From: garciadeblas
Date: Tue, 11 Mar 2025 14:44:25 +0000 (+0100)
Subject: Fix age key encryption for default profiles and encryption of ksu secrets with profil...
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=refs%2Fchanges%2F47%2F15047%2F2;p=osm%2FLCM.git

Fix age key encryption for default profiles and encryption of ksu secrets with profile age key

Change-Id: I232dbc377761454914e40b557ecf9ca3f12051dc
Signed-off-by: garciadeblas
---

diff --git a/osm_lcm/k8s.py b/osm_lcm/k8s.py
index 20d47a57..cd22a995 100644
--- a/osm_lcm/k8s.py
+++ b/osm_lcm/k8s.py
@@ -278,6 +278,24 @@ class GitOpsLcm(LcmBase):
 return True
 return False
 
+ def decrypt_age_keys(self, content, fields=["age_pubkey", "age_privkey"]):
+ self.db.encrypt_decrypt_fields(
+ content,
+ "decrypt",
+ fields,
+ schema_version="1.11",
+ salt=content["_id"],
+ )
+
+ def encrypt_age_keys(self, content, fields=["age_pubkey", "age_privkey"]):
+ self.db.encrypt_decrypt_fields(
+ content,
+ "encrypt",
+ fields,
+ schema_version="1.11",
+ salt=content["_id"],
+ )
+
 def decrypted_copy(self, content, fields=["age_pubkey", "age_privkey"]):
 # This deep copy is intended to be passed to ODU workflows.
 content_copy = copy.deepcopy(content)
@@ -350,8 +368,9 @@ class ClusterLcm(GitOpsLcm):
 op_params = self.get_operation_params(db_cluster, op_id)
 
 # To copy the cluster content and decrypting fields to use in workflows
+ db_cluster_copy = self.decrypted_copy(db_cluster)
 workflow_content = {
- "cluster": self.decrypted_copy(db_cluster),
+ "cluster": db_cluster_copy,
 }
 
 # To get the vim account details
@@ -437,6 +456,7 @@ class ClusterLcm(GitOpsLcm):
 
 # Update db_cluster
 self.db.set_one("clusters", {"_id": db_cluster["_id"]}, db_cluster)
+ self.update_default_profile_agekeys(db_cluster_copy)
 self.update_profile_state(db_cluster, workflow_status, resource_status)
 
 # Register the cluster in k8sclusters collection
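Review bot: `decrypt_age_keys` and `encrypt_age_keys` modify `content` in place and return nothing, yet neither says so, and their `fields` default is a mutable list (only passed through here, but the pattern is linter-flagged and a caller holding the list can still alter it). A one-line docstring such as `"""Decrypt the age key fields of *content* in place, using content["_id"] as the salt."""` (mirrored for encrypt) would state the contract, and a tuple default `fields=("age_pubkey", "age_privkey")` is safer if `encrypt_decrypt_fields` accepts any iterable, which is not visible here. The two bodies differ only in the mode string, so a private `_crypt_age_keys(content, mode, fields)` helper called by both would remove the duplication. `salt=content["_id"]` raises KeyError for a document without `_id`; that is presumably always present for DB records but worth a sentence in the docstring. The rest of `GitOpsLcm` and the `ClusterLcm` method touched by the later hunks on this line lie outside the hunks.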
@@ -543,6 +563,23 @@ class ClusterLcm(GitOpsLcm):
 op_id, checkings_list, "clusters", db_cluster
 )
 
+ def update_default_profile_agekeys(self, db_cluster):
+ profiles = [
+ "infra_controller_profiles",
+ "infra_config_profiles",
+ "app_profiles",
+ "resource_profiles",
+ ]
+ self.logger.debug("the db_cluster is :{}".format(db_cluster))
+ for profile_type in profiles:
+ profile_id = db_cluster[profile_type]
+ db_collection = self.profile_collection_mapping[profile_type]
+ db_profile = self.db.get_one(db_collection, {"_id": profile_id})
+ db_profile["age_pubkey"] = db_cluster["age_pubkey"]
+ db_profile["age_privkey"] = db_cluster["age_privkey"]
+ self.encrypt_age_keys(db_profile)
+ self.db.set_one(db_collection, {"_id": db_profile["_id"]}, db_profile)
+
 def update_profile_state(self, db_cluster, workflow_status, resource_status):
 profiles = [
 "infra_controller_profiles",
@@ -550,15 +587,7 @@ class ClusterLcm(GitOpsLcm):
 "app_profiles",
 "resource_profiles",
 ]
- """
- profiles_collection = {
- "infra_controller_profiles": "k8sinfra_controller",
- "infra_config_profiles": "k8sinfra_config",
- "app_profiles": "k8sapp",
- "resource_profiles": "k8sresource",
- }
- """
- self.logger.info("the db_cluster is :{}".format(db_cluster))
+ self.logger.debug("the db_cluster is :{}".format(db_cluster))
 for profile_type in profiles:
 profile_id = db_cluster[profile_type]
 db_collection = self.profile_collection_mapping[profile_type]
@@ -567,8 +596,6 @@ class ClusterLcm(GitOpsLcm):
 db_profile["state"] = db_cluster["state"]
 db_profile["resourceState"] = db_cluster["resourceState"]
 db_profile["operatingState"] = db_cluster["operatingState"]
- db_profile["age_pubkey"] = db_cluster["age_pubkey"]
- db_profile["age_privkey"] = db_cluster["age_privkey"]
 db_profile = self.update_operation_history(
 db_profile, op_id, workflow_status, resource_status
 )
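Review bot: `self.logger.debug("the db_cluster is :{}".format(db_cluster))` in `update_default_profile_agekeys` dumps the whole document, and the only caller this commit adds passes `db_cluster_copy`, the decrypted copy, so the plaintext `age_privkey` is written to the debug log; the same line in `update_profile_state` (hunk @@ -550) logs the full record too, encrypted in that case. Log only the identifier instead: `self.logger.debug("Updating default profile age keys for cluster {}".format(db_cluster["_id"]))`. The method also carries no docstring; suggest `"""Copy the cluster's decrypted age keys into its default profiles, re-encrypting each with the profile's own _id as salt."""`, since the per-profile salt is the reason the keys cannot simply be copied from the stored cluster record. `self.db.get_one(...)` is indexed on the next line without a check, which is fine only if get_one raises when nothing matches, as OSM's db layer does by default — worth confirming for this collection.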
@@ -2015,6 +2042,9 @@ class KsuLcm(GitOpsLcm):
 profile_id = ksu_params["profile"]["_id"]
 profile_collection = self.profile_collection_mapping[profile_type]
 db_profile = self.db.get_one(profile_collection, {"_id": profile_id})
+ # db_profile is decrypted inline
+ # No need to use decrypted_copy because db_profile won't be updated.
+ self.decrypt_age_keys(db_profile)
 ksu_params["profile"]["name"] = db_profile["name"]
 ksu_params["profile"]["age_pubkey"] = db_profile.get("age_pubkey", "")
 # Update ksu_params["oka"] with sw_catalog_path (when missing)
@@ -2081,6 +2111,9 @@ class KsuLcm(GitOpsLcm):
 profile_id = ksu_params["profile"]["_id"]
 profile_collection = self.profile_collection_mapping[profile_type]
 db_profile = self.db.get_one(profile_collection, {"_id": profile_id})
+ # db_profile is decrypted inline
+ # No need to use decrypted_copy because db_profile won't be updated.
+ self.decrypt_age_keys(db_profile)
 ksu_params["profile"]["name"] = db_profile["name"]
 ksu_params["profile"]["age_pubkey"] = db_profile.get("age_pubkey", "")
 # Update ksu_params["oka"] with sw_catalog_path (when missing)
@@ -2142,13 +2175,12 @@ class KsuLcm(GitOpsLcm):
 ksu_params["profile"] = {}
 ksu_params["profile"]["profile_type"] = db_ksu["profile"]["profile_type"]
 ksu_params["profile"]["_id"] = db_ksu["profile"]["_id"]
- # Update ksu_params["profile"] with profile name and age-pubkey
+ # Update ksu_params["profile"] with profile name
 profile_type = ksu_params["profile"]["profile_type"]
 profile_id = ksu_params["profile"]["_id"]
 profile_collection = self.profile_collection_mapping[profile_type]
 db_profile = self.db.get_one(profile_collection, {"_id": profile_id})
 ksu_params["profile"]["name"] = db_profile["name"]
- ksu_params["profile"]["age_pubkey"] = db_profile.get("age_pubkey", "")
 op_params.append(ksu_params)
 
 workflow_res, workflow_name = await self.odu.launch_workflow(
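Review bot: `self.decrypt_age_keys(db_profile)` decrypts both `age_pubkey` and `age_privkey`, but only `age_pubkey` is read on the following lines, so the profile's private key is held in plaintext in `db_profile` with no use; pass `self.decrypt_age_keys(db_profile, fields=["age_pubkey"])` here and in the identical hunk at @@ -2081. The new comment says "decrypted inline" where "in place" is the accurate term, so `# db_profile is decrypted in place; no decrypted_copy needed because it is never written back.` reads better. The `.get("age_pubkey", "")` on the next line suggests the field may be absent on some profiles; whether `encrypt_decrypt_fields` tolerates a missing field is not visible in this diff and should be checked. The enclosing method starts and ends outside the hunk.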