diff --git a/README.md b/README.md
index 0615ad8c..4b2548b1 100644
--- a/README.md
+++ b/README.md
@@ -20,3 +20,4 @@ See each plugin readme for more info and usage instructions.
 | [Twistlock](plugins/cfstep-twistlock) | Security scanning of docker images using Twistlock | `security` |
 | [Clair](plugins/clair/README.md) | Security scanning of Docker images using Clair | `security` |
 | [Import Docker Images](plugins/import-docker-images/README.md) | Import Docker images metadata into Codefresh| `docker` `codefresh`|
+| [Google KMS](plugins/google-kms-plugin/README.md) | Encryption/Decryption with Google KMS| `KMS` `codefresh`|
diff --git a/plugins/google-kms/Dockerfile b/plugins/google-kms/Dockerfile
new file mode 100644
index 00000000..5ba4f610
--- /dev/null
+++ b/plugins/google-kms/Dockerfile
@@ -0,0 +1,10 @@
+FROM google/cloud-sdk:alpine
+
+WORKDIR /kms
+
+RUN apk -U add jq bash
+ENV PATH=${PATH}:/kms
+
+COPY google-kms.sh ./kms
+
+
diff --git a/plugins/google-kms/README.md b/plugins/google-kms/README.md
new file mode 100644
index 00000000..bd72adae
--- /dev/null
+++ b/plugins/google-kms/README.md
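Review bot: `RUN apk -U add jq bash` pulls a fresh package index into the image layer and never removes it; `RUN apk add --no-cache jq bash` installs the same packages without leaving the index behind, and pinning package versions would make the image reproducible. The script this image ships (`google-kms.sh`) shells out to `curl` and `realpath`, neither of which the Dockerfile installs explicitly — presumably they come from `google/cloud-sdk:alpine`, but that tag floats, so either confirm they are present or add them to the apk line. For an image that handles decrypted pipeline secrets, pinning the base to a versioned tag or digest is also worth considering.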
@@ -0,0 +1,27 @@
+odefresh Google KMS plugin
+
+This plugin facilitates work with Google Key Management Service for such operations like *encrypting* and *decrypting*
+
+# Usage
+
+kms [OPERATION] [VALUE_1] [VALUE_n...]
+
+Set the plugin required environment variables for the pipeline and use the plugin as a freestyle step with a command like:
+
+```yaml
+GoogleKMS:
+ image: codefresh/google-kms
+ commands:
+ - kms encrypt VALUE_1 VALUE_n
+```
+where VALUE_1 and VALUE_n are the **names** of the environment variables containing the values you need to encrypt or decrypt.
+
+The operation is mutable and when the step finishes the variables with the same names will contain encrypted values. For decryption the process is similar
+
+# Required environment variables
+
+- `KMS_PROJECT` - GCP project name in which your KMS entities are present
+- `KMS_LOCATION` - Google KMS location
+- `KMS_KEYRING` - Google KMS keyring
+- `KMS_KEY` - Google KMS key
+- `GCP_SA_KEY` - [Google Service Account Key (JSON)](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
diff --git a/plugins/google-kms/google-kms.sh b/plugins/google-kms/google-kms.sh
new file mode 100755
index 00000000..7eead9b9
--- /dev/null
+++ b/plugins/google-kms/google-kms.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for pluginVar in KMS_PROJECT KMS_LOCATION KMS_KEYRING KMS_KEY
+ do
+ if [ -z ${!pluginVar} ]; then echo $pluginVar is not set, stopping...; exit 1; fi
+ done
+
+echo $GCP_SA_KEY > google-app-creds.json
+export GOOGLE_APPLICATION_CREDENTIALS=$(realpath google-app-creds.json)
+operation=$1
+
+
+function encrypt () {
+
+ hashedtext=$(echo $2 | base64 | tr -d '\n')
+ cf_export $1=$(curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/$KMS_PROJECT/locations/$KMS_LOCATION/keyRings/$KMS_KEYRING/cryptoKeys/$KMS_KEY:encrypt" \
+ -d "{\"plaintext\":\"$hashedtext\"}" \
+ -H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
+ -H "Content-Type:application/json" | jq '.ciphertext' --raw-output )
+
+ }
+
+function decrypt {
+
+ cf_export $1=$(curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/$KMS_PROJECT/locations/$KMS_LOCATION/keyRings/$KMS_KEYRING/cryptoKeys/$KMS_KEY:decrypt" \
+ -d "{\"ciphertext\":\"$2\"}" \
+ -H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
+ -H "Content-Type:application/json" | jq '.plaintext' --raw-output | base64 -d)
+
+ }
+
+for secret in "${@: 2}"
+ do
+ $operation $secret ${!secret}
+ done
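Review bot: `echo $GCP_SA_KEY > google-app-creds.json` drops the service-account key into a file created with the default umask (0644) in the current working directory — in a Codefresh freestyle step that is presumably the shared pipeline volume — and nothing ever deletes it, while the unquoted expansion also word-splits and glob-expands the JSON before it reaches disk. Further down, each `cf_export $1=$(curl … | jq …)` has no error handling: a failed request (wrong project, missing `cloudkms.cryptoKeyEncrypterDecrypter` permission, network error) makes `jq` print `null`, which is then exported over the original variable, so the pipeline carries on with the secret silently replaced by the string `null`. The access token also rides on curl's argv, where `ps` and `set -x` can see it, and `$1` is executed unvalidated as a command in `$operation $secret ${!secret}`. I would also feed the plaintext with `printf '%s'` rather than `echo`, so values starting with `-n`/`-e` are not mangled (this also stops a trailing newline from being encrypted). A safer shape for the setup and the encrypt path:

```shell
set -euo pipefail
# … unchanged: KMS_* variable check …
: "${GCP_SA_KEY:?GCP_SA_KEY is not set, stopping...}"
umask 077                                # key file readable only by this user
creds="$(mktemp)"
trap 'rm -f -- "$creds"' EXIT            # do not leave the SA key on the shared volume
printf '%s' "$GCP_SA_KEY" > "$creds"
export GOOGLE_APPLICATION_CREDENTIALS="$creds"
case "$1" in
  encrypt|decrypt) operation=$1 ;;
  *) echo "unknown operation: $1 (expected encrypt or decrypt)" >&2; exit 1 ;;
esac

function encrypt () {
  local hashedtext ciphertext
  hashedtext=$(printf '%s' "$2" | base64 | tr -d '\n')
  # -f fails on HTTP errors, jq -e fails on null, pipefail + set -e abort the step
  ciphertext=$(curl -sSf -X POST "https://cloudkms.googleapis.com/v1/projects/$KMS_PROJECT/locations/$KMS_LOCATION/keyRings/$KMS_KEYRING/cryptoKeys/$KMS_KEY:encrypt" \
    -d "$(jq -cn --arg p "$hashedtext" '{plaintext: $p}')" \
    -H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type:application/json" | jq -er '.ciphertext')
  cf_export "$1=$ciphertext"
}
# … unchanged: decrypt mirrors encrypt with `jq -er '.plaintext' | base64 -d` …
```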