This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Add git-secret support #2159

Merged
merged 2 commits into from
Jun 27, 2019

Conversation

arsiesys (Contributor)

Hello,

To answer some needs, I made a change to handle the git repository using git-secret. This allows us to encrypt our secrets.
https://git-secret.io/

If the parameter --git-secret is set to true in the fluxd configuration and a .gitsecret directory exists in the root of the git repository, flux will execute a "git secret reveal -f" in the working git checkout.
Indeed, to make it work, you need to have the key in the GPG keystore; that's why we use the --git-gpg-key-import option for that. Happy it was already there.

I am not fully comfortable with Go, so I am open to any suggestion that could be easily applied to my changes. For any more complicated changes, please take over this PR if you are really interested, or give me good clues :p.

Related Issues:
#1676

hiddeco (Member) left a comment

Awesome to see how this benefits from the initial work for GPG signatures, and a sought-after feature! 🎖️

Please take a look at my (minor) comments.

Review comments on git/operations.go and git/working.go (outdated, resolved)
arsiesys (Contributor, Author)

> Awesome to see how this benefits from the initial work for GPG signatures, and a sought-after feature! 🎖️
>
> Please take a look at my (minor) comments.

Thanks for your comments, I applied your recommendations! :)

hiddeco (Member) left a comment

One small suggestion, and can you please add the new flag to the daemon documentation?

Review comment on cmd/fluxd/main.go (outdated, resolved)
aarnaud commented Jun 14, 2019

Nice, I hope we will have this feature in the next release.

@hiddeco hiddeco added this to the 1.14.0 milestone Jun 14, 2019
Review comment on git/working.go (resolved)
hiddeco (Member) commented Jun 26, 2019

@arsiesys a couple of days have gone by since the last review; are you still planning to incorporate the feedback from Stefan and Michael?

arsiesys (Contributor, Author)

Hello, yes, I will. A bit of a lack of time to do that lately! 😬

hiddeco (Member) commented Jun 26, 2019

@arsiesys no worries, if it does not fit your schedule right now I'd be happy to make the adjustments. Just let me know.

Commit message:

If the parameter --git-secret is set to true
and a .gitsecret directory exists in the root of the git
then, reveal the secrets using the gpg key stored in the gpg store.

@stefanprodan stefanprodan merged commit 6d2755e into fluxcd:master Jun 27, 2019
squaremo (Member)

Nice work @arsiesys!

davidkarlsen (Contributor)

@stefanprodan should the chart be updated too? What do you need for it, simply a flag to activate --git-secret?

stefanprodan (Member)

@davidkarlsen for experimental features there is an additional flag in the chart: https://github.com/fluxcd/flux/blob/master/chart/flux/values.yaml#L265

hardvintage commented Sep 9, 2020

Can I ask a question here...
I enabled the options:

- --git-secret=true
- --git-gpg-key-import=/root/.gpg/

Imported successfully:

ts=2020-09-07T12:21:22.416999372Z caller=main.go:347 info="imported GPG key(s) from /root/.gpg/" files=[xxx.gpg]

Got this error:

ts=2020-09-07T12:17:56.882295512Z caller=images.go:17 component=sync-loop msg="polling for new images for automated workloads"
ts=2020-09-07T12:17:56.973595547Z caller=images.go:23 component=sync-loop error="getting unlocked automated resources: git secret reveal -f: gpg: decryption failed: No secret key\ngit-secret: abort: problem decrypting file with gpg: exit code 2: /tmp/flux-working161304987/xxx/xxx/xxx/config/local.json\n"

When I open a shell in the pod, I can import the GPG key and do git reveal; could anybody help?
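The reveal logic from the PR description (reveal only when --git-secret is on AND a .gitsecret directory exists at the checkout root) and the "No secret key" failure from the comment above, written out as an added example. This is not flux's code and not any participant's; the function names (gitSecretEnabled, revealSecrets, classifyRevealError) and the typed ErrNoSecretKey are this example's own, and the sample stderr is constructed from the log line quoted above. One caveat worth keeping in mind: "git secret reveal -f" writes the decrypted files in plaintext into the working checkout (the error above shows such a path under /tmp/flux-working...), so that directory and the daemon's GPG keyring are the trust boundary.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrNoSecretKey: gpg found no private key for the recipients the files were
// encrypted to. This is the failure mode in the "No secret key" log line.
var ErrNoSecretKey = errors.New("git-secret: gpg keyring has no matching secret key")

// gitSecretEnabled mirrors the condition from the PR description: the
// --git-secret flag must be on AND the checkout root must contain a
// .gitsecret directory. (Name is this example's own, not flux's.)
func gitSecretEnabled(flag bool, checkoutRoot string) (bool, error) {
	if !flag {
		return false, nil
	}
	info, err := os.Stat(filepath.Join(checkoutRoot, ".gitsecret"))
	if err != nil {
		if os.IsNotExist(err) {
			return false, nil
		}
		return false, err
	}
	return info.IsDir(), nil
}

// revealArgs is the argv run inside the working checkout.
func revealArgs() []string {
	return []string{"git", "secret", "reveal", "-f"}
}

// classifyRevealError turns git-secret/gpg stderr into a typed error so the
// sync loop can surface an actionable message instead of raw output.
func classifyRevealError(stderr string) error {
	if strings.Contains(stderr, "No secret key") {
		return ErrNoSecretKey
	}
	return fmt.Errorf("git secret reveal -f: %s", strings.TrimSpace(stderr))
}

// revealSecrets runs "git secret reveal -f" in checkoutRoot when enabled.
// The revealed files land in plaintext inside checkoutRoot.
func revealSecrets(flag bool, checkoutRoot string) error {
	enabled, err := gitSecretEnabled(flag, checkoutRoot)
	if err != nil || !enabled {
		return err
	}
	args := revealArgs()
	cmd := exec.Command(args[0], args[1:]...)
	cmd.Dir = checkoutRoot
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return classifyRevealError(stderr.String())
	}
	return nil
}

func main() {
	// Constructed stderr, taken from the error quoted in the comment above.
	sample := "gpg: decryption failed: No secret key\n" +
		"git-secret: abort: problem decrypting file with gpg: exit code 2\n"
	fmt.Println("classified:", classifyRevealError(sample))

	dir, err := os.MkdirTemp("", "flux-working")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	on, _ := gitSecretEnabled(true, dir)
	fmt.Println("without .gitsecret:", on)
	if err := os.Mkdir(filepath.Join(dir, ".gitsecret"), 0o755); err != nil {
		panic(err)
	}
	on, _ = gitSecretEnabled(true, dir)
	fmt.Println("with .gitsecret:", on)
}
```

When the typed ErrNoSecretKey comes back, the first thing to check on the daemon is that the file imported via --git-gpg-key-import actually contains a private key for the recipient the files were encrypted to, not only the public key; the "imported GPG key(s)" log line alone does not tell you which kind was imported.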

7 participants