airshipctl/pkg/config/config.go
uday.ruddarraju 9a608de653 Encrypt and decrypt using sops
Design document: https://docs.google.com/document/d/1EjiCuXoiy8DEEXe15KxVJ4iWrwogCyG113_0LdzcWzQ/edit?usp=drive_web&ouid=102644738301620637153

Demo readme: https://hackmd.io/@WE7PUWXBRVeQJzCZkXkOLw/ryoW-aOLv

This patchset comprises of:
- package library to interact with sops
- integrate airshipctl encrypt/decrypt with sops

Change-Id: I2ca3ff3c8661d146708084728cb3f87365a4f39e
2020-10-23 02:27:45 -07:00

576 lines
17 KiB
Go

/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package config
import (
"fmt"
"io/ioutil"
"os"
"path/filepath"
"sort"
"sigs.k8s.io/yaml"
"opendev.org/airship/airshipctl/pkg/log"
"opendev.org/airship/airshipctl/pkg/util"
)
// Where possible, json tags match the cli argument names.
// Top level config objects and all values required for proper functioning are not "omitempty".
// Any truly optional piece of config is allowed to be omitted.
// Config holds the information required by airshipctl commands
// It is somewhat a superset of what a kubeconfig looks like
type Config struct {
// +optional
Kind string `json:"kind,omitempty"`
// +optional
APIVersion string `json:"apiVersion,omitempty"`
// Permissions is a struct of permissions for file and directory
Permissions Permissions `json:"permissions,omitempty"`
// Contexts is a map of referenceable names to context configs
Contexts map[string]*Context `json:"contexts"`
// Manifests is a map of referenceable names to documents
Manifests map[string]*Manifest `json:"manifests"`
// EncryptionConfigs is a map of referenceable names to encryption configs
EncryptionConfigs map[string]*EncryptionConfig `json:"encryptionConfigs"`
// CurrentContext is the name of the context that you would like to use by default
CurrentContext string `json:"currentContext"`
// Management configuration defines management information for all baremetal hosts in a cluster.
ManagementConfiguration map[string]*ManagementConfiguration `json:"managementConfiguration"`
// loadedConfigPath is the full path to the the location of the config
// file from which this config was loaded
// +not persisted in file
loadedConfigPath string
}
// Permissions has the permissions for file and directory
type Permissions struct {
DirectoryPermission uint32
FilePermission uint32
}
// Factory is a function which returns ready to use config object and error (if any)
type Factory func() (*Config, error)
// CreateFactory returns function which creates ready to use Config object
func CreateFactory(airshipConfigPath *string) Factory {
return func() (*Config, error) {
cfg := NewConfig()
var acp string
if airshipConfigPath != nil {
acp = *airshipConfigPath
}
cfg.initConfigPath(acp)
err := cfg.LoadConfig()
if err != nil {
// Should stop airshipctl
log.Fatal("Failed to load or initialize config: ", err)
}
return cfg, cfg.EnsureComplete()
}
}
// CreateConfig saves default config to specified paths
func CreateConfig(airshipConfigPath string) error {
cfg := NewConfig()
cfg.initConfigPath(airshipConfigPath)
return cfg.PersistConfig()
}
// initConfigPath - Initializes loadedConfigPath variable for Config object
func (c *Config) initConfigPath(airshipConfigPath string) {
switch {
case airshipConfigPath != "":
// The loadedConfigPath may already have been received as a command line argument
c.loadedConfigPath = airshipConfigPath
case os.Getenv(AirshipConfigEnv) != "":
// Otherwise, we can check if we got the path via ENVIRONMENT variable
c.loadedConfigPath = os.Getenv(AirshipConfigEnv)
default:
// Otherwise, we'll try putting it in the home directory
c.loadedConfigPath = filepath.Join(util.UserHomeDir(), AirshipConfigDir, AirshipConfig)
}
}
// LoadConfig populates the Config from the file found at airshipConfigPath.
// If there is no file at airshipConfigPath, this function does nothing.
// An error is returned if:
// * airshipConfigPath is the empty string
// * the file at airshipConfigPath is inaccessible
// * the file at airshipConfigPath cannot be marshaled into Config
func (c *Config) LoadConfig() error {
// If I can read from the file, load from it
// throw an error otherwise
if _, err := os.Stat(c.loadedConfigPath); err != nil {
return err
}
return util.ReadYAMLFile(c.loadedConfigPath, c)
}
// EnsureComplete verifies that a Config object is ready to use.
// A complete Config object meets the following criteria:
// * At least 1 Context is defined
// * At least 1 Manifest is defined
// * The CurrentContext is set
// * The CurrentContext identifies an existing Context
// * The CurrentContext identifies an existing Manifest
func (c *Config) EnsureComplete() error {
if len(c.Contexts) == 0 {
return ErrMissingConfig{
What: "At least one Context needs to be defined",
}
}
if len(c.Manifests) == 0 {
return ErrMissingConfig{
What: "At least one Manifest needs to be defined",
}
}
if c.CurrentContext == "" {
return ErrMissingConfig{
What: "Current Context is not defined",
}
}
currentContext, found := c.Contexts[c.CurrentContext]
if !found {
return ErrMissingConfig{
What: fmt.Sprintf("Current Context (%s) does not identify a defined Context", c.CurrentContext),
}
}
if _, found := c.Manifests[currentContext.Manifest]; !found {
return ErrMissingConfig{
What: fmt.Sprintf("Current Context (%s) does not identify a defined Manifest", c.CurrentContext),
}
}
return nil
}
// PersistConfig updates the airshipctl config file to match
// the current Config object.
// If file did not previously exist, the file will be created.
// Otherwise, the file will be overwritten
func (c *Config) PersistConfig() error {
airshipConfigYaml, err := c.ToYaml()
if err != nil {
return err
}
// WriteFile doesn't create the directory, create it if needed
configDir := filepath.Dir(c.loadedConfigPath)
err = os.MkdirAll(configDir, os.FileMode(c.Permissions.DirectoryPermission))
if err != nil {
return err
}
// Write the Airship Config file
err = ioutil.WriteFile(c.loadedConfigPath, airshipConfigYaml, os.FileMode(c.Permissions.FilePermission))
if err != nil {
return err
}
// Change the permission of directory
err = os.Chmod(configDir, os.FileMode(c.Permissions.DirectoryPermission))
if err != nil {
return err
}
// Change the permission of config file
err = os.Chmod(c.loadedConfigPath, os.FileMode(c.Permissions.FilePermission))
if err != nil {
return err
}
return nil
}
func (c *Config) String() string {
yamlData, err := c.ToYaml()
// This is hiding the error perhaps
if err != nil {
return ""
}
return string(yamlData)
}
// ToYaml returns a YAML document
// It serializes the given Config object to a valid YAML document
func (c *Config) ToYaml() ([]byte, error) {
return yaml.Marshal(&c)
}
// LoadedConfigPath returns the file path of airship config
// from where the current Config object is created
func (c *Config) LoadedConfigPath() string {
return c.loadedConfigPath
}
// SetLoadedConfigPath updates the file path of airship config
// in the Config object
func (c *Config) SetLoadedConfigPath(lcp string) {
c.loadedConfigPath = lcp
}
// GetContext returns a context instance
func (c *Config) GetContext(cName string) (*Context, error) {
context, exists := c.Contexts[cName]
if !exists {
return nil, ErrMissingConfig{What: fmt.Sprintf("Context with name '%s'", cName)}
}
return context, nil
}
// GetContexts returns all of the contexts associated with the Config sorted by name
func (c *Config) GetContexts() []*Context {
keys := make([]string, 0, len(c.Contexts))
for name := range c.Contexts {
keys = append(keys, name)
}
sort.Strings(keys)
contexts := make([]*Context, 0, len(c.Contexts))
for _, name := range keys {
contexts = append(contexts, c.Contexts[name])
}
return contexts
}
// GetManagementConfiguration retrieves a management configuration by name.
func (c *Config) GetManagementConfiguration(name string) (*ManagementConfiguration, error) {
managementCfg, exists := c.ManagementConfiguration[name]
if !exists {
return nil, ErrManagementConfigurationNotFound{Name: name}
}
return managementCfg, nil
}
// AddContext creates a new context and returns the instance of
// newly created context
func (c *Config) AddContext(theContext *ContextOptions) *Context {
// Create the new Airship config context
nContext := NewContext()
c.Contexts[theContext.Name] = nContext
nContext.NameInKubeconf = theContext.Name
// Ok , I have initialized structs for the Context information
// We can use Modify to populate the correct information
c.ModifyContext(nContext, theContext)
return nContext
}
// ModifyContext updates Context object with given given context options
func (c *Config) ModifyContext(context *Context, theContext *ContextOptions) {
if theContext.ManagementConfiguration != "" {
context.ManagementConfiguration = theContext.ManagementConfiguration
}
if theContext.Manifest != "" {
context.Manifest = theContext.Manifest
}
if theContext.EncryptionConfig != "" {
context.EncryptionConfig = theContext.EncryptionConfig
}
}
// GetCurrentContext methods Returns the appropriate information for the current context
// Current Context holds labels for the appropriate config objects
func (c *Config) GetCurrentContext() (*Context, error) {
currentContext, err := c.GetContext(c.CurrentContext)
if err != nil {
// this should not happen since Ensure Complete checks for this
return nil, err
}
return currentContext, nil
}
// CurrentContextManifest returns the manifest for the current context
func (c *Config) CurrentContextManifest() (*Manifest, error) {
currentContext, err := c.GetCurrentContext()
if err != nil {
return nil, err
}
return c.Manifests[currentContext.Manifest], nil
}
// CurrentContextTargetPath returns target path from current context's manifest
func (c *Config) CurrentContextTargetPath() (string, error) {
ccm, err := c.CurrentContextManifest()
if err != nil {
return "", err
}
return ccm.TargetPath, nil
}
// CurrentContextPhaseRepositoryDir returns phase repository directory from current context's manifest
// E.g. let repository url be "http://dummy.org/phaserepo.git" then repo directory under targetPath is "phaserepo"
func (c *Config) CurrentContextPhaseRepositoryDir() (string, error) {
ccm, err := c.CurrentContextManifest()
if err != nil {
return "", err
}
repo, exist := ccm.Repositories[ccm.PhaseRepositoryName]
if !exist {
return "", ErrMissingRepositoryName{}
}
return util.GitDirNameFromURL(repo.URL()), nil
}
// GetManifests returns all of the Manifests associated with the Config sorted by name
func (c *Config) GetManifests() []*Manifest {
keys := make([]string, 0, len(c.Manifests))
for name := range c.Manifests {
keys = append(keys, name)
}
sort.Strings(keys)
manifests := make([]*Manifest, 0, len(c.Manifests))
for _, name := range keys {
manifests = append(manifests, c.Manifests[name])
}
return manifests
}
// AddManifest creates new Manifest
func (c *Config) AddManifest(theManifest *ManifestOptions) *Manifest {
nManifest := NewManifest()
c.Manifests[theManifest.Name] = nManifest
err := c.ModifyManifest(nManifest, theManifest)
if err != nil {
return nil
}
return nManifest
}
// ModifyManifest set actual values to manifests
func (c *Config) ModifyManifest(manifest *Manifest, theManifest *ManifestOptions) error {
if theManifest.IsPhase {
manifest.PhaseRepositoryName = theManifest.RepoName
}
if theManifest.SubPath != "" {
manifest.SubPath = theManifest.SubPath
}
if theManifest.TargetPath != "" {
manifest.TargetPath = theManifest.TargetPath
}
if theManifest.MetadataPath != "" {
manifest.MetadataPath = theManifest.MetadataPath
}
// There is no repository details to be updated
if theManifest.RepoName == "" {
return nil
}
//when setting an existing repository as phase, verify whether the repository exists
//and user is also not passing any repository URL
if theManifest.IsPhase && theManifest.URL == "" && (manifest.Repositories[theManifest.RepoName] == nil) {
return ErrRepositoryNotFound{theManifest.RepoName}
}
repository, exists := manifest.Repositories[theManifest.RepoName]
if !exists {
_, err := c.AddRepository(manifest, theManifest)
if err != nil {
return err
}
} else {
err := c.ModifyRepository(repository, theManifest)
if err != nil {
return err
}
}
return nil
}
// AddRepository creates new Repository
func (c *Config) AddRepository(manifest *Manifest, theManifest *ManifestOptions) (*Repository, error) {
nRepository := NewRepository()
manifest.Repositories[theManifest.RepoName] = nRepository
err := c.ModifyRepository(nRepository, theManifest)
if err != nil {
return nil, err
}
return nRepository, nil
}
// ModifyRepository set actual values to repository
func (c *Config) ModifyRepository(repository *Repository, theManifest *ManifestOptions) error {
if theManifest.URL != "" {
repository.URLString = theManifest.URL
}
if theManifest.Branch != "" {
repository.CheckoutOptions.Branch = theManifest.Branch
}
if theManifest.CommitHash != "" {
repository.CheckoutOptions.CommitHash = theManifest.CommitHash
}
if theManifest.Tag != "" {
repository.CheckoutOptions.Tag = theManifest.Tag
}
if theManifest.Force {
repository.CheckoutOptions.ForceCheckout = theManifest.Force
}
possibleValues := [3]string{repository.CheckoutOptions.CommitHash,
repository.CheckoutOptions.Branch, repository.CheckoutOptions.Tag}
var count int
for _, val := range possibleValues {
if val != "" {
count++
}
}
if count > 1 {
return ErrMutuallyExclusiveCheckout{}
}
if count == 0 {
return ErrMissingRepoCheckoutOptions{}
}
return nil
}
// GetEncryptionConfigs returns all the encryption configs associated with the Config sorted by name
func (c *Config) GetEncryptionConfigs() []*EncryptionConfig {
keys := make([]string, 0, len(c.EncryptionConfigs))
for name := range c.EncryptionConfigs {
keys = append(keys, name)
}
sort.Strings(keys)
encryptionConfigs := make([]*EncryptionConfig, 0, len(c.EncryptionConfigs))
for _, name := range keys {
encryptionConfigs = append(encryptionConfigs, c.EncryptionConfigs[name])
}
return encryptionConfigs
}
// GetEncryptionConfig returns encryption configs associated with name
// Returns error if no encryption config with name is found
func (c *Config) GetEncryptionConfig(name string) (*EncryptionConfig, error) {
encryptionConfig, exists := c.EncryptionConfigs[name]
if !exists {
return nil, ErrEncryptionConfigurationNotFound{
Name: fmt.Sprintf("Encryption Config with name '%s'", name),
}
}
return encryptionConfig, nil
}
// AddEncryptionConfig creates a new encryption config
func (c *Config) AddEncryptionConfig(options *EncryptionConfigOptions) *EncryptionConfig {
encryptionConfig := &EncryptionConfig{
EncryptionKeyFileSource: EncryptionKeyFileSource{
EncryptionKeyPath: options.EncryptionKeyPath,
DecryptionKeyPath: options.DecryptionKeyPath,
},
EncryptionKeySecretSource: EncryptionKeySecretSource{
KeySecretName: options.KeySecretName,
KeySecretNamespace: options.KeySecretNamespace,
},
}
if c.EncryptionConfigs == nil {
c.EncryptionConfigs = make(map[string]*EncryptionConfig)
}
c.EncryptionConfigs[options.Name] = encryptionConfig
return encryptionConfig
}
// ModifyEncryptionConfig sets existing values to existing encryption config
func (c *Config) ModifyEncryptionConfig(encryptionConfig *EncryptionConfig, options *EncryptionConfigOptions) {
if options.EncryptionKeyPath != "" {
encryptionConfig.EncryptionKeyPath = options.EncryptionKeyPath
}
if options.DecryptionKeyPath != "" {
encryptionConfig.DecryptionKeyPath = options.DecryptionKeyPath
}
if options.KeySecretName != "" {
encryptionConfig.KeySecretName = options.KeySecretName
}
if options.KeySecretNamespace != "" {
encryptionConfig.KeySecretNamespace = options.KeySecretNamespace
}
return
}
// CurrentContextManagementConfig returns the management options for the current context
func (c *Config) CurrentContextManagementConfig() (*ManagementConfiguration, error) {
currentContext, err := c.GetCurrentContext()
if err != nil {
return nil, err
}
if currentContext.ManagementConfiguration == "" {
return nil, ErrMissingConfig{
What: fmt.Sprintf("No management config listed for cluster %s", currentContext.NameInKubeconf),
}
}
managementCfg, exists := c.ManagementConfiguration[currentContext.ManagementConfiguration]
if !exists {
return nil, ErrMissingManagementConfiguration{context: currentContext}
}
return managementCfg, nil
}
// CurrentContextEncryptionConfig returns the encryption config for the current context
func (c *Config) CurrentContextEncryptionConfig() (*EncryptionConfig, error) {
currentContext, err := c.GetCurrentContext()
if err != nil {
return nil, err
}
return c.GetEncryptionConfig(currentContext.EncryptionConfig)
}
// Purge removes the config file
func (c *Config) Purge() error {
return os.Remove(c.loadedConfigPath)
}
// CurrentContextManifestMetadata gets manifest metadata
func (c *Config) CurrentContextManifestMetadata() (*Metadata, error) {
manifest, err := c.CurrentContextManifest()
if err != nil {
return nil, err
}
phaseRepoDir, err := c.CurrentContextPhaseRepositoryDir()
if err != nil {
return nil, err
}
meta := &Metadata{
// Populate with empty values to avoid nil pointers
Inventory: &InventoryMeta{},
PhaseMeta: &PhaseMeta{},
}
err = util.ReadYAMLFile(filepath.Join(manifest.TargetPath, phaseRepoDir, manifest.MetadataPath), meta)
if err != nil {
return nil, err
}
return meta, nil
}