Put support for v1 secret format behind feature flag
Marko Mikulicic committed Sep 3, 2019
1 parent 3dc595a commit 46a6f18
Showing 3 changed files with 35 additions and 6 deletions.
3 changes: 3 additions & 0 deletions cmd/controller/main.go
Expand Up @@ -41,6 +41,7 @@ var (
myCN = flag.String("my-cn", "", "CN to use in generated certificate.")
printVersion = flag.Bool("version", false, "Print version information and exit")
keyRotatePeriod = flag.Duration("rotate-period", 0, "New key generation period (automatic rotation disabled if 0)")
acceptV1Data = flag.Bool("accept-deprecated-v1-data", false, "Accept deprecated V1 data field")

// VERSION set from Makefile
VERSION = "UNKNOWN"
Expand Down Expand Up @@ -228,6 +229,8 @@ func main() {
flag.Parse()
goflag.CommandLine.Parse([]string{})

ssv1alpha1.AcceptDeprecatedV1Data = *acceptV1Data

if *printVersion {
fmt.Printf("controller version: %s\n", VERSION)
return
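Review bot: The new `acceptV1Data` flag defaults to false, so after this upgrade a controller will refuse to unseal any existing SealedSecret that still carries the v1 `data` field until the operator opts in with `--accept-deprecated-v1-data`, and neither the help string nor the commit description says so. Fail-closed is the right default for a deprecated format, but the help text should state the consequence and the planned removal, e.g. `acceptV1Data = flag.Bool("accept-deprecated-v1-data", false, "Accept the deprecated V1 'data' field; off by default, so v1 SealedSecrets fail to unseal until re-sealed with 'encryptedData'. To be removed in a future release.")`. The assignment to `ssv1alpha1.AcceptDeprecatedV1Data` appears to run once right after flag parsing, which is fine for a package-level switch, but a comment such as `// Must be set before any Unseal call; read by pkg/apis/sealed-secrets/v1alpha1.` would make that ordering constraint explicit. The rest of main's body lies outside this hunk.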
11 changes: 10 additions & 1 deletion pkg/apis/sealed-secrets/v1alpha1/sealedsecret_expansion.go
Expand Up @@ -14,6 +14,11 @@ import (
"github.com/bitnami-labs/sealed-secrets/pkg/crypto"
)

var (
// TODO(mkm): remove after a release
AcceptDeprecatedV1Data = false
)

// SealedSecretExpansion has methods to work with SealedSecrets resources.
type SealedSecretExpansion interface {
Unseal(codecs runtimeserializer.CodecFactory, privKeys map[string]*rsa.PrivateKey) (*v1.Secret, error)
Expand Down Expand Up @@ -188,7 +193,7 @@ func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, privKeys ma
secret.Data[key] = plaintext
}

} else { // Support decrypting old secrets for backward compatibility
} else if AcceptDeprecatedV1Data { // Support decrypting old secrets for backward compatibility
plaintext, err := crypto.HybridDecrypt(rand.Reader, privKeys, s.Spec.Data, label)
if err != nil {
return nil, err
Expand All @@ -198,6 +203,10 @@ func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, privKeys ma
if err = runtime.DecodeInto(dec, plaintext, &secret); err != nil {
return nil, err
}
} else {
if s.Spec.Data != nil {
return nil, fmt.Errorf("using deprecated 'data' field, use 'encryptedData' or flip the feature flag")
}
}

// Ensure these are set to what we expect
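Review bot: The error returned in the new else branch tells the user to "flip the feature flag" without naming it, so an operator who sees it in controller logs or events cannot find `--accept-deprecated-v1-data` from the message, and the branch wraps a single check in an extra block. Suggest a package-level sentinel the controller can match with errors.Is (needs the errors import) and a message that names the switch: `var ErrDeprecatedV1Data = errors.New("using deprecated 'data' field, use 'encryptedData' or start the controller with --accept-deprecated-v1-data")` and `} else if s.Spec.Data != nil { return nil, ErrDeprecatedV1Data }`; if naming a controller flag from the API package is undesirable, at least quote the `AcceptDeprecatedV1Data` variable. Rejecting by default is the safer direction. The exported `AcceptDeprecatedV1Data` in the first hunk should carry a doc comment rather than only the TODO, e.g. `// AcceptDeprecatedV1Data enables decryption of the deprecated v1 'data' field, which holds an encrypted whole Secret; set it once at startup, it is not safe to toggle concurrently with Unseal.` Unseal's body begins and ends outside these hunks.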
27 changes: 22 additions & 5 deletions pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go
Expand Up @@ -7,6 +7,7 @@ import (
"io"
mathrand "math/rand"
"reflect"
"strings"
"testing"

fuzz "github.com/google/gofuzz"
Expand Down Expand Up @@ -455,6 +456,16 @@ func TestSealMetadataPreservation(t *testing.T) {
}

func TestUnsealingV1Format(t *testing.T) {
testUnsealingV1Format(t, true)
testUnsealingV1Format(t, false)
}

func testUnsealingV1Format(t *testing.T, acceptDeprecated bool) {
defer func(saved bool) {
AcceptDeprecatedV1Data = saved
}(AcceptDeprecatedV1Data)
AcceptDeprecatedV1Data = acceptDeprecated

scheme := runtime.NewScheme()
codecs := serializer.NewCodecFactory(scheme)

Expand Down Expand Up @@ -491,11 +502,17 @@ func TestUnsealingV1Format(t *testing.T) {
t.Fatalf("cannot compute fingerprint: %v", err)
}
secret2, err := ssecret.Unseal(codecs, map[string]*rsa.PrivateKey{fp: key})
if err != nil {
t.Fatalf("Unseal returned error: %v", err)
}
if acceptDeprecated {
if err != nil {
t.Fatalf("Unseal returned error: %v", err)
}

if !reflect.DeepEqual(secret.Data, secret2.Data) {
t.Errorf("Unsealed secret != original secret: %v != %v", secret, secret2)
if !reflect.DeepEqual(secret.Data, secret2.Data) {
t.Errorf("Unsealed secret != original secret: %v != %v", secret, secret2)
}
} else {
if needle := "deprecated"; err == nil || !strings.Contains(err.Error(), needle) {
t.Fatalf("Expecting error: %v to contain %q", err, needle)
}
}
}
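Review bot: `testUnsealingV1Format` is called twice from the same test, so when the reject case fails the report names only `TestUnsealingV1Format` and the reader must infer from the message which mode was under test; wrapping the calls in subtests fixes that: `t.Run("accept", func(t *testing.T) { testUnsealingV1Format(t, true) })` and `t.Run("reject", func(t *testing.T) { testUnsealingV1Format(t, false) })`. Because the helper mutates the package-level `AcceptDeprecatedV1Data` and restores it in a defer, those subtests must not call `t.Parallel()`; a comment on the helper, `// mutates package-level AcceptDeprecatedV1Data; callers must not run in parallel`, would guard against that. The reject assertion only checks that the error mentions "deprecated", which is adequate provided the sealed secret built in the collapsed middle of the helper (outside this view) actually sets Spec.Data, the condition the new branch keys on.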
