inclusivity(VSecM): update log message to use more inclusive language (…

…vmware-tanzu#555)

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>

🌟 enhancement(VSecM): helm template changes (vmware-tanzu#558)

Tested in the build server — everything appears to be in order.
Landing this.

* 🌟 enhancement(VSecM): helm template changes

This PR introduces the ability for VSecM Safe to use a persistent volume if
provided.

There are also additional variable renames and refactorings to make the code
clearer.

In addition, certain missing environment variables have been added to Helm
charts and certain environment variables that were not being used (*and
appear to have been mistakenly injected*) to containers have been removed.

Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>

* 💄 cosmetic(VSecM): code refactoring

Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>

* test function rename

Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>

* 💄 cosmetic(VSecM): method and var renames for clarity

Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>

* minor

Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>

---------

Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>
Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>

app/keygen/cmd/decrypt.go

@@ -22,7 +22,7 @@ import (
  "strings"
 )
 
-func ageKeyTriplet(content string) (string, string, string) {
+func rootKeyTriplet(content string) (string, string, string) {
  if content == "" {
  return "", "", ""
  }
@@ -46,7 +46,7 @@ func keys() (string, string, string) {
 
  trimmed := strings.TrimSpace(string(content))
 
- return ageKeyTriplet(trimmed)
+ return rootKeyTriplet(trimmed)
 }
 
 func decrypt(value []byte, algorithm crypto.Algorithm) (string, error) {

app/safe/internal/bootstrap/bootstrap.go

@@ -25,12 +25,12 @@ import (
  "github.com/vmware-tanzu/secrets-manager/core/validation"
 )
 
-// NotifyTimeout waits for the duration specified by env.SafeBootstrapTimeout()
+// NotifyTimeout waits for the duration specified by env.BootstrapTimeoutForSafe()
 // and then sends a 'true' value to the provided 'timedOut' channel. This function
 // can be used to notify other parts of the application when a specific timeout
 // has been reached.
 func NotifyTimeout(timedOut chan<- bool) {
- time.Sleep(env.SafeBootstrapTimeout())
+ time.Sleep(env.BootstrapTimeoutForSafe())
  timedOut <- true
 }
 
@@ -70,7 +70,7 @@ func Monitor(
  go probe.CreateReadiness()
  log.AuditLn(correlationId, "VSecM Safe is ready to serve.")
  }
- // Updated the master key:
+ // Updated the root key:
  case <-channels.UpdatedSecret:
  log.DebugLn(correlationId, "Updated age key.")
  counter--
@@ -149,14 +149,14 @@ func AcquireSource(
 // the cluster, the function generates a new key pair, persists them, and
 // signals the updatedSecret channel.
 func CreateCryptoKey(id *string, updatedSecret chan<- bool) {
- if env.SafeManualKeyInput() {
+ if env.RootKeyInputModeManual() {
  log.InfoLn(id, "Manual key input enabled. Skipping automatic key generation.")
  updatedSecret <- true
  return
  }
 
  // This is a Kubernetes Secret, mounted as a file.
- keyPath := env.SafeAgeKeyPath()
+ keyPath := env.RootKeyPathForSafe()
 
  if _, err := os.Stat(keyPath); os.IsNotExist(err) {
  log.FatalLn(id, "CreateCryptoKey: Secret key not mounted at", keyPath)
@@ -171,9 +171,9 @@ func CreateCryptoKey(id *string, updatedSecret chan<- bool) {
 
  secret := string(data)
 
- if secret != state.BlankAgeKeyValue {
+ if secret != state.BlankRootKeyValue {
  log.InfoLn(id, "Secret has been set in the cluster, will reuse it")
- state.SetMasterKey(secret)
+ state.SetRootKey(secret)
  updatedSecret <- true
  return
  }

app/safe/internal/bootstrap/privates.go

@@ -48,7 +48,7 @@ func persistKeys(privateKey, publicKey, aesSeed string) error {
  APIVersion: "v1",
  },
  ObjectMeta: metaV1.ObjectMeta{
- Name: env.SafeAgeKeySecretName(),
+ Name: env.RootKeySecretNameForSafe(),
  Namespace: env.SystemNamespace(),
  },
  Data: data,
@@ -69,7 +69,7 @@ func persistKeys(privateKey, publicKey, aesSeed string) error {
  APIVersion: "v1",
  },
  ObjectMeta: metaV1.ObjectMeta{
- Name: env.SafeAgeKeySecretName(),
+ Name: env.RootKeySecretNameForSafe(),
  Namespace: env.SystemNamespace(),
  Annotations: map[string]string{
  "kubectl.kubernetes.io/last-applied-configuration": string(secretConfigJSON),
@@ -91,7 +91,7 @@ func persistKeys(privateKey, publicKey, aesSeed string) error {
  return errors.Wrap(err, "Error creating the secret")
  }
 
- state.SetMasterKey(keysCombined)
+ state.SetRootKey(keysCombined)
 
  return nil
 }

app/safe/internal/server/handle/handle.go

@@ -114,7 +114,7 @@ func InitializeRoutes(source *workloadapi.X509Source) {
  return
  }
 
- // Route to define the master key when VSECM_SAFE_MANUAL_KEY_INPUT is set.
+ // Route to define the root key when VSECM_ROOT_KEY_INPUT_MODE_MANUAL is set.
  // Only VSecM Sentinel is allowed to call this API endpoint.
  // This method works only once. Once a key is set, there is no way to
  // update it. You will have to kill the VSecM Sentinel pod and restart it

app/safe/internal/server/route/audit.go

@@ -0,0 +1,31 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets… secret
+>/
+<>/' Copyright 2023–present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package route
+
+import (
+ "net/http"
+
+ "github.com/vmware-tanzu/secrets-manager/core/audit"
+ event "github.com/vmware-tanzu/secrets-manager/core/audit/state"
+ reqres "github.com/vmware-tanzu/secrets-manager/core/entity/reqres/safe/v1"
+)
+
+func createDefaultJournalEntry(cid, spiffeid string,
+ r *http.Request) audit.JournalEntry {
+ return audit.JournalEntry{
+ CorrelationId: cid,
+ Entity: reqres.SecretFetchRequest{},
+ Method: r.Method,
+ Url: r.RequestURI,
+ SpiffeId: spiffeid,
+ Event: event.Enter,
+ }
+}

app/safe/internal/server/route/audit_test.go

@@ -0,0 +1 @@
+package route

app/safe/internal/server/route/crypto.go

@@ -0,0 +1,77 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets… secret
+>/
+<>/' Copyright 2023–present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package route
+
+import (
+ "io"
+ "net/http"
+
+ "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state"
+ "github.com/vmware-tanzu/secrets-manager/core/audit"
+ event "github.com/vmware-tanzu/secrets-manager/core/audit/state"
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+)
+
+func encryptValue(cid string, value string, j audit.JournalEntry,
+ w http.ResponseWriter) {
+ if value == "" {
+ j.Event = event.NoValue
+ audit.Log(j)
+
+ w.WriteHeader(http.StatusBadRequest)
+ _, err := io.WriteString(w, "")
+
+ if err != nil {
+ log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
+ }
+
+ return
+ }
+
+ encrypted, err := state.EncryptValue(value)
+ if err != nil {
+ j.Event = event.EncryptionFailed
+ audit.Log(j)
+
+ w.WriteHeader(http.StatusInternalServerError)
+ _, err2 := io.WriteString(w, "")
+ if err2 != nil {
+ log.InfoLn(&cid, "Secret: Problem sending response", err2.Error())
+ }
+
+ return
+ }
+
+ _, err = io.WriteString(w, encrypted)
+ if err != nil {
+ log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
+ }
+ return
+}
+
+func decryptValue(cid string, value string, j audit.JournalEntry,
+ w http.ResponseWriter) (string, bool) {
+ decrypted, err := state.DecryptValue(value)
+ if err != nil {
+ j.Event = event.DecryptionFailed
+ audit.Log(j)
+
+ w.WriteHeader(http.StatusInternalServerError)
+ _, err := io.WriteString(w, "")
+ if err != nil {
+ log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
+ }
+
+ return "", true
+ }
+
+ return decrypted, false
+}

app/safe/internal/server/route/crypto_test.go

@@ -0,0 +1,11 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets… secret
+>/
+<>/' Copyright 2023–present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package route

app/safe/internal/server/route/delete.go

@@ -20,33 +20,21 @@ import (
  event "github.com/vmware-tanzu/secrets-manager/core/audit/state"
  entity "github.com/vmware-tanzu/secrets-manager/core/entity/data/v1"
  reqres "github.com/vmware-tanzu/secrets-manager/core/entity/reqres/safe/v1"
- "github.com/vmware-tanzu/secrets-manager/core/env"
  log "github.com/vmware-tanzu/secrets-manager/core/log/std"
- "github.com/vmware-tanzu/secrets-manager/core/validation"
 )
 
-func isSentinel(j audit.JournalEntry, cid string, w http.ResponseWriter, spiffeid string) bool {
- audit.Log(j)
-
- if validation.IsSentinel(spiffeid) {
- return true
- }
-
- j.Event = event.BadSpiffeId
- audit.Log(j)
-
- w.WriteHeader(http.StatusBadRequest)
- _, err := io.WriteString(w, "")
- if err != nil {
- log.InfoLn(&cid, "Delete: Problem sending response", err.Error())
- }
-
- return false
-}
-
+// Delete handles the deletion of a secret identified by a workload ID.
+// It performs a series of checks and logging steps before carrying out the deletion.
+//
+// Parameters:
+// - cid: A string representing the correlation ID for the request, used for
+// tracking and logging purposes.
+// - w: An http.ResponseWriter object used to send responses back to the client.
+// - r: An http.Request object containing the request details from the client.
+// - spiffeid: A string representing the SPIFFE ID of the client making the request.
 func Delete(cid string, w http.ResponseWriter, r *http.Request, spiffeid string) {
- if env.SafeManualKeyInput() && !state.MasterKeySet() {
- log.InfoLn(&cid, "Delete: Master key not set")
+ if !state.RootKeySet() {
+ log.InfoLn(&cid, "Delete: Root key not set")
  return
  }
 

app/safe/internal/server/route/extract.go

@@ -0,0 +1,55 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets… secret
+>/
+<>/' Copyright 2023–present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package route
+
+import (
+ "encoding/json"
+ "strings"
+
+ entity "github.com/vmware-tanzu/secrets-manager/core/entity/data/v1"
+ "github.com/vmware-tanzu/secrets-manager/core/env"
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+)
+
+func getWorkloadIDAndParts(spiffeid string) (string, []string) {
+ tmp := strings.Replace(spiffeid, env.WorkloadSpiffeIdPrefix(), "", 1)
+ parts := strings.Split(tmp, "/")
+ if len(parts) > 0 {
+ return parts[0], parts
+ }
+ return "", nil
+}
+
+func getSecretValue(cid string, secret *entity.SecretStored) string {
+ if secret.ValueTransformed != "" {
+ log.TraceLn(&cid, "Fetch: using transformed value")
+ return secret.ValueTransformed
+ }
+
+ // This part is for backwards compatibility.
+ // It probably won’t execute because `secret.ValueTransformed` will
+ // always be set.
+
+ log.TraceLn(&cid, "Fetch: using raw value")
+
+ if len(secret.Values) == 1 {
+ return secret.Values[0]
+ }
+
+ jsonData, err := json.Marshal(secret.Values)
+ if err != nil {
+ log.WarnLn(&cid, "Fetch: Problem marshaling values", err.Error())
+ } else {
+ return string(jsonData)
+ }
+
+ return ""
+}

app/safe/internal/server/route/extract_test.go

@@ -0,0 +1,11 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets… secret
+>/
+<>/' Copyright 2023–present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package route