pipe-cd · pipecd-bot · Nov 15, 2021 · Nov 15, 2021
@@ -536,7 +536,7 @@ func (p *piped) loadConfig(ctx context.Context) (*config.PipedSpec, error) {
 }
 
 func (p *piped) initializeSecretDecrypter(cfg *config.PipedSpec) (crypto.Decrypter, error) {
-	sm := cfg.GetSecretManagement()
+	sm := cfg.SecretManagement
 	if sm == nil {
 		return nil, nil
 	}
@@ -598,7 +598,7 @@ func (p *piped) sendPipedMeta(ctx context.Context, client pipedservice.Client, c
 	}
 
 	// Configure secret management.
-	if sm := cfg.GetSecretManagement(); sm != nil {
+	if sm := cfg.SecretManagement; sm != nil {
 		switch sm.Type {
 		case model.SecretManagementTypeSealingKey:
 			fallthrough

@@ -172,13 +172,6 @@ func (p *provider) prepare(ctx context.Context, lw io.Writer) (*DeploySource, er
 	fmt.Fprintln(lw, "Successfully loaded the deployment configuration file")
 
 	// Decrypt the sealed secrets if needed.
-	if len(gdc.SealedSecrets) > 0 && p.secretDecrypter != nil {
-		if err := sourcedecrypter.DecryptSealedSecrets(appDir, gdc.SealedSecrets, p.secretDecrypter); err != nil {
-			fmt.Fprintf(lw, "Unable to decrypt the sealed secrets (%v)\n", err)
-			return nil, err
-		}
-		fmt.Fprintf(lw, "Successfully decrypted %d sealed secrets\n", len(gdc.SealedSecrets))
-	}
 	if gdc.Encryption != nil && p.secretDecrypter != nil && len(gdc.Encryption.DecryptionTargets) > 0 {
 		if err := sourcedecrypter.DecryptSecrets(appDir, *gdc.Encryption, p.secretDecrypter); err != nil {
 			fmt.Fprintf(lw, "Unable to decrypt the secrets (%v)\n", err)

@@ -226,12 +226,7 @@ func (d *detector) loadHeadManifests(ctx context.Context, app *model.Application
 			return nil, fmt.Errorf("unsupport application kind %s", cfg.Kind)
 		}
 
-		var (
-			shouldDecryptSealedSecrets = d.secretDecrypter != nil && len(gds.SealedSecrets) > 0
-			shouldDecryptSecrets       = d.secretDecrypter != nil && gds.Encryption != nil
-		)
-
-		if shouldDecryptSealedSecrets || shouldDecryptSecrets {
+		if d.secretDecrypter != nil && gds.Encryption != nil {
 			// We have to copy repository into another directory because
 			// decrypting the sealed secrets might change the git repository.
 			dir, err := os.MkdirTemp("", "detector-git-decrypt")
@@ -247,15 +242,8 @@ func (d *detector) loadHeadManifests(ctx context.Context, app *model.Application
 			repoDir = repo.GetPath()
 			appDir = filepath.Join(repoDir, app.GitPath.Path)
 
-			if shouldDecryptSealedSecrets {
-				if err := sourcedecrypter.DecryptSealedSecrets(appDir, gds.SealedSecrets, d.secretDecrypter); err != nil {
-					return nil, fmt.Errorf("failed to decrypt sealed secrets (%w)", err)
-				}
-			}
-			if shouldDecryptSecrets {
-				if err := sourcedecrypter.DecryptSecrets(appDir, *gds.Encryption, d.secretDecrypter); err != nil {
-					return nil, fmt.Errorf("failed to decrypt secrets (%w)", err)
-				}
+			if err := sourcedecrypter.DecryptSecrets(appDir, *gds.Encryption, d.secretDecrypter); err != nil {
+				return nil, fmt.Errorf("failed to decrypt secrets (%w)", err)
 			}
 		}
 

@@ -74,41 +74,3 @@ func DecryptSecrets(appDir string, enc config.SecretEncryption, dcr secretDecryp
 
 	return nil
 }
-
-func DecryptSealedSecrets(appDir string, secrets []config.SealedSecretMapping, dcr secretDecrypter) error {
-	for _, s := range secrets {
-		secretPath := filepath.Join(appDir, s.Path)
-		cfg, err := config.LoadFromYAML(secretPath)
-		if err != nil {
-			return fmt.Errorf("unable to read sealed secret file %s (%w)", s.Path, err)
-		}
-		if cfg.Kind != config.KindSealedSecret {
-			return fmt.Errorf("unexpected kind in sealed secret file %s, want %q but got %q", s.Path, config.KindSealedSecret, cfg.Kind)
-		}
-
-		content, err := cfg.SealedSecretSpec.RenderOriginalContent(dcr)
-		if err != nil {
-			return fmt.Errorf("unable to render the original content of the sealed secret file %s (%w)", s.Path, err)
-		}
-
-		outDir, outFile := filepath.Split(s.Path)
-		if s.OutFilename != "" {
-			outFile = s.OutFilename
-		}
-		if s.OutDir != "" {
-			outDir = s.OutDir
-		}
-		// TODO: Ensure that the output directory must be inside the application directory.
-		if outDir != "" {
-			if err := os.MkdirAll(filepath.Join(appDir, outDir), 0700); err != nil {
-				return fmt.Errorf("unable to write decrypted content of sealed secret file %s to directory %s (%w)", s.Path, outDir, err)
-			}
-		}
-		outPath := filepath.Join(appDir, outDir, outFile)
-
-		if err := os.WriteFile(outPath, content, 0644); err != nil {
-			return fmt.Errorf("unable to write decrypted content of sealed secret file %s (%w)", s.Path, err)
-		}
-	}
-	return nil
-}
@@ -168,90 +168,3 @@ func TestDecryptSecrets(t *testing.T) {
 		})
 	}
 }
-
-func TestDecryptSealedSecrets(t *testing.T) {
-	dir, err := os.MkdirTemp("", "test-decrypt-sealed-secrets")
-	require.NoError(t, err)
-	defer os.RemoveAll(dir)
-
-	err = os.WriteFile(filepath.Join(dir, "replacing.yaml"), []byte(`
-apiVersion: "pipecd.dev/v1beta1"
-kind: SealedSecret
-spec:
-  template: |
-    apiVersion: v1
-    kind: Secret
-    metadata:
-      name: mysecret
-    type: Opaque
-    data:
-      username: {{ .encryptedItems.username }}
-      password: {{ .encryptedItems.password }}
-  encryptedItems:
-    username: encrypted-username
-    password: encrypted-password
-`),
-		0644,
-	)
-	require.NoError(t, err)
-
-	err = os.WriteFile(filepath.Join(dir, "copy.yaml"), []byte(`
-apiVersion: "pipecd.dev/v1beta1"
-kind: SealedSecret
-spec:
-  encryptedData: encrypted-data
-`),
-		0644,
-	)
-
-	require.NoError(t, err)
-
-	secrets := []config.SealedSecretMapping{
-		{
-			Path: "replacing.yaml",
-		},
-		{
-			Path:        "copy.yaml",
-			OutFilename: "new-copy.yaml",
-		},
-		{
-			Path:   "copy.yaml",
-			OutDir: ".credentials",
-		},
-	}
-	dcr := testSecretDecrypter{
-		prefix: "decrypted-",
-	}
-
-	err = DecryptSealedSecrets(dir, secrets, dcr)
-	require.NoError(t, err)
-
-	data, err := os.ReadFile(filepath.Join(dir, "replacing.yaml"))
-	require.NoError(t, err)
-	assert.Equal(t,
-		`apiVersion: v1
-kind: Secret
-metadata:
-  name: mysecret
-type: Opaque
-data:
-  username: decrypted-encrypted-username
-  password: decrypted-encrypted-password
-`,
-		string(data),
-	)
-
-	data, err = os.ReadFile(filepath.Join(dir, "new-copy.yaml"))
-	require.NoError(t, err)
-	assert.Equal(t,
-		`decrypted-encrypted-data`,
-		string(data),
-	)
-
-	data, err = os.ReadFile(filepath.Join(dir, ".credentials/copy.yaml"))
-	require.NoError(t, err)
-	assert.Equal(t,
-		`decrypted-encrypted-data`,
-		string(data),
-	)
-}
@@ -35,8 +35,6 @@ type GenericDeploymentSpec struct {
 	CommitMatcher DeploymentCommitMatcher `json:"commitMatcher"`
 	// Pipeline for deploying progressively.
 	Pipeline *DeploymentPipeline `json:"pipeline"`
-	// The list of sealed secrets that should be decrypted.
-	SealedSecrets []SealedSecretMapping `json:"sealedSecrets"`
 	// List of directories or files where their changes will trigger the deployment.
 	// Regular expression can be used.
 	// Deprecated: use Trigger.Paths instead.

@@ -70,24 +70,25 @@ func TestTerraformDeploymentConfig(t *testing.T) {
 			expectedError: nil,
 		},
 		{
-			fileName:           "testdata/application/terraform-app-sealed-secret.yaml",
+			fileName:           "testdata/application/terraform-app-secret-management.yaml",
 			expectedKind:       KindTerraformApp,
 			expectedAPIVersion: "pipecd.dev/v1beta1",
 			expectedSpec: &TerraformDeploymentSpec{
 				GenericDeploymentSpec: GenericDeploymentSpec{
-					SealedSecrets: []SealedSecretMapping{
-						{
-							Path:        "sealed-service-account.yaml",
-							OutDir:      ".terraform-credentials",
-							OutFilename: "service-account.yaml",
-						},
-					},
 					Timeout: Duration(6 * time.Hour),
 					Trigger: Trigger{
 						OnCommit: OnCommit{
 							Disabled: false,
 						},
 					},
+					Encryption: &SecretEncryption{
+						EncryptedSecrets: map[string]string{
+							"serviceAccount": "ENCRYPTED_DATA_GENERATED_FROM_WEB",
+						},
+						DecryptionTargets: []string{
+							"service-account.yaml",
+						},
+					},
 				},
 				Input: TerraformDeploymentInput{
 					Workspace:        "dev",

@@ -61,10 +61,6 @@ type PipedSpec struct {
 	AnalysisProviders []PipedAnalysisProvider `json:"analysisProviders"`
 	// Sending notification to Slack, Webhook…
 	Notifications Notifications `json:"notifications"`
-	// How the sealed secret should be managed.
-	// Deprecated.
-	// TODO: Remove sealedSecretManagement field in the future.
-	SealedSecretManagement *SecretManagement `json:"sealedSecretManagement"`
 	// What secret management method should be used.
 	SecretManagement *SecretManagement `json:"secretManagement"`
 	// Optional settings for event watcher.
@@ -91,11 +87,6 @@ func (s *PipedSpec) Validate() error {
 	if s.SyncInterval < 0 {
 		return errors.New("syncInterval must be greater than or equal to 0")
 	}
-	if s.SealedSecretManagement != nil {
-		if err := s.SealedSecretManagement.Validate(); err != nil {
-			return err
-		}
-	}
 	if s.SecretManagement != nil {
 		if err := s.SecretManagement.Validate(); err != nil {
 			return err
@@ -188,13 +179,6 @@ func (s *PipedSpec) IsInsecureChartRepository(name string) bool {
 	return false
 }
 
-func (s *PipedSpec) GetSecretManagement() *SecretManagement {
-	if s.SealedSecretManagement != nil {
-		return s.SealedSecretManagement
-	}
-	return s.SecretManagement
-}
-
 func (s *PipedSpec) LoadPipedKey() ([]byte, error) {
 	if s.PipedKeyData != "" {
 		return base64.StdEncoding.DecodeString(s.PipedKeyData)

@@ -195,13 +195,6 @@ func TestPipedConfig(t *testing.T) {
 						},
 					},
 				},
-				SealedSecretManagement: &SecretManagement{
-					Type: model.SecretManagementTypeKeyPair,
-					KeyPair: &SecretManagementKeyPair{
-						PrivateKeyFile: "/etc/piped-secret/sealing-private-key",
-						PublicKeyFile:  "/etc/piped-secret/sealing-public-key",
-					},
-				},
 				SecretManagement: &SecretManagement{
 					Type: model.SecretManagementTypeKeyPair,
 					KeyPair: &SecretManagementKeyPair{

@@ -0,0 +1,11 @@
+apiVersion: pipecd.dev/v1beta1
+kind: TerraformApp
+spec:
+  input:
+    workspace: dev
+    terraformVersion: 0.12.23
+  encryption:
+    encryptedSecrets:
+      serviceAccount: ENCRYPTED_DATA_GENERATED_FROM_WEB
+    decryptionTargets:
+      - service-account.yaml
@@ -108,16 +108,6 @@ spec:
           url: https://pipecd.dev/dev-hook
           signatureValue: random-signature-string
 
-  sealedSecretManagement:
-    type: SEALING_KEY
-    config:
-      privateKeyFile: /etc/piped-secret/sealing-private-key
-      publicKeyFile: /etc/piped-secret/sealing-public-key
-    # type: GCP_KMS
-    # config:
-    #   keyName: key-name
-    #   decryptServiceAccountFile: /etc/piped-secret/decrypt-service-account.json 
-    #   encryptServiceAccountFile: /etc/piped-secret/encrypt-service-account.json
   secretManagement:
     type: KEY_PAIR
     config: