initialize cipher

stackrox · Aug 1, 2023 · 23061f9 · 23061f9
1 parent 13e3f4b
commit 23061f9
Show file tree

Hide file tree

Showing 6 changed files with 143 additions and 100 deletions.
diff --git a/fleetshard/config/config.go b/fleetshard/config/config.go
@@ -10,6 +10,13 @@ import (
 	"github.com/pkg/errors"
 )
 
+const (
+	// EnvProd is the expected value of the environment variable "ENVIRONMENT" for prod deployments of fleetshard-sync
+	EnvProd = "prod"
+	// EnvStage is the expected value of the environment variable "ENVIRONMENT" for stage deployments of fleetshard-sync
+	EnvStage = "stage"
+)
+
 // Config contains this application's runtime configuration.
 type Config struct {
 	FleetManagerEndpoint string        `env:"FLEET_MANAGER_ENDPOINT" envDefault:"http://127.0.0.1:8000"`
@@ -29,8 +36,9 @@ type Config struct {
 	EgressProxyImage     string        `env:"EGRESS_PROXY_IMAGE"`
 	BaseCrdURL           string        `env:"BASE_CRD_URL" envDefault:"https://raw.githubusercontent.com/stackrox/stackrox/%s/operator/bundle/manifests/"`
 
-	ManagedDB ManagedDB
-	Telemetry Telemetry
+	ManagedDB        ManagedDB
+	Telemetry        Telemetry
+	SecretEncryption SecretEncryption
 }
 
 // ManagedDB for configuring managed DB specific parameters
@@ -47,6 +55,12 @@ type Telemetry struct {
 	StorageKey      string `env:"TELEMETRY_STORAGE_KEY"`
 }
 
+// SecretEncryption defines paramaters to configure encryption of tenant secrest
+type SecretEncryption struct {
+	Type  string `env:"SECRET_ENCRYPTION_TYPE" envDefault:"local"`
+	KeyID string `env:"SECRET_ENCRYPTION_KEY_ID"`
+}
+
 // GetConfig retrieves the current runtime configuration from the environment and returns it.
 func GetConfig() (*Config, error) {
 	c := Config{}
@@ -65,6 +79,7 @@ func GetConfig() (*Config, error) {
 		configErrors.AddError(errors.New("AUTH_TYPE unset in the environment"))
 	}
 	validateManagedDBConfig(c, &configErrors)
+	validateSecretEncryptionConfig(c, &configErrors)
 
 	cfgErr := configErrors.ToError()
 	if cfgErr != nil {
@@ -81,3 +96,17 @@ func validateManagedDBConfig(c Config, configErrors *errorhelpers.ErrorList) {
 		configErrors.AddError(errors.New("MANAGED_DB_ENABLED == true and MANAGED_DB_SECURITY_GROUP unset in the environment"))
 	}
 }
+
+func validateSecretEncryptionConfig(c Config, configErrors *errorhelpers.ErrorList) {
+	if !isDevEnvironment(c) && c.SecretEncryption.Type == "local" {
+		configErrors.AddError(errors.New("SECRET_ENCRYPTION_TYPE == local not allowed for non dev environments")) // pragma: allowlist secret
+	}
+
+	if c.SecretEncryption.Type == "kms" && c.SecretEncryption.KeyID == "" {
+		configErrors.AddError(errors.New("SECRET_ENCRYPTION_TYPE == kms and SECRET_ENCRYPTION_KEY_ID unset in the environment")) // pragma: allowlist secret
+	}
+}
+
+func isDevEnvironment(c Config) bool {
+	return c.Environment != EnvProd && c.Environment != EnvStage
+}
diff --git a/fleetshard/pkg/central/reconciler/reconciler.go b/fleetshard/pkg/central/reconciler/reconciler.go
@@ -1223,6 +1223,7 @@ var resourcesChart = charts.MustGetChart("tenant-resources", nil)
 // NewCentralReconciler ...
 func NewCentralReconciler(k8sClient ctrlClient.Client, central private.ManagedCentral,
 	managedDBProvisioningClient cloudprovider.DBClient, managedDBInitFunc postgres.CentralDBInitFunc,
+	secretCipher cipher.Cipher,
 	opts CentralReconcilerOptions,
 ) *CentralReconciler {
 	return &CentralReconciler{
@@ -1233,6 +1234,7 @@ func NewCentralReconciler(k8sClient ctrlClient.Client, central private.ManagedCe
 		wantsAuthProvider: opts.WantsAuthProvider,
 		routeService:      k8s.NewRouteService(k8sClient),
 		secretService:     k8s.NewSecretService(k8sClient),
+		secretCipher:      secretCipher, // pragma: allowlist secret
 		egressProxyImage:  opts.EgressProxyImage,
 		telemetry:         opts.Telemetry,
 		clusterName:       opts.ClusterName,

diff --git a/fleetshard/pkg/central/reconciler/reconciler_test.go b/fleetshard/pkg/central/reconciler/reconciler_test.go
@@ -4,13 +4,14 @@ import (
 	"context"
 	"embed"
 	"fmt"
+	"testing"
+	"time"
+
 	"github.com/stackrox/rox/pkg/utils"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"testing"
-	"time"
 
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 
@@ -22,6 +23,7 @@ import (
 	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/central/cloudprovider"
 	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/central/cloudprovider/awsclient"
 	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/central/postgres"
+	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/cipher"
 	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/k8s"
 	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/testutils"
 	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/util"
@@ -90,12 +92,19 @@ func conditionForType(conditions []private.DataPlaneClusterUpdateStatusRequestCo
 	return nil, false
 }
 
+func createBase64Cipher(t *testing.T) cipher.Cipher {
+	b64Cipher, err := cipher.NewLocalBase64Cipher()
+	require.NoError(t, err, "creating base64 cipher for tests")
+	return b64Cipher
+}
+
 func TestReconcileCreate(t *testing.T) {
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
 	r := NewCentralReconciler(fakeClient,
 		private.ManagedCentral{},
 		nil,
 		centralDBInitFunc,
+		createBase64Cipher(t),
 		CentralReconcilerOptions{ClusterName: clusterName, Environment: environment, UseRoutes: true},
 	)
 
@@ -145,7 +154,12 @@ func TestReconcileCreateWithManagedDB(t *testing.T) {
 		return connection, nil
 	}
 
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, managedDBProvisioningClient, centralDBInitFunc,
+	r := NewCentralReconciler(
+		fakeClient,
+		private.ManagedCentral{},
+		managedDBProvisioningClient,
+		centralDBInitFunc,
+		createBase64Cipher(t),
 		CentralReconcilerOptions{
 			UseRoutes:        true,
 			ManagedDBEnabled: true,
@@ -180,6 +194,7 @@ func TestReconcileCreateWithLabelOperatorVersion(t *testing.T) {
 	t.Setenv(features.TargetedOperatorUpgrades.EnvVar(), "true")
 
 	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
 		CentralReconcilerOptions{
 			UseRoutes: true,
 		})
@@ -215,6 +230,7 @@ func TestReconcileCreateWithManagedDBNoCredentials(t *testing.T) {
 	require.NoError(t, err)
 
 	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, managedDBProvisioningClient, centralDBInitFunc,
+		createBase64Cipher(t),
 		CentralReconcilerOptions{
 			UseRoutes:        true,
 			ManagedDBEnabled: true,
@@ -235,7 +251,8 @@ func TestReconcileUpdateSucceeds(t *testing.T) {
 		},
 	}, centralDeploymentObject()).Build()
 
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t), CentralReconcilerOptions{})
 
 	status, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.NoError(t, err)
@@ -280,7 +297,9 @@ func TestReconcileLastHashSetOnSuccess(t *testing.T) {
 		},
 	}, centralDeploymentObject()).Build()
 
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{})
 
 	managedCentral := simpleManagedCentral
 	managedCentral.RequestStatus = centralConstants.CentralRequestStatusReady.String()
@@ -312,7 +331,9 @@ func TestIgnoreCacheForCentralNotReady(t *testing.T) {
 		},
 	}, centralDeploymentObject()).Build()
 
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{})
 
 	managedCentral := simpleManagedCentral
 	managedCentral.RequestStatus = centralConstants.CentralRequestStatusProvisioning.String()
@@ -337,7 +358,9 @@ func TestIgnoreCacheForCentralForceReconcileAlways(t *testing.T) {
 		},
 	}, centralDeploymentObject()).Build()
 
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{})
 
 	managedCentral := simpleManagedCentral
 	managedCentral.RequestStatus = centralConstants.CentralRequestStatusReady.String()
@@ -356,7 +379,9 @@ func TestIgnoreCacheForCentralForceReconcileAlways(t *testing.T) {
 
 func TestReconcileDelete(t *testing.T) {
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{UseRoutes: true})
 
 	_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.NoError(t, err)
@@ -389,7 +414,8 @@ func TestReconcileDelete(t *testing.T) {
 
 func TestDisablePauseAnnotation(t *testing.T) {
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t), CentralReconcilerOptions{UseRoutes: true})
 
 	_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.NoError(t, err)
@@ -428,6 +454,7 @@ func TestReconcileDeleteWithManagedDB(t *testing.T) {
 	}
 
 	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, managedDBProvisioningClient, centralDBInitFunc,
+		createBase64Cipher(t),
 		CentralReconcilerOptions{
 			UseRoutes:        true,
 			ManagedDBEnabled: true,
@@ -512,7 +539,9 @@ func TestCentralChanged(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			reconciler := NewCentralReconciler(fakeClient, test.currentCentral, nil, centralDBInitFunc, CentralReconcilerOptions{})
+			reconciler := NewCentralReconciler(fakeClient, test.currentCentral, nil, centralDBInitFunc,
+				createBase64Cipher(t),
+				CentralReconcilerOptions{})
 
 			if test.lastCentral != nil {
 				err := reconciler.setLastCentralHash(*test.lastCentral)
@@ -528,7 +557,9 @@ func TestCentralChanged(t *testing.T) {
 
 func TestNamespaceLabelsAreSet(t *testing.T) {
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{UseRoutes: true})
 
 	_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.NoError(t, err)
@@ -542,7 +573,9 @@ func TestNamespaceLabelsAreSet(t *testing.T) {
 
 func TestReportRoutesStatuses(t *testing.T) {
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{UseRoutes: true})
 
 	status, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.NoError(t, err)
@@ -568,7 +601,9 @@ func TestChartResourcesAreAddedAndRemoved(t *testing.T) {
 	require.NoError(t, err)
 
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{})
 	r.resourcesChart = chart
 
 	_, err = r.Reconcile(context.TODO(), simpleManagedCentral)
@@ -601,7 +636,9 @@ func TestChartResourcesAreAddedAndUpdated(t *testing.T) {
 	require.NoError(t, err)
 
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{})
 	r.resourcesChart = chart
 
 	_, err = r.Reconcile(context.TODO(), simpleManagedCentral)
@@ -632,7 +669,9 @@ func TestChartResourcesAreAddedAndUpdated(t *testing.T) {
 
 func TestEgressProxyIsDeployed(t *testing.T) {
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{})
 
 	_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.NoError(t, err)
@@ -683,6 +722,7 @@ func TestEgressProxyIsDeployed(t *testing.T) {
 func TestEgressProxyCustomImage(t *testing.T) {
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
 	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
 		CentralReconcilerOptions{
 			EgressProxyImage: "registry.redhat.io/openshift4/ose-egress-http-proxy:version-for-test",
 		})
@@ -709,23 +749,29 @@ func TestEgressProxyCustomImage(t *testing.T) {
 func TestNoRoutesSentWhenOneNotCreated(t *testing.T) {
 	fakeClient, tracker := testutils.NewFakeClientWithTracker(t)
 	tracker.AddRouteError(centralReencryptRouteName, errors.New("fake error"))
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{UseRoutes: true})
 	_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.Errorf(t, err, "fake error")
 }
 
 func TestNoRoutesSentWhenOneNotAdmitted(t *testing.T) {
 	fakeClient, tracker := testutils.NewFakeClientWithTracker(t)
 	tracker.SetRouteAdmitted(centralReencryptRouteName, false)
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{UseRoutes: true})
 	_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.Errorf(t, err, "unable to find admitted ingress")
 }
 
 func TestNoRoutesSentWhenOneNotCreatedYet(t *testing.T) {
 	fakeClient, tracker := testutils.NewFakeClientWithTracker(t)
 	tracker.SetSkipRoute(centralReencryptRouteName, true)
-	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+	r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+		createBase64Cipher(t),
+		CentralReconcilerOptions{UseRoutes: true})
 	_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 	require.Errorf(t, err, "unable to find admitted ingress")
 }
@@ -759,7 +805,9 @@ func TestTelemetryOptionsAreSetInCR(t *testing.T) {
 	for _, tc := range tt {
 		t.Run(tc.testName, func(t *testing.T) {
 			fakeClient := testutils.NewFakeClientBuilder(t).Build()
-			r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{Telemetry: tc.telemetry})
+			r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+				createBase64Cipher(t),
+				CentralReconcilerOptions{Telemetry: tc.telemetry})
 
 			_, err := r.Reconcile(context.TODO(), simpleManagedCentral)
 			require.NoError(t, err)
@@ -819,7 +867,9 @@ func TestReconcileUpdatesRoutes(t *testing.T) {
 	for _, tc := range tt {
 		t.Run(tc.testName, func(t *testing.T) {
 			fakeClient := testutils.NewFakeClientBuilder(t).Build()
-			r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc, CentralReconcilerOptions{UseRoutes: true})
+			r := NewCentralReconciler(fakeClient, private.ManagedCentral{}, nil, centralDBInitFunc,
+				createBase64Cipher(t),
+				CentralReconcilerOptions{UseRoutes: true})
 			r.routeService = k8s.NewRouteService(fakeClient)
 			central := simpleManagedCentral