

Merge pull request #597 from fluxcd/fix-azkv-fallback
hiddeco authored Mar 25, 2022
2 parents ceb6a5d + dc5486f commit cf9b0fc
Showing 5 changed files with 20 additions and 17 deletions.
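--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -68,7 +68,8 @@ jobs:
 make docker-build IMG=test/kustomize-controller:latest \
 BUILD_PLATFORMS=linux/amd64 \
 BUILD_ARGS="--cache-from=type=local,src=/tmp/.buildx-cache \
---cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max"
+--cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max \
+--load"
 - # Temp fix
 # https://github.com/docker/build-push-action/issues/252
 # https://github.com/moby/buildkit/issues/1896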
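--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ GOBIN=$(shell go env GOBIN)
 endif
 
 # Allows for defining additional Docker buildx arguments, e.g. '--push'.
-BUILD_ARGS ?=
+BUILD_ARGS ?= --load
 # Architectures to build images for.
 BUILD_PLATFORMS ?= linux/amd64
 
@@ -106,7 +106,6 @@ docker-build:
 docker buildx build \
 --platform=$(BUILD_PLATFORMS) \
 -t ${IMG} \
---load \
 ${BUILD_ARGS} .
 
 # Push the docker image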
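Review bot: The comment above the new `BUILD_ARGS ?= --load` default still describes the variable as "additional" arguments, but an override now replaces `--load` rather than adding to it, so `make docker-build BUILD_ARGS=--push` no longer loads the image into the local daemon (the e2e workflow in this same commit passes `--load` explicitly, presumably for that reason). Suggest `# Docker buildx arguments; overriding replaces the default '--load', so include it alongside e.g. '--push' if a local image is still needed.`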
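--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kustomize-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.22.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.22.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.22.3/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.22.3/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager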
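--- a/controllers/kustomization_decryptor.go
+++ b/controllers/kustomization_decryptor.go
@@ -160,14 +160,6 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 var ageIdentities []string
 var vaultToken string
 for name, value := range secret.Data {
-if name == DecryptionAzureAuthFile {
-azureConf := azkv.AADConfig{}
-if err = azkv.LoadAADConfigFromBytes(value, &azureConf); err != nil {
-return err
-}
-kd.azureAADConfig = &azureConf
-continue
-}
 switch filepath.Ext(name) {
 case ".asc":
 keyPath, err := securejoin.SecureJoin(tmpDir, name)
@@ -182,13 +174,22 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 }
 case ".agekey":
 ageIdentities = append(ageIdentities, string(value))
-case ".vault-token":
-// Make sure we have the absolute file name
+case filepath.Ext(DecryptionVaultTokenFileName):
+// Make sure we have the absolute name
 if name == DecryptionVaultTokenFileName {
 token := string(value)
 token = strings.Trim(strings.TrimSpace(token), "\n")
 vaultToken = token
 }
+case filepath.Ext(DecryptionAzureAuthFile):
+// Make sure we have the absolute name
+if name == DecryptionAzureAuthFile {
+azureConf := azkv.AADConfig{}
+if err = azkv.LoadAADConfigFromBytes(value, &azureConf); err != nil {
+return err
+}
+kd.azureAADConfig = &azureConf
+}
 }
 }
 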
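Review bot: The comment `// Make sure we have the absolute name` on both new cases in the second hunk is misleading: the check on the following line is an exact match against the constant, and any Secret entry that shares the extension but has a different name is silently skipped. Suggest `// Only the exact file name is honoured; other entries with this extension are ignored.` in both places. Note also that these `case` expressions are evaluated at runtime rather than being constants, so if the two file-name constants ever shared an extension only the first case would be reached; a one-line comment or a small test pinning the two extensions apart would guard against that. ImportKeys starts and ends outside the hunks.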
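--- a/internal/sops/keyservice/server.go
+++ b/internal/sops/keyservice/server.go
@@ -165,8 +165,9 @@ func (ks Server) Encrypt(ctx context.Context,
 // Fallback to default server if no custom settings are configured
 // to ensure backwards compatibility with global configurations
 if ks.AzureAADConfig == nil {
-return ks.Encrypt(ctx, req)
+return ks.DefaultServer.Encrypt(ctx, req)
 }
+
 ciphertext, err := ks.encryptWithAzureKeyvault(k.AzureKeyvaultKey, req.Plaintext)
 if err != nil {
 return nil, err
@@ -252,8 +253,9 @@ func (ks Server) Decrypt(ctx context.Context,
 // Fallback to default server if no custom settings are configured
 // to ensure backwards compatibility with global configurations
 if ks.AzureAADConfig == nil {
-return ks.Decrypt(ctx, req)
+return ks.DefaultServer.Decrypt(ctx, req)
 }
+
 plaintext, err := ks.decryptWithAzureKeyvault(k.AzureKeyvaultKey, req.Ciphertext)
 if err != nil {
 return nil, err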
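Review bot: The new fallback `return ks.DefaultServer.Encrypt(ctx, req)` (and the matching line in the Decrypt hunk) dereferences `ks.DefaultServer` without checking that it is set; if that field is an interface or pointer and a Server can be constructed without one, a request with no Azure config would now panic here instead of returning an error. Unless the constructor guarantees the field is always populated, guard it with `if ks.DefaultServer == nil { return nil, errors.New("no default key service configured for fallback") }` ahead of the call in both methods, or document the invariant on the field. Both Encrypt and Decrypt start and end outside the hunks.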

