Remove file reading from bootstrap package

Signed-off-by: Philip Laine <philip.laine@gmail.com>
2026-02-06 19:05:55 +00:00 · 2022-10-24 11:11:33 +02:00
parent 2c267c95e5
commit a4734d7e30
17 changed files with 270 additions and 168 deletions
--- a/pkg/bootstrap/bootstrap_plain_git.go
+++ b/pkg/bootstrap/bootstrap_plain_git.go
@@ -24,6 +24,7 @@ import (
 	"strings"
 	"time"

+	"github.com/ProtonMail/go-crypto/openpgp"
 	gogit "github.com/go-git/go-git/v5"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -56,9 +57,9 @@ type PlainGitBootstrapper struct {
 	author                git.Author
 	commitMessageAppendix string

-	gpgKeyRingPath string
-	gpgPassphrase  string
-	gpgKeyID       string
+	gpgKeyRing    openpgp.EntityList
+	gpgPassphrase string
+	gpgKeyID      string

 	restClientGetter  genericclioptions.RESTClientGetter
 	restClientOptions *runclient.Options
@@ -139,7 +140,7 @@ func (b *PlainGitBootstrapper) ReconcileComponents(ctx context.Context, manifest
 	}

 	// Git commit generated
-	gpgOpts := git.WithGpgSigningOption(b.gpgKeyRingPath, b.gpgPassphrase, b.gpgKeyID)
+	gpgOpts := git.WithGpgSigningOption(b.gpgKeyRing, b.gpgPassphrase, b.gpgKeyID)
 	commitMsg := fmt.Sprintf("Add Flux %s component manifests", options.Version)
 	if b.commitMessageAppendix != "" {
 		commitMsg = commitMsg + "\n\n" + b.commitMessageAppendix
@@ -195,7 +196,7 @@ func (b *PlainGitBootstrapper) ReconcileSourceSecret(ctx context.Context, option
 	}

 	// Return early if exists and no custom config is passed
-	if ok && len(options.CAFilePath+options.PrivateKeyPath+options.Username+options.Password) == 0 {
+	if ok && options.Keypair == nil && len(options.CAFile) == 0 && len(options.Username+options.Password) == 0 {
 		b.logger.Successf("source secret up to date")
 		return nil
 	}
@@ -284,7 +285,7 @@ func (b *PlainGitBootstrapper) ReconcileSyncConfig(ctx context.Context, options
 	b.logger.Successf("generated sync manifests")

 	// Git commit generated
-	gpgOpts := git.WithGpgSigningOption(b.gpgKeyRingPath, b.gpgPassphrase, b.gpgKeyID)
+	gpgOpts := git.WithGpgSigningOption(b.gpgKeyRing, b.gpgPassphrase, b.gpgKeyID)
 	commitMsg := fmt.Sprintf("Add Flux sync manifests")
 	if b.commitMessageAppendix != "" {
 		commitMsg = commitMsg + "\n\n" + b.commitMessageAppendix
--- a/pkg/bootstrap/git/commit_options.go
+++ b/pkg/bootstrap/git/commit_options.go
@@ -1,5 +1,9 @@
 package git

+import (
+	"github.com/ProtonMail/go-crypto/openpgp"
+)
+
 // Option is a some configuration that modifies options for a commit.
 type Option interface {
 	// ApplyToCommit applies this configuration to a given commit option.
@@ -13,9 +17,9 @@ type CommitOptions struct {

 // GPGSigningInfo contains information for signing a commit.
 type GPGSigningInfo struct {
-	KeyRingPath string
-	Passphrase  string
-	KeyID       string
+	KeyRing    openpgp.EntityList
+	Passphrase string
+	KeyID      string
 }

 type GpgSigningOption struct {
@@ -26,17 +30,17 @@ func (w GpgSigningOption) ApplyToCommit(in *CommitOptions) {
 	in.GPGSigningInfo = w.GPGSigningInfo
 }

-func WithGpgSigningOption(path, passphrase, keyID string) Option {
+func WithGpgSigningOption(keyRing openpgp.EntityList, passphrase, keyID string) Option {
 	// Return nil if no path is set, even if other options are configured.
-	if path == "" {
+	if len(keyRing) == 0 {
 		return GpgSigningOption{}
 	}

 	return GpgSigningOption{
 		GPGSigningInfo: &GPGSigningInfo{
-			KeyRingPath: path,
-			Passphrase:  passphrase,
-			KeyID:       keyID,
+			KeyRing:    keyRing,
+			Passphrase: passphrase,
+			KeyID:      keyID,
 		},
 	}
 }
--- a/pkg/bootstrap/git/gogit/gogit.go
+++ b/pkg/bootstrap/git/gogit/gogit.go
@@ -258,23 +258,13 @@ func isRemoteBranchNotFoundErr(err error, ref string) bool {
 }

 func getOpenPgpEntity(info git.GPGSigningInfo) (*openpgp.Entity, error) {
-	r, err := os.Open(info.KeyRingPath)
-	if err != nil {
-		return nil, fmt.Errorf("unable to open GPG key ring: %w", err)
-	}
-
-	entityList, err := openpgp.ReadKeyRing(r)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(entityList) == 0 {
+	if len(info.KeyRing) == 0 {
 		return nil, fmt.Errorf("empty GPG key ring")
 	}

 	var entity *openpgp.Entity
 	if info.KeyID != "" {
-		for _, ent := range entityList {
+		for _, ent := range info.KeyRing {
 			if ent.PrimaryKey.KeyIdString() == info.KeyID {
 				entity = ent
 			}
@@ -284,10 +274,10 @@ func getOpenPgpEntity(info git.GPGSigningInfo) (*openpgp.Entity, error) {
 			return nil, fmt.Errorf("no GPG private key matching key id '%s' found", info.KeyID)
 		}
 	} else {
-		entity = entityList[0]
+		entity = info.KeyRing[0]
 	}

-	err = entity.PrivateKey.Decrypt([]byte(info.Passphrase))
+	err := entity.PrivateKey.Decrypt([]byte(info.Passphrase))
 	if err != nil {
 		return nil, fmt.Errorf("unable to decrypt GPG private key: %w", err)
 	}
--- a/pkg/bootstrap/git/gogit/gogit_test.go
+++ b/pkg/bootstrap/git/gogit/gogit_test.go
@@ -4,8 +4,10 @@
 package gogit

 import (
+	"os"
 	"testing"

+	"github.com/ProtonMail/go-crypto/openpgp"
 	"github.com/fluxcd/flux2/pkg/bootstrap/git"
 )

@@ -49,10 +51,21 @@ func TestGetOpenPgpEntity(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			var entityList openpgp.EntityList
+			if tt.keyPath != "" {
+				r, err := os.Open(tt.keyPath)
+				if err != nil {
+					t.Errorf("unexpected error: %s", err)
+				}
+				entityList, err = openpgp.ReadKeyRing(r)
+				if err != nil {
+					t.Errorf("unexpected error: %s", err)
+				}
+			}
 			gpgInfo := git.GPGSigningInfo{
-				KeyRingPath: tt.keyPath,
-				Passphrase:  tt.passphrase,
-				KeyID:       tt.id,
+				KeyRing:    entityList,
+				Passphrase: tt.passphrase,
+				KeyID:      tt.id,
 			}

 			_, err := getOpenPgpEntity(gpgInfo)
--- a/pkg/bootstrap/options.go
+++ b/pkg/bootstrap/options.go
@@ -17,8 +17,12 @@ limitations under the License.
 package bootstrap

 import (
+	"fmt"
+	"os"
+
 	"k8s.io/cli-runtime/pkg/genericclioptions"

+	"github.com/ProtonMail/go-crypto/openpgp"
 	runclient "github.com/fluxcd/pkg/runtime/client"

 	"github.com/fluxcd/flux2/pkg/bootstrap/git"
@@ -131,22 +135,22 @@ func (o loggerOption) applyGitProvider(b *GitProviderBootstrapper) {
 	b.logger = o.logger
 }

-func WithGitCommitSigning(path, passphrase, keyID string) Option {
+func WithGitCommitSigning(gpgKeyRing openpgp.EntityList, passphrase, keyID string) Option {
 	return gitCommitSigningOption{
-		gpgKeyRingPath: path,
-		gpgPassphrase:  passphrase,
-		gpgKeyID:       keyID,
+		gpgKeyRing:    gpgKeyRing,
+		gpgPassphrase: passphrase,
+		gpgKeyID:      keyID,
 	}
 }

 type gitCommitSigningOption struct {
-	gpgKeyRingPath string
-	gpgPassphrase  string
-	gpgKeyID       string
+	gpgKeyRing    openpgp.EntityList
+	gpgPassphrase string
+	gpgKeyID      string
 }

 func (o gitCommitSigningOption) applyGit(b *PlainGitBootstrapper) {
-	b.gpgKeyRingPath = o.gpgKeyRingPath
+	b.gpgKeyRing = o.gpgKeyRing
 	b.gpgPassphrase = o.gpgPassphrase
 	b.gpgKeyID = o.gpgKeyID
 }
@@ -154,3 +158,18 @@ func (o gitCommitSigningOption) applyGit(b *PlainGitBootstrapper) {
 func (o gitCommitSigningOption) applyGitProvider(b *GitProviderBootstrapper) {
 	o.applyGit(b.PlainGitBootstrapper)
 }
+
+func LoadEntityListFromPath(path string) (openpgp.EntityList, error) {
+	if path == "" {
+		return nil, nil
+	}
+	r, err := os.Open(path)
+	if err != nil {
+		return nil, fmt.Errorf("unable to open GPG key ring: %w", err)
+	}
+	entityList, err := openpgp.ReadKeyRing(r)
+	if err != nil {
+		return nil, err
+	}
+	return entityList, nil
+}