Use a static Secret keyname for keyring

Works the same way as Age now, less code
utilitywarehouse · Oct 7, 2024 · bf73e77 · bf73e77
1 parent e5c3236
commit bf73e77
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -43,8 +43,7 @@ resources:
 
 Secret name containing Strongbox keyring/identity file MUST be `argocd-voodoobox-strongbox-keyring`.
 
-`STRONGBOX_SECRET_KEY` - set a custom "key name" for keyring data. The default value is `.strongbox_keyring`.
-
+Key name for keyring MUST be `.strongbox_keyring`
 For age, the key name MUST be `.strongbox_identity`.
 
 `STRONGBOX_SECRET_NAMESPACE` If you need to deploy a shared strongbox keyring to use in multiple namespaces, then it can be set by this ENV.
@@ -258,7 +257,6 @@ subjects:
 | ARGOCD_APP_NAME | set by argocd | name of application |
 | ARGOCD_APP_NAMESPACE | set by argocd | application's destination namespace |
 | STRONGBOX_ENABLED | "true" | Enable Strongbox for decryption |
-| STRONGBOX_KEYRING_KEY | .strongbox_keyring | the name of the secret data key which contains a valid strongbox keyring file |
 | STRONGBOX_SECRET_NAMESPACE | | the name of a namespace where secret resource containing strongbox keyring is located, defaults to current |
 | GIT_SSH_CUSTOM_KEY_ENABLED | "false" | Enable Git SSH building using custom (non global) key |
 | GIT_SSH_SECRET_NAMESPACE | | the value should be the name of a namespace where secret resource containing ssh keys are located, defaults to current |
diff --git a/decrypt.go b/decrypt.go
@@ -18,6 +18,7 @@ import (
 
 const (
 	stronboxIdentityFilename = ".strongbox_identity"
+	stronboxKeyringFilename  = ".strongbox_keyring"
 )
 
 var (
@@ -65,7 +66,7 @@ func secretData(ctx context.Context, destinationNamespace string, si secretInfo)
 		return nil, nil, err
 	}
 
-	return secret.Data[si.key], secret.Data[stronboxIdentityFilename], nil
+	return secret.Data[stronboxKeyringFilename], secret.Data[stronboxIdentityFilename], nil
 }
 
 // runStrongboxDecryption will try to decrypt files in cwd using given keyRing file

diff --git a/decrypt_test.go b/decrypt_test.go
@@ -18,7 +18,6 @@ var (
 	encryptedTestDir1     = "./testData/app-with-secrets-test1"
 	encryptedTestDir2     = "./testData/app-with-secrets-test2"
 	withRemoteBaseTestDir = "./testData/app-with-remote-base-test1"
-	// withRemoteBase        = "./testData/app-with-remote-base"
 )
 
 func getFileContent(t *testing.T, fileName string) []byte {
@@ -110,12 +109,11 @@ func Test_secretData(t *testing.T) {
 		identity             []byte
 		wantErr              bool
 	}{
-		{"bar-siv-ok", "bar", secretInfo{name: "argocd-strongbox-secret", key: ".strongbox_keyring"}, []byte("keyring-data-bar"), nil, false},
+		{"bar-siv-ok", "bar", secretInfo{name: "argocd-strongbox-secret"}, []byte("keyring-data-bar"), nil, false},
 		{"age-ok", "age", secretInfo{name: "argocd-voodoobox-strongbox-keyring"}, nil, []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false},
-		{"age-and-siv-ok", "age-and-siv", secretInfo{name: "argocd-voodoobox-strongbox-keyring", key: ".strongbox_keyring"}, []byte("keyring-data-bar"), []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false},
-		{"foo-wrong-key", "foo", secretInfo{name: "strongbox-secret", key: ".strongbox_keyring"}, nil, nil, false},
-		{"foo-siv-ok", "foo", secretInfo{name: "strongbox-secret", key: "randomKey"}, []byte("keyring-data-foo"), nil, false},
-		{"default-missing", "default", secretInfo{name: "strongbox-secret", key: "randomKey"}, nil, nil, true},
+		{"age-and-siv-ok", "age-and-siv", secretInfo{name: "argocd-voodoobox-strongbox-keyring"}, []byte("keyring-data-bar"), []byte("AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q"), false},
+		{"foo-wrong-key", "foo", secretInfo{name: "strongbox-secret"}, nil, nil, false},
+		{"default-missing", "default", secretInfo{name: "strongbox-secret"}, nil, nil, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -150,7 +148,7 @@ func Test_ensureDecryption(t *testing.T) {
 				Namespace: "bar",
 			},
 			Data: map[string][]byte{
-				"keyring": kr,
+				".strongbox_keyring": kr,
 			},
 		},
 		&v1.Secret{
@@ -159,7 +157,7 @@ func Test_ensureDecryption(t *testing.T) {
 				Namespace: "foo",
 			},
 			Data: map[string][]byte{
-				"keyring": kr,
+				".strongbox_keyring": kr,
 			},
 		},
 		&v1.Secret{
@@ -171,7 +169,7 @@ func Test_ensureDecryption(t *testing.T) {
 				},
 			},
 			Data: map[string][]byte{
-				"keyring": kr,
+				".strongbox_keyring": kr,
 			},
 		},
 	)
@@ -183,7 +181,6 @@ func Test_ensureDecryption(t *testing.T) {
 		destinationNamespace: "bar",
 		keyringSecret: secretInfo{
 			name: "strongbox-secret",
-			key:  "keyring",
 		},
 	}
 	t.Run("no-encrypted-files-with-secret", func(t *testing.T) {
@@ -204,7 +201,6 @@ func Test_ensureDecryption(t *testing.T) {
 		destinationNamespace: "foo",
 		keyringSecret: secretInfo{
 			name: "strongbox-secret",
-			key:  "keyring",
 		},
 	}
 	t.Run("encrypted-files-with-secret", func(t *testing.T) {
@@ -239,7 +235,6 @@ func Test_ensureDecryption(t *testing.T) {
 		keyringSecret: secretInfo{
 			namespace: "not-baz",
 			name:      "strongbox-secret",
-			key:       "keyring",
 		},
 	}
 	t.Run("encrypted-files-with-secret-from-diff-ns", func(t *testing.T) {

diff --git a/main.go b/main.go
@@ -43,7 +43,6 @@ type applicationInfo struct {
 type secretInfo struct {
 	namespace string
 	name      string
-	key       string
 }
 
 var flags = []cli.Flag{
@@ -100,13 +99,6 @@ to get comma-separated list of all the namespaces that are allowed to use it`,
 		Usage: `set 'STRONGBOX_SECRET_NAMESPACE' in argocd application as plugin ENV. the value should be the
 name of a namespace where secret resource containing strongbox keyring is located`,
 	},
-	&cli.StringFlag{
-		Name:    "app-strongbox-secret-key",
-		EnvVars: []string{argocdAppEnvPrefix + "STRONGBOX_SECRET_KEY"},
-		Usage: `set 'STRONGBOX_KEYRING_KEY' in argocd application as plugin ENV, the value should be the
-name of the secret data key which contains a valid strongbox keyring file`,
-		Value: strongboxKeyRingFile,
-	},
 	// do not set `EnvVars` for secret name flag
 	// To keep service account's permission minimum, the name of the secret is static across ALL applications.
 	// this value should only be set by admins of argocd as part of plugin setup
@@ -177,7 +169,6 @@ func main() {
 
 					if c.Bool("app-strongbox-enabled") {
 						app.keyringSecret = secretInfo{
-							key:       c.String("app-strongbox-secret-key"),
 							name:      c.String("app-strongbox-secret-name"),
 							namespace: c.String("app-strongbox-secret-namespace"),
 						}