentials is required and is
# installed, together with a 10 second timeout, through
# Google::Cloud::Kms.configure. For every other value no credentials are set
# here and GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS is set to '1' instead.
#
# NOTE(review): nil, a typo or any unrecognised :auth_type takes the second
# path without an error; presumably the library then resolves ambient
# credentials. Confirm that this fallback is intended.
# NOTE(review): the timeout is applied only on the service-account path.
# NOTE(review): configure is called on the Kms module and ENV is process-wide,
# so both paths appear to change state that outlives this call.
# NOTE(review): the :credentials value should be handled as a secret; its
# exact form (file path or key data) is not visible here.
#
# @return [Object] the result of ::Google::Cloud::Kms.key_management_service
# @raise [StandardError] if 'serviceaccount' is selected without :credentials
def self.kms_client
  unless option(:auth_type) == 'serviceaccount'
    # Only the warning is silenced on this path; no credentials are supplied.
    ENV['GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS'] = '1'
    return ::Google::Cloud::Kms.key_management_service
  end

  key_material = option(:credentials)
  raise StandardError, 'gkms_credentials is not defined' unless key_material

  Google::Cloud::Kms.configure do |settings|
    settings.credentials = key_material
    settings.timeout = 10.0
  end

  ::Google::Cloud::Kms.key_management_service
end