Add encryption support to sysdump.

go.mod

@@ -29,6 +29,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/mholt/archiver/v3 v3.5.0
 	github.com/spf13/cobra v1.1.1
+	golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee
 	google.golang.org/grpc v1.34.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	k8s.io/api v0.19.11

internal/cli/cmd/sysdump.go

@@ -67,6 +67,12 @@ func newCmdSysdump() *cobra.Command {
 	cmd.Flags().BoolVar(&sysdumpOptions.Debug,
 		"debug", sysdump.DefaultDebug,
 		"Whether to enable debug logging")
+	cmd.Flags().BoolVar(&sysdumpOptions.Encrypt,
+		"encrypt", sysdump.DefaultEncrypt,
+		"Whether to encrypt the resulting zip file")
+	cmd.Flags().StringSliceVar(&sysdumpOptions.EncryptionKeys,
+		"encryption-key", []string{sysdump.DefaultEncryptionKey},
+		"The path to the OpenPGP-compliant public key to use for encrypting the resulting zip file. Defaults to an embeded OpenPGP-compliant public key")
 	cmd.Flags().StringVar(&sysdumpOptions.HubbleLabelSelector,
 		"hubble-label-selector", sysdump.DefaultHubbleLabelSelector,
 		"The labels used to target Hubble pods")

sysdump/constants.go

@@ -58,6 +58,7 @@ const (
 	kubernetesServicesFileName               = "k8s-services-<ts>.yaml"
 	kubernetesVersionInfoFileName            = "k8s-version-<ts>.txt"
 	timestampPlaceholderFileName             = "<ts>"
+	outputZipFilename                        = "cilium-sysdump-<ts>.zip"
 )
 
 const (

sysdump/defaults.go

@@ -30,6 +30,8 @@ const (
 	DefaultCiliumOperatorLabelSelector = "io.cilium/app=operator"
 	DefaultCiliumOperatorNamespace     = DefaultCiliumNamespace
 	DefaultDebug                       = false
+	DefaultEncrypt                     = false
+	DefaultEncryptionKey               = "root"
 	DefaultHubbleLabelSelector         = labelPrefix + "hubble"
 	DefaultHubbleNamespace             = DefaultCiliumNamespace
 	DefaultHubbleRelayLabelSelector    = labelPrefix + "hubble-relay"

sysdump/encryption.go

@@ -0,0 +1,88 @@
+// Copyright 2021 Authors of Cilium
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sysdump
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"time"
+
+	"golang.org/x/crypto/openpgp"
+	"golang.org/x/crypto/openpgp/packet"
+)
+
+//go:embed pubkey.gpg
+var rootPubKey []byte
+
+func createEncryptedZipFile(pathToZipFile string, pathsToEncryptionKey []string) (string, error) {
+	// Read the destination entity.
+	var entityList []*openpgp.Entity
+	for _, k := range pathsToEncryptionKey {
+		e, err := readDestinationEntity(k)
+		if err != nil {
+			return "", fmt.Errorf("failed to read encryption key %q: %w", k, err)
+		}
+		entityList = append(entityList, e)
+	}
+	// Create the destination file.
+	d := pathToZipFile + ".gpg"
+	o, err := os.Create(d)
+	if err != nil {
+		return "", err
+	}
+	// Encrypt the zip file.
+	h := &openpgp.FileHints{
+		FileName: filepath.Base(pathToZipFile),
+		IsBinary: true,
+		ModTime:  time.Now(),
+	}
+	encOut, err := openpgp.Encrypt(o, entityList, nil, h, nil)
+	if err != nil {
+		return "", err
+	}
+	defer encOut.Close()
+	i, err := os.Open(pathToZipFile)
+	if err != nil {
+		return "", err
+	}
+	r, err := io.ReadAll(i)
+	if err != nil {
+		return "", err
+	}
+	if _, err = encOut.Write(r); err != nil {
+		return "", err
+	}
+	// Return the path to the encrypted file.
+	return d, nil
+}
+
+func readDestinationEntity(pathToEncryptionKey string) (*openpgp.Entity, error) {
+	var r io.Reader
+	switch pathToEncryptionKey {
+	case DefaultEncryptionKey:
+		r = bytes.NewReader(rootPubKey)
+	default:
+		k, err := os.Open(pathToEncryptionKey)
+		if err != nil {
+			return nil, err
+		}
+		r = k
+	}
+	return openpgp.ReadEntity(packet.NewReader(r))
+}

sysdump/sysdump.go

@@ -47,6 +47,10 @@ type Options struct {
 	CiliumOperatorNamespace string
 	// Whether to enable debug logging.
 	Debug bool
+	// Whether to encrypt the resulting zip file.
+	Encrypt bool
+	// The path to the OpenPGP-compliant public key to use for encrypting the resulting zip file.
+	EncryptionKeys []string
 	// The labels used to target Hubble pods.
 	HubbleLabelSelector string
 	// The namespace Hubble is running in.
@@ -668,14 +672,10 @@ func (c *Collector) Run() error {
 	}
 
 	// Create the zip file in the current directory.
-	c.log("🗳 Compiling sysdump")
-	p, err := os.Getwd()
+	c.log("🗳 Archiving sysdump")
+	f, err := c.createOutputFile(d, absoluteTempPath)
 	if err != nil {
-		return fmt.Errorf("failed to get current directory: %w", err)
-	}
-	f := filepath.Join(p, replaceTimestamp(c.options.OutputFileName)+".zip")
-	if err := archiver.Archive([]string{d}, f); err != nil {
-		return fmt.Errorf("failed to create zip file: %w", err)
+		return fmt.Errorf("failed to create output: %w", err)
 	}
 	c.log("✅ The sysdump has been saved to %s", f)
 
@@ -687,6 +687,46 @@ func (c *Collector) Run() error {
 	return nil
 }
 
+func (c *Collector) createOutputFile(d string, path func(string) string) (string, error) {
+	// Create the zip file.
+	f := path(outputZipFilename)
+	if err := archiver.Archive([]string{d}, f); err != nil {
+		return "", fmt.Errorf("failed to create zip file: %w", err)
+	}
+	// Encrypt it if asked to.
+	if c.options.Encrypt {
+		e, err := createEncryptedZipFile(f, c.options.EncryptionKeys)
+		if err != nil {
+			return "", fmt.Errorf("failed to encrypt zip file: %w", err)
+		}
+		f = e
+	}
+	// Copy the output file to the current directory.
+	// The original one will be deleted once the temporary directory is cleaned up.
+	p, err := os.Getwd()
+	if err != nil {
+		return "", fmt.Errorf("failed to get current directory: %w", err)
+	}
+	r, err := os.Open(f)
+	if err != nil {
+		return "", fmt.Errorf("failed to open sysdump file: %w", err)
+	}
+	defer r.Close()
+	o := filepath.Join(p, filepath.Base(f))
+	w, err := os.Create(o)
+	if err != nil {
+		return "", fmt.Errorf("failed to create sysdump file: %w", err)
+	}
+	defer w.Close()
+	if _, err := io.Copy(w, r); err != nil {
+		return "", fmt.Errorf("failed to copy sysdump file: %w", err)
+	}
+	if err := w.Sync(); err != nil {
+		return "", fmt.Errorf("failed to flush sysdump file: %w", err)
+	}
+	return o, nil
+}
+
 func (c *Collector) log(msg string, args ...interface{}) {
 	fmt.Fprintf(c.options.Writer, msg+"\n", args...)
 }