Use a static Secret keyname for keyring #105

merged 2 commits into from
Oct 7, 2024
4 changes: 1 addition & 3 deletions README.md
Expand Up @@ -43,8 +43,7 @@ resources:

Secret name containing Strongbox keyring/identity file MUST be `argocd-voodoobox-strongbox-keyring`.

`STRONGBOX_SECRET_KEY` - set a custom "key name" for keyring data. The default value is `.strongbox_keyring`.

Key name for keyring MUST be `.strongbox_keyring`
For age, the key name MUST be `.strongbox_identity`.

`STRONGBOX_SECRET_NAMESPACE` If you need to deploy a shared strongbox keyring to use in multiple namespaces, then it can be set by this ENV.
Expand Down Expand Up @@ -258,7 +257,6 @@ subjects:
| ARGOCD_APP_NAME | set by argocd | name of application |
| ARGOCD_APP_NAMESPACE | set by argocd | application's destination namespace |
| STRONGBOX_ENABLED | "true" | Enable Strongbox for decryption |
| STRONGBOX_KEYRING_KEY | .strongbox_keyring | the name of the secret data key which contains a valid strongbox keyring file |
| STRONGBOX_SECRET_NAMESPACE | | the name of a namespace where secret resource containing strongbox keyring is located, defaults to current |
| GIT_SSH_CUSTOM_KEY_ENABLED | "false" | Enable Git SSH building using custom (non global) key |
| GIT_SSH_SECRET_NAMESPACE | | the value should be the name of a namespace where secret resource containing ssh keys are located, defaults to current |
3 changes: 2 additions & 1 deletion decrypt.go
Expand Up @@ -18,6 +18,7 @@ import (

const (
stronboxIdentityFilename = ".strongbox_identity"
stronboxKeyringFilename = ".strongbox_keyring"
)

var (
Expand Down Expand Up @@ -65,7 +66,7 @@ func secretData(ctx context.Context, destinationNamespace string, si secretInfo)
return nil, nil, err
}

return secret.Data[si.key], secret.Data[stronboxIdentityFilename], nil
return secret.Data[stronboxKeyringFilename], secret.Data[stronboxIdentityFilename], nil
}

// runStrongboxDecryption will try to decrypt files in cwd using given keyRing file
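Review bot: The new `stronboxKeyringFilename` constant is now a fixed contract between the admins who create the Secret and the plugin, but it carries no comment saying so, and the `Filename` suffix (like its sibling) suggests a file on disk rather than a Secret data key; the misspelled `stronbox` prefix is at least consistent with the existing identity constant. A comment above the const block such as `// Data keys inside the strongbox Secret. The keyring key is deliberately not configurable per application, matching the static secret name.` would make that intent visible. Note also that the return line at the end of `secretData` yields a nil keyring and no error when the Secret lacks this key, so a Secret still populated under an older custom key name is silently treated as having no keyring rather than being rejected; whether that should be an error depends on how callers handle a nil keyring, which is outside this hunk. `secretData` itself starts outside the hunk.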
19 changes: 7 additions & 12 deletions decrypt_test.go
Expand Up @@ -18,7 +18,6 @@ var (
encryptedTestDir1 = "./testData/app-with-secrets-test1"
encryptedTestDir2 = "./testData/app-with-secrets-test2"
withRemoteBaseTestDir = "./testData/app-with-remote-base-test1"
// withRemoteBase = "./testData/app-with-remote-base"
)

func getFileContent(t *testing.T, fileName string) []byte {
Expand Down Expand Up @@ -110,12 +109,11 @@ func Test_secretData(t *testing.T) {
identity []byte
wantErr bool
}{
{"bar-siv-ok", "bar", secretInfo{name: "argocd-strongbox-secret", key: ".strongbox_keyring"}, []byte("keyring-data-bar"), nil, false},
{"bar-siv-ok", "bar", secretInfo{name: "argocd-strongbox-secret"}, []byte("keyring-data-bar"), nil, false},
{"age-ok", "age", secretInfo{name: "argocd-voodoobox-strongbox-keyring"}, nil, []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false},
{"age-and-siv-ok", "age-and-siv", secretInfo{name: "argocd-voodoobox-strongbox-keyring", key: ".strongbox_keyring"}, []byte("keyring-data-bar"), []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false},
{"foo-wrong-key", "foo", secretInfo{name: "strongbox-secret", key: ".strongbox_keyring"}, nil, nil, false},
{"foo-siv-ok", "foo", secretInfo{name: "strongbox-secret", key: "randomKey"}, []byte("keyring-data-foo"), nil, false},
{"default-missing", "default", secretInfo{name: "strongbox-secret", key: "randomKey"}, nil, nil, true},
{"age-and-siv-ok", "age-and-siv", secretInfo{name: "argocd-voodoobox-strongbox-keyring"}, []byte("keyring-data-bar"), []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false},
{"foo-wrong-key", "foo", secretInfo{name: "strongbox-secret"}, nil, nil, false},
{"default-missing", "default", secretInfo{name: "strongbox-secret"}, nil, nil, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Expand Down Expand Up @@ -150,7 +148,7 @@ func Test_ensureDecryption(t *testing.T) {
Namespace: "bar",
},
Data: map[string][]byte{
"keyring": kr,
".strongbox_keyring": kr,
},
},
&v1.Secret{
Expand All @@ -159,7 +157,7 @@ func Test_ensureDecryption(t *testing.T) {
Namespace: "foo",
},
Data: map[string][]byte{
"keyring": kr,
".strongbox_keyring": kr,
},
},
&v1.Secret{
Expand All @@ -171,7 +169,7 @@ func Test_ensureDecryption(t *testing.T) {
},
},
Data: map[string][]byte{
"keyring": kr,
".strongbox_keyring": kr,
},
},
)
Expand All @@ -183,7 +181,6 @@ func Test_ensureDecryption(t *testing.T) {
destinationNamespace: "bar",
keyringSecret: secretInfo{
name: "strongbox-secret",
key: "keyring",
},
}
t.Run("no-encrypted-files-with-secret", func(t *testing.T) {
Expand All @@ -204,7 +201,6 @@ func Test_ensureDecryption(t *testing.T) {
destinationNamespace: "foo",
keyringSecret: secretInfo{
name: "strongbox-secret",
key: "keyring",
},
}
t.Run("encrypted-files-with-secret", func(t *testing.T) {
Expand Down Expand Up @@ -239,7 +235,6 @@ func Test_ensureDecryption(t *testing.T) {
keyringSecret: secretInfo{
namespace: "not-baz",
name: "strongbox-secret",
key: "keyring",
},
}
t.Run("encrypted-files-with-secret-from-diff-ns", func(t *testing.T) {
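Review bot: The `foo-wrong-key` case name in Test_secretData no longer describes what it tests: with the `key` field gone it presumably exercises a Secret that has no `.strongbox_keyring` data key (the fixture setup is outside the hunk) and expects a nil keyring with no error, so a name like `foo-missing-keyring-key` would read better. Since that nil-without-error path is now the only way a Secret populated under a different key surfaces, a one-line comment on the case stating that a missing data key is deliberately not treated as an error would document the contract the test pins. The three fixture maps in Test_ensureDecryption repeat the literal `".strongbox_keyring"`; keeping the literal rather than `stronboxKeyringFilename` is reasonable because the test should fail if the documented key name ever changes, but a short comment saying so would stop a future cleanup from swapping in the constant.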
9 changes: 0 additions & 9 deletions main.go
Expand Up @@ -43,7 +43,6 @@ type applicationInfo struct {
type secretInfo struct {
namespace string
name string
key string
}

var flags = []cli.Flag{
Expand Down Expand Up @@ -100,13 +99,6 @@ to get comma-separated list of all the namespaces that are allowed to use it`,
Usage: `set 'STRONGBOX_SECRET_NAMESPACE' in argocd application as plugin ENV. the value should be the
name of a namespace where secret resource containing strongbox keyring is located`,
},
&cli.StringFlag{
Name: "app-strongbox-secret-key",
EnvVars: []string{argocdAppEnvPrefix + "STRONGBOX_SECRET_KEY"},
Usage: `set 'STRONGBOX_KEYRING_KEY' in argocd application as plugin ENV, the value should be the
name of the secret data key which contains a valid strongbox keyring file`,
Value: strongboxKeyRingFile,
},
// do not set `EnvVars` for secret name flag
// To keep service account's permission minimum, the name of the secret is static across ALL applications.
// this value should only be set by admins of argocd as part of plugin setup
Expand Down Expand Up @@ -177,7 +169,6 @@ func main() {

if c.Bool("app-strongbox-enabled") {
app.keyringSecret = secretInfo{
key: c.String("app-strongbox-secret-key"),
name: c.String("app-strongbox-secret-name"),
namespace: c.String("app-strongbox-secret-namespace"),
}
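Review bot: Removing the `app-strongbox-secret-key` flag means an application that still sets the `STRONGBOX_SECRET_KEY` plugin env (and whose Secret stores the keyring under that custom key) is silently ignored and will now get no keyring, with nothing in the logs explaining why. Consider a one-off warning in `main` where `app.keyringSecret` is built, e.g. `if v := os.Getenv(argocdAppEnvPrefix + "STRONGBOX_SECRET_KEY"); v != "" { log.Printf("STRONGBOX_SECRET_KEY is no longer supported; the keyring must be stored under the %q data key", stronboxKeyringFilename) }`, using whatever logger main.go already has; `main` starts outside the hunk. The removed flag was the only visible use of `strongboxKeyRingFile`; if nothing else references it, that constant is now dead (Go will not flag an unused package-level const) and could go in the same change. The README already drops the mismatched `STRONGBOX_KEYRING_KEY` row, so the env-var naming inconsistency between the old flag and the old table disappears with this commit.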