Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SOPS: Add support for HashiCorp Vault token-based authentication #538

Merged
merged 1 commit into from
Jan 20, 2022

Conversation

souleb
Copy link
Member

@souleb souleb commented Jan 17, 2022

fixes #516

If implemented, the kustomize controller will be able to retrieve a secret containing a VAULT TOKEN and use it to decrypt the sops encrypted master key. Which will then be used to decrypt the data key that will decrypt the final data.

The kustomize-controller retrieve the secret specified in the kustomization in the same namespace. We keep the behaviour set by age and pgp decryption.

In case a token does not exist for a HashiCorp vault encrypted token, we fall back to the default server to try decrypting/encrypting the data. This will preserve the behaviour for customer relying on VAULT_TOKEN env var.

Signed-off-by: Soule BA bah.soule@gmail.com

@souleb souleb force-pushed the issue-516 branch 3 times, most recently from 18665cf to 7763f50 Compare January 18, 2022 08:05
@stefanprodan stefanprodan added area/sops SOPS related issues and pull requests enhancement New feature or request labels Jan 18, 2022
@stefanprodan stefanprodan changed the title add native support for sops decryption/encryption with Vault SOPS: Add support HashiCorp Vault token-based authentication Jan 18, 2022
@stefanprodan stefanprodan changed the title SOPS: Add support HashiCorp Vault token-based authentication SOPS: Add support for HashiCorp Vault token-based authentication Jan 18, 2022
controllers/kustomization_decryptor.go Outdated Show resolved Hide resolved
controllers/kustomization_decryptor.go Outdated Show resolved Hide resolved
internal/sops/hcvault/keysource.go Outdated Show resolved Hide resolved
internal/sops/hcvault/keysource.go Show resolved Hide resolved
internal/sops/hcvault/keysource.go Outdated Show resolved Hide resolved
internal/sops/hcvault/keysource.go Outdated Show resolved Hide resolved
@souleb
Copy link
Member Author

souleb commented Jan 18, 2022

@hiddeco I have checked the Azure Vault PR. We should probably make the func NewServer(prompt bool, homeDir, vaultToken string, agePrivateKeys []string) keyservice.KeyServiceServer accept options, if we are to keep adding parameters.

docs/spec/v1beta2/kustomization.md Outdated Show resolved Hide resolved
controllers/kustomization_decryptor.go Outdated Show resolved Hide resolved
@souleb souleb force-pushed the issue-516 branch 2 times, most recently from 4f64515 to e1b0f68 Compare January 19, 2022 12:33
Copy link
Member

@hiddeco hiddeco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No further comments from me, nice work @souleb 🙇

If implemented, the kustomize controller will be able to retrieve a
secret containing a VAULT TOKEN and use it to decrypt the sops encrypted
master key. It will then use it to decrypt the data key and finally use the data
key to decrypt the final data.

Signed-off-by: Soule BA <bah.soule@gmail.com>
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @souleb 🏅

@stefanprodan stefanprodan merged commit 6658d78 into fluxcd:main Jan 20, 2022
@souleb souleb deleted the issue-516 branch January 24, 2022 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/sops SOPS related issues and pull requests enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support loading a secret with a HashiCorp Vault token to decrypt sops secrets.
3 participants