From 72a6ee45e3bec09e5ae89d144b86bff936546527 Mon Sep 17 00:00:00 2001 From: Eriks Zelenka Date: Wed, 19 Jun 2019 18:07:39 +0100 Subject: [PATCH] fix: add gpg support in the code of operator; add ephemeral gpg keypair creation in CI Signed-off-by: Eriks Zelenka --- .circleci/config.yml | 81 +++++++++++++++++-- TODO.md | 7 +- pkg/apis/isindir/v1alpha1/sopssecret_types.go | 10 ++- .../isindir/v1alpha1/zz_generated.deepcopy.go | 21 +++++ version/version.go | 2 +- 5 files changed, 110 insertions(+), 11 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 804bf976..18a86a8a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -13,6 +13,7 @@ jobs: HELM_VERSION: v2.14.1 GOLANG_VERSION: 1.12.5 OPERATOR_SDK_VERSION: 0.8.1 + SOPS_VERSION: 3.3.1 KUBECONFIG: /home/circleci/.kube/config @@ -32,10 +33,10 @@ jobs: - v2-modules-{{ .Branch }}- - v2-modules- - run: - name: setup golang + name: install golang command: | sudo rm -fr ${GOROOT} - curl -sSLO https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz + curl -sSLO https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz tar -xzf go${GOLANG_VERSION}.linux-amd64.tar.gz sudo mv go /usr/local rm -fr go${GOLANG_VERSION}.linux-amd64.tar.gz @@ -44,7 +45,17 @@ jobs: go version go env - run: - name: setup kubectl + name: install bats + command: | + sudo add-apt-repository ppa:duggan/bats + sudo apt-get update + sudo apt-get install bats -y + - run: + name: install gpg2 + command: | + sudo apt-get install gnupg2 -y + - run: + name: install kubectl command: | curl -sSLo kubectl https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/kubectl chmod +x kubectl 
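Review bot: The new `install bats` step in hunk `@@ -44,7 +45,17 @@` adds a personal PPA with `sudo add-apt-repository ppa:duggan/bats` and no `-y`, so the command may block waiting for confirmation in a non-interactive job, and it enrols a third party's archive signing key into the image's apt trust for a test-only tool. Prefer fetching a pinned bats release tarball and checking its SHA-256 before install, or at least add `-y` and a comment recording why this PPA is the chosen source, e.g. `sudo add-apt-repository -y ppa:duggan/bats`. The `install gpg2` step is fine as written since `gnupg2` comes from the distribution repositories. The surrounding job definition starts outside this hunk.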
@@ -52,13 +63,19 @@ jobs: mkdir -p ${HOME}/.kube touch ${HOME}/.kube/config - run: - name: setup operator-sdk + name: install sops + command: | + curl -sSLo sops https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux + chmod +x sops + sudo mv sops /usr/local/bin/ + - run: + name: install operator-sdk command: | curl -sSLo operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/v${OPERATOR_SDK_VERSION}/operator-sdk-v${OPERATOR_SDK_VERSION}-x86_64-linux-gnu chmod +x operator-sdk sudo mv operator-sdk /usr/local/bin/ - run: - name: setup minikube + name: install minikube command: | curl -sSLo minikube https://github.com/kubernetes/minikube/releases/download/${MINIKUBE_VERSION}/minikube-linux-amd64 chmod +x minikube @@ -71,7 +88,7 @@ jobs: until kubectl get nodes -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do sleep 1; done - + # make default account cluster-admin kubectl create clusterrolebinding add-on-cluster-admin --clusterrole cluster-admin --serviceaccount=kube-system:default @@ -97,10 +114,62 @@ jobs: name: Fetch Go dependencies command: | make mod + - run: + name: Build + command: | + make build - save_cache: key: v2-modules-{{ .Branch }}-{{ checksum "go.sum" }} paths: - "/home/circleci/gogo/pkg" + - run: + name: Run Local Tests + command: | + export GNUPGHOME="$(mktemp -d)" + cat >$GNUPGHOME/foo < 00init.enc.yaml + kubectl apply -f 00init.enc.yaml --namespace sops + sleep 3 + nohup make run/local & + sleep 75 + kubectl get sops --namespace sops + echo + kubectl get secrets --namespace sops + echo + export SECRETS_NUMBER=$( kubectl get secrets --namespace sops \ + | awk '$0!~/default-token/ && $0!~/NAME/ { print $1; }' \ + | wc -l ) + if [[ $SECRETS_NUMBER -ne 3 ]]; then + echo "Expected number of secrets in sops namespace is 3 - Failed" + exit 1 + fi + rm -fr $GNUPGHOME - run: name: Run Tests command: | diff --git a/TODO.md b/TODO.md index 8d5545cf..f1ff13b0 100644 --- a/TODO.md 
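Review bot: The new `install sops` step in hunk `@@ -52,13 +63,19 @@` downloads a release binary and moves it into `/usr/local/bin` with no integrity check, and `curl -sSLo` without `-f` will save an HTML error page on a failed request that `chmod +x` then marks executable. Since `SOPS_VERSION` is already pinned, pin the artifact too: `curl -fsSLo sops https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux` followed by `echo "<expected-sha256-placeholder>  sops" | sha256sum -c -` before the `chmod`. The operator-sdk and minikube downloads in the same hunk are context lines that predate this change and share the issue; the sops line is the one this commit introduces.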
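Review bot: In the new `Run Local Tests` step (hunk `@@ -97,10 +114,62 @@`) the ephemeral keyring is removed only by the trailing `rm -fr $GNUPGHOME`, which is skipped on the `exit 1` failure path, and the backgrounded `nohup make run/local &` is never stopped on either path. A `trap 'rm -fr "$GNUPGHOME"' EXIT` placed right after `export GNUPGHOME="$(mktemp -d)"` makes the cleanup unconditional and quotes the path. The fixed `sleep 75` used to wait for the operator is a flakiness source; polling `kubectl get secrets --namespace sops` until the expected count appears, with a timeout, would be more robust. Part of this step's script appears garbled in the patch (the text between `cat >$GNUPGHOME/foo` and `00init.enc.yaml`, presumably the key-generation heredoc and the sops encrypt call, is missing), so those commands cannot be reviewed here.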
+++ b/TODO.md
@@ -1,8 +1,9 @@ # ToDo
-* Add CI Pipeline
-* Add Unit Tests
-* Add helm chart tests
+* Finish CI work
+ * Add Unit Tests
+ * Add helm chart tests
+ * add e2e tests using ephemeral gpg key
 * Add helm chart documentation
 * Improve documentation
 * Add section on how to build operator from source
diff --git a/pkg/apis/isindir/v1alpha1/sopssecret_types.go b/pkg/apis/isindir/v1alpha1/sopssecret_types.go
index f810af93..4ceea4c0 100644
--- a/pkg/apis/isindir/v1alpha1/sopssecret_types.go
+++ b/pkg/apis/isindir/v1alpha1/sopssecret_types.go
@@ -33,12 +33,20 @@ type KmsDataItem struct {
 AwsProfile string `json:"aws_profile,omitempty"`
 }
+// PgpDataItem defines AWS KMS specific encryption details
+// +k8s:openapi-gen=true
+type PgpDataItem struct {
+ EncryptedKey string `json:"enc,omitempty"`
+ CreationDate string `json:"created_at,omitempty"`
+ FingerPrint string `json:"fp,omitempty"`
+}
+
 // SopsMetadata defines the encryption details
 // +k8s:openapi-gen=true
 type SopsMetadata struct {
 AwsKms []KmsDataItem `json:"kms,omitempty"`
+ Pgp []PgpDataItem `json:"pgp,omitempty"`
 //TODO: add following
- //Pgp []PgpDataItem `json:"pgp,omitempty"`
 //GcpKms []GcpKmsDataItem `json:"gcp_kms,omitempty"`
 //AzureKms []AzureKmsItem `json:"azure_kv,omitempty"`
diff --git a/pkg/apis/isindir/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/isindir/v1alpha1/zz_generated.deepcopy.go
index 040a0905..1206a87e 100644
--- a/pkg/apis/isindir/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/isindir/v1alpha1/zz_generated.deepcopy.go
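Review bot: The doc comment on the new type is a copy-paste leftover — `// PgpDataItem defines AWS KMS specific encryption details` describes the KMS type above it and should read `// PgpDataItem defines PGP specific encryption details`; the `enc`/`created_at`/`fp` tags correspond to the per-recipient entries of sops's `pgp` metadata block, which is worth stating in that comment. `FingerPrint` would conventionally be `Fingerprint` in Go, and since the field is new and only the json tag is wire-visible, renaming it now costs nothing. A short comment on `EncryptedKey` noting that it holds the PGP-encrypted data key as stored in the sops file (ciphertext, not the plaintext key) would help readers of the CRD type. The `SopsMetadata` struct closes outside the hunk.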
@@ -24,6 +24,22 @@ func (in *KmsDataItem) DeepCopy() *KmsDataItem { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PgpDataItem) DeepCopyInto(out *PgpDataItem) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PgpDataItem. +func (in *PgpDataItem) DeepCopy() *PgpDataItem { + if in == nil { + return nil + } + out := new(PgpDataItem) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SopsMetadata) DeepCopyInto(out *SopsMetadata) { *out = *in @@ -32,6 +48,11 @@ func (in *SopsMetadata) DeepCopyInto(out *SopsMetadata) { *out = make([]KmsDataItem, len(*in)) copy(*out, *in) } + if in.Pgp != nil { + in, out := &in.Pgp, &out.Pgp + *out = make([]PgpDataItem, len(*in)) + copy(*out, *in) + } return } diff --git a/version/version.go b/version/version.go index d3aa19c6..122e9624 100644 --- a/version/version.go +++ b/version/version.go @@ -2,5 +2,5 @@ package version var ( // Version of the operator - Version = "0.0.3" + Version = "0.0.4" )