diff --git a/docs/source/secrets-guidelines.md b/docs/source/secrets-guidelines.md
index 972b77c37..b3811b596 100644
--- a/docs/source/secrets-guidelines.md
+++ b/docs/source/secrets-guidelines.md
@@ -212,19 +212,14 @@ Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-con
 - `SOPS_IMPORT_PGP`
 - `SOPS_PGP_FP`
-Possible option how to encrypt `externally provided secrets`:
-This feature is already in place - it's possible to update improted secrtets manually.
-Futher possible improvements are to make as many phases as needed, each phase will cover its separate procedure, e.g.: change of LDAP credentials, update some external passwords.
-The only limitation is that each procedure has to have it’s own VariableCatalogues - that just allows not to decrypte/re-encrypt values from all VariableCatalogues.
+There is another a separate set of secrets that are provided externally and that shouldn't be generated. They're called `externally provided secrets`.
+For that set there is a separate folder in the target/encrypted/results, called `imported`.
-We should use some unencrypted VariableCatalogue as a resource and be able to encrypt that and put to imported secrets.
+There is a speical phase called `secret-import` that may be used to update the set of externally provided secrets:
+just put a new unencrypted secrets.yaml to target/encrypted/results/imported/ instead of encrypted one and run that phase.
+This phase will encrypt that file using provided public key set by `SOPS_IMPORT_PGP` and `SOPS_PGP_FP`.
-Moreover, it’s possible to combine several secret sources in 1 phase, e.g. if we need to encrypt generated and externally provided secrets, just create another directory with kustomization, and put there different resources:
-
-1. Local files with `externally provided secrets` in form of unencrypted variable catalogues
-2. Directory `target/encrypted`.
-
-Update phase’s documentEntryPoint with the new path to the created directory. Now when you run the phase - all these files along with newly generated secrets will be encrypted.
+Note: if you try to run this phase for already encrypted secrets.yaml this phase will return error saying that file is already encrypted.
 ## Decryption of secrets and using them
diff --git a/manifests/phases/phases.yaml b/manifests/phases/phases.yaml
index 80b4276f3..5c657a92a 100644
--- a/manifests/phases/phases.yaml
+++ b/manifests/phases/phases.yaml
@@ -216,6 +216,17 @@ config:
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
+metadata:
+ name: secret-import
+config:
+ executorRef:
+ apiVersion: airshipit.org/v1alpha1
+ kind: GenericContainer
+ name: encrypter
+ documentEntryPoint: target/encrypted/importer
+---
+apiVersion: airshipit.org/v1alpha1
+kind: Phase
 metadata:
 name: secret-show
 config:
diff --git a/manifests/site/test-site/target/encrypted/generator/kustomization.yaml b/manifests/site/test-site/target/encrypted/generator/kustomization.yaml
index def69d406..4ddb1d09b 100644
--- a/manifests/site/test-site/target/encrypted/generator/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/generator/kustomization.yaml
@@ -1,4 +1,4 @@
 generators:
-- overridegeneration
+- ../../../../../type/gating/target/generator/
 transformers:
-- overrideplacement
+- ../../../../../type/gating/target/generator/fileplacement/
diff --git a/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml b/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml
deleted file mode 100644
index 49f9e642c..000000000
--- a/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- ../../../../../../type/gating/target/generator/
diff --git a/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml b/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml
deleted file mode 100644
index 171142bb9..000000000
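Review bot: The new `secret-import` Phase gives no hint that its entry point is expected to hold an operator-supplied plaintext secrets.yaml, unlike the other phases whose inputs are generated or already encrypted, and the documentEntryPoint `target/encrypted/importer` resolves (via the importer kustomization added in this same change) to the results directory where the encrypted output is later committed. Since the phase reuses the `encrypter` GenericContainer by name, a reader of phases.yaml alone cannot tell it from the generate path. A comment above `name: secret-import` would make the contract explicit, e.g. `# Re-encrypts a PLAINTEXT results/imported/secrets.yaml supplied by the operator; needs SOPS_IMPORT_PGP and SOPS_PGP_FP, and (per docs) fails if the input is already encrypted.` The `encrypter` executor definition itself is outside this hunk, so whether it validates that `SOPS_PGP_FP` matches the key in `SOPS_IMPORT_PGP` cannot be confirmed here and is worth checking.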
--- a/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
- - ../../../../../../type/gating/target/generator/fileplacement
diff --git a/manifests/site/test-site/target/encrypted/importer/kustomization.yaml b/manifests/site/test-site/target/encrypted/importer/kustomization.yaml
new file mode 100644
index 000000000..3ad5ab4e8
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/importer/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - ../results/imported/
+transformers:
+ - ../../../../../type/gating/target/importer/fileplacement/
diff --git a/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml b/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml
deleted file mode 100644
index 8991cff06..000000000
--- a/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
- - ../../../../../../type/gating/target/importer/fileplacement
diff --git a/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml
new file mode 100644
index 000000000..d68c20c09
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - secrets.yaml
diff --git a/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml
new file mode 100644
index 000000000..d68c20c09
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - secrets.yaml
diff --git a/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml b/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
index a85210904..0ead0caa0 100644
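Review bot: `resources: - ../results/imported/` in the new importer kustomization reads its input from the same tracked path that holds the SOPS-encrypted `results/imported/secrets.yaml` elsewhere in this diff, and the documented workflow is to overwrite that encrypted file with a plaintext one before running `secret-import`. Nothing in the manifests guards the window between dropping the plaintext and the phase completing: if the phase is skipped or fails (the docs say it errors on already-encrypted input, so a half-done run is plausible), a plaintext secret sits at a committed path. At minimum the kustomization should carry a comment such as `# results/imported/secrets.yaml is consumed as PLAINTEXT here and replaced in place by the secret-import phase; do not commit it until that phase has run.`, and a pre-commit or CI check that the file contains a `sops:` block with a `mac:` entry would make the invariant enforceable rather than procedural. Whether the importer fileplacement transformer writes back to the same path is not visible in this hunk and should be confirmed.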
--- a/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
+++ b/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
@@ -4,18 +4,17 @@ metadata:
 labels:
 airshipit.org/deploy-k8s: "false"
 name: imported-secrets
-dummySecrets: ENC[AES256_GCM,data:wksRVJ1SVPJ8wIcnVA00,iv:wt6FmbfFh+31g/pBcTTlerrwHoUoF8Hv3Cw9q//bSWs=,tag:PTidwzah8PiqAtGnYSa1+w==,type:str]
+dummySecret: ENC[AES256_GCM,data:cLoVpHYvGAByZjXElzhX,iv:Pr44gXBRUTLAzcxgduqAwV36S1rb/WRbiQ3WnnOSwqE=,tag:A4kcrnRdWiYzgKJAotG7qQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
- age: []
- lastmodified: "2021-04-14T16:28:51Z"
- mac: ENC[AES256_GCM,data:sHiCLqMg7TU4eXgThM5q+0Jq67uWoDunk1AbTqXOCKUA9gBHtKflgfgxLvhz8am7pOGf/i8UikFJx5Gb/TiAyf4GGKsfFbKDXc+JwnMYbKoibRJ1cxfRKgcwXdCohcb1g4bSiX2iHmEaVKHlF5ydvfn1OMWR5hQpavSgrb8JemA=,iv:3fg3EgYQjaLCluTL9Yu1axyucAOWwH0SREQMyvMeuak=,tag:lhA5n06vB2adYiv+cGskuA==,type:str]
+ lastmodified: '2021-05-18T19:11:20Z'
+ mac: ENC[AES256_GCM,data:E0Uts+6wzSM201vWGMMmyBhRgOZ+JnzVSuiP8m4nZCdLSmbZlcTDTWLC895i08iZ624vxcTVlwbiF8HyRFKkFCNIhYkiyjA61CVEXRxrQXfC+Wo/RJdvXjHnIEBRfM+jSYAd8IdZVDOcMaKR42Gvik0D2J5lu0SiyYJrGzVqbIs=,iv:IT4U5A95rC4Ms6aa9SfS+rYhTwyzgJnUeOUAlp5+HSE=,tag:AsM6RWnbq7YTC4oQ67H/uA==,type:str]
 pgp:
- - created_at: "2021-04-14T16:28:50Z"
- enc: |-
+ - created_at: '2021-04-14T16:28:50Z'
+ enc: |-
 -----BEGIN PGP MESSAGE-----
 wcBMAyUpShfNkFB/AQgAXrMxHATnkcDVixx+LpHMRFZeEnJsnKhFMkYIC+fhtpJD
@@ -28,6 +27,6 @@ sops:
 MORhPC2ylZX46XzMj9DTfMN44rvitTcA
 =mdwS
 -----END PGP MESSAGE-----
- fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+ fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
 unencrypted_regex: ^(kind|apiVersion|group|metadata)$
 version: 3.7.1
diff --git a/manifests/site/test-site/target/encrypted/results/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/kustomization.yaml
index 48884fbb7..1c294ca9e 100644
--- a/manifests/site/test-site/target/encrypted/results/kustomization.yaml
+++ b/manifests/site/test-site/target/encrypted/results/kustomization.yaml
@@ -1,8 +1,8 @@
 resources:
- - generated/secrets.yaml
- - imported/secrets.yaml
+ - generated/
+ - imported/
 transformers:
- - decrypt-secrets
- - ../generator/overrideplacement
- - ../importer/overrideplacement
+ - ../../../../../type/gating/target/decrypt-secrets/
+ - ../../../../../type/gating/target/generator/fileplacement/
+ - ../../../../../type/gating/target/importer/fileplacement/
diff --git a/manifests/site/test-site/target/encrypted/results/decrypt-secrets/configurable-decryption.yaml b/manifests/type/gating/target/decrypt-secrets/configurable-decryption.yaml
similarity index 100%
rename from manifests/site/test-site/target/encrypted/results/decrypt-secrets/configurable-decryption.yaml
rename to manifests/type/gating/target/decrypt-secrets/configurable-decryption.yaml
diff --git a/manifests/site/test-site/target/encrypted/results/decrypt-secrets/kustomization.yaml b/manifests/type/gating/target/decrypt-secrets/kustomization.yaml
similarity index 100%
rename from manifests/site/test-site/target/encrypted/results/decrypt-secrets/kustomization.yaml
rename to manifests/type/gating/target/decrypt-secrets/kustomization.yaml
diff --git a/manifests/type/gating/target/importer/cleanup/kustomization.yaml b/manifests/type/gating/target/importer/cleanup/kustomization.yaml
deleted file mode 100644
index 5d28ccd4a..000000000
--- a/manifests/type/gating/target/importer/cleanup/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- secret-cleanup.yaml
diff --git a/manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml b/manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
deleted file mode 100644
index 7f1073b56..000000000
--- a/manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: builtin
-kind: PatchStrategicMergeTransformer
-metadata:
- name: smp_cleanup_imported
-patches: |-
- ---
- apiVersion: airshipit.org/v1alpha1
- kind: VariableCatalogue
- metadata:
- name: imported-secrets
- $patch: delete