feat: #17 support secrets encryption

Author: bohdan-shulha

Diff for: api-nodes/Http/Controllers/EventController.php

@@ -24,6 +24,7 @@ public function started(Node $node, AgentStartedEventData $data)
 
                 $swarm->data->joinTokens = $data->swarm->joinTokens;
                 $swarm->data->managerNodes = $data->swarm->managerNodes;
+                $swarm->data->encryptionKey = $data->swarm->encryptionKey;
 
                 $nodeAddresses = $swarm->nodes->pluck('data.address')->toArray();
                 $dockerServices = collect($swarm->services)

Diff for: api-nodes/Models/AgentStartedEventData/SwarmData.php

@@ -14,5 +14,6 @@ public function __construct(
         #[DataCollectionOf(ManagerNode::class)]
         /* @var ManagerNode[] */
         public array $managerNodes,
+        public string $encryptionKey,
     ) {}
 }

Diff for: app/Actions/Nodes/InitCluster.php

@@ -82,6 +82,7 @@ private function createSwarm(int $teamId): Swarm
                     'manager' => '-',
                 ],
                 'managerNodes' => [],
+                'encryptionKey' => '-',
             ]),
         ]);
     }
@@ -217,9 +218,7 @@ private function getCaddyProcessConfig(Node $node): array
                     'value' => '0.0.0.0:2019',
                 ],
             ],
-            'secretVars' => [
-                'vars' => [],
-            ],
+            'secretVars' => [],
             'configFiles' => [
                 [
                     'path' => '/ptah/caddy/tls/.keep',

Diff for: app/Console/Commands/SelfHostPtah.php

@@ -135,9 +135,7 @@ public function handle()
                             'value' => 'ptah_sh',
                         ],
                     ],
-                    'secretVars' => [
-                        'vars' => [],
-                    ],
+                    'secretVars' => [],
                     'configFiles' => [],
                     'secretFiles' => [],
                     'volumes' => [
@@ -203,9 +201,7 @@ public function handle()
                             'value' => 'ptah_sh',
                         ],
                     ],
-                    'secretVars' => [
-                        'vars' => [],
-                    ],
+                    'secretVars' => [],
                     'configFiles' => [],
                     'secretFiles' => [],
                     'volumes' => [],
@@ -292,9 +288,7 @@ public function handle()
                             'value' => 'false',
                         ],
                     ],
-                    'secretVars' => [
-                        'vars' => [],
-                    ],
+                    'secretVars' => [],
                     'configFiles' => [],
                     'secretFiles' => [],
                     'volumes' => [],

Diff for: app/Http/Controllers/NodeController.php

@@ -79,6 +79,11 @@ public function show(Node $node)
 
         $node->load('swarm');
 
+        $s3TaskGroup = $node->actualTaskGroup(NodeTaskGroupType::UpdateS3Storages);
+        if ($s3TaskGroup?->is_completed) {
+            $s3TaskGroup = null;
+        }
+
         $registryTaskGroup = $node->actualTaskGroup(NodeTaskGroupType::UpdateDockerRegistries);
         if ($registryTaskGroup?->is_completed) {
             $registryTaskGroup = null;
@@ -91,6 +96,7 @@ public function show(Node $node)
             'lastAgentVersion' => $lastAgentVersion,
             'agentUpgradeTaskGroup' => $taskGroup?->is_completed ? null : $taskGroup,
             'registryUpdateTaskGroup' => $registryTaskGroup?->is_completed ? null : $registryTaskGroup,
+            's3SUpdateTaskGroup' => $s3TaskGroup?->is_completed ? null : $s3TaskGroup,
         ]);
     }
 

Diff for: app/Http/Controllers/ServiceController.php

@@ -59,6 +59,9 @@ public function create()
             'dockerRegistries' => $dockerRegistries,
             's3Storages' => $s3Storages,
             'marketplaceUrl' => config('ptah.marketplace_url'),
+            'node' => [
+                'swarm' => $swarm,
+            ],
         ]);
     }
 
@@ -73,13 +76,17 @@ public function show(Service $service)
         $nodes = $service->swarm->nodes;
         $dockerRegistries = $service->swarm->data->registries;
         $s3Storages = $service->swarm->data->s3Storages;
+        $swarm = $service->swarm;
 
         return Inertia::render('Services/Show', [
             'service' => $service,
             'networks' => $networks,
             'nodes' => $nodes,
             'dockerRegistries' => $dockerRegistries,
             's3Storages' => $s3Storages,
+            'node' => [
+                'swarm' => $swarm,
+            ],
         ]);
     }
 

Diff for: app/Http/Controllers/SwarmController.php

@@ -89,13 +89,11 @@ public function updateDockerRegistries(Swarm $swarm, Request $request)
             $tasks = [];
 
             foreach ($swarmData->registries as $registry) {
-                $previous = $registry->dockerName ? $swarm->data->findRegistry($registry->dockerName) : null;
-                if ($previous) {
-                    if ($registry->sameAs($previous)) {
-                        $registry->dockerName = $previous->dockerName;
+                $previous = $swarm->data->findRegistry($registry->id);
+                if ($registry->sameAs($previous)) {
+                    $registry->password = $previous->password;
 
-                        continue;
-                    }
+                    continue;
                 }
 
                 $registry->dockerName = dockerize_name('registry_r'.$swarmData->registriesRev.'_'.$registry->name);
@@ -108,7 +106,6 @@ public function updateDockerRegistries(Swarm $swarm, Request $request)
                     'type' => NodeTaskType::CreateRegistryAuth,
                     'meta' => CreateRegistryAuthMeta::validateAndCreate($taskMeta),
                     'payload' => [
-                        'PrevConfigName' => $previous?->dockerName,
                         'AuthConfigSpec' => [
                             'ServerAddress' => $registry->serverAddress,
                             'Username' => $registry->username,
@@ -163,10 +160,10 @@ public function updateS3Storages(Swarm $swarm, Request $request)
 
             foreach ($swarmData->s3Storages as $s3Storage) {
                 $previous = $swarm->data->findS3Storage($s3Storage->id);
-                if ($previous) {
-                    if ($s3Storage->sameAs($previous)) {
-                        continue;
-                    }
+                if ($s3Storage->sameAs($previous)) {
+                    $s3Storage->secretKey = $previous->secretKey;
+
+                    continue;
                 }
 
                 $s3Storage->dockerName = dockerize_name('s3_r'.$swarmData->s3StoragesRev.'_'.$s3Storage->name);

Diff for: app/Models/DeploymentData.php

@@ -6,7 +6,6 @@
 use App\Models\DeploymentData\LaunchMode;
 use App\Models\DeploymentData\Process;
 use App\Models\DeploymentData\ReleaseCommand;
-use App\Models\DeploymentData\SecretVars;
 use App\Rules\UniqueInArray;
 use App\Util\Arrays;
 use Illuminate\Validation\ValidationException;
@@ -43,9 +42,7 @@ public static function make(array $attributes): static
             'workers' => [],
             'launchMode' => LaunchMode::Daemon->value,
             'envVars' => [],
-            'secretVars' => SecretVars::from([
-                'vars' => [],
-            ]),
+            'secretVars' => [],
             'configFiles' => [],
             'secretFiles' => [],
             'volumes' => [],

Diff for: app/Models/DeploymentData/ConfigFile.php

@@ -8,25 +8,23 @@ class ConfigFile extends Data
 {
     public function __construct(
         public string $path,
-        public ?string $content,
+        public string $content,
         public ?string $dockerName,
     ) {
         $this->content = $content ?? '';
     }
 
-    public function hash(): string
-    {
-        // TODO: use cache?
-        return md5($this->content);
-    }
-
     public function base64(): string
     {
         return base64_encode($this->content);
     }
 
     public function sameAs(?ConfigFile $older): bool
     {
-        return $older !== null && $this->hash() === $older->hash();
+        if ($older === null) {
+            return false;
+        }
+
+        return $this->content === $older->content;
     }
 }

Diff for: app/Models/DeploymentData/Process.php

@@ -44,12 +44,14 @@ public function __construct(
         #[DataCollectionOf(EnvVar::class)]
         /* @var EnvVar[] */
         public array $envVars,
-        public SecretVars $secretVars,
+        #[DataCollectionOf(SecretVar::class)]
+        /* @var SecretVar[] */
+        public array $secretVars,
         #[DataCollectionOf(ConfigFile::class)]
         /* @var ConfigFile[] */
         public array $configFiles,
-        #[DataCollectionOf(ConfigFile::class)]
-        /* @var ConfigFile[] */
+        #[DataCollectionOf(SecretFile::class)]
+        /* @var SecretFile[] */
         public array $secretFiles,
         #[DataCollectionOf(Volume::class)]
         /* @var Volume[] */
@@ -87,9 +89,14 @@ public function findConfigFile(string $path): ?ConfigFile
         return collect($this->configFiles)->first(fn (ConfigFile $file) => $file->path === $path);
     }
 
-    public function findSecretFile(string $path): ?ConfigFile
+    public function findSecretFile(string $path): ?SecretFile
+    {
+        return collect($this->secretFiles)->first(fn (SecretFile $file) => $file->path === $path);
+    }
+
+    public function findSecretVar(string $name): ?SecretVar
     {
-        return collect($this->secretFiles)->first(fn (ConfigFile $file) => $file->path === $path);
+        return collect($this->secretVars)->first(fn (SecretVar $var) => $var->name === $name);
     }
 
     /**
@@ -142,7 +149,6 @@ public function asNodeTasks(Deployment $deployment): array
                     'deploymentId' => $deployment->id,
                     'processName' => $this->dockerName,
                     'path' => $configFile->path,
-                    'hash' => $configFile->hash(),
                 ]),
                 'payload' => [
                     'SwarmConfigSpec' => [
@@ -151,7 +157,6 @@ public function asNodeTasks(Deployment $deployment): array
                         'Labels' => dockerize_labels([
                             ...$labels,
                             'kind' => 'config',
-                            'content.hash' => $configFile->hash(),
                         ]),
                     ],
                 ],
@@ -160,29 +165,28 @@ public function asNodeTasks(Deployment $deployment): array
 
         foreach ($this->secretFiles as $secretFile) {
             $previousSecret = $previous?->findSecretFile($secretFile->path);
-            if ($previousSecret && ($secretFile->content === null || $secretFile->sameAs($previousSecret))) {
-                $secretFile->dockerName = $previousSecret->dockerName;
+            if ($secretFile->sameAs($previousSecret)) {
+                $secretFile->content = $previousSecret->content;
 
                 continue;
             }
 
-            $secretFile->dockerName = $this->makeResourceName('dpl_'.$deployment->id.'_cfg_'.$secretFile->path);
+            $secretFile->dockerName = $this->makeResourceName('dpl_'.$deployment->id.'_secret_'.$secretFile->path);
 
             $tasks[] = [
                 'type' => NodeTaskType::CreateSecret,
                 'meta' => CreateSecretMeta::from([
                     'deploymentId' => $deployment->id,
                     'processName' => $this->dockerName,
                     'path' => $secretFile->path,
-                    'hash' => $secretFile->hash(),
                 ]),
                 'payload' => [
                     'SwarmSecretSpec' => [
                         'Name' => $secretFile->dockerName,
                         'Data' => $secretFile->base64(),
                         'Labels' => dockerize_labels([
                             ...$labels,
-                            'content.hash' => $secretFile->hash(),
+                            'kind' => 'secret',
                         ]),
                     ],
                 ],
@@ -289,7 +293,7 @@ public function asNodeTasks(Deployment $deployment): array
             'value' => $internalDomain,
         ]);
 
-        $serviceSecretVars = $this->getSecretVars();
+        $serviceSecretVars = $this->getSecretVars($previous);
 
         $tasks[] = [
             'type' => NodeTaskType::LaunchService,
@@ -313,7 +317,7 @@ public function asNodeTasks(Deployment $deployment): array
                             'Hosts' => [
                                 $internalDomain,
                             ],
-                            'Secrets' => collect($this->secretFiles)->map(fn (ConfigFile $secretFile) => [
+                            'Secrets' => collect($this->secretFiles)->map(fn (SecretFile $secretFile) => [
                                 'File' => [
                                     'Name' => $secretFile->path,
                                     // TODO: figure out better permissions settings (if any)
@@ -404,7 +408,7 @@ public function asNodeTasks(Deployment $deployment): array
                                 'Hosts' => [
                                     "{$worker->name}.{$internalDomain}",
                                 ],
-                                'Secrets' => collect($this->secretFiles)->map(fn (ConfigFile $secretFile) => [
+                                'Secrets' => collect($this->secretFiles)->map(fn (SecretFile $secretFile) => [
                                     'File' => [
                                         'Name' => $secretFile->path,
                                         // TODO: figure out better permissions settings (if any)
@@ -454,12 +458,16 @@ public function asNodeTasks(Deployment $deployment): array
         return $tasks;
     }
 
-    protected function getSecretVars(): array
+    protected function getSecretVars(?Process $previous): object
     {
-        return [
-            'Values' => (object) collect($this->secretVars->vars)
-                ->reduce(fn ($carry, EnvVar $var) => [...$carry, $var->name => $var->value ?? ''], []),
-        ];
+        return (object) collect($this->secretVars)
+            ->reduce(function ($carry, SecretVar $var) use ($previous) {
+                $prevVar = $previous?->findSecretVar($var->name);
+
+                $carry[$var->name] = ($var->sameAs($prevVar) ? $prevVar->value : $var->value) ?? '';
+
+                return $carry;
+            }, []);
     }
 
     public function makeResourceName(string $name): string

Diff for: app/Models/DeploymentData/SecretFile.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace App\Models\DeploymentData;
+
+use Spatie\LaravelData\Attributes\Validation\RequiredWithout;
+use Spatie\LaravelData\Data;
+
+class SecretFile extends Data
+{
+    public function __construct(
+        public string $path,
+        #[RequiredWithout('dockerName')]
+        public ?string $content,
+        public ?string $dockerName,
+    ) {}
+
+    public function base64(): string
+    {
+        return base64_encode($this->content);
+    }
+
+    public function sameAs(?SecretFile $older): bool
+    {
+        if ($older === null) {
+            return false;
+        }
+
+        return $this->path === $older->path && is_null($this->content);
+    }
+}

Diff for: app/Models/DeploymentData/SecretVar.php

@@ -0,0 +1,22 @@
+<?php
+
+namespace App\Models\DeploymentData;
+
+use Spatie\LaravelData\Data;
+
+class SecretVar extends Data
+{
+    public function __construct(
+        public string $name,
+        public ?string $value
+    ) {}
+
+    public function sameAs(?SecretVar $other): bool
+    {
+        if ($other === null) {
+            return false;
+        }
+
+        return $this->name === $other->name && is_null($this->value);
+    }
+}