diff --git a/pkg/app/piped/cmd/piped/piped.go b/pkg/app/piped/cmd/piped/piped.go index e2d3121d6e..8c2ca14ff9 100644 --- a/pkg/app/piped/cmd/piped/piped.go +++ b/pkg/app/piped/cmd/piped/piped.go @@ -536,7 +536,7 @@ func (p *piped) loadConfig(ctx context.Context) (*config.PipedSpec, error) { } func (p *piped) initializeSecretDecrypter(cfg *config.PipedSpec) (crypto.Decrypter, error) { - sm := cfg.GetSecretManagement() + sm := cfg.SecretManagement if sm == nil { return nil, nil } @@ -598,7 +598,7 @@ func (p *piped) sendPipedMeta(ctx context.Context, client pipedservice.Client, c } // Configure secret management. - if sm := cfg.GetSecretManagement(); sm != nil { + if sm := cfg.SecretManagement; sm != nil { switch sm.Type { case model.SecretManagementTypeSealingKey: fallthrough diff --git a/pkg/app/piped/deploysource/deploysource.go b/pkg/app/piped/deploysource/deploysource.go index c92a6607ed..42290cb919 100644 --- a/pkg/app/piped/deploysource/deploysource.go +++ b/pkg/app/piped/deploysource/deploysource.go @@ -172,13 +172,6 @@ func (p *provider) prepare(ctx context.Context, lw io.Writer) (*DeploySource, er fmt.Fprintln(lw, "Successfully loaded the deployment configuration file") // Decrypt the sealed secrets if needed. - if len(gdc.SealedSecrets) > 0 && p.secretDecrypter != nil { - if err := sourcedecrypter.DecryptSealedSecrets(appDir, gdc.SealedSecrets, p.secretDecrypter); err != nil { - fmt.Fprintf(lw, "Unable to decrypt the sealed secrets (%v)\n", err) - return nil, err - } - fmt.Fprintf(lw, "Successfully decrypted %d sealed secrets\n", len(gdc.SealedSecrets)) - } if gdc.Encryption != nil && p.secretDecrypter != nil && len(gdc.Encryption.DecryptionTargets) > 0 { if err := sourcedecrypter.DecryptSecrets(appDir, *gdc.Encryption, p.secretDecrypter); err != nil { fmt.Fprintf(lw, "Unable to decrypt the secrets (%v)\n", err) 
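Review bot: With the `GetSecretManagement()` fallback gone, `sm := cfg.SecretManagement` is nil for any piped config that still sets only the legacy `sealedSecretManagement` key, and `initializeSecretDecrypter` then returns `nil, nil`, so the piped starts with no decrypter at all. Whether that legacy key is rejected at decode time depends on how the config loader treats unknown fields, which is not visible here; if it is tolerated, the failure is silent, because the deploysource hunk in this same diff skips decryption whenever `p.secretDecrypter` is nil. A warning logged at this `return nil, nil` when no secret management is configured, or an explicit error from `PipedSpec.Validate` when the removed key is present, would make the migration visible to operators. The same consideration applies to the `sendPipedMeta` hunk in this file and to the field removal in the pkg/config/piped.go hunk.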
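Review bot: The comment `// Decrypt the sealed secrets if needed.` that now heads the remaining `gdc.Encryption` block in `prepare` is stale, since the sealed-secret branch below it is deleted; `// Decrypt the encrypted secrets if needed.` describes what is left. The deleted path also carried, in the sourcedecrypter hunk, a TODO about confining the output directory to the application directory; the surviving `DecryptSecrets(appDir, *gdc.Encryption, p.secretDecrypter)` call takes `DecryptionTargets` paths from the application config, so it is worth confirming that the remaining implementation (outside this diff) keeps those paths under `appDir` rather than letting a relative path escape it. `prepare` starts and ends outside the hunk.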
diff --git a/pkg/app/piped/driftdetector/kubernetes/detector.go b/pkg/app/piped/driftdetector/kubernetes/detector.go index 8d560fe0c7..a3aeb1eae4 100644 --- a/pkg/app/piped/driftdetector/kubernetes/detector.go +++ b/pkg/app/piped/driftdetector/kubernetes/detector.go @@ -226,12 +226,7 @@ func (d *detector) loadHeadManifests(ctx context.Context, app *model.Application return nil, fmt.Errorf("unsupport application kind %s", cfg.Kind) } - var ( - shouldDecryptSealedSecrets = d.secretDecrypter != nil && len(gds.SealedSecrets) > 0 - shouldDecryptSecrets = d.secretDecrypter != nil && gds.Encryption != nil - ) - - if shouldDecryptSealedSecrets || shouldDecryptSecrets { + if d.secretDecrypter != nil && gds.Encryption != nil { // We have to copy repository into another directory because // decrypting the sealed secrets might change the git repository. dir, err := os.MkdirTemp("", "detector-git-decrypt") @@ -247,15 +242,8 @@ func (d *detector) loadHeadManifests(ctx context.Context, app *model.Application repoDir = repo.GetPath() appDir = filepath.Join(repoDir, app.GitPath.Path) - if shouldDecryptSealedSecrets { - if err := sourcedecrypter.DecryptSealedSecrets(appDir, gds.SealedSecrets, d.secretDecrypter); err != nil { - return nil, fmt.Errorf("failed to decrypt sealed secrets (%w)", err) - } - } - if shouldDecryptSecrets { - if err := sourcedecrypter.DecryptSecrets(appDir, *gds.Encryption, d.secretDecrypter); err != nil { - return nil, fmt.Errorf("failed to decrypt secrets (%w)", err) - } + if err := sourcedecrypter.DecryptSecrets(appDir, *gds.Encryption, d.secretDecrypter); err != nil { + return nil, fmt.Errorf("failed to decrypt secrets (%w)", err) } } diff --git a/pkg/app/piped/sourcedecrypter/decrypter.go b/pkg/app/piped/sourcedecrypter/decrypter.go index fdd583043b..b01a232d61 100644 --- a/pkg/app/piped/sourcedecrypter/decrypter.go +++ b/pkg/app/piped/sourcedecrypter/decrypter.go 
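Review bot: The new guard `if d.secretDecrypter != nil && gds.Encryption != nil {` is looser than the equivalent check in the deploysource hunk, which also requires `len(gdc.Encryption.DecryptionTargets) > 0`, so the detector still copies the repository into a temp directory when `encryption` is configured but lists nothing to decrypt; `if d.secretDecrypter != nil && gds.Encryption != nil && len(gds.Encryption.DecryptionTargets) > 0 {` would keep the two call sites consistent. The comment line just below, `// decrypting the sealed secrets might change the git repository.`, should also be updated now that only `DecryptSecrets` runs, e.g. `// decrypting the secrets rewrites files inside the checkout.` The enclosing `loadHeadManifests` starts and ends outside the hunk, and the second hunk in this file holds the matching `DecryptSecrets` call.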
@@ -74,41 +74,3 @@ func DecryptSecrets(appDir string, enc config.SecretEncryption, dcr secretDecryp return nil } - -func DecryptSealedSecrets(appDir string, secrets []config.SealedSecretMapping, dcr secretDecrypter) error { - for _, s := range secrets { - secretPath := filepath.Join(appDir, s.Path) - cfg, err := config.LoadFromYAML(secretPath) - if err != nil { - return fmt.Errorf("unable to read sealed secret file %s (%w)", s.Path, err) - } - if cfg.Kind != config.KindSealedSecret { - return fmt.Errorf("unexpected kind in sealed secret file %s, want %q but got %q", s.Path, config.KindSealedSecret, cfg.Kind) - } - - content, err := cfg.SealedSecretSpec.RenderOriginalContent(dcr) - if err != nil { - return fmt.Errorf("unable to render the original content of the sealed secret file %s (%w)", s.Path, err) - } - - outDir, outFile := filepath.Split(s.Path) - if s.OutFilename != "" { - outFile = s.OutFilename - } - if s.OutDir != "" { - outDir = s.OutDir - } - // TODO: Ensure that the output directory must be inside the application directory. - if outDir != "" { - if err := os.MkdirAll(filepath.Join(appDir, outDir), 0700); err != nil { - return fmt.Errorf("unable to write decrypted content of sealed secret file %s to directory %s (%w)", s.Path, outDir, err) - } - } - outPath := filepath.Join(appDir, outDir, outFile) - - if err := os.WriteFile(outPath, content, 0644); err != nil { - return fmt.Errorf("unable to write decrypted content of sealed secret file %s (%w)", s.Path, err) - } - } - return nil -} diff --git a/pkg/app/piped/sourcedecrypter/decrypter_test.go b/pkg/app/piped/sourcedecrypter/decrypter_test.go index aef87f4176..59a4ae2d42 100644 --- a/pkg/app/piped/sourcedecrypter/decrypter_test.go +++ b/pkg/app/piped/sourcedecrypter/decrypter_test.go 
@@ -168,90 +168,3 @@ func TestDecryptSecrets(t *testing.T) { }) } } - -func TestDecryptSealedSecrets(t *testing.T) { - dir, err := os.MkdirTemp("", "test-decrypt-sealed-secrets") - require.NoError(t, err) - defer os.RemoveAll(dir) - - err = os.WriteFile(filepath.Join(dir, "replacing.yaml"), []byte(` -apiVersion: "pipecd.dev/v1beta1" -kind: SealedSecret -spec: - template: | - apiVersion: v1 - kind: Secret - metadata: - name: mysecret - type: Opaque - data: - username: {{ .encryptedItems.username }} - password: {{ .encryptedItems.password }} - encryptedItems: - username: encrypted-username - password: encrypted-password -`), - 0644, - ) - require.NoError(t, err) - - err = os.WriteFile(filepath.Join(dir, "copy.yaml"), []byte(` -apiVersion: "pipecd.dev/v1beta1" -kind: SealedSecret -spec: - encryptedData: encrypted-data -`), - 0644, - ) - - require.NoError(t, err) - - secrets := []config.SealedSecretMapping{ - { - Path: "replacing.yaml", - }, - { - Path: "copy.yaml", - OutFilename: "new-copy.yaml", - }, - { - Path: "copy.yaml", - OutDir: ".credentials", - }, - } - dcr := testSecretDecrypter{ - prefix: "decrypted-", - } - - err = DecryptSealedSecrets(dir, secrets, dcr) - require.NoError(t, err) - - data, err := os.ReadFile(filepath.Join(dir, "replacing.yaml")) - require.NoError(t, err) - assert.Equal(t, - `apiVersion: v1 -kind: Secret -metadata: - name: mysecret -type: Opaque -data: - username: decrypted-encrypted-username - password: decrypted-encrypted-password -`, - string(data), - ) - - data, err = os.ReadFile(filepath.Join(dir, "new-copy.yaml")) - require.NoError(t, err) - assert.Equal(t, - `decrypted-encrypted-data`, - string(data), - ) - - data, err = os.ReadFile(filepath.Join(dir, ".credentials/copy.yaml")) - require.NoError(t, err) - assert.Equal(t, - `decrypted-encrypted-data`, - string(data), - ) -} diff --git a/pkg/config/deployment.go b/pkg/config/deployment.go index e9659c0435..6619f54f9d 100644 --- a/pkg/config/deployment.go +++ b/pkg/config/deployment.go 
@@ -35,8 +35,6 @@ type GenericDeploymentSpec struct { CommitMatcher DeploymentCommitMatcher `json:"commitMatcher"` // Pipeline for deploying progressively. Pipeline *DeploymentPipeline `json:"pipeline"` - // The list of sealed secrets that should be decrypted. - SealedSecrets []SealedSecretMapping `json:"sealedSecrets"` // List of directories or files where their changes will trigger the deployment. // Regular expression can be used. // Deprecated: use Trigger.Paths instead. diff --git a/pkg/config/deployment_terraform_test.go b/pkg/config/deployment_terraform_test.go index a79ef43209..878880ee41 100644 --- a/pkg/config/deployment_terraform_test.go +++ b/pkg/config/deployment_terraform_test.go @@ -70,24 +70,25 @@ func TestTerraformDeploymentConfig(t *testing.T) { expectedError: nil, }, { - fileName: "testdata/application/terraform-app-sealed-secret.yaml", + fileName: "testdata/application/terraform-app-secret-management.yaml", expectedKind: KindTerraformApp, expectedAPIVersion: "pipecd.dev/v1beta1", expectedSpec: &TerraformDeploymentSpec{ GenericDeploymentSpec: GenericDeploymentSpec{ - SealedSecrets: []SealedSecretMapping{ - { - Path: "sealed-service-account.yaml", - OutDir: ".terraform-credentials", - OutFilename: "service-account.yaml", - }, - }, Timeout: Duration(6 * time.Hour), Trigger: Trigger{ OnCommit: OnCommit{ Disabled: false, }, }, + Encryption: &SecretEncryption{ + EncryptedSecrets: map[string]string{ + "serviceAccount": "ENCRYPTED_DATA_GENERATED_FROM_WEB", + }, + DecryptionTargets: []string{ + "service-account.yaml", + }, + }, }, Input: TerraformDeploymentInput{ Workspace: "dev", diff --git a/pkg/config/piped.go b/pkg/config/piped.go index 646a86a6cd..baa493038e 100644 --- a/pkg/config/piped.go +++ b/pkg/config/piped.go 
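Review bot: Removing `SealedSecrets []SealedSecretMapping` together with its `json:"sealedSecrets"` tag means an application config that still declares `sealedSecrets` either fails to decode or, if the loader tolerates unknown fields (not visible here), is accepted with that section silently dropped, so the files it pointed at are deployed unrendered. A comment on the struct recording the removal, such as `// sealedSecrets was removed; declare secrets under encryption.encryptedSecrets and encryption.decryptionTargets instead.`, or an explicit check in the spec's validation that returns an error when the legacy key is present, would make the migration visible to users; the terraform test data in this diff shows the replacement shape. The `GenericDeploymentSpec` definition starts and ends outside the hunk.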
@@ -61,10 +61,6 @@ type PipedSpec struct { AnalysisProviders []PipedAnalysisProvider `json:"analysisProviders"` // Sending notification to Slack, Webhook… Notifications Notifications `json:"notifications"` - // How the sealed secret should be managed. - // Deprecated. - // TODO: Remove sealedSecretManagement field in the future. - SealedSecretManagement *SecretManagement `json:"sealedSecretManagement"` // What secret management method should be used. SecretManagement *SecretManagement `json:"secretManagement"` // Optional settings for event watcher. @@ -91,11 +87,6 @@ func (s *PipedSpec) Validate() error { if s.SyncInterval < 0 { return errors.New("syncInterval must be greater than or equal to 0") } - if s.SealedSecretManagement != nil { - if err := s.SealedSecretManagement.Validate(); err != nil { - return err - } - } if s.SecretManagement != nil { if err := s.SecretManagement.Validate(); err != nil { return err @@ -188,13 +179,6 @@ func (s *PipedSpec) IsInsecureChartRepository(name string) bool { return false } -func (s *PipedSpec) GetSecretManagement() *SecretManagement { - if s.SealedSecretManagement != nil { - return s.SealedSecretManagement - } - return s.SecretManagement -} - func (s *PipedSpec) LoadPipedKey() ([]byte, error) { if s.PipedKeyData != "" { return base64.StdEncoding.DecodeString(s.PipedKeyData) diff --git a/pkg/config/piped_test.go b/pkg/config/piped_test.go index e29bdf28f2..e5006973f2 100644 --- a/pkg/config/piped_test.go +++ b/pkg/config/piped_test.go @@ -195,13 +195,6 @@ func TestPipedConfig(t *testing.T) { }, }, }, - SealedSecretManagement: &SecretManagement{ - Type: model.SecretManagementTypeKeyPair, - KeyPair: &SecretManagementKeyPair{ - PrivateKeyFile: "/etc/piped-secret/sealing-private-key", - PublicKeyFile: "/etc/piped-secret/sealing-public-key", - }, - }, SecretManagement: &SecretManagement{ Type: model.SecretManagementTypeKeyPair, KeyPair: &SecretManagementKeyPair{ 
diff --git a/pkg/config/testdata/application/terraform-app-sealed-secret.yaml b/pkg/config/testdata/application/terraform-app-sealed-secret.yaml deleted file mode 100644 index 7c0997ae11..0000000000 --- a/pkg/config/testdata/application/terraform-app-sealed-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: pipecd.dev/v1beta1 -kind: TerraformApp -spec: - input: - workspace: dev - terraformVersion: 0.12.23 - sealedSecrets: - - path: sealed-service-account.yaml - outDir: .terraform-credentials - outFilename: service-account.yaml diff --git a/pkg/config/testdata/application/terraform-app-secret-management.yaml b/pkg/config/testdata/application/terraform-app-secret-management.yaml new file mode 100644 index 0000000000..6eefc445f0 --- /dev/null +++ b/pkg/config/testdata/application/terraform-app-secret-management.yaml @@ -0,0 +1,11 @@ +apiVersion: pipecd.dev/v1beta1 +kind: TerraformApp +spec: + input: + workspace: dev + terraformVersion: 0.12.23 + encryption: + encryptedSecrets: + serviceAccount: ENCRYPTED_DATA_GENERATED_FROM_WEB + decryptionTargets: + - service-account.yaml \ No newline at end of file diff --git a/pkg/config/testdata/piped/piped-config.yaml b/pkg/config/testdata/piped/piped-config.yaml index 987b46c1e3..024853dff0 100644 --- a/pkg/config/testdata/piped/piped-config.yaml +++ b/pkg/config/testdata/piped/piped-config.yaml @@ -108,16 +108,6 @@ spec: url: https://pipecd.dev/dev-hook signatureValue: random-signature-string - sealedSecretManagement: - type: SEALING_KEY - config: - privateKeyFile: /etc/piped-secret/sealing-private-key - publicKeyFile: /etc/piped-secret/sealing-public-key - # type: GCP_KMS - # config: - # keyName: key-name - # decryptServiceAccountFile: /etc/piped-secret/decrypt-service-account.json - # encryptServiceAccountFile: /etc/piped-secret/encrypt-service-account.json secretManagement: type: KEY_PAIR config: