Initial git import

Author: anguslees

.gitignore

@@ -12,3 +12,6 @@
 
 # Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
 .glide/
+
+/controller
+/ksonnet-seal

Makefile

@@ -0,0 +1,29 @@
+GO = go
+GO_FLAGS =
+GOFMT = gofmt
+
+# TODO: Simplify this once ./... ignores ./vendor
+GO_PACKAGES = ./cmd/... ./api/...
+GO_FILES := $(shell find $(shell $(GO) list -f '{{.Dir}}' $(GO_PACKAGES)) -name \*.go)
+
+all: controller ksonnet-seal
+
+controller: $(GO_FILES)
+	$(GO) build -o $@ $(GO_FLAGS) ./cmd/controller/...
+
+ksonnet-seal: $(GO_FILES)
+	$(GO) build -o $@ $(GO_FLAGS) ./cmd/ksonnet-seal/...
+
+test:
+	$(GO) test $(GO_FLAGS) $(GO_PACKAGES)
+
+vet:
+	$(GO) vet $(GO_FLAGS) $(GO_PACKAGES)
+
+fmt:
+	$(GOFMT) -s -w $(GO_FILES)
+
+clean:
+	$(RM) ./controller ./ksonnet-seal
+
+.PHONY: all test clean vet fmt

apis/v1alpha1/register.go

@@ -0,0 +1,32 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/pkg/api"
+)
+
+// GroupName is the group name used in this package
+const GroupName = "ksonnet.io"
+
+var (
+	// SchemeGroupVersion is the group version used to register these objects
+	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+	// SchemeBuilder adds this group to scheme
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+)
+
+func init() {
+	SchemeBuilder.AddToScheme(api.Scheme)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&SealedSecret{},
+		&SealedSecretList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}

apis/v1alpha1/sealedsecret.go

@@ -0,0 +1,270 @@
+package v1alpha1
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rsa"
+	"crypto/sha256"
+	"encoding/binary"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/pkg/api/v1"
+)
+
+const (
+	// SealedSecretName is the name used in SealedSecret TPR
+	SealedSecretName = "sealed-secret." + GroupName
+	// SealedSecretPlural is the collection plural used with SealedSecret API
+	SealedSecretPlural = "sealedsecrets"
+
+	sessionKeyBytes = 32
+)
+
+// ErrTooShort indicates the provided data is too short to be valid
+var ErrTooShort = errors.New("SealedSecret data is too short")
+
+// SealedSecretSpec is the specification of a SealedSecret
+type SealedSecretSpec struct {
+	Data []byte `json:"data"`
+}
+
+// SealedSecret is the K8s representation of a "sealed Secret" - a
+// regular k8s Secret that has been sealed (encrypted) using the
+// controller's key.
+type SealedSecret struct {
+	metav1.TypeMeta `json:",inline"`
+	// Note, can't use implicit object here:
+	// https://github.com/kubernetes/client-go/issues/8
+	Metadata metav1.ObjectMeta `json:"metadata"`
+
+	Spec SealedSecretSpec `json:"spec"`
+}
+
+// SealedSecretList represents a list of SealedSecrets
+type SealedSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	Metadata        metav1.ListMeta `json:"metadata"`
+
+	Items []SealedSecret `json:"items"`
+}
+
+// GetObjectKind is required for Object interface
+func (s *SealedSecret) GetObjectKind() schema.ObjectKind {
+	return &s.TypeMeta
+}
+
+// GetObjectMeta is required for ObjectMetaAccessor interface
+func (s *SealedSecret) GetObjectMeta() metav1.Object {
+	return &s.Metadata
+}
+
+// GetObjectKind is required for Object interface
+func (sl *SealedSecretList) GetObjectKind() schema.ObjectKind {
+	return &sl.TypeMeta
+}
+
+// GetListMeta is required for ListMetaAccessor interface
+func (sl *SealedSecretList) GetListMeta() metav1.List {
+	return &sl.Metadata
+}
+
+func labelFor(o metav1.Object) []byte {
+	label := fmt.Sprintf("%s/%s", o.GetNamespace(), o.GetName())
+	return []byte(label)
+}
+
+func hybridEncrypt(rnd io.Reader, pubKey *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
+	// Generate a random symmetric key
+	sessionKey := make([]byte, sessionKeyBytes)
+	if _, err := io.ReadFull(rnd, sessionKey); err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(sessionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	aed, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	// Encrypt symmetric key
+	rsaCiphertext, err := rsa.EncryptOAEP(sha256.New(), rnd, pubKey, sessionKey, label)
+	if err != nil {
+		return nil, err
+	}
+
+	// First 2 bytes are RSA ciphertext length, so we can separate
+	// all the pieces later.
+	ciphertext := make([]byte, 2)
+	binary.BigEndian.PutUint16(ciphertext, uint16(len(rsaCiphertext)))
+	ciphertext = append(ciphertext, rsaCiphertext...)
+
+	// SessionKey is random (and single-use), so zero nonce is ok
+	zeroNonce := make([]byte, aed.NonceSize())
+
+	// Append symmetrically encrypted Secret
+	ciphertext = aed.Seal(ciphertext, zeroNonce, plaintext, nil)
+
+	return ciphertext, nil
+}
+
+func hybridDecrypt(rnd io.Reader, privKey *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
+	if len(ciphertext) < 2 {
+		return nil, ErrTooShort
+	}
+	rsaLen := int(binary.BigEndian.Uint16(ciphertext))
+	if len(ciphertext) < rsaLen+2 {
+		return nil, ErrTooShort
+	}
+
+	rsaCiphertext := ciphertext[2 : rsaLen+2]
+	aesCiphertext := ciphertext[rsaLen+2:]
+
+	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rnd, privKey, rsaCiphertext, label)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(sessionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	aed, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	// Key is random (and single-use), so zero nonce is ok
+	zeroNonce := make([]byte, aed.NonceSize())
+
+	plaintext, err := aed.Open(nil, zeroNonce, aesCiphertext, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return plaintext, nil
+}
+
+// NewSealedSecret creates a new SealedSecret object wrapping the
+// provided secret.
+func NewSealedSecret(codecs runtimeserializer.CodecFactory, rnd io.Reader, pubKey *rsa.PublicKey, secret *v1.Secret) (*SealedSecret, error) {
+	info, ok := runtime.SerializerInfoForMediaType(codecs.SupportedMediaTypes(), runtime.ContentTypeJSON)
+	if !ok {
+		return nil, fmt.Errorf("binary can't serialize JSON")
+	}
+
+	if secret.GetNamespace() == "" {
+		return nil, fmt.Errorf("Secret must declare a namespace")
+	}
+
+	codec := codecs.EncoderForVersion(info.Serializer, v1.SchemeGroupVersion)
+	plaintext, err := runtime.Encode(codec, secret)
+	if err != nil {
+		return nil, err
+	}
+
+	// RSA-OAEP will fail to decrypt unless the same label is used
+	// during decryption.
+	label := labelFor(secret)
+
+	ciphertext, err := hybridEncrypt(rnd, pubKey, plaintext, label)
+	if err != nil {
+		return nil, err
+	}
+
+	return &SealedSecret{
+		Metadata: metav1.ObjectMeta{
+			Name:      secret.GetName(),
+			Namespace: secret.GetNamespace(),
+		},
+		Spec: SealedSecretSpec{
+			Data: ciphertext,
+		},
+	}, nil
+}
+
+// Unseal decypts and returns the embedded v1.Secret.
+func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, rnd io.Reader, privKey *rsa.PrivateKey) (*v1.Secret, error) {
+	boolTrue := true
+	smeta := s.GetObjectMeta()
+
+	// This will fail to decrypt unless the same label was used
+	// during encryption.  This check ensures that we can't be
+	// tricked into decrypting a sealed secret into an unexpected
+	// namespace/name.
+	label := labelFor(smeta)
+
+	plaintext, err := hybridDecrypt(rnd, privKey, s.Spec.Data, label)
+	if err != nil {
+		return nil, err
+	}
+
+	var secret v1.Secret
+	dec := codecs.UniversalDecoder(secret.GroupVersionKind().GroupVersion())
+	if err = runtime.DecodeInto(dec, plaintext, &secret); err != nil {
+		return nil, err
+	}
+
+	// Ensure these are set to what we expect
+	secret.SetNamespace(smeta.GetNamespace())
+	secret.SetName(smeta.GetName())
+
+	// Refer back to owning SealedSecret
+	ownerRefs := []metav1.OwnerReference{
+		metav1.OwnerReference{
+			APIVersion: s.GetObjectKind().GroupVersionKind().GroupVersion().String(),
+			Kind:       s.GetObjectKind().GroupVersionKind().Kind,
+			Name:       smeta.GetName(),
+			UID:        smeta.GetUID(),
+			Controller: &boolTrue,
+		},
+	}
+	secret.SetOwnerReferences(ownerRefs)
+
+	return &secret, nil
+}
+
+// The code below is used only to work around a known problem with third-party
+// resources and ugorji. If/when these issues are resolved, the code below
+// should no longer be required.
+
+// SealedSecretListCopy is a workaround for a ugorji issue
+type SealedSecretListCopy SealedSecretList
+
+// SealedSecretCopy is a workaround for a ugorji issue
+type SealedSecretCopy SealedSecret
+
+// UnmarshalJSON ensures SealedSecret objects can be decoded from JSON successfully
+func (s *SealedSecret) UnmarshalJSON(data []byte) error {
+	tmp := SealedSecretCopy{}
+	err := json.Unmarshal(data, &tmp)
+	if err != nil {
+		return err
+	}
+	tmp2 := SealedSecret(tmp)
+	*s = tmp2
+	return nil
+}
+
+// UnmarshalJSON ensures SealedSecretList objects can be decoded from JSON successfully
+func (sl *SealedSecretList) UnmarshalJSON(data []byte) error {
+	tmp := SealedSecretListCopy{}
+	err := json.Unmarshal(data, &tmp)
+	if err != nil {
+		return err
+	}
+	tmp2 := SealedSecretList(tmp)
+	*sl = tmp2
+	return nil
+}