vmware-tanzu · v0lkan · Mar 27, 2024 · Mar 17, 2024 · v0lkan · Mar 18, 2024
@@ -188,7 +188,7 @@ func CreateCryptoKey(id *string, updatedSecret chan<- bool) {
 
  log.InfoLn(id, "Generated public key, private key, and aes seed")
 
- if err = persistKeys(privateKey, publicKey, aesSeed); err != nil {
+ if err = PersistKeys(privateKey, publicKey, aesSeed); err != nil {
  log.FatalLn(id, "Failed to persist keys", err.Error())
  }
 

@@ -26,7 +26,7 @@ import (
  "k8s.io/client-go/rest"
 )
 
-func persistKeys(privateKey, publicKey, aesSeed string) error {
+func PersistKeys(privateKey, publicKey, aesSeed string) error {
  config, err := rest.InClusterConfig()
  if err != nil {
  return errors.Wrap(err, "Error creating client config")

@@ -11,6 +11,8 @@
 package receive
 
 import (
+ "github.com/vmware-tanzu/secrets-manager/app/safe/internal/bootstrap"
+ "github.com/vmware-tanzu/secrets-manager/core/env"
  "io"
  "net/http"
  "strings"
@@ -85,6 +87,12 @@ func Keys(cid string, w http.ResponseWriter, r *http.Request, spiffeid string) {
  keysCombined := agePrivateKey + "\n" + agePublicKey + "\n" + aesCipherKey
  state.SetRootKey(keysCombined)
 
+ if env.RootKeyInputModeManual() && env.ManualRootKeyUpdatesKubernetesSecret() {
+ if err := bootstrap.PersistKeys(agePrivateKey, agePublicKey, aesCipherKey); err != nil {
+ log.ErrorLn(&cid, "Keys: Problem persisting keys", err.Error())
+ }
+ }
+
  log.DebugLn(&cid, "Keys: before response")
 
  _, err := io.WriteString(w, "OK")

@@ -241,6 +241,22 @@ func RootKeyInputModeManual() bool {
  return false
 }
 
+// ManualRootKeyUpdatesK8sSecret returns a boolean indicating whether to
+// update the Kubernetes secret when the root key is provided manually to VSecM Safe.
+// If the environment variable is not set or its value is not "true", the function
+// returns false. Otherwise, the function returns true.
+func ManualRootKeyUpdatesK8sSecret() bool {
+ p := os.Getenv("VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET")
+ if p == "" {
+ return false
+ }
+ if strings.ToLower(p) == "true" {
+ return true
+ }
+ return false
+
+}
+
 // DataPathForSafe returns the path to the safe data directory.
 // The path is determined by the VSECM_SAFE_DATA_PATH environment variable.
 // If the environment variable is not set, the default path "/data" is returned.

@@ -590,6 +590,69 @@ func TestRootKeyInputMode(t *testing.T) {
  }
 }
 
+func TestManualRootKeyUpdatesK8sSecrets(t *testing.T) {
+ tests := []struct {
+ name string
+ setup func() error
+ cleanup func() error
+ want bool
+ }{
+ {
+ name: "default_safe_manual_root_key_updates_k8s_secret",
+ want: false,
+ },
+ {
+ name: "safe_manual_root_key_updates_k8s_secret_from_env_true",
+ setup: func() error {
+ return os.Setenv("VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET", "true")
+ },
+ cleanup: func() error {
+ return os.Unsetenv("VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET")
+ },
+ want: true,
+ },
+ {
+ name: "safe_manual_root_key_updates_k8s_secret_from_env_false",
+ setup: func() error {
+ return os.Setenv("VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET", "false")
+ },
+ cleanup: func() error {
+ return os.Unsetenv("VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET")
+ },
+ want: false,
+ },
+ {
+ name: "invalid_safe_manual_root_key_updates_k8s_secret_from_env",
+ setup: func() error {
+ return os.Setenv("VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET", "test")
+ },
+ cleanup: func() error {
+ return os.Unsetenv("VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET")
+ },
+ want: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if tt.setup != nil {
+ if err := tt.setup(); err != nil {
+ t.Errorf("ManualRootKeyUpdatesK8sSecret() = failed to setup, with error: %+v", err)
+ }
+ }
+ defer func() {
+ if tt.cleanup != nil {
+ if err := tt.cleanup(); err != nil {
+ t.Errorf("ManualRootKeyUpdatesK8sSecret() = failed to cleanup, with error: %+v", err)
+ }
+ }
+ }()
+ if got := ManualRootKeyUpdatesK8sSecret(); got != tt.want {
+ t.Errorf("ManualRootKeyUpdatesK8sSecret() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
 func TestSafeDataPath(t *testing.T) {
  tests := []struct {
  name string

@@ -337,22 +337,24 @@ Using a Kubernetes `Secret` to store the *root key* is still secure,
 especially if you encrypt your `etcd` and establish a **tight RBAC** over the 
 Kubernetes `Secret`that stores the *root key*.
 
-> **Root Key Storage in Manual Input Mode**
-> 
-> As of *v0.21.5* of **VMware Secrets Manager**, the *root key* is not stored 
-> in a Kubernetes `Secret` if you use the manual key input approach. This 
-> behavior is subject to change in the future, depending on a configuration 
-> environment variable, the *root key* might be stored in a Kubernetes `Secret` 
-> even if you use the manual key input approach.
-> 
-> However, this means that if you use the manual key input approach, you will
-> have to re-enter the *root key* every time you restart **VSecM Safe** or
-> every time the pod is evicted by the scheduler.
-{: .block-warning}
-
 Also note that when this variable is set to `"true"`, **VSecM Safe** will **not**
 respond to API requests until a *root key* is provided, using **VSecM Sentinel**.
 
+### VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET
+
+**Used By**: *VSecM Safe*.
+
+`VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET` is a boolean indicating whether to update
+the Kubernetes secret when the root key is provided manually to **VSecM Safe**.
+
+If the environment variable is not set or its value is not `"true"`, **VSecM Safe**
+will **not** update the Kubernetes secret when the root key is provided manually.
+
+If this variable is set to `"true"` and **VSecM Safe** is in manual root key input
+mode (see: [VSECM_ROOT_KEY_INPUT_MODE_MANUAL](#vsecm_root_key_input_mode_manual)),
+then **VSecM Safe** will update the Kubernetes secret with the new root key
+when the root key is provided manually.
+
 ### VSECM_SAFE_SECRET_BACKUP_COUNT
 
 **Used By**: *VSecM Safe*.