Support age

utilitywarehouse · Aug 5, 2024 · 3ba79bb · 3ba79bb
1 parent d0fde49
commit 3ba79bb
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 30 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,7 @@ RUN apk --no-cache add git gcc make musl-dev curl bash openssh-client
 ENV \
   KUBECTL_VERSION=v1.30.1 \
   KUSTOMIZE_VERSION=v5.4.1 \
-  STRONGBOX_VERSION=1.1.0
+  STRONGBOX_VERSION=2.0.0-RC4
 
 RUN os=$(go env GOOS) && arch=$(go env GOARCH) \
   && curl -Ls -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/${os}/${arch}/kubectl \
@@ -27,7 +27,7 @@ RUN go get -t ./... \
   && make test \
   && CGO_ENABLED=0 && go build -o /kube-applier .
 
-FROM alpine:3.17
+FROM alpine:3.20
 RUN apk --no-cache add git openssh-client tini
 COPY templates/ /templates/
 COPY static/ /static/

diff --git a/README.md b/README.md
@@ -82,15 +82,16 @@ at first in order to bootstrap the kube-applier integration in a namespace.
 #### Integration with `strongbox`
 
 [strongbox](https://github.com/uw-labs/strongbox) is an encryption tool, geared
-towards git repositories and working as a git filter.
+towards Git repositories and working as a Git filter.
 
 If `strongboxKeyringSecretRef` is defined in the Waybill spec (it is an object
 that contains the attributes `name` and `namespace`), it should reference a
-Secret resource which contains a key named `.strongbox_keyring` with its value
-being a valid strongbox keyring file. That keyring is subsequently used when
-applying the Waybill, allowing for decryption of files under the
-`repositoryPath`. If the attribute `namespace` for `strongboxKeyringSecretRef`
-is not specified then it defaults to the same namespace as the Waybill itself.
+Secret resource which contains a key named `.strongbox_keyring` or
+`.strongbox_identity` with the value being a valid Strongbox keyring or
+identity file. That keyring/identity is subsequently used when applying the
+Waybill, allowing for decryption of files under the `repositoryPath`. If the
+attribute `namespace` for `strongboxKeyringSecretRef` is not specified then it
+defaults to the same namespace as the Waybill itself.
 
 This secret should be readable by the ServiceAccount of kube-applier. If
 deployed using the provided kustomize bases, kube-applier's ServiceAccount will
@@ -104,22 +105,35 @@ the Secret should have an annotation called
 all the namespaces that are allowed to use it.
 
 For example, the following secret can be used by namespaces "ns-a", "ns-b" and
-"ns-c":
+"ns-c", assuming its deployed in `ns-a`:
 
-```
-kind: Secret
-apiVersion: v1
-metadata:
-  name: kube-applier-strongbox-keyring
-  namespace: ns-a
-  annotations:
-    kube-applier.io/allowed-namespaces: "ns-b, ns-c"
-stringData:
-  .strongbox_keyring: |-
-    keyentries:
-    - description: mykey
-      key-id: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-      key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+```bash
+# ./kustomization.yaml
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+secretGenerator:
+  - name: kube-applier-strongbox-keyring
+    files:
+      - .strongbox_keyring=strongbox-keyring
+      - .strongbox_identity=strongbox-identity
+    options:
+      annotations:
+        kube-applier.io/allowed-namespaces: "ns-b, ns-c"
+
+# ./strongbox-keyring
+
+keyentries:
+- description: mykey
+  key-id: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+  key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+# ./strongbox-identity
+
+# description: ident1
+# public key: age1ex4ph3ryaathfac0xpjhxk50utn50mtprke7h0vsmdlh6j63q5dsafxehs
+AGE-SECRET-KEY-1GNC98E3WNPAXE49FATT434CFC2THV5Q0SLW45T3VNYUVZ4F8TY6SREQR9Q
 ```
 
 Each item in the list of allowed namespaces supports [shell pattern
@@ -399,7 +413,7 @@ $ make release VERSION=v3.3.3-rc.3
 
 Copyright 2016 Box, Inc. All rights reserved.
 
-Copyright (c) 2017-2023 Utility Warehouse Ltd.
+Copyright (c) 2017-2024 Utility Warehouse Ltd.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/run/runner.go b/run/runner.go
@@ -339,7 +339,7 @@ func (r *Runner) setupRepositoryClone(ctx context.Context, waybill *kubeapplierv
 		repositoryPath = waybill.Namespace
 	}
 	subpath := filepath.Join(r.RepoPath, repositoryPath)
-	// Point strongbox home to the temporary home to be able to decrypt files based on waybill cnfiguratn
+	// Point Strongbox home to the temporary home to be able to decrypt files based on Waybill configuration
 	hash, err := r.Repository.CloneLocal(ctx, []string{fmt.Sprintf("STRONGBOX_HOME=%s", tmpHomeDir)}, tmpRepoDir, subpath)
 	if err != nil {
 		return "", "", err

diff --git a/run/strongbox.go b/run/strongbox.go
@@ -34,12 +34,20 @@ func (sb *strongboxBase) SetupStrongboxKeyring(ctx context.Context, kubeClient *
 	if err := checkSecretIsAllowed(waybill, secret); err != nil {
 		return err
 	}
-	strongboxData, ok := secret.Data[".strongbox_keyring"]
-	if !ok {
-		return fmt.Errorf(`secret "%s/%s" does not contain key '.strongbox_keyring'`, secret.Namespace, secret.Name)
+	keyring, ok1 := secret.Data[".strongbox_keyring"]
+	if ok1 {
+		if err := os.WriteFile(filepath.Join(homeDir, ".strongbox_keyring"), keyring, 0400); err != nil {
+			return err
+		}
 	}
-	if err := os.WriteFile(filepath.Join(homeDir, ".strongbox_keyring"), strongboxData, 0400); err != nil {
-		return err
+	identity, ok2 := secret.Data[".strongbox_identity"]
+	if ok2 {
+		if err := os.WriteFile(filepath.Join(homeDir, ".strongbox_identity"), identity, 0400); err != nil {
+			return err
+		}
+	}
+	if !ok1 && !ok2 {
+		return fmt.Errorf(`secret "%s/%s" does not contain key '.strongbox_keyring' or '.strongbox_identity'`, secret.Namespace, secret.Name)
 	}
 	return nil
 }