feat: auto rotate configs and secrets (#11)

m-adawi · Jul 21, 2024 · 369e9df · 369e9df
1 parent 9e9a82d
commit 369e9df
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -63,6 +63,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.20.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-yaml v1.12.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
@@ -113,6 +114,7 @@ require (
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
 	google.golang.org/api v0.186.0 // indirect
 	google.golang.org/genproto v0.0.0-20240624140628-dc46fd24d27d // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -201,7 +203,7 @@ require (
 	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/net v0.26.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/term v0.21.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect

diff --git a/go.sum b/go.sum
@@ -248,6 +248,8 @@ github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAp
 github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM=
+github.com/goccy/go-yaml v1.12.0/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -686,6 +688,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -723,6 +727,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUOU8xyFgXv6cOTp2HASDlsDk=
+golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 google.golang.org/api v0.186.0 h1:n2OPp+PPXX0Axh4GuSsL5QL8xQCTb2oDwyzPnQvqUug=
 google.golang.org/api v0.186.0/go.mod h1:hvRbBmgoje49RV3xqVXrmP6w93n6ehGgIVPYrGtBFFc=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=

diff --git a/swarmcd/swarmcd.go b/swarmcd/swarmcd.go
@@ -1,14 +1,17 @@
 package swarmcd
 
 import (
+	"crypto/md5"
 	"fmt"
+	"os"
 	"path"
 	"sync"
 	"time"
 
 	"github.com/docker/cli/cli/command/stack"
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/goccy/go-yaml"
 	"github.com/m-adawi/swarm-cd/util"
 )
 
@@ -58,6 +61,11 @@ func updateStack(stackName string) (revision string, err error) {
 		return "", fmt.Errorf("failed to decrypt one or more sops files for %s stack: %w", stackName, err)
 	}
 
+	err = rotateConfigsAndSecrets(stackName) 
+	if err != nil {
+		return
+	}
+
 	err = deployStack(stackName) 
 	if err != nil {
 		return
@@ -139,6 +147,65 @@ func deployStack(stackName string) error {
 	return nil
 }
 
+
+
+func rotateConfigsAndSecrets(stackName string) error {
+	stackConfig := config.StackConfigs[stackName]
+	composeFile := path.Join(config.ReposPath, stackConfig.Repo, stackConfig.ComposeFile)
+	composeFileBytes, err := os.ReadFile(composeFile)
+	if err != nil {
+		return fmt.Errorf("could not read compose file %s: %w", composeFile, err)
+	}
+	var composeMap map[string]any
+	err = yaml.Unmarshal(composeFileBytes, &composeMap)
+	if err != nil {
+		return fmt.Errorf("could not parse yaml file %s: %w", composeFile, err)
+	}
+
+	composeDir := path.Dir(composeFile)
+	if configs, ok := composeMap["configs"].(map[string]any); ok {
+		err = rotateObjects(configs, composeDir, stackName)
+		if err != nil{
+			return fmt.Errorf("could not rotate one or more config files of stack %s: %w", stackName, err)
+		}
+	}
+	if secrets, ok := composeMap["secrets"].(map[string]any); ok {
+		err = rotateObjects(secrets, composeDir, stackName)
+		if err != nil{
+			return fmt.Errorf("could not rotate one or more secret files of stack %s: %w", stackName, err)
+		}
+	}
+
+	composeFileBytes, err = yaml.Marshal(composeMap)
+	if err != nil {
+		return fmt.Errorf("could not store comopse file as yaml after calculating hashes for stack %s", stackName)
+	}
+	fileInfo, _ := os.Stat(composeFile)
+	os.WriteFile(composeFile, composeFileBytes, fileInfo.Mode())
+	return nil
+}
+
+func rotateObjects(objects map[string]any, objectsDir string, stackName string) error {
+	for objectName, object := range objects {
+		objectMap, ok := object.(map[string]any)
+		if !ok {
+			return fmt.Errorf("invalid compose file: %s object must be a map", objectName)
+		}
+		objectFile, ok := objectMap["file"].(string)
+		if !ok {
+			return fmt.Errorf("invalid compose file: %s file field must be a string", objectName)
+		}
+		objectFilePath := path.Join(objectsDir, objectFile)
+		configFileBytes, err := os.ReadFile(objectFilePath)
+		if err != nil {
+			return fmt.Errorf("could not read file %s for rotation: %w", objectFilePath, err)
+		}
+		hash := fmt.Sprintf("%x", md5.Sum(configFileBytes))[:8]
+		objectMap["name"] = stackName + "-" + objectName + "-" + hash
+	}
+	return nil
+}
+
 func GetStackStatus() map[string]*StackStatus {
 	return stackStatus
 }