Merge "Adding a phase to help importing external secrets"

2021-05-22 03:25:26 +00:00 · 2021-05-22 03:25:26 +00:00 · 7e992e38f7
commit 7e992e38f7
parent 4dd7465af7 cce32b5d16
15 changed files with 38 additions and 44 deletions
--- a/docs/source/secrets-guidelines.md
+++ b/docs/source/secrets-guidelines.md
@ -212,19 +212,14 @@ Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-con
 - `SOPS_IMPORT_PGP`
 - `SOPS_PGP_FP`

-Possible option how to encrypt `externally provided secrets`:
-This feature is already in place - it's possible to update improted secrtets manually.
-Futher possible improvements are to make as many phases as needed, each phase will cover its separate procedure, e.g.: change of LDAP credentials, update some external passwords.
-The only limitation is that each procedure has to have it’s own VariableCatalogues - that just allows not to decrypte/re-encrypt values from all VariableCatalogues.
+There is another a separate set of secrets that are provided externally and that shouldn't be generated. They're called `externally provided secrets`.
+For that set there is a separate folder in the target/encrypted/results, called `imported`.

-We should use some unencrypted VariableCatalogue as a resource and be able to encrypt that and put to imported secrets.
+There is a speical phase called `secret-import` that may be used to update the set of externally provided secrets:
+just put a new unencrypted secrets.yaml to target/encrypted/results/imported/ instead of encrypted one and run that phase.
+This phase will encrypt that file using provided public key set by `SOPS_IMPORT_PGP` and `SOPS_PGP_FP`.

-Moreover, it’s possible to combine several secret sources in 1 phase, e.g. if we need to encrypt generated and externally provided secrets, just create another directory with kustomization, and put there different resources:
-
-1. Local files with `externally provided secrets` in form of unencrypted variable catalogues
-2. Directory `target/encrypted`.
-
-Update phase’s documentEntryPoint with the new path to the created directory. Now when you run the phase - all these files along with newly generated secrets will be encrypted.
+Note: if you try to run this phase for already encrypted secrets.yaml this phase will return error saying that file is already encrypted.

 ## Decryption of secrets and using them

--- a/manifests/phases/phases.yaml
+++ b/manifests/phases/phases.yaml
@ -216,6 +216,17 @@ config:
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
+metadata:
+  name: secret-import
+config:
+  executorRef:
+    apiVersion: airshipit.org/v1alpha1
+    kind: GenericContainer
+    name: encrypter
+  documentEntryPoint: target/encrypted/importer
+---
+apiVersion: airshipit.org/v1alpha1
+kind: Phase
 metadata:
  name: secret-show
 config:
--- a/manifests/site/test-site/target/encrypted/generator/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/generator/kustomization.yaml
@ -1,4 +1,4 @@
 generators:
- overridegeneration
+- ../../../../../type/gating/target/generator/
 transformers:
- overrideplacement
+- ../../../../../type/gating/target/generator/fileplacement/
--- a/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml
@ -1,2 +0,0 @@
-resources:
- ../../../../../../type/gating/target/generator/
--- a/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml
@ -1,2 +0,0 @@
-resources:
-  - ../../../../../../type/gating/target/generator/fileplacement
--- a/manifests/site/test-site/target/encrypted/importer/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/importer/kustomization.yaml
@ -0,0 +1,4 @@
+resources:
+  - ../results/imported/
+transformers:
+  - ../../../../../type/gating/target/importer/fileplacement/
--- a/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml
@ -1,2 +0,0 @@
-resources:
-  - ../../../../../../type/gating/target/importer/fileplacement
--- a/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+  - secrets.yaml
--- a/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+  - secrets.yaml
--- a/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
+++ b/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
@ -4,18 +4,17 @@ metadata:
    labels:
        airshipit.org/deploy-k8s: "false"
    name: imported-secrets
-dummySecrets: ENC[AES256_GCM,data:wksRVJ1SVPJ8wIcnVA00,iv:wt6FmbfFh+31g/pBcTTlerrwHoUoF8Hv3Cw9q//bSWs=,tag:PTidwzah8PiqAtGnYSa1+w==,type:str]
+dummySecret: ENC[AES256_GCM,data:cLoVpHYvGAByZjXElzhX,iv:Pr44gXBRUTLAzcxgduqAwV36S1rb/WRbiQ3WnnOSwqE=,tag:A4kcrnRdWiYzgKJAotG7qQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
-    lastmodified: "2021-04-14T16:28:51Z"
-    mac: ENC[AES256_GCM,data:sHiCLqMg7TU4eXgThM5q+0Jq67uWoDunk1AbTqXOCKUA9gBHtKflgfgxLvhz8am7pOGf/i8UikFJx5Gb/TiAyf4GGKsfFbKDXc+JwnMYbKoibRJ1cxfRKgcwXdCohcb1g4bSiX2iHmEaVKHlF5ydvfn1OMWR5hQpavSgrb8JemA=,iv:3fg3EgYQjaLCluTL9Yu1axyucAOWwH0SREQMyvMeuak=,tag:lhA5n06vB2adYiv+cGskuA==,type:str]
+    lastmodified: '2021-05-18T19:11:20Z'
+    mac: ENC[AES256_GCM,data:E0Uts+6wzSM201vWGMMmyBhRgOZ+JnzVSuiP8m4nZCdLSmbZlcTDTWLC895i08iZ624vxcTVlwbiF8HyRFKkFCNIhYkiyjA61CVEXRxrQXfC+Wo/RJdvXjHnIEBRfM+jSYAd8IdZVDOcMaKR42Gvik0D2J5lu0SiyYJrGzVqbIs=,iv:IT4U5A95rC4Ms6aa9SfS+rYhTwyzgJnUeOUAlp5+HSE=,tag:AsM6RWnbq7YTC4oQ67H/uA==,type:str]
    pgp:
-        - created_at: "2021-04-14T16:28:50Z"
-          enc: |-
+    -   created_at: '2021-04-14T16:28:50Z'
+        enc: |-
            -----BEGIN PGP MESSAGE-----

            wcBMAyUpShfNkFB/AQgAXrMxHATnkcDVixx+LpHMRFZeEnJsnKhFMkYIC+fhtpJD
@ -28,6 +27,6 @@ sops:
            MORhPC2ylZX46XzMj9DTfMN44rvitTcA
            =mdwS
            -----END PGP MESSAGE-----
-          fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
    unencrypted_regex: ^(kind|apiVersion|group|metadata)$
    version: 3.7.1
--- a/manifests/site/test-site/target/encrypted/results/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/results/kustomization.yaml
@ -1,8 +1,8 @@
 resources:
-  - generated/secrets.yaml
-  - imported/secrets.yaml
+  - generated/
+  - imported/

 transformers:
-  - decrypt-secrets
-  - ../generator/overrideplacement
-  - ../importer/overrideplacement
+  - ../../../../../type/gating/target/decrypt-secrets/
+  - ../../../../../type/gating/target/generator/fileplacement/
+  - ../../../../../type/gating/target/importer/fileplacement/
--- a/manifests/site/test-site/target/encrypted/results/decrypt-secrets/configurable-decryption.yaml
+++ b/manifests/site/test-site/target/encrypted/results/decrypt-secrets/configurable-decryption.yaml
--- a/manifests/site/test-site/target/encrypted/results/decrypt-secrets/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/results/decrypt-secrets/kustomization.yaml
--- a/manifests/type/gating/target/importer/cleanup/kustomization.yaml
+++ b/manifests/type/gating/target/importer/cleanup/kustomization.yaml
@ -1,2 +0,0 @@
-resources:
- secret-cleanup.yaml
--- a/manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
+++ b/manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
@ -1,11 +0,0 @@
-apiVersion: builtin
-kind: PatchStrategicMergeTransformer
-metadata:
-  name: smp_cleanup_imported
-patches: |-
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: imported-secrets
-  $patch: delete