Introduce global decryption for SOPS age keys

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

internal/controller/kustomization_controller.go

@@ -104,6 +104,8 @@ type KustomizationReconciler struct {
 	NoRemoteBases           bool
 	FailFast                bool
 	DefaultServiceAccount   string
+	SOPSAgeSecret           string
+	RuntimeNamespace        string
 	KubeConfigOpts          runtimeClient.KubeConfigOptions
 	ConcurrentSSA           int
 	DisallowedFieldManagers []string
@@ -642,7 +644,19 @@ func (r *KustomizationReconciler) generate(obj unstructured.Unstructured,
 func (r *KustomizationReconciler) build(ctx context.Context,
 	obj *kustomizev1.Kustomization, u unstructured.Unstructured,
 	workDir, dirPath string) ([]byte, error) {
-	dec, cleanup, err := decryptor.NewTempDecryptor(workDir, r.Client, obj, r.TokenCache)
+
+	// Build decryptor.
+	decryptorOpts := []decryptor.Option{
+		decryptor.WithRoot(workDir),
+	}
+	if r.TokenCache != nil {
+		decryptorOpts = append(decryptorOpts, decryptor.WithTokenCache(*r.TokenCache))
+	}
+	if r.SOPSAgeSecret != "" {
+		decryptorOpts = append(decryptorOpts,
+			decryptor.WithSOPSAgeSecret(r.SOPSAgeSecret, r.RuntimeNamespace))
+	}
+	dec, cleanup, err := decryptor.New(r.Client, obj, decryptorOpts...)
 	if err != nil {
 		return nil, err
 	}

internal/decryptor/decryptor.go

@@ -162,32 +162,30 @@ type Decryptor struct {
 	// decryptor.
 	keyServices      []keyservice.KeyServiceClient
 	localServiceOnce sync.Once
-}
 
-// NewDecryptor creates a new Decryptor for the given kustomization.
-// gnuPGHome can be empty, in which case the systems' keyring is used.
-func NewDecryptor(root string, client client.Client, kustomization *kustomizev1.Kustomization,
-	maxFileSize int64, gnuPGHome string, tokenCache *cache.TokenCache) *Decryptor {
-	return &Decryptor{
-		root:          root,
-		client:        client,
-		kustomization: kustomization,
-		maxFileSize:   maxFileSize,
-		gnuPGHome:     pgp.GnuPGHome(gnuPGHome),
-		tokenCache:    tokenCache,
-	}
+	// sopsAgeSecret is the NamespacedName of the Secret containing
+	// a fallback SOPS age decryption key.
+	sopsAgeSecret *types.NamespacedName
 }
 
-// NewTempDecryptor creates a new Decryptor, with a temporary GnuPG
+// New creates a new Decryptor, with a temporary GnuPG
 // home directory to Decryptor.ImportKeys() into.
-func NewTempDecryptor(root string, client client.Client, kustomization *kustomizev1.Kustomization,
-	tokenCache *cache.TokenCache) (*Decryptor, func(), error) {
+func New(client client.Client, kustomization *kustomizev1.Kustomization, opts ...Option) (*Decryptor, func(), error) {
 	gnuPGHome, err := pgp.NewGnuPGHome()
 	if err != nil {
 		return nil, nil, fmt.Errorf("cannot create decryptor: %w", err)
 	}
 	cleanup := func() { _ = os.RemoveAll(gnuPGHome.String()) }
-	return NewDecryptor(root, client, kustomization, maxEncryptedFileSize, gnuPGHome.String(), tokenCache), cleanup, nil
+	d := &Decryptor{
+		client:        client,
+		kustomization: kustomization,
+		maxFileSize:   maxEncryptedFileSize,
+		gnuPGHome:     gnuPGHome,
+	}
+	for _, opt := range opts {
+		opt(d)
+	}
+	return d, cleanup, nil
 }
 
 // IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted
@@ -210,16 +208,43 @@ func IsEncryptedSecret(object *unstructured.Unstructured) bool {
 // For the import of PGP keys, the Decryptor must be configured with
 // an absolute GnuPG home directory path.
 func (d *Decryptor) ImportKeys(ctx context.Context) error {
-	if d.kustomization.Spec.Decryption == nil || d.kustomization.Spec.Decryption.SecretRef == nil {
+	if d.kustomization.Spec.Decryption == nil ||
+		(d.kustomization.Spec.Decryption.SecretRef == nil && d.sopsAgeSecret == nil) {
 		return nil
 	}
 
 	provider := d.kustomization.Spec.Decryption.Provider
 	switch provider {
 	case DecryptionProviderSOPS:
+		secretRef := d.kustomization.Spec.Decryption.SecretRef
+
+		// We handle the SOPS age global decryption separately, as most of the other
+		// decryption providers already support global decryption in other ways, and
+		// we don't want to introduce duplicate methods of achieving the same.
+		// Furthermore, allowing e.g. cloud provider credentials to be fetched
+		// from this global secret would prevent workload identity from working.
+		if secretRef == nil && d.sopsAgeSecret != nil {
+			var secret corev1.Secret
+			if err := d.client.Get(ctx, *d.sopsAgeSecret, &secret); err != nil {
+				if apierrors.IsNotFound(err) {
+					return err
+				}
+				return fmt.Errorf("cannot get %s SOPS age decryption Secret '%s': %w", provider, *d.sopsAgeSecret, err)
+			}
+			for name, value := range secret.Data {
+				if filepath.Ext(name) == DecryptionAgeExt {
+					if err := d.ageIdentities.Import(string(value)); err != nil {
+						return fmt.Errorf("failed to import '%s' data from %s SOPS age decryption Secret '%s': %w",
+							name, provider, *d.sopsAgeSecret, err)
+					}
+				}
+			}
+			return nil
+		}
+
 		secretName := types.NamespacedName{
 			Namespace: d.kustomization.GetNamespace(),
-			Name:      d.kustomization.Spec.Decryption.SecretRef.Name,
+			Name:      secretRef.Name,
 		}
 
 		var secret corev1.Secret

internal/decryptor/decryptor_test.go

@@ -376,7 +376,7 @@ clientSecret: some-client-secret`),
 				},
 			}
 
-			d, cleanup, err := NewTempDecryptor("", cb.Build(), &kustomization, nil)
+			d, cleanup, err := New(cb.Build(), &kustomization)
 			g.Expect(err).ToNot(HaveOccurred())
 			t.Cleanup(cleanup)
 
@@ -605,7 +605,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 			Provider: DecryptionProviderSOPS,
 		}
 
-		d, cleanup, err := NewTempDecryptor("", fake.NewClientBuilder().Build(), kus, nil)
+		d, cleanup, err := New(fake.NewClientBuilder().Build(), kus)
 		g.Expect(err).ToNot(HaveOccurred())
 		t.Cleanup(cleanup)
 
@@ -646,7 +646,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 			Provider: DecryptionProviderSOPS,
 		}
 
-		d, cleanup, err := NewTempDecryptor("", fake.NewClientBuilder().Build(), kus, nil)
+		d, cleanup, err := New(fake.NewClientBuilder().Build(), kus)
 		g.Expect(err).ToNot(HaveOccurred())
 		t.Cleanup(cleanup)
 
@@ -681,7 +681,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 			Provider: DecryptionProviderSOPS,
 		}
 
-		d, cleanup, err := NewTempDecryptor("", fake.NewClientBuilder().Build(), kus, nil)
+		d, cleanup, err := New(fake.NewClientBuilder().Build(), kus)
 		g.Expect(err).ToNot(HaveOccurred())
 		t.Cleanup(cleanup)
 
@@ -716,7 +716,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 			Provider: DecryptionProviderSOPS,
 		}
 
-		d, cleanup, err := NewTempDecryptor("", fake.NewClientBuilder().Build(), kus, nil)
+		d, cleanup, err := New(fake.NewClientBuilder().Build(), kus)
 		g.Expect(err).ToNot(HaveOccurred())
 		t.Cleanup(cleanup)
 
@@ -765,7 +765,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 	t.Run("nil resource", func(t *testing.T) {
 		g := NewWithT(t)
 
-		d, cleanup, err := NewTempDecryptor("", fake.NewClientBuilder().Build(), kustomization.DeepCopy(), nil)
+		d, cleanup, err := New(fake.NewClientBuilder().Build(), kustomization.DeepCopy())
 		g.Expect(err).ToNot(HaveOccurred())
 		t.Cleanup(cleanup)
 
@@ -777,7 +777,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 	t.Run("no decryption spec", func(t *testing.T) {
 		g := NewWithT(t)
 
-		d, cleanup, err := NewTempDecryptor("", fake.NewClientBuilder().Build(), kustomization.DeepCopy(), nil)
+		d, cleanup, err := New(fake.NewClientBuilder().Build(), kustomization.DeepCopy())
 		g.Expect(err).ToNot(HaveOccurred())
 		t.Cleanup(cleanup)
 
@@ -793,7 +793,7 @@ func TestDecryptor_DecryptResource(t *testing.T) {
 		kus.Spec.Decryption = &kustomizev1.Decryption{
 			Provider: "not-supported",
 		}
-		d, cleanup, err := NewTempDecryptor("", fake.NewClientBuilder().Build(), kus, nil)
+		d, cleanup, err := New(fake.NewClientBuilder().Build(), kus)
 		g.Expect(err).ToNot(HaveOccurred())
 		t.Cleanup(cleanup)
 

internal/decryptor/options.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package decryptor
+
+import (
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/fluxcd/pkg/cache"
+)
+
+// Option is a functional option for configuring the Decryptor.
+type Option func(o *Decryptor)
+
+// WithRoot sets the root directory for the Decryptor.
+func WithRoot(root string) Option {
+	return func(o *Decryptor) {
+		o.root = root
+	}
+}
+
+// WithTokenCache sets the token cache for the Decryptor.
+func WithTokenCache(tokenCache cache.TokenCache) Option {
+	return func(o *Decryptor) {
+		o.tokenCache = &tokenCache
+	}
+}
+
+// WithSOPSAgeSecret sets the SOPSAgeSecret for the Decryptor.
+func WithSOPSAgeSecret(name, namespace string) Option {
+	return func(o *Decryptor) {
+		o.sopsAgeSecret = &types.NamespacedName{
+			Name:      name,
+			Namespace: namespace,
+		}
+	}
+}

main.go

@@ -96,6 +96,8 @@ func main() {
 		noRemoteBases           bool
 		httpRetry               int
 		defaultServiceAccount   string
+		sopsAgeSecret           string
+		runtimeNamespace        string
 		featureGates            feathelper.FeatureGates
 		disallowedFieldManagers []string
 		tokenCacheOptions       pkgcache.TokenFlags
@@ -111,6 +113,7 @@ func main() {
 		"Disallow remote bases usage in Kustomize overlays. When this flag is enabled, all resources must refer to local files included in the source artifact.")
 	flag.IntVar(&httpRetry, "http-retry", 9, "The maximum number of retries when failing to fetch artifacts over HTTP.")
 	flag.StringVar(&defaultServiceAccount, "default-service-account", "", "Default service account used for impersonation.")
+	flag.StringVar(&sopsAgeSecret, "sops-age-secret", "", "The name of a Kubernetes secret in the RUNTIME_NAMESPACE containing a SOPS age decryption key for fallback usage.")
 	flag.StringArrayVar(&disallowedFieldManagers, "override-manager", []string{}, "Field manager disallowed to perform changes on managed resources.")
 
 	clientOptions.BindFlags(flag.CommandLine)
@@ -148,9 +151,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	runtimeNamespace = os.Getenv("RUNTIME_NAMESPACE")
+
 	watchNamespace := ""
 	if !watchOptions.AllNamespaces {
-		watchNamespace = os.Getenv("RUNTIME_NAMESPACE")
+		watchNamespace = runtimeNamespace
 	}
 
 	watchSelector, err := runtimeCtrl.GetWatchSelector(watchOptions)
@@ -271,6 +276,8 @@ func main() {
 	if err = (&controller.KustomizationReconciler{
 		ControllerName:          controllerName,
 		DefaultServiceAccount:   defaultServiceAccount,
+		SOPSAgeSecret:           sopsAgeSecret,
+		RuntimeNamespace:        runtimeNamespace,
 		Client:                  mgr.GetClient(),
 		Mapper:                  restMapper,
 		APIReader:               mgr.GetAPIReader(),