From c630bdd1b926324905b1ffcfffab15d25a120145 Mon Sep 17 00:00:00 2001
From: Piotr Halama
Date: Fri, 24 Nov 2023 13:29:52 +0100
Subject: [PATCH] Remove KMS rotation (#9381)
---
 .koapps.yaml | 1 -
 cmd/cloud-run/kms-rotate/README.md | 44 ---
 cmd/cloud-run/kms-rotate/kms-rotate.go | 229 -----------
 cmd/cloud-run/kms-rotate/kms-rotate_test.go | 360 ------------------
 docs/index.md | 13 +-
 docs/prow/presets.md | 1 -
 prow/config.yaml | 10 -
 .../compass/compass-gke-benchmark.yaml | 3 -
 prow/jobs/scans/whitesource-periodics.yaml | 38 --
 templates/config.yaml | 1 -
 .../data/whitesource-periodics-data.yaml | 2 -
 11 files changed, 5 insertions(+), 697 deletions(-)
 delete mode 100644 cmd/cloud-run/kms-rotate/README.md
 delete mode 100644 cmd/cloud-run/kms-rotate/kms-rotate.go
 delete mode 100644 cmd/cloud-run/kms-rotate/kms-rotate_test.go
diff --git a/.koapps.yaml b/.koapps.yaml
index 87c5bc681b94..c1ddadadcee0 100644
--- a/.koapps.yaml
+++ b/.koapps.yaml
@@ -17,7 +17,6 @@ apps:
 - ko://github.com/kyma-project/test-infra/cmd/tools/externalsecretschecker
 - ko://github.com/kyma-project/test-infra/cmd/gardener-rotate
 - ko://github.com/kyma-project/test-infra/cmd/cloud-run/gardener-sa-rotate
- - ko://github.com/kyma-project/test-infra/cmd/cloud-run/kms-rotate
 - ko://github.com/kyma-project/test-infra/cmd/cloud-run/create-github-issue
 - ko://github.com/kyma-project/test-infra/cmd/cloud-run/move-gcs-bucket
 - ko://github.com/kyma-project/test-infra/cmd/cloud-run/scan-logs-for-secrets
diff --git a/cmd/cloud-run/kms-rotate/README.md b/cmd/cloud-run/kms-rotate/README.md
deleted file mode 100644
index 45667536c601..000000000000
--- a/cmd/cloud-run/kms-rotate/README.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# Rotate KMS secrets using Cloud Run
-
-## Overview
-
-The Cloud Run application decrypts and encrypts files in a bucket with the latest version of a KMS key, and deletes old versions of a key. The function is triggered by a HTTP POST request sent by a Cloud Scheduler.
-
-1. A job in Cloud Scheduler sends a POST request to the Cloud Run application.
-2. The Cloud Run application checks if there is more than one enabled key version. If not, it stops running.
-3. The Cloud Run application decrypts and encrypts files in the bucket with the latest version of the key.
-4. The Cloud Run application marks the old versions of a KMS key for destruction.
-
-
-## Cloud Run deployment
-
-To deploy the Cloud Run application, follow these steps:
-
-1. Use the following command to deploy the Cloud Run application:
-```bash
-gcloud run deploy rotate-kms-key \
---region europe-west1 \
---timeout 600 \
---max-instances 1 \
---memory 128Mi \
---service-account sa-kms-update@sap-kyma-prow.iam.gserviceaccount.com \
---ingress all \
---project sap-kyma-prow \
---image europe-docker.pkg.dev/kyma-project/prod/test-infra/kms-rotate:v20221025-47772933
-```
-2. Create a new job in Cloud Scheduler that calls the Cloud Run endpoint with JSON config passed as a POST body.
-
-
-# JSON request parameters
-
-See the list of JSON arguments for the function:
-| Name | Required | Description |
-| :------------------------ | :------: | :--------------------------------------------------------------------------------------------------- |
-| **project** | Yes | Name of the CGP project containing the KMS key. |
-| **location** | Yes | Name of the CGP location where the KMS key is stored. |
-| **bucketName** | Yes | Name of the CGP bucket containing the files to be re-encrypted. |
-| **bucketPrefix** | No | Prefix of the files stored in the bucket used to filter them out. |
-| **keyring** | Yes | Name of the keyring containing the KMS key. |
-| **key** | Yes | Name of the KMS key. |
-
-
diff --git a/cmd/cloud-run/kms-rotate/kms-rotate.go b/cmd/cloud-run/kms-rotate/kms-rotate.go
deleted file mode 100644
index acd8e219d128..000000000000
--- a/cmd/cloud-run/kms-rotate/kms-rotate.go
+++ /dev/null
@@ -1,229 +0,0 @@ -// package main contains code for KMS GCP symmetric key secret re-encrypting -package main - -import ( - "context" - "encoding/json" - "fmt" - "io" - "log" - "net/http" - "os" - - kms "cloud.google.com/go/kms/apiv1" - kmspb "cloud.google.com/go/kms/apiv1/kmspb" - "cloud.google.com/go/storage" - "github.com/go-playground/validator/v10" - "google.golang.org/api/iterator" -) - -// Config contains function configuration provided through POST JSON -type Config struct { - Project string `json:"project" validate:"required,min=1"` - Location string `json:"location" validate:"required,min=1"` - BucketName string `json:"bucketName" validate:"required,min=1"` - BucketPrefix string `json:"bucketPrefix,omitempty"` - Keyring string `json:"keyring" validate:"required,min=1"` - Key string `json:"key" validate:"required,min=1"` -} - -var ( - kmsService *kms.KeyManagementClient - storageService *storage.Client -) - -func main() { - var err error - ctx := context.Background() - - kmsService, err = kms.NewKeyManagementClient(ctx) - if err != nil { - log.Fatal("failed creating KMS client, error: " + err.Error()) - } - defer kmsService.Close() - - storageService, err = storage.NewClient(ctx) - if err != nil { - log.Fatal("failed creating KMS client, error: " + err.Error()) - } - - http.HandleFunc("/", RotateKMSKey) - // Determine port for HTTP service. - port := os.Getenv("PORT") - if port == "" { - port = "8080" - log.Printf("Defaulting to port %s", port) - } - // Start HTTP server. 
- log.Printf("Listening on port %s", port) - if err := http.ListenAndServe(":"+port, nil); err != nil { - log.Fatal(err) - } -} - -// RotateKMSKey function manages GCP KMS rotation with bucket files re-signing -func RotateKMSKey(w http.ResponseWriter, r *http.Request) { - ctx := context.Background() - - // get data from POST JSON - body, err := io.ReadAll(r.Body) - if err != nil { - showError(w, http.StatusBadRequest, "Couldn't read request body: %v", err) - return - } - - var conf Config - - json.Unmarshal(body, &conf) - - validate := validator.New() - err = validate.Struct(conf) - if err != nil { - showError(w, http.StatusBadRequest, "Missing values in config: %v", err) - return - } - - keyPath := "projects/" + conf.Project + "/locations/" + conf.Location + "/keyRings/" + conf.Keyring + "/cryptoKeys/" + conf.Key - cryptoKeyRequest := &kmspb.GetCryptoKeyRequest{Name: keyPath} - cryptoKey, err := kmsService.GetCryptoKey(ctx, cryptoKeyRequest) - if err != nil { - showError(w, http.StatusInternalServerError, "Couldn't get %s crypto key: %v", keyPath, err) - return - } - primaryVersion := cryptoKey.GetPrimary() - - keyIteratorRequest := &kmspb.ListCryptoKeyVersionsRequest{Parent: keyPath} - keyIterator := kmsService.ListCryptoKeyVersions(ctx, keyIteratorRequest) - keyVersions, err := getKeyVersions(keyIterator) - if err != nil { - showError(w, http.StatusInternalServerError, "Couldn't iterate over %s key versions: %v", keyPath, err) - return - } - if len(keyVersions) < 2 { - log.Printf("Less than two enabled key versions, quitting") - return - } - - bucket := storageService.Bucket(conf.BucketName) - - err = rotateFiles(ctx, bucket, conf.BucketPrefix, keyPath) - if err != nil { - showError(w, http.StatusInternalServerError, "Couldn't rotate files in the %s bucket: %v", conf.BucketName, err) - return - } - - err = destroyOldKeyVersions(ctx, primaryVersion, keyVersions) - if err != nil { - showError(w, http.StatusInternalServerError, "Couldn't delete old %s key versions: 
%v", keyPath, err) - return - } -} - -func showError(w http.ResponseWriter, statusCode int, format string, args ...interface{}) { - errorMessage := fmt.Sprintf(format, args...) - log.Println(errorMessage) - http.Error(w, errorMessage, statusCode) -} - -func rotateFiles(ctx context.Context, bucket *storage.BucketHandle, bucketPrefix, keyPath string) error { - // for all files in bucket dir - query := &storage.Query{} - if bucketPrefix != "" { - query.Prefix = bucketPrefix - } - - bucketIterator := bucket.Objects(ctx, query) - - for { - attrs, err := bucketIterator.Next() - if err == iterator.Done { - break - } - if err != nil { - return fmt.Errorf("iterator error: %v", err) - } - - o := bucket.Object(attrs.Name) - encryptedData, err := getBucketObjectData(ctx, o) - if err != nil { - return fmt.Errorf("couldn't get %s object data: %v", attrs.Name, err) - } - - encryptResponse, err := reencrypt(ctx, keyPath, encryptedData) - if err != nil { - return fmt.Errorf("couldn't re-encrypt %s object data: %v", attrs.Name, err) - } - - err = setBucketObjectData(ctx, o, encryptResponse.Ciphertext) - if err != nil { - return fmt.Errorf("couldn't update %s object data: %v", attrs.Name, err) - } - } - return nil -} - -func getKeyVersions(keyIterator *kms.CryptoKeyVersionIterator) ([]*kmspb.CryptoKeyVersion, error) { - var keyVersions []*kmspb.CryptoKeyVersion - for nextVer, err := keyIterator.Next(); err != iterator.Done; nextVer, err = keyIterator.Next() { - if err != nil && err != iterator.Done { - return nil, err - } - if nextVer.State == kmspb.CryptoKeyVersion_ENABLED { - keyVersions = append(keyVersions, nextVer) - } - } - return keyVersions, nil -} - -// getBucketObjectData reads data from a bucket object -func getBucketObjectData(ctx context.Context, o *storage.ObjectHandle) ([]byte, error) { - reader, err := o.NewReader(ctx) - if err != nil { - return nil, err - } - encryptedData, err := io.ReadAll(reader) - if err != nil { - return nil, err - } - reader.Close() - - return 
encryptedData, nil -} - -// setBucketObjectData writes data to a bucket object -func setBucketObjectData(ctx context.Context, o *storage.ObjectHandle, data []byte) error { - writer := o.NewWriter(ctx) - _, err := writer.Write(data) - writer.Close() - return err -} - -// reencrypt takes in encrypted data and return the same data encrypted with the primary version of a key -func reencrypt(ctx context.Context, keyPath string, encryptedData []byte) (*kmspb.EncryptResponse, error) { - decryptRequest := &kmspb.DecryptRequest{Name: keyPath, Ciphertext: encryptedData} - decryptResponse, err := kmsService.Decrypt(ctx, decryptRequest) - if err != nil { - log.Fatal(err) - } - - encryptRequest := &kmspb.EncryptRequest{Name: keyPath, Plaintext: decryptResponse.Plaintext} - encryptResponse, err := kmsService.Encrypt(ctx, encryptRequest) - if err != nil { - log.Fatal(err) - } - return encryptResponse, nil -} - -// destroyOldKeyVersions destroys all versions of key except the primary version -func destroyOldKeyVersions(ctx context.Context, primaryVersion *kmspb.CryptoKeyVersion, keyVersions []*kmspb.CryptoKeyVersion) error { - for _, keyVersion := range keyVersions { - if keyVersion.Name != primaryVersion.Name { - destructionRequest := &kmspb.DestroyCryptoKeyVersionRequest{Name: keyVersion.Name} - _, err := kmsService.DestroyCryptoKeyVersion(ctx, destructionRequest) - if err != nil { - return err - } - } - } - return nil -} diff --git a/cmd/cloud-run/kms-rotate/kms-rotate_test.go b/cmd/cloud-run/kms-rotate/kms-rotate_test.go deleted file mode 100644 index 474f3ba63ebb..000000000000 --- a/cmd/cloud-run/kms-rotate/kms-rotate_test.go +++ /dev/null 
@@ -1,360 +0,0 @@ -package main - -import ( - "context" - "encoding/json" - "fmt" - "io" - "mime" - "mime/multipart" - "net" - "net/http" - "net/http/httptest" - "reflect" - "regexp" - "sort" - "strings" - "testing" - - kms "cloud.google.com/go/kms/apiv1" - kmspb "cloud.google.com/go/kms/apiv1/kmspb" - "cloud.google.com/go/storage" - "google.golang.org/api/option" - storageraw "google.golang.org/api/storage/v1" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials/insecure" -) - -const ( - testProjectName = "test-project" - testLocation = "europe-west3" - testBucketName = "test-bucket" - testKeyringName = "test-keyring" - testKeyName = "test-key" - testPrefix = "certificates/" -) - -type fakeKeyVersion struct { - // name string - state kmspb.CryptoKeyVersion_CryptoKeyVersionState -} - -type fakeFile struct { - // name string - keyVersion string -} - -type bucketUpload struct { - Bucket string `yaml:"bucket,omitempty"` - Name string `yaml:"name,omitempty"` -} - -func getSortedKeyVersionNames(keyVersions map[string]*fakeKeyVersion) []string { - var keyVersionNames []string - for versionName := range keyVersions { - keyVersionNames = append(keyVersionNames, versionName) - } - sort.Strings(keyVersionNames) - return keyVersionNames -} - -type fakeKMSServer struct { - kmspb.UnimplementedKeyManagementServiceServer - keyVersions map[string]*fakeKeyVersion -} - -func (f *fakeKMSServer) GetCryptoKey(ctx context.Context, req *kmspb.GetCryptoKeyRequest) (*kmspb.CryptoKey, error) { - // fmt.Printf("GetCryptoKey %s\n", req.Name) - resp := &kmspb.CryptoKey{} - if len(f.keyVersions) > 0 { - keyVersionNames := getSortedKeyVersionNames(f.keyVersions) - latestKeyVersionName := keyVersionNames[len(keyVersionNames)-1] - primaryVersionName := req.Name + "/cryptoKeyVersions/" + latestKeyVersionName - resp = &kmspb.CryptoKey{Primary: &kmspb.CryptoKeyVersion{Name: primaryVersionName}} - } - return resp, nil -} - -func (f *fakeKMSServer) ListCryptoKeyVersions(ctx context.Context, 
req *kmspb.ListCryptoKeyVersionsRequest) (*kmspb.ListCryptoKeyVersionsResponse, error) { - fmt.Printf("ListCryptoKeyVersions %s\n", req.Parent) - resp := &kmspb.ListCryptoKeyVersionsResponse{} - if len(f.keyVersions) > 0 { - keyVersionNames := getSortedKeyVersionNames(f.keyVersions) - for _, keyVersionName := range keyVersionNames { - currentKeyVersion := f.keyVersions[keyVersionName] - currentKeyVersionName := req.Parent + "/cryptoKeyVersions/" + keyVersionName - cryptoKeyVersion := &kmspb.CryptoKeyVersion{Name: currentKeyVersionName, State: currentKeyVersion.state} - resp.CryptoKeyVersions = append(resp.CryptoKeyVersions, cryptoKeyVersion) - } - } - return resp, nil -} - -func (f *fakeKMSServer) Decrypt(ctx context.Context, req *kmspb.DecryptRequest) (*kmspb.DecryptResponse, error) { - resp := &kmspb.DecryptResponse{} - resp.Plaintext = []byte("decrypted") - return resp, nil -} - -func (f *fakeKMSServer) Encrypt(ctx context.Context, req *kmspb.EncryptRequest) (*kmspb.EncryptResponse, error) { - resp := &kmspb.EncryptResponse{} - fmt.Printf("KMS encrypt %s, %s\n", req.Name, string(req.Plaintext)) - keyVersionNames := getSortedKeyVersionNames(f.keyVersions) - latestKey := keyVersionNames[len(keyVersionNames)-1] - resp.Ciphertext = []byte(latestKey) - return resp, nil -} - -func (f *fakeKMSServer) DestroyCryptoKeyVersion(ctx context.Context, req *kmspb.DestroyCryptoKeyVersionRequest) (*kmspb.CryptoKeyVersion, error) { - nameList := strings.Split(req.Name, "/") - keyVersionName := nameList[9] - - resp := &kmspb.CryptoKeyVersion{Name: req.Name} - f.keyVersions[keyVersionName].state = kmspb.CryptoKeyVersion_DESTROY_SCHEDULED - resp.State = kmspb.CryptoKeyVersion_DESTROY_SCHEDULED - return resp, nil -} - -type fakeStorageServer struct { - prefix string - files map[string]*fakeFile - unknownEndpointCallCount int -} - -func (s *fakeStorageServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { - objectsPathRegex := regexp.MustCompile("^/b/(.*)/o$") - - filePathRegex 
:= regexp.MustCompile("^/" + testBucketName + "/(.*)$") - uploadPathRegex := regexp.MustCompile("^/upload/storage/v1/b/" + testBucketName + "/o$") - - switch path := r.URL.Path; { - case objectsPathRegex.MatchString(path): - { - body, err := io.ReadAll(r.Body) - if err != nil { - http.Error(w, "failed to parse response body: "+path, 500) - } - - objects := storageraw.Objects{Kind: "storage#objects"} - - for fileName := range s.files { - if s.prefix != "" && !strings.HasPrefix(fileName, s.prefix) { - continue - } - object := &storageraw.Object{ - Kind: "storage#object", - Bucket: testBucketName, - Name: fileName, - } - objects.Items = append(objects.Items, object) - } - - fmt.Printf("BUCKET url: %s ;Query: %s ;Body: %s; %s\n", r.URL.Path, r.URL.Query().Encode(), string(body), r.Method) - - b, err := json.Marshal(objects) - if err != nil { - http.Error(w, "unable to marshal request: "+err.Error(), http.StatusBadRequest) - return - } - w.Write(b) - } - case filePathRegex.MatchString(path): - { - // simple file serving - nameList := strings.SplitN(path, "/", 3) - filename := nameList[2] - - w.Write([]byte(s.files[filename].keyVersion)) - - } - case uploadPathRegex.MatchString(path): - { - fmt.Printf("UPLOAD url: %s ;Query: %s ; %s\n", r.URL.Path, r.URL.Query().Encode(), r.Method) - - contentType, params, err := mime.ParseMediaType(r.Header.Get("Content-Type")) - if err != nil || !strings.HasPrefix(contentType, "multipart/") { - http.Error(w, "expecting a multipart message", http.StatusBadRequest) - return - } - - multipartReader := multipart.NewReader(r.Body, params["boundary"]) - defer r.Body.Close() - - var newData string - var parsedJSONdata bucketUpload - - for { - part, err := multipartReader.NextPart() - if err == io.EOF { - break - } - if err != nil { - http.Error(w, "couldn't read multipart part", http.StatusBadRequest) - return - } - defer part.Close() - - partData, err := io.ReadAll(part) - if err != nil { - http.Error(w, "failed to read content of the part", 
http.StatusBadRequest) - return - } - - switch part.Header.Get("Content-Type") { - case "application/json": - err = json.Unmarshal(partData, &parsedJSONdata) - if err != nil { - fmt.Printf("Cannot unmarshal upload JSON %s", err) - http.Error(w, "cannot unmarshal upload JSON", http.StatusBadRequest) - return - } - case "text/plain; charset=utf-8": - newData = string(partData) - default: - fmt.Printf("unknown content type %s", part.Header.Get("Content-Type")) - http.Error(w, "unknown part content type", http.StatusBadRequest) - return - } - } - s.files[parsedJSONdata.Name].keyVersion = newData - - } - default: - { - body, err := io.ReadAll(r.Body) - if err != nil { - http.Error(w, "failed to parse response body: "+path, 500) - } - fmt.Printf("unknown url: %s ;Query: %s ;Body: %s; %s\n", r.URL.Path, r.URL.Query().Encode(), string(body), r.Method) - http.Error(w, "unknown URL: "+path, 500) - s.unknownEndpointCallCount++ - } - } -} - -// TestRotateKMSKey tests RotateKMSKey function -func TestRotateKMSKey(t *testing.T) { - - //var err error - ctx := context.Background() - - defaultRequestBody := Config{ - Project: testProjectName, - Location: testLocation, - BucketName: testBucketName, - Keyring: testKeyringName, - Key: testKeyName, - } - - defaultPrefixedRequestBody := Config{ - Project: testProjectName, - Location: testLocation, - BucketName: testBucketName, - Keyring: testKeyringName, - Key: testKeyName, - BucketPrefix: testPrefix, - } - - tests := []struct { - name string - requestBody Config - keyVersions map[string]*fakeKeyVersion - expectedKeyVersions map[string]*fakeKeyVersion - files map[string]*fakeFile - }{ - { - name: "One enabled key, no files", - requestBody: defaultRequestBody, - keyVersions: map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_ENABLED}}, - expectedKeyVersions: map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_ENABLED}}, - }, - { - name: "Two enabled keys, no files", - requestBody: defaultRequestBody, - keyVersions: 
map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_ENABLED}, "2": {kmspb.CryptoKeyVersion_ENABLED}}, - expectedKeyVersions: map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_DESTROY_SCHEDULED}, "2": {kmspb.CryptoKeyVersion_ENABLED}}, - }, - { - name: "Two enabled keys, one file", - requestBody: defaultRequestBody, - keyVersions: map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_ENABLED}, "2": {kmspb.CryptoKeyVersion_ENABLED}}, - expectedKeyVersions: map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_DESTROY_SCHEDULED}, "2": {kmspb.CryptoKeyVersion_ENABLED}}, - files: map[string]*fakeFile{"cert": {"1"}}, - }, - { - name: "Two enabled keys, one file, query with prefix", - requestBody: defaultPrefixedRequestBody, - keyVersions: map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_ENABLED}, "2": {kmspb.CryptoKeyVersion_ENABLED}}, - expectedKeyVersions: map[string]*fakeKeyVersion{"1": {kmspb.CryptoKeyVersion_DESTROY_SCHEDULED}, "2": {kmspb.CryptoKeyVersion_ENABLED}}, - files: map[string]*fakeFile{"notcert": {"data"}, "certificates/cert": {"1"}}, - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - kmsServerStruct := &fakeKMSServer{keyVersions: test.keyVersions} - l, err := net.Listen("tcp", "localhost:0") - if err != nil { - t.Fatal(err) - } - gsrv := grpc.NewServer() - kmspb.RegisterKeyManagementServiceServer(gsrv, kmsServerStruct) - kmsEndpointURL := l.Addr().String() - go func() { - if err := gsrv.Serve(l); err != nil { - t.Errorf("couldn't set up fake KMS server %s", err) - } - }() - kmsService, err = kms.NewKeyManagementClient(ctx, option.WithEndpoint(kmsEndpointURL), option.WithoutAuthentication(), option.WithGRPCDialOption(grpc.WithTransportCredentials(insecure.NewCredentials()))) - if err != nil { - t.Errorf("Couldn't set up fake kms service: %s", err) - } - - storageServerStruct := fakeStorageServer{files: test.files, prefix: test.requestBody.BucketPrefix} - storageServer := 
httptest.NewServer(&storageServerStruct) - storageService, err = storage.NewClient(ctx, option.WithoutAuthentication(), option.WithEndpoint(storageServer.URL)) - if err != nil { - t.Errorf("Couldn't set up fake storage service: %s", err) - } - - rr := httptest.NewRecorder() - - pubsubMessageByte, err := json.Marshal(test.requestBody) - if err != nil { - t.Errorf("Couldn't marshall request message: %s", err) - } - - req := httptest.NewRequest("GET", "/", strings.NewReader(string(pubsubMessageByte))) - req.Header.Add("Content-Type", "application/json") - - RotateKMSKey(rr, req) - - if rr.Code != 200 { - t.Errorf("Error HTTP response: %d: %s", rr.Code, rr.Body.String()) - } - - if storageServerStruct.unknownEndpointCallCount > 0 { - t.Errorf("Unhandled storage calls: %d", storageServerStruct.unknownEndpointCallCount) - } - - if !reflect.DeepEqual(test.keyVersions, test.expectedKeyVersions) { - t.Errorf("List of key versions differs, %v, want %v", test.keyVersions, test.expectedKeyVersions) - } - - keyNames := getSortedKeyVersionNames(test.keyVersions) - latestKeyVersion := keyNames[len(keyNames)-1] - for filePath, f := range test.files { - if strings.HasPrefix(filePath, test.requestBody.BucketPrefix) { - if f.keyVersion != latestKeyVersion { - t.Errorf("Incorrect version of key used to sign %s file: %s", filePath, f.keyVersion) - } - } else { - if f.keyVersion == latestKeyVersion { - t.Errorf("Incorrect file was signed: %s", filePath) - } - } - } - - }) - } -} diff --git a/docs/index.md b/docs/index.md index a58302f06fdf..8bd148515297 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1,8 +1,6 @@
 [Rotate Gardener service account secrets using Cloud Run](/cmd/cloud-run/gardener-sa-rotate/README.md) - The Cloud Run application creates a new key for a GCP service account, updates the required secret data, and deletes old versions of a key. The function is triggered by a Pub/Sub message sent by a secret stored in Secret Manager.
-[Rotate KMS secrets using Cloud Run](/cmd/cloud-run/kms-rotate/README.md) - The Cloud Run application decrypts and encrypts files in a bucket with the latest version of a KMS key, and deletes old versions of a key. The function is triggered by a HTTP POST request sent by a Cloud Scheduler.
-
-[Rotate service account secrets](/cmd/cloud-run/rotate-service-account/README.md) - RotateServiceAccount creates a new key for a GCP service account and updates the required secret data. It's triggered by a Pub/Sub message sent by a secret stored in Secret Manager. It runs as a cloud run container.
+[Rotate service account secrets](/cmd/cloud-run/rotate-service-account/README.md) - RotateServiceAccount creates a new key for a GCP service account and updates the required secret data. It's triggered by a Pub/Sub message sent by a secret stored in Secret Manager. It runs as a cloud run container.
 [Cleanup of service account secrets](/cmd/cloud-run/service-account-keys-cleaner/README.md) - The Cloud Run service deletes old keys for a GCP service account and updates the required secret data for all service account secrets stored in the Secret Manager. The service is triggered by a Cloud Scheduler job.
@@ -54,7 +52,7 @@
 [Add custom secret to Prow](/docs/how-to/how-to-add-custom-secret.md) - This tutorial shows how to add a custom secret and use it in the Prow pipeline.
-[Standard Terraform configuration](/docs/how-to/how-to-create-standard-terraform-config.md) - This document describes the standard Terraform configuration that is used in `test-infra` repository.
+[Standard Terraform configuration](/docs/how-to/how-to-create-standard-terraform-config.md) - This document describes the standard Terraform configuration that is used in `test-infra` repository.
 [Docs](/docs/prow/README.md) - The folder contains documents that provide an insight into Prow configuration, development, and testing.
@@ -78,15 +76,15 @@
 [HTML lens](/docs/prow/prow-html-lens.md) - Spyglass HTML lens allows to render HTML files in the job results.
-[Image autobump ](/docs/prow/prow-jobs-autobump.md) - This document provides an overview of autobump Prow Jobs.
+[Image autobump ](/docs/prow/prow-jobs-autobump.md) - This document provides an overview of autobump Prow Jobs.
 [Prow Jobs QuickStart](/docs/prow/prow-jobs-quick-start.md) - This document provides an overview of how to quickly start working with Prow jobs.
-[Prow Cluster Monitoring Setup](/docs/prow/prow-monitoring.md) - This document describes how to install and manage Prow cluster monitoring that is available at `https://monitoring.build.kyma-project.io`.
+[Prow Cluster Monitoring Setup](/docs/prow/prow-monitoring.md) - This document describes how to install and manage Prow cluster monitoring that is available at `https://monitoring.build.kyma-project.io`.
 [Quality metrics](/docs/prow/quality-metrics.md) - This document describes reports that provide an overview of the basic quality measures for the Kyma project.
-[Security Leaks Scanner](/docs/prow/security_commit_scanner.md) - Security Leaks Scanner is a tool that scans a repository for potential security leaks, thus providing protection against any potential security threats and vulnerabilities. It operates using [Gitleaks](https://github.com/zricethezav/gitleaks), which ensures a thorough and efficient examination of your repository.
+[Security Leaks Scanner](/docs/prow/security_commit_scanner.md) - Security Leaks Scanner is a tool that scans a repository for potential security leaks, thus providing protection against any potential security threats and vulnerabilities. It operates using [Gitleaks](https://github.com/zricethezav/gitleaks), which ensures a thorough and efficient examination of your repository.
 [Prow Test Clusters](/docs/prow/test-clusters.md) - This document gathers information about test clusters that Prow jobs build.
All test clusters are built in the `sap-kyma-prow-workloads` project.
@@ -121,4 +119,3 @@
 [Vulnerability Scanner](/prow/images/whitesource-scanner/README.md) - This folder contains the WhiteSource Unified Agent image that is based on the Java Buildpack image. Use it to perform WhiteSource vulnerability scans.
 [Templates](/templates/README.md) - Jobs and Prow configuration are generated from templates by the Render Templates tool. Check
-
diff --git a/docs/prow/presets.md b/docs/prow/presets.md
index b94045946fe7..9d4020400285 100644
--- a/docs/prow/presets.md
+++ b/docs/prow/presets.md
@@ -33,5 +33,4 @@ This document contains the list of all Presets available in the [`config.yaml`](
 | **preset-kyma-backup-credentials** | It sets the environment variable for the JSON file with the credentials for the service account. The file contains write and read permissions for the GCP bucket used for backups. |
 | **preset-kyma-backup-restore-bucket** | It defines the environment variable for Kyma's backups bucket. |
 | **preset-kyma-ondemands** | It defines the environment variable for Kyma's on-demand artifacts bucket. |
-| **preset-kyma-encryption-key** | It defines the key name for encrypting/decrypting operations on a Prow cluster. |
 | **preset-certificates-bucket** | It provides the environment variable with the name of the bucket for Prow Jobs Secrets in the `kyma-prow-workload` project. |
diff --git a/prow/config.yaml b/prow/config.yaml
index 9a4f9a6e210d..690e9e554dce 100644
--- a/prow/config.yaml
+++ b/prow/config.yaml
@@ -885,21 +885,11 @@ presets:
 secretKeyRef:
 name: nightly-github-integration-app-client-secret
 key: client-secret
- - labels:
- preset-kyma-keyring: "true"
- env:
- - name: KYMA_KEYRING
- value: "prow-workloads-keyring"
 - labels:
 preset-kyma-development-artifacts-bucket: "true"
 env:
 - name: KYMA_DEVELOPMENT_ARTIFACTS_BUCKET
 value: "gs://kyma-development-artifacts"
- - labels:
- preset-kyma-encryption-key: "true"
- env:
- - name: KYMA_ENCRYPTION_KEY
- value: prow-workloads-encrypt
 - labels:
 preset-whitesource-product-kyma: "true"
 env:
diff --git a/prow/jobs/kyma-incubator/compass/compass-gke-benchmark.yaml b/prow/jobs/kyma-incubator/compass/compass-gke-benchmark.yaml
index 0bec454ad667..2e21a74d0be0 100644
--- a/prow/jobs/kyma-incubator/compass/compass-gke-benchmark.yaml
+++ b/prow/jobs/kyma-incubator/compass/compass-gke-benchmark.yaml
@@ -17,9 +17,7 @@ presubmits: # runs on PRs
 preset-kms-gc-project-env: "true"
 preset-kyma-artifacts-bucket: "true"
 preset-kyma-development-artifacts-bucket: "true"
- preset-kyma-encryption-key: "true"
 preset-kyma-guard-bot-github-token: "true"
- preset-kyma-keyring: "true"
 preset-sa-gke-kyma-integration: "true"
 run_if_changed: '^((chart\S+|installation\S+)(\.[^.][^.][^.]+$|\.[^.][^dD]$|\.[^mM][^.]$|\.[^.]$|/[^.]+$))'
 optional: true
@@ -63,4 +61,3 @@ presubmits: # runs on PRs
 limits:
 memory: 6Gi
 cpu: 3
-
\ No newline at end of file
diff --git a/prow/jobs/scans/whitesource-periodics.yaml b/prow/jobs/scans/whitesource-periodics.yaml
index 41bc07d8d293..9cc084181745 100644
--- a/prow/jobs/scans/whitesource-periodics.yaml
+++ b/prow/jobs/scans/whitesource-periodics.yaml
@@ -13,8 +13,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -63,8 +61,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-control-plane: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -113,8 +109,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -163,8 +157,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma-test: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -213,8 +205,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma-test: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -263,8 +253,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma-dashboard: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -313,8 +301,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -363,8 +349,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -415,8 +399,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-control-plane: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-incubator-whitesource: "true"
@@ -465,8 +447,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-control-plane: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -515,8 +495,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -567,8 +545,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -619,8 +595,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -669,8 +643,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -719,8 +691,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-whitesource-product-kyma: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
@@ -817,8 +787,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
 preset-whitesource-product-kyma-release: "true"
@@ -867,8 +835,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
 preset-whitesource-product-kyma-release: "true"
@@ -920,8 +886,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
 preset-whitesource-product-kyma-release-previous: "true"
@@ -970,8 +934,6 @@ periodics: # runs on schedule
 prow.k8s.io/pubsub.topic: "prowjobs"
 preset-gc-project-env: "true"
 preset-kms-gc-project-env: "true"
- preset-kyma-encryption-key: "true"
- preset-kyma-keyring: "true"
 preset-wssagent-keys: "true"
 preset-sa-gke-kyma-integration-kyma-project-whitesource: "true"
 preset-whitesource-product-kyma-release-previous: "true"
diff --git a/templates/config.yaml b/templates/config.yaml
index 68e9a7c8207c..4d9a0470de9b 100644
--- a/templates/config.yaml
+++ b/templates/config.yaml
@@ -256,7 +256,6 @@ globalSets:
 labels:
 preset-dind-enabled: "true"
 preset-sa-kyma-push-images: "true"
- preset-kyma-kms-sign-key: "true"
 command: "/home/prow/go/src/github.com/kyma-project/test-infra/prow/scripts/build-generic.sh"
 jobConfig_generic_component_kyma:
 labels:
diff --git a/templates/data/whitesource-periodics-data.yaml b/templates/data/whitesource-periodics-data.yaml
index 9940a003bb02..99ab571ff269 100644
--- a/templates/data/whitesource-periodics-data.yaml
+++ b/templates/data/whitesource-periodics-data.yaml
@@ -20,8 +20,6 @@ templates:
 testgrid-create-test-group: "false"
 labels:
 preset-wssagent-keys: "true"
- preset-kyma-keyring: "true"
- preset-kyma-encryption-key: "true"
 preset-kms-gc-project-env: "true"
 preset-gc-project-env: "true"
 env: