problems with sharing a repo's encryption key
Summary
We were trying to share access to an encrypted deployment repository using plural crypto share
as per https://docs.plural.sh/advanced-topics/security/secret-management#share-a-repo
It does not work as expected, though, as it is not possible for any other user (logged in correctly with the mentioned accounts) to clone and decrypt the repo.
Reproduction
With a deployment SA dev2.at.onplural.sh@alexanderthamm.com we created the repo, and after installing the kubeflow-aws bundle we followed these steps:
setup:
dev2-at-onplural-sh on main on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural crypto setup-keys --name sharekey
Public key uploaded successfully
dev2-at-onplural-sh on main on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural crypto share --email hans.rauer@alexanderthamm.com
dev2-at-onplural-sh on main [!] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural crypto share --email rostislav.nedelchev@alexanderthamm.com
dev2-at-onplural-sh on main [!] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ git add .
dev2-at-onplural-sh on main [+] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ git commit -m "share key"
dev2-at-onplural-sh on main [⇡] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ git push
On the other end the user rostislav.nedelche@alexanderthamm.com should have been able to decrypt the repo, but that was unsuccessful:
(base) rosko@AT-NB-182:~/git_repos/kubesoup/dev2-at-onplural-sh$ plural crypto init
Creating git encryption filters
2022/08/23 17:47:26 no identity matched any of the recipients
There is also no public key listed in app.plural.sh after this process.
Message from the maintainers:
Impacted by this bug? Give it a 👍. We factor engagement into prioritization.
Update:
After a first deployment of the plural bundle (kubeflow) we tried again with sharing the repo and we observed something curious.
Performing the following command, we now did see changes in .plural-crypt/identities.yaml:
dev2-at-onplural-sh on main [!] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural crypto share --email rostislav.nedelchev@alexanderthamm.com
This added an identity to .plural-crypt/identities.yaml:
repokey: xxx
identities:
- key: xxx
  email: dev2.at.onplural.sh@alexanderthamm.com
- key: xxx
  email: rostislav.nedelchev@alexanderthamm.com
This is probably expected behaviour. After pushing the generated changes to the remote repo, Rostislav was indeed able to unlock the repo on his local clone by performing plural crypto init and plural crypto unlock. So this worked, but only after a successful first deployment of the plural stack/workspace.
Now the curious bit.
I wanted to share the repo with my personal plural account as well (bear in mind I'm still using the SA). So I did the same step for my own account:
dev2-at-onplural-sh on main [!] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural crypto share --email hans.rauer@alexanderthamm.com
I expected the identity to be added to the .plural-crypt/identities.yaml file, too, but not only did it not add it, it also erased all previous entries except for the SA one:
repokey: xxx
identities:
- key: xxx
  email: dev2.at.onplural.sh@alexanderthamm.com
I tried the documented suggestion of passing multiple email addresses, too, but that had the same effect:
dev2-at-onplural-sh on main [!] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural crypto share --email rostislav.nedelchev@alexanderthamm.com --email hans.rauer@alexanderthamm.com
For all of the steps I was logged in as the SA we used for the deployment:
dev2-at-onplural-sh on main [!?] on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural profile show
apiVersion: platform.plural.sh/v1alpha1
kind: Config
metadata:
  name: dev2.at
spec:
  email: dev2.at.onplural.sh@alexanderthamm.com
  token: plrl-xxxxxxxxx
  namespacePrefix: ""
  endpoint: ""
  lockProfile: ""
  reportErrors: true
Plural CLI version used:
dev2-at-onplural-sh on main on ☁️ at-kf1 (eu-central-1) on ☁️
❯ plural version
Plural CLI:
  Version: v0.4.4-60-gf9ab40e
  Git Commit: f9ab40e
  Compiled At: 2022-08-24 14:25:45.874807 +0200 CEST m=+0.034057539
  OS: darwin
  Arch: amd64
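The failure mode in this report is that a `plural crypto share` rewrote .plural-crypt/identities.yaml and dropped recipients who had previously been granted access, which is only noticed once the next person runs `plural crypto init` and gets "no identity matched any of the recipients". The following is an added example, not code from the report or from the Plural CLI: a small pre-commit style check that compares the identities file before and after a share and fails if the share was not purely additive. The sample file contents are constructed in the shape shown in the report (key material redacted as `xxx`); the reader is a minimal line-based one for that flat `- key:` / `email:` list, not a general YAML parser, and the function names are the example's own.

```python
import re
from typing import Iterable, List

# Constructed samples in the shape of .plural-crypt/identities.yaml from the
# report (key material redacted as "xxx", as in the report). Not real data.
BEFORE_SHARE = """\
repokey: xxx
identities:
- key: xxx
  email: dev2.at.onplural.sh@alexanderthamm.com
- key: xxx
  email: rostislav.nedelchev@alexanderthamm.com
"""

# What the report says the file looked like after the second `share`:
# the previously added recipient is gone and the new one was never added.
AFTER_BAD_SHARE = """\
repokey: xxx
identities:
- key: xxx
  email: dev2.at.onplural.sh@alexanderthamm.com
"""

_EMAIL_LINE = re.compile(r"^\s*(?:-\s*)?email:\s*(\S+)\s*$")
_TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")


def identity_emails(text: str) -> List[str]:
    """Emails listed under `identities:`, in file order.

    Minimal line-based reader for the flat `- key:` / `email:` list shown in
    the report (assumption: one entry per `email:` line, no quoting, no
    nested mappings). Works whether or not the entries are indented.
    """
    emails: List[str] = []
    in_identities = False
    for line in text.splitlines():
        if re.match(r"^identities:\s*$", line):
            in_identities = True
            continue
        top = _TOP_KEY.match(line)
        if in_identities and top and top.group(1) not in ("key", "email"):
            # Another top-level mapping key ends the identities list.
            in_identities = False
        if in_identities:
            m = _EMAIL_LINE.match(line)
            if m:
                emails.append(m.group(1))
    return emails


def missing_after_share(before: str, after: str, shared: Iterable[str]) -> List[str]:
    """Recipients that should be able to decrypt the repokey but are absent.

    Invariant checked: every email present before the share, plus every
    email passed to `share`, must still be listed afterwards. A non-empty
    result means someone who could previously unlock the repo (or was just
    granted access) will hit "no identity matched any of the recipients".
    """
    expected = set(identity_emails(before)) | set(shared)
    present = set(identity_emails(after))
    return sorted(expected - present)


def share_preserved_recipients(before: str, after: str, shared: Iterable[str]) -> bool:
    """True when the share was purely additive (nobody lost access)."""
    return not missing_after_share(before, after, shared)


if __name__ == "__main__":
    # Usage: copy identities.yaml aside before running `plural crypto share`,
    # then compare the copy with the rewritten file before `git commit`.
    gone = missing_after_share(
        BEFORE_SHARE, AFTER_BAD_SHARE, ["hans.rauer@alexanderthamm.com"]
    )
    if gone:
        print("share dropped or failed to add recipients:", ", ".join(gone))
    else:
        print("all recipients preserved; safe to commit")
```

Run against the report's before/after contents this reports both hans.rauer (never added) and rostislav.nedelchev (erased) as missing, which is exactly the state that would have been pushed had the author not inspected the file by hand.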