controllers: improve decryptor and add tests
- Refactored recursion while iterating over Kustomization files.
  References of files that have been visited are cached, and not
  visited again. In addition, symlinks are confirmed to not traverse
  outside the working directory.
- Optimized various parts of the (un)marshalling of (encrypted) data, and
  avoided YAML -> JSON -> YAML round trips where they are not required.
- Added support for decrypting INI Kustomize EnvSource references using
  the dedicated SOPS store for the format.
- Introduced support for decrypting Kustomize FileSources:
  https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/types#DataSources

Signed-off-by: Hidde Beydals <[email protected]>
hiddeco committed Apr 14, 2022
1 parent 4da17e1 commit 105ebd9
Showing 3 changed files with 1,987 additions and 158 deletions.
10 changes: 5 additions & 5 deletions controllers/kustomization_controller.go
Expand Up @@ -368,7 +368,7 @@ func (r *KustomizationReconciler) reconcile(
}

// build the kustomization
resources, err := r.build(ctx, kustomization, dirPath)
resources, err := r.build(ctx, tmpDir, kustomization, dirPath)
if err != nil {
return kustomizev1.KustomizationNotReady(
kustomization,
Expand Down Expand Up @@ -634,8 +634,8 @@ func (r *KustomizationReconciler) generate(kustomization kustomizev1.Kustomizati
return gen.WriteFile(dirPath)
}

func (r *KustomizationReconciler) build(ctx context.Context, kustomization kustomizev1.Kustomization, dirPath string) ([]byte, error) {
dec, cleanup, err := NewTempDecryptor(r.Client, kustomization)
func (r *KustomizationReconciler) build(ctx context.Context, workDir string, kustomization kustomizev1.Kustomization, dirPath string) ([]byte, error) {
dec, cleanup, err := NewTempDecryptor(workDir, r.Client, kustomization)
if err != nil {
return nil, err
}
Expand All @@ -649,7 +649,7 @@ func (r *KustomizationReconciler) build(ctx context.Context, kustomization kusto
fs := filesys.MakeFsOnDisk()
// decrypt .env files before building kustomization
if kustomization.Spec.Decryption != nil {
if err = dec.decryptDotEnvFiles(dirPath); err != nil {
if err = dec.DecryptEnvSources(dirPath); err != nil {
return nil, fmt.Errorf("error decrypting .env file: %w", err)
}
}
Expand All @@ -666,7 +666,7 @@ func (r *KustomizationReconciler) build(ctx context.Context, kustomization kusto

// check if resources are encrypted and decrypt them before generating the final YAML
if kustomization.Spec.Decryption != nil {
outRes, err := dec.Decrypt(res)
outRes, err := dec.DecryptResource(res)
if err != nil {
return nil, fmt.Errorf("decryption failed for '%s': %w", res.GetName(), err)
}
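Review bot: The error message in the `-649,7 +649,7` hunk is now stale: the call was renamed from `decryptDotEnvFiles` to `DecryptEnvSources`, and the commit description says it also covers INI EnvSource references, yet the wrapped error still reads `"error decrypting .env file: %w"`. I would change that line to `return nil, fmt.Errorf("decrypting env sources: %w", err)`, which also drops the redundant "error" prefix the `%w` chain makes unnecessary. Since `build` now receives `workDir` and hands it to `NewTempDecryptor` — presumably as the root the decryptor confines symlink traversal to, per the description — a doc comment on `build` should state that relationship, e.g. `// build renders the kustomization at dirPath; workDir is the decryptor's confinement root, and dirPath is expected to lie within it.` The body of `build` starts in one hunk and continues outside the others, so the existing comment block, if any, is not visible here.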
