Allow providing cluster-wide age identity via controller env var

Signed-off-by: Marcus Weiner <[email protected]>
fluxcd · Jul 4, 2023 · c088f51 · c088f51
1 parent 0fe3783
commit c088f51
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/internal/decryptor/decryptor.go b/internal/decryptor/decryptor.go
@@ -40,6 +40,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/api/resource"
@@ -201,6 +202,15 @@ func (d *Decryptor) ImportKeys(ctx context.Context) error {
 	provider := d.kustomization.Spec.Decryption.Provider
 	switch provider {
 	case DecryptionProviderSOPS:
+		// load age key from env variable
+		globalAgeIdentities, err := age.GlobalIdentities()
+		if err != nil {
+			log := ctrl.LoggerFrom(ctx)
+			log.Info("failed to decrypt age identity from environment, ignoring", "error", err)
+		} else {
+			d.ageIdentities = append(d.ageIdentities, globalAgeIdentities...)
+		}
+
 		secretName := types.NamespacedName{
 			Namespace: d.kustomization.GetNamespace(),
 			Name:      d.kustomization.Spec.Decryption.SecretRef.Name,
@@ -214,7 +224,6 @@ func (d *Decryptor) ImportKeys(ctx context.Context) error {
 			return fmt.Errorf("cannot get %s decryption Secret '%s': %w", provider, secretName, err)
 		}
 
-		var err error
 		for name, value := range secret.Data {
 			switch filepath.Ext(name) {
 			case DecryptionPGPExt:

diff --git a/internal/sops/age/keysource.go b/internal/sops/age/keysource.go
@@ -11,12 +11,32 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"os"
 	"strings"
 
 	"filippo.io/age"
 	"filippo.io/age/armor"
 )
 
+const (
+	// SopsAgeKeyEnv can be set as an environment variable to provide
+	// an additional key to use for decryption.
+	SopsAgeKeyEnv = "FLUX_SOPS_AGE_KEY"
+)
+
+// GlobalIdentities loads age identities from the [SopsAgeKeyEnv] environment variable.
+func GlobalIdentities() ([]age.Identity, error) {
+	if globalKey, ok := os.LookupEnv(SopsAgeKeyEnv); ok {
+		parsed, err := age.ParseIdentities(strings.NewReader(globalKey))
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse age identities from env var: %w", err)
+		}
+		return parsed, nil
+	}
+
+	return nil, nil
+}
+
 // MasterKey is an age key used to Encrypt and Decrypt SOPS' data key.
 //
 // Adapted from https://github.com/mozilla/sops/blob/v3.7.2/age/keysource.go