fluxcd · stefanprodan · Jun 27, 2019 · Jun 13, 2019 · Jun 27, 2019
diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
@@ -114,6 +114,7 @@ func main() {
 		gitEmail     = fs.String("git-email", "support@weave.works", "email to use as git committer")
 		gitSetAuthor = fs.Bool("git-set-author", false, "if set, the author of git commits will reflect the user who initiated the commit and will differ from the git committer.")
 		gitLabel     = fs.String("git-label", "", "label to keep track of sync progress; overrides both --git-sync-tag and --git-notes-ref")
+		gitSecret    = fs.Bool("git-secret", false, `if set, git-secret will be run on every git checkout. A gpg key must be imported using  --git-gpg-key-import or by mounting a keyring containing it directly`)
 		// Old git config; still used if --git-label is not supplied, but --git-label is preferred.
 		gitSyncTag     = fs.String("git-sync-tag", defaultGitSyncTag, "tag to use to mark sync progress for this cluster")
 		gitNotesRef    = fs.String("git-notes-ref", defaultGitNotesRef, "ref to use for keeping commit annotations in git notes")
@@ -290,6 +291,10 @@ func main() {
 	}
 	mandatoryRegistry := stringset(*registryRequire)
 
+	if *gitSecret && len(*gitImportGPG) == 0  {
+		logger.Log("warning", fmt.Sprintf("--git-secret is enabled but there is no GPG key(s) provided using --git-gpg-key-import, we assume you mounted the keyring directly and continue"))
+	}
+
 	// Mechanical components.
 
 	// When we can receive from this channel, it indicates that we
@@ -540,6 +545,7 @@ func main() {
 		SigningKey:  *gitSigningKey,
 		SetAuthor:   *gitSetAuthor,
 		SkipMessage: *gitSkipMessage,
+		GitSecret:   *gitSecret,
 	}
 
 	repo := git.NewRepo(gitRemote, git.PollInterval(*gitPollInterval), git.Timeout(*gitTimeout), git.Branch(*gitBranch))
@@ -562,6 +568,7 @@ func main() {
 		"sync-tag", *gitSyncTag,
 		"notes-ref", *gitNotesRef,
 		"set-author", *gitSetAuthor,
+		"git-secret", *gitSecret,
 	)
 
 	var jobs *job.Queue

diff --git a/docker/Dockerfile.flux b/docker/Dockerfile.flux
@@ -2,7 +2,8 @@ FROM alpine:3.9
 
 WORKDIR /home/flux
 
-RUN apk add --no-cache openssh-client ca-certificates tini 'git>=2.12.0' 'gnutls>=3.6.7' gnupg
+RUN apk add --no-cache openssh-client ca-certificates tini 'git>=2.12.0' 'gnutls>=3.6.7' gnupg gawk
+RUN apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing git-secret
 
 # Add git hosts to known hosts file so we can use
 # StrickHostKeyChecking with git+ssh

diff --git a/git/operations.go b/git/operations.go
@@ -25,7 +25,7 @@ var exemptedTraceCommands = []string{
 }
 
 // Env vars that are allowed to be inherited from the os
-var allowedEnvVars = []string{"http_proxy", "https_proxy", "no_proxy", "HOME", "GNUPGHOME"}
+var allowedEnvVars = []string{"http_proxy", "https_proxy", "no_proxy", "HOME", "GNUPGHOME", "SECRETS_DIR", "SECRETS_EXTENSION"}
 
 type gitCmdConfig struct {
 	dir string
@@ -99,6 +99,14 @@ func checkPush(ctx context.Context, workingDir, upstream, branch string) error {
 	return execGitCmd(ctx, args, gitCmdConfig{dir: workingDir})
 }
 
+func secretUnseal(ctx context.Context, workingDir string) error {
+	args := []string{"secret", "reveal", "-f"}
+	if err := execGitCmd(ctx, args, gitCmdConfig{dir: workingDir}); err != nil {
+		return errors.Wrap(err, "git secret reveal -f")
+	}
+	return nil
+}
+
 func commit(ctx context.Context, workingDir string, commitAction CommitAction) error {
 	args := []string{"commit", "--no-verify", "-a", "-m", commitAction.Message}
 	var env []string

diff --git a/git/working.go b/git/working.go
@@ -23,6 +23,7 @@ type Config struct {
 	SigningKey  string
 	SetAuthor   bool
 	SkipMessage string
+	GitSecret   bool
 }
 
 // Checkout is a local working clone of the remote repo. It is
@@ -89,6 +90,12 @@ func (r *Repo) Clone(ctx context.Context, conf Config) (*Checkout, error) {
 	}
 	r.mu.RUnlock()
 
+	if conf.GitSecret {
+		if err := secretUnseal(ctx, repoDir); err != nil {
+			return nil, err
+		}
+	}
+
 	return &Checkout{
 		dir:          repoDir,
 		upstream:     upstream,

diff --git a/site/daemon.md b/site/daemon.md
@@ -64,6 +64,7 @@ fluxd requires setup and offers customization though a multitude of flags.
 | --git-notes-ref                                  | `flux`                   | ref to use for keeping commit annotations in git notes
 | --git-poll-interval                              | `5m`                     | period at which to fetch any new commits from the git repo
 | --git-timeout                                    | `20s`                    | duration after which git operations time out
+| --git-secret                                     | false                    | if set, git-secret will be run on every git checkout. A gpg key must be imported using  --git-gpg-key-import or by mounting a keyring containing it directly
 | **syncing:** control over how config is applied to the cluster
 | --sync-interval                                  | `5m`                     | apply the git config to the cluster at least this often. New commits may provoke more frequent syncs
 | --sync-garbage-collection                        | `false`                  | experimental: when set, fluxd will delete resources that it created, but are no longer present in git (see [garbage collection](./garbagecollection.md))