Introduce global decryption for SOPS age keys

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

docs/spec/v1/kustomizations.md

@@ -1430,127 +1430,29 @@ Kustomization object itself, it will fall back to these defaults.
 
 See also the [workload identity](/flux/installation/configuration/workload-identity/) docs.
 
-#### AWS KMS
+#### Cloud Provider KMS Services
 
-While making use of the [IAM OIDC provider](https://eksctl.io/usage/iamserviceaccounts/)
-on your EKS cluster, you can create an IAM Role and Service Account with access
-to AWS KMS (using at least `kms:Decrypt` and `kms:DescribeKey`). Once these are
-created, you can annotate the kustomize-controller Service Account with the
-Role ARN, granting the controller permission to decrypt the Secrets. Please refer
-to the [SOPS guide](https://fluxcd.io/flux/guides/mozilla-sops/#aws) for detailed steps.
+For cloud provider KMS services, please refer to the specific sections in the integration guides:
 
-```sh
-kubectl -n flux-system annotate serviceaccount kustomize-controller \
-  --field-manager=flux-client-side-apply \
-  eks.amazonaws.com/role-arn='arn:aws:iam::<ACCOUNT_ID>:role/<KMS-ROLE-NAME>'
-```
+Service-specific configuration:
 
-Furthermore, you can also use the usual [environment variables used for specifying AWS
-credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list),
-by patching the kustomize-controller Deployment:
+- [AWS KMS](https://fluxcd.io/flux/integrations/aws/#for-amazon-key-management-service)
+- [Azure Key Vault](https://fluxcd.io/flux/integrations/azure/#for-azure-key-vault)
+- [GCP KMS](https://fluxcd.io/flux/integrations/gcp/#for-google-cloud-key-management-service)
 
-```yaml
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: kustomize-controller
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      containers:
-      - name: manager
-        env:
-        - name: AWS_ACCESS_KEY_ID
-          valueFrom:
-            secretKeyRef:
-              name: aws-creds
-              key: awsAccessKeyID
-        - name: AWS_SECRET_ACCESS_KEY
-          valueFrom:
-            secretKeyRef:
-              name: aws-creds
-              key: awsSecretAccessKey
-        - name: AWS_SESSION_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: aws-creds
-              key: awsSessionToken
-```
-
-In addition to this, the
-[general SOPS documentation around KMS AWS applies](https://github.com/mozilla/sops#27kms-aws-profiles),
-allowing you to specify e.g. a `SOPS_KMS_ARN` environment variable.
-
-**Note:**: If you are mounting a secret containing the AWS credentials as a
-file in the `kustomize-controller` Pod, you need to specify an environment
-variable `$HOME`, since the AWS credentials file is expected to be present at
-`~/.aws`. For example:
-
-```yaml
-env:
-  - name: HOME
-    value: /home/{$USER}
-```
+Controller-level configuration:
 
-#### Azure Key Vault
+- [AWS](https://fluxcd.io/flux/integrations/aws/#at-the-controller-level)
+- [Azure](https://fluxcd.io/flux/integrations/azure/#at-the-controller-level)
+- [GCP](https://fluxcd.io/flux/integrations/gcp/#at-the-controller-level)
 
-##### Workload Identity
+These guides provide detailed instructions for setting up authentication,
+permissions, and controller configuration for each cloud provider.
 
-If you have Workload Identity set up on your AKS cluster, you can establish
-a federated identity between the kustomize-controller ServiceAccount and an
-identity that has "Decrypt" role on the Azure Key Vault. Once, this is done
-you can label and annotate the kustomize-controller ServiceAccount and Pod
-with the patch shown below:
+#### Hashicorp Vault
 
-```yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - gotk-components.yaml
-  - gotk-sync.yaml
-patches:
-  - patch: |-
-      apiVersion: v1
-      kind: ServiceAccount
-      metadata:
-        name: kustomize-controller
-        namespace: flux-system
-        annotations:
-          azure.workload.identity/client-id: <AZURE_CLIENT_ID>
-        labels:
-          azure.workload.identity/use: "true"
-  - patch: |-
-      apiVersion: apps/v1
-      kind: Deployment
-      metadata:
-        name: kustomize-controller
-        namespace: flux-system
-        labels:
-          azure.workload.identity/use: "true"
-      spec:
-        template:
-          metadata:
-            labels:
-              azure.workload.identity/use: "true"
-```
-
-##### Kubelet Identity
-
-If the kubelet managed identity has `Decrypt` permissions on Azure Key Vault,
-no additional configuration is required for the kustomize-controller to decrypt
-data.
-
-#### GCP KMS
-
-While making use of Google Cloud Platform, the [`GOOGLE_APPLICATION_CREDENTIALS`
-environment variable](https://cloud.google.com/docs/authentication/production)
-is automatically taken into account.
-[Granting permissions](https://cloud.google.com/kms/docs/reference/permissions-and-roles)
-to the Service Account attached to this will therefore be sufficient to decrypt
-data. When running outside GCP, it is possible to manually patch the
-kustomize-controller Deployment with a valid set of (mounted) credentials.
+To configure a global default for Hashicorp Vault, patch the controller's
+Deployment with a `VAULT_TOKEN` environment variable.
 
 ```yaml
 ---
@@ -1565,41 +1467,35 @@ spec:
       containers:
       - name: manager
         env:
-        - name: GOOGLE_APPLICATION_CREDENTIALS
-          value: /var/gcp/credentials.json
-        volumeMounts:
-        - name: gcp-credentials
-          mountPath: /var/gcp/
-          readOnly: true
-      volumes:
-      - name: gcp-credentials
-        secret:
-          secretName: mysecret
-          items:
-          - key: credentials
-            path: credentials.json
+        - name: VAULT_TOKEN
+          value: <token>
 ```
 
-#### Hashicorp Vault
+#### SOPS Age Keys
 
-To configure a global default for Hashicorp Vault, patch the controller's
-Deployment with a `VAULT_TOKEN` environment variable.
+To configure global decryption for SOPS Age keys, use the `--sops-age-secret`
+controller flag to specify a Kubernetes Secret containing the Age private keys.
+
+Start the kustomize-controller with the flag:
+
+```sh
+--sops-age-secret=<secret-name>
+```
+
+The referenced Secret must be in the same namespace as the kustomize-controller
+(specified in the `RUNTIME_NAMESPACE` environment variable) and contain Age
+private keys with the `.agekey` suffix:
 
 ```yaml
 ---
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: v1
+kind: Secret
 metadata:
-  name: kustomize-controller
+  name: sops-age-keys
   namespace: flux-system
-spec:
-  template:
-    spec:
-      containers:
-      - name: manager
-        env:
-        - name: VAULT_TOKEN
-          value: <token>
+data:
+  identity1.agekey: <BASE64>
+  identity2.agekey: <BASE64>
 ```
 
 ### Kustomize secretGenerator

internal/controller/kustomization_controller.go

@@ -104,6 +104,8 @@ type KustomizationReconciler struct {
 	NoRemoteBases           bool
 	FailFast                bool
 	DefaultServiceAccount   string
+	SOPSAgeSecret           string
+	RuntimeNamespace        string
 	KubeConfigOpts          runtimeClient.KubeConfigOptions
 	ConcurrentSSA           int
 	DisallowedFieldManagers []string
@@ -642,7 +644,19 @@ func (r *KustomizationReconciler) generate(obj unstructured.Unstructured,
 func (r *KustomizationReconciler) build(ctx context.Context,
 	obj *kustomizev1.Kustomization, u unstructured.Unstructured,
 	workDir, dirPath string) ([]byte, error) {
-	dec, cleanup, err := decryptor.NewTempDecryptor(workDir, r.Client, obj, r.TokenCache)
+
+	// Build decryptor.
+	decryptorOpts := []decryptor.Option{
+		decryptor.WithRoot(workDir),
+	}
+	if r.TokenCache != nil {
+		decryptorOpts = append(decryptorOpts, decryptor.WithTokenCache(*r.TokenCache))
+	}
+	if r.SOPSAgeSecret != "" {
+		decryptorOpts = append(decryptorOpts,
+			decryptor.WithSOPSAgeSecret(r.SOPSAgeSecret, r.RuntimeNamespace))
+	}
+	dec, cleanup, err := decryptor.New(r.Client, obj, decryptorOpts...)
 	if err != nil {
 		return nil, err
 	}

internal/decryptor/decryptor.go

@@ -162,32 +162,30 @@ type Decryptor struct {
 	// decryptor.
 	keyServices      []keyservice.KeyServiceClient
 	localServiceOnce sync.Once
-}
 
-// NewDecryptor creates a new Decryptor for the given kustomization.
-// gnuPGHome can be empty, in which case the systems' keyring is used.
-func NewDecryptor(root string, client client.Client, kustomization *kustomizev1.Kustomization,
-	maxFileSize int64, gnuPGHome string, tokenCache *cache.TokenCache) *Decryptor {
-	return &Decryptor{
-		root:          root,
-		client:        client,
-		kustomization: kustomization,
-		maxFileSize:   maxFileSize,
-		gnuPGHome:     pgp.GnuPGHome(gnuPGHome),
-		tokenCache:    tokenCache,
-	}
+	// sopsAgeSecret is the NamespacedName of the Secret containing
+	// a fallback SOPS age decryption key.
+	sopsAgeSecret *types.NamespacedName
 }
 
-// NewTempDecryptor creates a new Decryptor, with a temporary GnuPG
+// New creates a new Decryptor, with a temporary GnuPG
 // home directory to Decryptor.ImportKeys() into.
-func NewTempDecryptor(root string, client client.Client, kustomization *kustomizev1.Kustomization,
-	tokenCache *cache.TokenCache) (*Decryptor, func(), error) {
+func New(client client.Client, kustomization *kustomizev1.Kustomization, opts ...Option) (*Decryptor, func(), error) {
 	gnuPGHome, err := pgp.NewGnuPGHome()
 	if err != nil {
 		return nil, nil, fmt.Errorf("cannot create decryptor: %w", err)
 	}
 	cleanup := func() { _ = os.RemoveAll(gnuPGHome.String()) }
-	return NewDecryptor(root, client, kustomization, maxEncryptedFileSize, gnuPGHome.String(), tokenCache), cleanup, nil
+	d := &Decryptor{
+		client:        client,
+		kustomization: kustomization,
+		maxFileSize:   maxEncryptedFileSize,
+		gnuPGHome:     gnuPGHome,
+	}
+	for _, opt := range opts {
+		opt(d)
+	}
+	return d, cleanup, nil
 }
 
 // IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted
@@ -210,16 +208,43 @@ func IsEncryptedSecret(object *unstructured.Unstructured) bool {
 // For the import of PGP keys, the Decryptor must be configured with
 // an absolute GnuPG home directory path.
 func (d *Decryptor) ImportKeys(ctx context.Context) error {
-	if d.kustomization.Spec.Decryption == nil || d.kustomization.Spec.Decryption.SecretRef == nil {
+	if d.kustomization.Spec.Decryption == nil ||
+		(d.kustomization.Spec.Decryption.SecretRef == nil && d.sopsAgeSecret == nil) {
 		return nil
 	}
 
 	provider := d.kustomization.Spec.Decryption.Provider
 	switch provider {
 	case DecryptionProviderSOPS:
+		secretRef := d.kustomization.Spec.Decryption.SecretRef
+
+		// We handle the SOPS age global decryption separately, as most of the other
+		// decryption providers already support global decryption in other ways, and
+		// we don't want to introduce duplicate methods of achieving the same.
+		// Furthermore, allowing e.g. cloud provider credentials to be fetched
+		// from this global secret would prevent workload identity from working.
+		if secretRef == nil && d.sopsAgeSecret != nil {
+			var secret corev1.Secret
+			if err := d.client.Get(ctx, *d.sopsAgeSecret, &secret); err != nil {
+				if apierrors.IsNotFound(err) {
+					return err
+				}
+				return fmt.Errorf("cannot get %s SOPS age decryption Secret '%s': %w", provider, *d.sopsAgeSecret, err)
+			}
+			for name, value := range secret.Data {
+				if filepath.Ext(name) == DecryptionAgeExt {
+					if err := d.ageIdentities.Import(string(value)); err != nil {
+						return fmt.Errorf("failed to import '%s' data from %s SOPS age decryption Secret '%s': %w",
+							name, provider, *d.sopsAgeSecret, err)
+					}
+				}
+			}
+			return nil
+		}
+
 		secretName := types.NamespacedName{
 			Namespace: d.kustomization.GetNamespace(),
-			Name:      d.kustomization.Spec.Decryption.SecretRef.Name,
+			Name:      secretRef.Name,
 		}
 
 		var secret corev1.Secret