GPG decryption in contained environment

fluxcd · Sep 2, 2020 · 07f13e5 · 07f13e5
1 parent 2f33ba0
commit 07f13e5
Show file tree

Hide file tree

Showing 8 changed files with 952 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -19,6 +19,7 @@ RUN go mod download
 # copy source code
 COPY main.go main.go
 COPY controllers/ controllers/
+COPY internal/ internal/
 
 # build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o kustomize-controller main.go

diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -393,7 +393,11 @@ func (r *KustomizationReconciler) build(kustomization kustomizev1.Kustomization,
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	dec := NewDecryptor(r.Client, kustomization)
+	dec, cleanup, err := NewTempDecryptor(r.Client, kustomization)
+	if err != nil {
+		return nil, err
+	}
+	defer cleanup()
 
 	// import OpenPGP keys if any
 	if err := dec.ImportKeys(ctx); err != nil {

diff --git a/controllers/kustomization_decryptor.go b/controllers/kustomization_decryptor.go
@@ -12,29 +12,44 @@ import (
 	"go.mozilla.org/sops/v3/aes"
 	"go.mozilla.org/sops/v3/cmd/sops/common"
 	"go.mozilla.org/sops/v3/cmd/sops/formats"
+	"go.mozilla.org/sops/v3/keyservice"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/yaml"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1alpha1"
+	intkeyservice "github.com/fluxcd/kustomize-controller/internal/sops/keyservice"
 )
 
 const DecryptionProviderSOPS = "sops"
 
 type KustomizeDecryptor struct {
 	client.Client
 	kustomization kustomizev1.Kustomization
+	homeDir       string
 }
 
-func NewDecryptor(kubeClient client.Client, kustomization kustomizev1.Kustomization) *KustomizeDecryptor {
+func NewDecryptor(kubeClient client.Client,
+	kustomization kustomizev1.Kustomization, homeDir string) *KustomizeDecryptor {
 	return &KustomizeDecryptor{
 		Client:        kubeClient,
 		kustomization: kustomization,
+		homeDir:       homeDir,
 	}
 }
 
+func NewTempDecryptor(kubeClient client.Client,
+	kustomization kustomizev1.Kustomization) (*KustomizeDecryptor, func(), error) {
+	tmpDir, err := ioutil.TempDir("", fmt.Sprintf("decryptor-%s-", kustomization.Name))
+	if err != nil {
+		return nil, nil, fmt.Errorf("tmp dir error: %w", err)
+	}
+	cleanup := func() { os.RemoveAll(tmpDir) }
+	return NewDecryptor(kubeClient, kustomization, tmpDir), cleanup, nil
+}
+
 func (kd *KustomizeDecryptor) Decrypt(res *resource.Resource) (*resource.Resource, error) {
 	out, err := res.AsYAML()
 	if err != nil {
@@ -50,7 +65,11 @@ func (kd *KustomizeDecryptor) Decrypt(res *resource.Resource) (*resource.Resourc
 			return nil, fmt.Errorf("LoadEncryptedFile: %w", err)
 		}
 
-		key, err := tree.Metadata.GetDataKey()
+		key, err := tree.Metadata.GetDataKeyWithKeyServices(
+			[]keyservice.KeyServiceClient{
+				intkeyservice.NewLocalClient(intkeyservice.NewServer(false, kd.homeDir)),
+			},
+		)
 		if err != nil {
 			return nil, fmt.Errorf("GetDataKey: %w", err)
 		}
@@ -95,6 +114,7 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 		if err != nil {
 			return fmt.Errorf("tmp dir error: %w", err)
 		}
+		defer os.RemoveAll(tmpDir)
 
 		for name, key := range secret.Data {
 			keyPath := path.Join(tmpDir, name)
@@ -111,7 +131,11 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 }
 
 func (kd *KustomizeDecryptor) gpgImport(path string) error {
-	cmd := exec.Command("gpg", "--import", path)
+	args := []string{"--import", path}
+	if kd.homeDir != "" {
+		args = append([]string{"--homedir", kd.homeDir}, args...)
+	}
+	cmd := exec.Command("gpg", args...)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("gpg import error: %s", string(out))

diff --git a/go.mod b/go.mod
@@ -13,9 +13,14 @@ require (
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/source-controller/api v0.0.11
 	github.com/go-logr/logr v0.1.0
+	github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c
 	github.com/onsi/ginkgo v1.12.1
 	github.com/onsi/gomega v1.10.1
+	go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a
 	go.mozilla.org/sops/v3 v3.6.0
+	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
+	golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7
+	google.golang.org/grpc v1.26.0
 	k8s.io/api v0.18.8
 	k8s.io/apimachinery v0.18.8
 	k8s.io/client-go v0.18.8