mirror of https://github.com/fluxcd/flux2.git
Concept: `encrypt init` command for SOPS bootstrap
Signed-off-by: Hidde Beydals <hello@hidde.co>pull/1620/head
Hidde Beydals
4 years ago
parent
fd364828a1
commit
4c0987a9a6
@ -0,0 +1,39 @@
|
|||||||
|
/*
|
||||||
|
Copyright 2021 The Flux authors
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/spf13/cobra"
|
||||||
|
)
|
||||||
|
|
||||||
|
var encryptCmd = &cobra.Command{
|
||||||
|
Use: "encrypt",
|
||||||
|
Short: "Encrypt secrets using SOPS",
|
||||||
|
Long: "The encrypt sub-commands initialise and manage Secret encryption using SOPS.",
|
||||||
|
}
|
||||||
|
|
||||||
|
type encryptFlags struct {
|
||||||
|
export bool
|
||||||
|
}
|
||||||
|
|
||||||
|
var encryptArgs encryptFlags
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
encryptCmd.PersistentFlags().BoolVar(&encryptArgs.export, "export", false, "export in YAML format to stdout")
|
||||||
|
|
||||||
|
rootCmd.AddCommand(encryptCmd)
|
||||||
|
}
|
||||||
@ -0,0 +1,113 @@
|
|||||||
|
/*
|
||||||
|
Copyright 2021 The Flux authors
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
|
||||||
|
"filippo.io/age"
|
||||||
|
"github.com/fluxcd/flux2/internal/utils"
|
||||||
|
"github.com/go-git/go-git/v5"
|
||||||
|
"github.com/spf13/cobra"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
|
var encryptInitCmd = &cobra.Command{
|
||||||
|
Use: "init",
|
||||||
|
Short: "Init SOPS encryption with age identity",
|
||||||
|
Long: "The encryption init command creates a new age identity and writes a .sops.yaml file to the current working directory.",
|
||||||
|
Example: ` # Init SOPS encryption with a new age identity
|
||||||
|
flux encryption init`,
|
||||||
|
RunE: encryptInitCmdRun,
|
||||||
|
}
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
encryptCmd.AddCommand(encryptInitCmd)
|
||||||
|
}
|
||||||
|
|
||||||
|
func encryptInitCmdRun(cmd *cobra.Command, args []string) error {
|
||||||
|
// Confirm our current path is in a Git repository
|
||||||
|
path, err := os.Getwd()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if _, err := git.PlainOpen(path); err != nil {
|
||||||
|
if err == git.ErrRepositoryNotExists {
|
||||||
|
err = fmt.Errorf("'%s' is not in a Git repository", path)
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Abort early if .sops.yaml already exists
|
||||||
|
sopsCfgPath := filepath.Join(path, ".sops.yaml")
|
||||||
|
if _, err := os.Stat(sopsCfgPath); err == nil || os.IsExist(err) {
|
||||||
|
return fmt.Errorf("'%s' already contains a .sops.yaml config", path)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate a new identity
|
||||||
|
i, err := age.GenerateX25519Identity()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
logger.Successf("Generated identity %s", i.Recipient().String())
|
||||||
|
|
||||||
|
// Attempt to configure identity in .sops.yaml
|
||||||
|
const sopsCfg = `creation_rules:
|
||||||
|
- path_regex: .*.yaml
|
||||||
|
encrypted_regex: ^(data|stringData)$
|
||||||
|
age: %s
|
||||||
|
`
|
||||||
|
if err := ioutil.WriteFile(sopsCfgPath, []byte(fmt.Sprintf(sopsCfg, i.Recipient().String())), 0644); err != nil {
|
||||||
|
logger.Failuref("Failed to write recipient to .sops.yaml file")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
logger.Successf("Configured recipient in .sops.yaml file")
|
||||||
|
|
||||||
|
// Init client
|
||||||
|
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
||||||
|
defer cancel()
|
||||||
|
kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create a secret
|
||||||
|
secret := &corev1.Secret{
|
||||||
|
ObjectMeta: v1.ObjectMeta{
|
||||||
|
Name: "sops-age",
|
||||||
|
Namespace: rootArgs.namespace,
|
||||||
|
},
|
||||||
|
StringData: map[string]string{
|
||||||
|
"flux-auto.age": i.String(),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
if err := kubeClient.Create(ctx, secret); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
logger.Successf(`Secret '%s' with private key created`, secret.Name)
|
||||||
|
|
||||||
|
// TODO(hidde): lookup kustomize based on path ref? Do direct cluster mutation? (Preferably not!)
|
||||||
|
// Feels something is missing in general to provide a user experience improving bridge between "die hard"
|
||||||
|
// `--export` and "please do not do this" direct-apply-to-cluster.
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
Loading…
Reference in New Issue