diff --git a/README.md b/README.md index fd222e2..1e2f314 100644 --- a/README.md +++ b/README.md @@ -43,8 +43,7 @@ resources: Secret name containing Strongbox keyring/identity file MUST be `argocd-voodoobox-strongbox-keyring`. -`STRONGBOX_SECRET_KEY` - set a custom "key name" for keyring data. The default value is `.strongbox_keyring`. - +Key name for keyring MUST be `.strongbox_keyring` For age, the key name MUST be `.strongbox_identity`. `STRONGBOX_SECRET_NAMESPACE` If you need to deploy a shared strongbox keyring to use in multiple namespaces, then it can be set by this ENV. @@ -258,7 +257,6 @@ subjects: | ARGOCD_APP_NAME | set by argocd | name of application | | ARGOCD_APP_NAMESPACE | set by argocd | application's destination namespace | | STRONGBOX_ENABLED | "true" | Enable Strongbox for decryption | -| STRONGBOX_KEYRING_KEY | .strongbox_keyring | the name of the secret data key which contains a valid strongbox keyring file | | STRONGBOX_SECRET_NAMESPACE | | the name of a namespace where secret resource containing strongbox keyring is located, defaults to current | | GIT_SSH_CUSTOM_KEY_ENABLED | "false" | Enable Git SSH building using custom (non global) key | | GIT_SSH_SECRET_NAMESPACE | | the value should be the name of a namespace where secret resource containing ssh keys are located, defaults to current | diff --git a/decrypt.go b/decrypt.go index 166e1f6..1e42296 100644 --- a/decrypt.go +++ b/decrypt.go @@ -17,7 +17,8 @@ import ( ) const ( - stronboxIdentityFilename = ".strongbox_identity" + strongboxIdentityFilename = ".strongbox_identity" + strongboxKeyringFilename = ".strongbox_keyring" ) var ( @@ -47,7 +48,7 @@ func ensureDecryption(ctx context.Context, cwd string, app applicationInfo) erro } if identityData != nil { - identityPath := filepath.Join(cwd, stronboxIdentityFilename) + identityPath := filepath.Join(cwd, strongboxIdentityFilename) if err := os.WriteFile(identityPath, identityData, 0644); err != nil { return err } 
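Review bot: The new `strongboxKeyringFilename` constant in the decrypt.go `const` block looks like a second definition of the value that `strongboxKeyRingFile` already supplied as the removed flag's default `Value` in main.go; if that older constant still exists and holds `.strongbox_keyring`, keep one of them and reference it from both files, otherwise the two names will drift the next time someone changes the key. The constants also carry no comment now that they are the only accepted data keys; a short header such as `// Fixed data keys of the strongbox secret: the keyring and the age identity. There is no per-application override.` would tell the next reader why `secretInfo` no longer carries a key name.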
@@ -65,7 +66,7 @@ func secretData(ctx context.Context, destinationNamespace string, si secretInfo) return nil, nil, err } - return secret.Data[si.key], secret.Data[stronboxIdentityFilename], nil + return secret.Data[strongboxKeyringFilename], secret.Data[strongboxIdentityFilename], nil } // runStrongboxDecryption will try to decrypt files in cwd using given keyRing file diff --git a/decrypt_test.go b/decrypt_test.go index 942d238..b4b84b7 100644 --- a/decrypt_test.go +++ b/decrypt_test.go @@ -18,7 +18,6 @@ var ( encryptedTestDir1 = "./testData/app-with-secrets-test1" encryptedTestDir2 = "./testData/app-with-secrets-test2" withRemoteBaseTestDir = "./testData/app-with-remote-base-test1" - // withRemoteBase = "./testData/app-with-remote-base" ) func getFileContent(t *testing.T, fileName string) []byte { @@ -87,7 +86,7 @@ func Test_secretData(t *testing.T) { Namespace: "age", }, Data: map[string][]byte{ - stronboxIdentityFilename: []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), + strongboxIdentityFilename: []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), }, }, &v1.Secret{ @@ -96,8 +95,8 @@ func Test_secretData(t *testing.T) { Namespace: "age-and-siv", }, Data: map[string][]byte{ - ".strongbox_keyring": []byte("keyring-data-bar"), - stronboxIdentityFilename: []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), + ".strongbox_keyring": []byte("keyring-data-bar"), + strongboxIdentityFilename: []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), }, }, ) 
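Review bot: With the data key now fixed, the rewritten return in `secretData` silently yields `nil, nil, nil` for a secret that exists but uses some other key name (the `foo-wrong-key` table case appears to pin exactly that), so an operator whose secret was created under the old `STRONGBOX_SECRET_KEY` override gets no error and no log line, just an application whose files are presumably left encrypted, which is hard to diagnose once the override flag is gone. Consider failing when neither key is present, e.g. `if len(secret.Data[strongboxKeyringFilename]) == 0 && len(secret.Data[strongboxIdentityFilename]) == 0 {` / `return nil, nil, fmt.Errorf("secret %s has neither %q nor %q data key", si.name, strongboxKeyringFilename, strongboxIdentityFilename)` / `}` (or whatever error constructor the file already uses), and flip the `foo-wrong-key` expectation to `wantErr: true`; if a key-less secret is deliberately tolerated, a warning log at this point is still worth having. `secretData` begins before this hunk and what `ensureDecryption` does with two nil values is outside it, so the exact failure mode should be confirmed there.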
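Review bot: In the `age-and-siv` fixture of `Test_secretData` the identity entry was switched to `strongboxIdentityFilename` but the keyring entry still spells `".strongbox_keyring"` as a literal; using `strongboxKeyringFilename` there keeps the fixture tied to the constant the code under test reads, so a future rename cannot leave the tests green for the wrong reason. The same literal is introduced in the three `Test_ensureDecryption` fixtures (hunks `@@ -150,7 +148,7`, `@@ -159,7 +157,7` and `@@ -171,7 +169,7`) and should use the constant as well.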
@@ -110,12 +109,11 @@ func Test_secretData(t *testing.T) { identity []byte wantErr bool }{ - {"bar-siv-ok", "bar", secretInfo{name: "argocd-strongbox-secret", key: ".strongbox_keyring"}, []byte("keyring-data-bar"), nil, false}, + {"bar-siv-ok", "bar", secretInfo{name: "argocd-strongbox-secret"}, []byte("keyring-data-bar"), nil, false}, {"age-ok", "age", secretInfo{name: "argocd-voodoobox-strongbox-keyring"}, nil, []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false}, - {"age-and-siv-ok", "age-and-siv", secretInfo{name: "argocd-voodoobox-strongbox-keyring", key: ".strongbox_keyring"}, []byte("keyring-data-bar"), []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false}, - {"foo-wrong-key", "foo", secretInfo{name: "strongbox-secret", key: ".strongbox_keyring"}, nil, nil, false}, - {"foo-siv-ok", "foo", secretInfo{name: "strongbox-secret", key: "randomKey"}, []byte("keyring-data-foo"), nil, false}, - {"default-missing", "default", secretInfo{name: "strongbox-secret", key: "randomKey"}, nil, nil, true}, + {"age-and-siv-ok", "age-and-siv", secretInfo{name: "argocd-voodoobox-strongbox-keyring"}, []byte("keyring-data-bar"), []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false}, + {"foo-wrong-key", "foo", secretInfo{name: "strongbox-secret"}, nil, nil, false}, + {"default-missing", "default", secretInfo{name: "strongbox-secret"}, nil, nil, true}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -150,7 +148,7 @@ func Test_ensureDecryption(t *testing.T) { Namespace: "bar", }, Data: map[string][]byte{ - "keyring": kr, + ".strongbox_keyring": kr, }, }, &v1.Secret{ @@ -159,7 +157,7 @@ func Test_ensureDecryption(t *testing.T) { Namespace: "foo", }, Data: map[string][]byte{ - "keyring": kr, + ".strongbox_keyring": kr, }, }, &v1.Secret{ 
@@ -171,7 +169,7 @@ func Test_ensureDecryption(t *testing.T) { }, }, Data: map[string][]byte{ - "keyring": kr, + ".strongbox_keyring": kr, }, }, ) @@ -183,7 +181,6 @@ func Test_ensureDecryption(t *testing.T) { destinationNamespace: "bar", keyringSecret: secretInfo{ name: "strongbox-secret", - key: "keyring", }, } t.Run("no-encrypted-files-with-secret", func(t *testing.T) { @@ -204,7 +201,6 @@ func Test_ensureDecryption(t *testing.T) { destinationNamespace: "foo", keyringSecret: secretInfo{ name: "strongbox-secret", - key: "keyring", }, } t.Run("encrypted-files-with-secret", func(t *testing.T) { @@ -239,7 +235,6 @@ func Test_ensureDecryption(t *testing.T) { keyringSecret: secretInfo{ namespace: "not-baz", name: "strongbox-secret", - key: "keyring", }, } t.Run("encrypted-files-with-secret-from-diff-ns", func(t *testing.T) { diff --git a/main.go b/main.go index 5259af5..048b406 100644 --- a/main.go +++ b/main.go @@ -43,7 +43,6 @@ type applicationInfo struct { type secretInfo struct { namespace string name string - key string } var flags = []cli.Flag{ @@ -100,13 +99,6 @@ to get comma-separated list of all the namespaces that are allowed to use it`, Usage: `set 'STRONGBOX_SECRET_NAMESPACE' in argocd application as plugin ENV. the value should be the name of a namespace where secret resource containing strongbox keyring is located`, }, - &cli.StringFlag{ - Name: "app-strongbox-secret-key", - EnvVars: []string{argocdAppEnvPrefix + "STRONGBOX_SECRET_KEY"}, - Usage: `set 'STRONGBOX_KEYRING_KEY' in argocd application as plugin ENV, the value should be the -name of the secret data key which contains a valid strongbox keyring file`, - Value: strongboxKeyRingFile, - }, // do not set `EnvVars` for secret name flag // To keep service account's permission minimum, the name of the secret is static across ALL applications. // this value should only be set by admins of argocd as part of plugin setup 
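Review bot: `secretInfo` has no doc comment, and after dropping `key` a reader of main.go can no longer see from the struct that the data keys inside the secret are fixed; add `// secretInfo locates the Kubernetes secret holding the strongbox keyring and/or age identity; the data keys read from it are the fixed strongboxKeyringFilename and strongboxIdentityFilename constants in decrypt.go.` above the type. The surviving comment in the flag list (`// To keep service account's permission minimum, the name of the secret is static across ALL applications.`) could note in the same breath that the data key names are now static too, so both fixed values are documented at the place where an admin configures the plugin.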
@@ -177,7 +169,6 @@ func main() { if c.Bool("app-strongbox-enabled") { app.keyringSecret = secretInfo{ - key: c.String("app-strongbox-secret-key"), name: c.String("app-strongbox-secret-name"), namespace: c.String("app-strongbox-secret-namespace"), }