Allow providing cluster-wide age identity via controller env var
Signed-off-by: mraerino <[email protected]>
mraerino committed Jul 4, 2023
1 parent 0fe3783 commit adfa781
Showing 2 changed files with 30 additions and 1 deletion.
11 changes: 10 additions & 1 deletion internal/decryptor/decryptor.go
Expand Up @@ -40,6 +40,7 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/kustomize/api/konfig"
"sigs.k8s.io/kustomize/api/resource"
Expand Down Expand Up @@ -201,6 +202,15 @@ func (d *Decryptor) ImportKeys(ctx context.Context) error {
provider := d.kustomization.Spec.Decryption.Provider
switch provider {
case DecryptionProviderSOPS:
// load age key from env variable
globalAgeIdentities, err := age.GlobalIdentities()
if err != nil {
log := ctrl.LoggerFrom(ctx)
log.Info("failed to decrypt age identity from environment, ignoring", "error", err)
} else {
d.ageIdentities = append(d.ageIdentities, globalAgeIdentities...)
}

secretName := types.NamespacedName{
Namespace: d.kustomization.GetNamespace(),
Name: d.kustomization.Spec.Decryption.SecretRef.Name,
Expand All @@ -214,7 +224,6 @@ func (d *Decryptor) ImportKeys(ctx context.Context) error {
return fmt.Errorf("cannot get %s decryption Secret '%s': %w", provider, secretName, err)
}

var err error
for name, value := range secret.Data {
switch filepath.Ext(name) {
case DecryptionPGPExt:
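Review bot: The env-provided identities are appended to `d.ageIdentities` for every Kustomization that uses the SOPS provider, so the key is not scoped to a namespace or tenant: anything encrypted to the cluster-wide recipient can be decrypted on behalf of any Kustomization this controller reconciles. That trust boundary deserves a comment at the call site, for example `// NOTE: identities from the environment are shared by all Kustomizations handled by this controller; do not use them for tenant-specific secrets.` The new block is followed by an unconditional read of `Spec.Decryption.SecretRef.Name`, so a Kustomization relying only on the global identity still appears to need a SecretRef; whether that is guarded earlier in `ImportKeys` cannot be seen, since the function starts and ends outside the hunks. A parse failure is logged at Info with the word "decrypt" although nothing is decrypted at this point; `log.Error(err, "failed to parse age identities from environment, ignoring")` would make a misconfigured key easier to notice.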
20 changes: 20 additions & 0 deletions internal/sops/age/keysource.go
Expand Up @@ -11,12 +11,32 @@ import (
"bytes"
"fmt"
"io"
"os"
"strings"

"filippo.io/age"
"filippo.io/age/armor"
)

const (
// SopsAgeKeyEnv can be set as an environment variable to provide
// an additional key to use for decryption.
SopsAgeKeyEnv = "FLUX_SOPS_AGE_KEY"
)

// GlobalIdentities loads age identities from the [SopsAgeKeyEnv] environment variable.
func GlobalIdentities() ([]age.Identity, error) {
if globalKey, ok := os.LookupEnv(SopsAgeKeyEnv); ok {
parsed, err := age.ParseIdentities(strings.NewReader(globalKey))
if err != nil {
return nil, fmt.Errorf("failed to parse age identities from env var: %w", err)
}
return parsed, nil
}

return nil, nil
}

// MasterKey is an age key used to Encrypt and Decrypt SOPS' data key.
//
// Adapted from https://github.com/mozilla/sops/blob/v3.7.2/age/keysource.go
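Review bot: The doc comment on `SopsAgeKeyEnv` says only "an additional key" and does not state that the value is private key material in the text format `age.ParseIdentities` reads, or that it applies to the whole controller process. I would extend it to say so and to recommend populating the variable from a Kubernetes Secret reference rather than a literal in the Deployment manifest, since a literal is readable by anyone who can view the pod spec. In `GlobalIdentities`, a variable that is set but empty is handed to the parser, which I expect returns an error rather than zero identities; treating it as unset avoids an error on every reconcile: `if globalKey, ok := os.LookupEnv(SopsAgeKeyEnv); ok && globalKey != "" {`.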
