feat(secret): decrypt secrets before sending to deck

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/config/v1/secrets/BindingsSecretDecrypter.java

@@ -0,0 +1,32 @@
+package com.netflix.spinnaker.halyard.deploy.config.v1.secrets;
+
+import com.netflix.spinnaker.halyard.core.secrets.v1.SecretSessionManager;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.Profile;
+import com.netflix.spinnaker.kork.secrets.EncryptedSecret;
+import java.nio.file.Path;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class BindingsSecretDecrypter {
+  private SecretSessionManager secretSessionManager;
+
+  @Autowired
+  BindingsSecretDecrypter(SecretSessionManager secretSessionManager) {
+    this.secretSessionManager = secretSessionManager;
+  }
+
+  public String trackSecretFile(Profile profile, Path outputDir, String value, String fieldName) {
+    if (!EncryptedSecret.isEncryptedSecret(value)) {
+      return value;
+    }
+    String decryptedFilename = newRandomFileName(fieldName);
+    profile.getDecryptedFiles().put(decryptedFilename, secretSessionManager.decryptAsBytes(value));
+    return outputDir.resolve(decryptedFilename).toString();
+  }
+
+  private String newRandomFileName(String fieldName) {
+    return fieldName + "-" + RandomStringUtils.randomAlphanumeric(5);
+  }
+}

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/AwsCredentialsProfileFactoryBuilder.java

@@ -83,7 +83,9 @@ protected ArtifactService getArtifactService() {
 
     @Override
     protected Map<String, Object> getBindings(
-        DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
+        DeploymentConfiguration deploymentConfiguration,
+        Profile profile,
+        SpinnakerRuntimeSettings endpoints) {
       Map<String, Object> result = new HashMap<>();
       result.put("accessKeyId", accessKeyId);
       result.put(

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/ProfileFactory.java

@@ -50,6 +50,9 @@ protected String getMinimumSecretDecryptionVersion(String deploymentName) {
    * @return true if the target service supports decryption of secrets
    */
   protected boolean supportsSecretDecryption(String deploymentName) {
+    if (getArtifact().equals(SpinnakerArtifact.DECK)) {
+      return false;
+    }
     String minVersion = getMinimumSecretDecryptionVersion(deploymentName);
     if (minVersion == null) {
       return false;

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/TemplateBackedProfileFactory.java

@@ -28,7 +28,9 @@ public abstract class TemplateBackedProfileFactory extends ProfileFactory {
   protected abstract String getTemplate();
 
   protected abstract Map<String, Object> getBindings(
-      DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints);
+      DeploymentConfiguration deploymentConfiguration,
+      Profile profile,
+      SpinnakerRuntimeSettings endpoints);
 
   protected List<String> requiredFiles(DeploymentConfiguration deploymentConfiguration) {
     return new ArrayList<>();
@@ -46,7 +48,7 @@ protected void setProfile(
       SpinnakerRuntimeSettings endpoints) {
     StringResource template = new StringResource(profile.getBaseContents());
     profile.setRequiredFiles(requiredFiles(deploymentConfiguration));
-    Map<String, Object> bindings = getBindings(deploymentConfiguration, endpoints);
+    Map<String, Object> bindings = getBindings(deploymentConfiguration, profile, endpoints);
     profile.setContents(template.setBindings(bindings).toString());
   }
 }

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/consul/ConsulClientProfileFactory.java

@@ -20,6 +20,7 @@
 import com.netflix.spinnaker.halyard.config.model.v1.node.DeploymentConfiguration;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerArtifact;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerRuntimeSettings;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.Profile;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.TemplateBackedProfileFactory;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.SpinnakerService.Type;
@@ -51,7 +52,9 @@ public class ConsulClientProfileFactory extends TemplateBackedProfileFactory {
 
   @Override
   protected Map<String, Object> getBindings(
-      DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
+      DeploymentConfiguration deploymentConfiguration,
+      Profile profile,
+      SpinnakerRuntimeSettings endpoints) {
     Map<String, Object> bindings = new HashMap<>();
     ServiceSettings consul = endpoints.getServiceSettings(Type.CONSUL_CLIENT);
     bindings.put("scheme", consul.getScheme());

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/deck/ApachePassphraseProfileFactory.java

@@ -23,6 +23,7 @@
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerRuntimeSettings;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.Profile;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.TemplateBackedProfileFactory;
+import com.netflix.spinnaker.kork.secrets.EncryptedSecret;
 import java.util.HashMap;
 import java.util.Map;
 import org.springframework.stereotype.Component;
@@ -52,10 +53,17 @@ protected void setProfile(
 
   @Override
   protected Map<String, Object> getBindings(
-      DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
+      DeploymentConfiguration deploymentConfiguration,
+      Profile profile,
+      SpinnakerRuntimeSettings endpoints) {
     Map<String, Object> bindings = new HashMap<>();
     ApacheSsl ssl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
-    bindings.put("passphrase", ssl.getSslCertificatePassphrase());
+    if (EncryptedSecret.isEncryptedSecret(ssl.getSslCertificatePassphrase())
+        && !supportsSecretDecryption(deploymentConfiguration.getName())) {
+      bindings.put("passphrase", secretSessionManager.decrypt(ssl.getSslCertificatePassphrase()));
+    } else {
+      bindings.put("passphrase", ssl.getSslCertificatePassphrase());
+    }
     return bindings;
   }
 

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/deck/ApachePortsProfileFactory.java

@@ -54,7 +54,9 @@ protected void setProfile(
 
   @Override
   protected Map<String, Object> getBindings(
-      DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
+      DeploymentConfiguration deploymentConfiguration,
+      Profile profile,
+      SpinnakerRuntimeSettings endpoints) {
     Map<String, Object> bindings = new HashMap<>();
     bindings.put("deck-host", endpoints.getServiceSettings(Type.DECK).getHost());
     bindings.put("deck-port", endpoints.getServiceSettings(Type.DECK).getPort() + "");

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/deck/ApacheSpinnakerProfileFactory.java

@@ -22,6 +22,7 @@
 import com.netflix.spinnaker.halyard.config.model.v1.security.UiSecurity;
 import com.netflix.spinnaker.halyard.core.resource.v1.StringResource;
 import com.netflix.spinnaker.halyard.core.resource.v1.TemplatedResource;
+import com.netflix.spinnaker.halyard.deploy.config.v1.secrets.BindingsSecretDecrypter;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerArtifact;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerRuntimeSettings;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.Profile;
@@ -30,6 +31,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 @Component
@@ -55,6 +57,8 @@ public class ApacheSpinnakerProfileFactory extends TemplateBackedProfileFactory
           "  </Directory>",
           "</VirtualHost>");
 
+  @Autowired BindingsSecretDecrypter bindingsSecretDecrypter;
+
   @Override
   protected String getTemplate() {
     return SPINNAKER_TEMPLATE;
@@ -77,13 +81,35 @@ protected void setProfile(
 
   @Override
   protected Map<String, Object> getBindings(
-      DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
+      DeploymentConfiguration deploymentConfiguration,
+      Profile profile,
+      SpinnakerRuntimeSettings endpoints) {
     TemplatedResource resource = new StringResource(SSL_TEMPLATE);
     Map<String, Object> bindings = new HashMap<>();
     UiSecurity uiSecurity = deploymentConfiguration.getSecurity().getUiSecurity();
     ApacheSsl apacheSsl = uiSecurity.getSsl();
-    bindings.put("cert-file", apacheSsl.getSslCertificateFile());
-    bindings.put("key-file", apacheSsl.getSslCertificateKeyFile());
+    if (supportsSecretDecryption(deploymentConfiguration.getName())) {
+      bindings.put("cert-file", apacheSsl.getSslCertificateFile());
+      bindings.put("key-file", apacheSsl.getSslCertificateKeyFile());
+    } else {
+      bindings.put(
+          "cert-file",
+          bindingsSecretDecrypter.trackSecretFile(
+              profile,
+              halconfigDirectoryStructure.getStagingDependenciesPath(
+                  deploymentConfiguration.getName()),
+              apacheSsl.getSslCertificateFile(),
+              "sslCertificateFile"));
+      bindings.put(
+          "key-file",
+          bindingsSecretDecrypter.trackSecretFile(
+              profile,
+              halconfigDirectoryStructure.getStagingDependenciesPath(
+                  deploymentConfiguration.getName()),
+              apacheSsl.getSslCertificateKeyFile(),
+              "sslCertificateKeyFile"));
+    }
+
     String ssl = resource.setBindings(bindings).toString();
     bindings.clear();
     bindings.put("ssl", ssl);

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/deck/DeckDockerProfileFactory.java

@@ -20,6 +20,7 @@
 import com.netflix.spinnaker.halyard.config.model.v1.node.DeploymentConfiguration;
 import com.netflix.spinnaker.halyard.config.model.v1.security.ApacheSsl;
 import com.netflix.spinnaker.halyard.config.services.v1.AccountService;
+import com.netflix.spinnaker.halyard.deploy.config.v1.secrets.BindingsSecretDecrypter;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerArtifact;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerRuntimeSettings;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.Profile;
@@ -33,6 +34,8 @@
 public class DeckDockerProfileFactory extends DeckProfileFactory {
   @Autowired AccountService accountService;
 
+  @Autowired BindingsSecretDecrypter bindingsSecretDecrypter;
+
   @Override
   public String commentPrefix() {
     return "// ";
@@ -59,9 +62,30 @@ protected void setProfile(
       env.put("DECK_HOST", deckSettings.getHost());
       env.put("DECK_PORT", deckSettings.getPort() + "");
       env.put("API_HOST", gateSettings.getBaseUrl());
-      env.put("DECK_CERT", apacheSsl.getSslCertificateFile());
-      env.put("DECK_KEY", apacheSsl.getSslCertificateKeyFile());
-      env.put("PASSPHRASE", apacheSsl.getSslCertificatePassphrase());
+      if (supportsSecretDecryption(deploymentConfiguration.getName())) {
+        env.put("DECK_CERT", apacheSsl.getSslCertificateFile());
+        env.put("DECK_KEY", apacheSsl.getSslCertificateKeyFile());
+        env.put("PASSPHRASE", apacheSsl.getSslCertificatePassphrase());
+      } else {
+        env.put(
+            "DECK_CERT",
+            bindingsSecretDecrypter.trackSecretFile(
+                profile,
+                halconfigDirectoryStructure.getStagingDependenciesPath(
+                    deploymentConfiguration.getName()),
+                apacheSsl.getSslCertificateFile(),
+                "sslCertificateFile"));
+        env.put(
+            "DECK_KEY",
+            bindingsSecretDecrypter.trackSecretFile(
+                profile,
+                halconfigDirectoryStructure.getStagingDependenciesPath(
+                    deploymentConfiguration.getName()),
+                apacheSsl.getSslCertificateKeyFile(),
+                "sslCertificateKeyFile"));
+        env.put(
+            "PASSPHRASE", secretSessionManager.decrypt(apacheSsl.getSslCertificatePassphrase()));
+      }
     }
 
     env.put(