airship/airshipctl
Code Issues Proposed changes

Merge "Adding a phase to help importing external secrets"

Browse Source
This commit is contained in:
Zuul 2021-05-22 03:25:26 +00:00 committed by Gerrit Code Review
commit 7e992e38f7
15 changed files with 38 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/source/secrets-guidelines.md
View File

@ -212,19 +212,14 @@ Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-con
- `SOPS_IMPORT_PGP` - `SOPS_IMPORT_PGP`
- `SOPS_PGP_FP` - `SOPS_PGP_FP`
Possible option how to encrypt `externally provided secrets`: There is another a separate set of secrets that are provided externally and that shouldn't be generated. They're called `externally provided secrets`.
This feature is already in place - it's possible to update improted secrtets manually. For that set there is a separate folder in the target/encrypted/results, called `imported`.
Futher possible improvements are to make as many phases as needed, each phase will cover its separate procedure, e.g.: change of LDAP credentials, update some external passwords.
The only limitation is that each procedure has to have its own VariableCatalogues - that just allows not to decrypte/re-encrypt values from all VariableCatalogues.
We should use some unencrypted VariableCatalogue as a resource and be able to encrypt that and put to imported secrets. There is a speical phase called `secret-import` that may be used to update the set of externally provided secrets:
just put a new unencrypted secrets.yaml to target/encrypted/results/imported/ instead of encrypted one and run that phase.
This phase will encrypt that file using provided public key set by `SOPS_IMPORT_PGP` and `SOPS_PGP_FP`.
Moreover, its possible to combine several secret sources in 1 phase, e.g. if we need to encrypt generated and externally provided secrets, just create another directory with kustomization, and put there different resources: Note: if you try to run this phase for already encrypted secrets.yaml this phase will return error saying that file is already encrypted.
1. Local files with `externally provided secrets` in form of unencrypted variable catalogues
2. Directory `target/encrypted`.
Update phases documentEntryPoint with the new path to the created directory. Now when you run the phase - all these files along with newly generated secrets will be encrypted.
## Decryption of secrets and using them ## Decryption of secrets and using them

11
manifests/phases/phases.yaml
View File

@ -216,6 +216,17 @@ config:
--- ---
apiVersion: airshipit.org/v1alpha1 apiVersion: airshipit.org/v1alpha1
kind: Phase kind: Phase
metadata:
name: secret-import
config:
executorRef:
apiVersion: airshipit.org/v1alpha1
kind: GenericContainer
name: encrypter
documentEntryPoint: target/encrypted/importer
---
apiVersion: airshipit.org/v1alpha1
kind: Phase
metadata: metadata:
name: secret-show name: secret-show
config: config:

4
manifests/site/test-site/target/encrypted/generator/kustomization.yaml
View File

@ -1,4 +1,4 @@
generators: generators:
- overridegeneration - ../../../../../type/gating/target/generator/
transformers: transformers:
- overrideplacement - ../../../../../type/gating/target/generator/fileplacement/

2
manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml
View File

@ -1,2 +0,0 @@
resources:
- ../../../../../../type/gating/target/generator/

2
manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml
View File

@ -1,2 +0,0 @@
resources:
- ../../../../../../type/gating/target/generator/fileplacement

4
manifests/site/test-site/target/encrypted/importer/kustomization.yaml Normal file
View File

@ -0,0 +1,4 @@
resources:
- ../results/imported/
transformers:
- ../../../../../type/gating/target/importer/fileplacement/

2
manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml
View File

@ -1,2 +0,0 @@
resources:
- ../../../../../../type/gating/target/importer/fileplacement

2
manifests/site/test-site/target/encrypted/results/generated/kustomization.yaml Normal file
View File

@ -0,0 +1,2 @@
resources:
- secrets.yaml

2
manifests/site/test-site/target/encrypted/results/imported/kustomization.yaml Normal file
View File

@ -0,0 +1,2 @@
resources:
- secrets.yaml

13
manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
View File

@ -4,18 +4,17 @@ metadata:
labels: labels:
airshipit.org/deploy-k8s: "false" airshipit.org/deploy-k8s: "false"
name: imported-secrets name: imported-secrets
dummySecrets: ENC[AES256_GCM,data:wksRVJ1SVPJ8wIcnVA00,iv:wt6FmbfFh+31g/pBcTTlerrwHoUoF8Hv3Cw9q//bSWs=,tag:PTidwzah8PiqAtGnYSa1+w==,type:str] dummySecret: ENC[AES256_GCM,data:cLoVpHYvGAByZjXElzhX,iv:Pr44gXBRUTLAzcxgduqAwV36S1rb/WRbiQ3WnnOSwqE=,tag:A4kcrnRdWiYzgKJAotG7qQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] lastmodified: '2021-05-18T19:11:20Z'
lastmodified: "2021-04-14T16:28:51Z" mac: ENC[AES256_GCM,data:E0Uts+6wzSM201vWGMMmyBhRgOZ+JnzVSuiP8m4nZCdLSmbZlcTDTWLC895i08iZ624vxcTVlwbiF8HyRFKkFCNIhYkiyjA61CVEXRxrQXfC+Wo/RJdvXjHnIEBRfM+jSYAd8IdZVDOcMaKR42Gvik0D2J5lu0SiyYJrGzVqbIs=,iv:IT4U5A95rC4Ms6aa9SfS+rYhTwyzgJnUeOUAlp5+HSE=,tag:AsM6RWnbq7YTC4oQ67H/uA==,type:str]
mac: ENC[AES256_GCM,data:sHiCLqMg7TU4eXgThM5q+0Jq67uWoDunk1AbTqXOCKUA9gBHtKflgfgxLvhz8am7pOGf/i8UikFJx5Gb/TiAyf4GGKsfFbKDXc+JwnMYbKoibRJ1cxfRKgcwXdCohcb1g4bSiX2iHmEaVKHlF5ydvfn1OMWR5hQpavSgrb8JemA=,iv:3fg3EgYQjaLCluTL9Yu1axyucAOWwH0SREQMyvMeuak=,tag:lhA5n06vB2adYiv+cGskuA==,type:str]
pgp: pgp:
- created_at: "2021-04-14T16:28:50Z" - created_at: '2021-04-14T16:28:50Z'
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
wcBMAyUpShfNkFB/AQgAXrMxHATnkcDVixx+LpHMRFZeEnJsnKhFMkYIC+fhtpJD wcBMAyUpShfNkFB/AQgAXrMxHATnkcDVixx+LpHMRFZeEnJsnKhFMkYIC+fhtpJD
@ -28,6 +27,6 @@ sops:
MORhPC2ylZX46XzMj9DTfMN44rvitTcA MORhPC2ylZX46XzMj9DTfMN44rvitTcA
=mdwS =mdwS
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
unencrypted_regex: ^(kind|apiVersion|group|metadata)$ unencrypted_regex: ^(kind|apiVersion|group|metadata)$
version: 3.7.1 version: 3.7.1

10
manifests/site/test-site/target/encrypted/results/kustomization.yaml
View File

@ -1,8 +1,8 @@
resources: resources:
- generated/secrets.yaml - generated/
- imported/secrets.yaml - imported/
transformers: transformers:
- decrypt-secrets - ../../../../../type/gating/target/decrypt-secrets/
- ../generator/overrideplacement - ../../../../../type/gating/target/generator/fileplacement/
- ../importer/overrideplacement - ../../../../../type/gating/target/importer/fileplacement/

0
manifests/site/test-site/target/encrypted/results/decrypt-secrets/configurable-decryption.yaml → manifests/type/gating/target/decrypt-secrets/configurable-decryption.yaml
View File

0
manifests/site/test-site/target/encrypted/results/decrypt-secrets/kustomization.yaml → manifests/type/gating/target/decrypt-secrets/kustomization.yaml
View File

2
manifests/type/gating/target/importer/cleanup/kustomization.yaml
View File

@ -1,2 +0,0 @@
resources:
- secret-cleanup.yaml

11
manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
View File

@ -1,11 +0,0 @@
apiVersion: builtin
kind: PatchStrategicMergeTransformer
metadata:
name: smp_cleanup_imported
patches: |-
---
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
name: imported-secrets
$patch: delete