Remove sops decrypting, receive secrets as environment variables

This is a follow up to RMI/terraform#1, it removes the sops dependency from our binaries and moves it into our terraform/Azure secrets configuration. Makes local dev more straightforward and improves cold start times.

Signed-off-by: Brandon Sprague <[email protected]>

cmd/server/configs/dev.conf

@@ -1,4 +1,3 @@
 env dev
 allowed_cors_origin https://pacta.dev.rmi.siliconally.dev
-sops_path /configs/secrets/dev.enc.json
 port 80

cmd/server/configs/local.conf

@@ -1,3 +1,13 @@
 env local
 allowed_cors_origin http://localhost:3000
-sops_path cmd/server/configs/secrets/local.enc.json
+
+secret_postgres_host UNUSED
+# Also unused
+secret_postgres_port 1234
+secret_postgres_database UNUSED
+secret_postgres_user UNUSED
+secret_postgres_password UNUSED
+
+# In non-local environments, these are passed in by Azure's secret handling infra
+secret_auth_public_key_id 2023-08-11
+secret_auth_public_key_data -----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAP/Sv7H5TRozqXeQ2zV9W4V6Zkb/U5XWEjCQbOwAl0nc=\n-----END PUBLIC KEY-----

cmd/server/main.go

@@ -50,9 +50,17 @@ func run(args []string) error {
 		allowedCORSOrigin = fs.String("allowed_cors_origin", "", "If specified, enables CORS handling and allows the given domain, e.g. 'http://localhost:3000'. This is used for the example web client in frontend/")
 
 		env      = fs.String("env", "", "The environment that we're running in.")
-		localDSN = fs.String("local_dsn", "", "If set, override the DB addresses retrieved from the sops configuration. Can only be used when running locally.")
+		localDSN = fs.String("local_dsn", "", "If set, override the DB addresses retrieved from the secret configuration. Can only be used when running locally.")
 
-		sopsPath = fs.String("sops_path", "", "Path to the sops-formatted file containing sensitive credentials to be decrypted at runtime.")
+		// Secrets
+		pgHost     = fs.String("secret_postgres_host", "", "Host of the Postgres server, like db.example.com")
+		pgPort     = fs.Int("secret_postgres_port", 5432, "Port to connect to the Postgres server on")
+		pgDatabase = fs.String("secret_postgres_database", "", "Name of the postgres database, like pactasrv")
+		pgUser     = fs.String("secret_postgres_user", "", "Name of the Postgres user to connect as")
+		pgPassword = fs.String("secret_postgres_password", "", "Password of the Postgres user to connect as")
+
+		authKeyID   = fs.String("secret_auth_public_key_id", "", "Key ID (kid) of the JWT tokens to allow")
+		authKeyData = fs.String("secret_auth_public_key_data", "", "PEM-encoded Ed25519 public key to verify JWT tokens with, contains literal \\n characters that will need to be replaced before parsing")
 	)
 	// Allows for passing in configuration via a -config path/to/env-file.conf
 	// flag, see https://pkg.go.dev/github.com/namsral/flag#readme-usage
@@ -78,11 +86,21 @@ func run(args []string) error {
 		}
 	}
 
-	// Pub is the key we use to authenticate signatures on user auth tokens.
-	logger.Info("Loading sops secrets", zap.String("sops_path", *sopsPath))
-	sec, err := secrets.LoadPACTA(*sopsPath)
+	sec, err := secrets.LoadPACTA(&secrets.RawPACTAConfig{
+		PostgresConfig: &secrets.RawPostgresConfig{
+			Host:     *pgHost,
+			Port:     *pgPort,
+			Database: *pgDatabase,
+			User:     *pgUser,
+			Password: *pgPassword,
+		},
+		AuthVerificationKey: &secrets.RawAuthVerificationKey{
+			ID:   *authKeyID,
+			Data: *authKeyData,
+		},
+	})
 	if err != nil {
-		return fmt.Errorf("failed to decrypt secrets: %w", err)
+		return fmt.Errorf("failed to parse secrets: %w", err)
 	}
 
 	if *localDSN != "" && *env != "local" {

cmd/tools/migratesqldb/cmd/BUILD.bazel

@@ -9,7 +9,6 @@ go_library(
     importpath = "github.com/RMI/pacta/cmd/tools/migratesqldb/cmd",
     visibility = ["//visibility:public"],
     deps = [
-        "//secrets",
         "@com_github_jackc_pgx_v5//pgxpool",
         "@com_github_silicon_ally_testpgx//migrate",
         "@com_github_spf13_cobra//:cobra",

cmd/tools/migratesqldb/cmd/cmd.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/RMI/pacta/secrets"
 	"github.com/Silicon-Ally/testpgx/migrate"
 	"github.com/bazelbuild/rules_go/go/tools/bazel"
 	"github.com/jackc/pgx/v5/pgxpool"
@@ -27,8 +26,7 @@ var (
 
 // Flags
 var (
-	sopsConfigPath string // --sops_encrypted_config
-	dsn            string // --dsn
+	dsn string // --dsn
 )
 
 // Commands
@@ -37,22 +35,13 @@ var (
 		Use:   "migratesqldb",
 		Short: "A simple tool for applying our migration set, using golang-migrate",
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			var pgCfg *pgxpool.Config
-			switch {
-			case sopsConfigPath != "":
-				cfg, err := secrets.LoadMigratorConfig(sopsConfigPath)
-				if err != nil {
-					return fmt.Errorf("failed to load migrator config: %w", err)
-				}
-				pgCfg = cfg.Postgres
-			case dsn != "":
-				cfg, err := pgxpool.ParseConfig(dsn)
-				if err != nil {
-					return fmt.Errorf("failed to parse DSN: %w", err)
-				}
-				pgCfg = cfg
-			default:
-				return errors.New("no --sops_encrypted_config or --dsn was specified")
+			if dsn == "" {
+				return errors.New("no --dsn was specified")
+			}
+
+			pgCfg, err := pgxpool.ParseConfig(dsn)
+			if err != nil {
+				return fmt.Errorf("failed to parse DSN: %w", err)
 			}
 
 			db, err := sql.Open("pgx", pgCfg.ConnString())
@@ -91,7 +80,6 @@ var (
 )
 
 func init() {
-	rootCmd.PersistentFlags().StringVar(&sopsConfigPath, "sops_encrypted_config", "", "A JSON-formatted configuration file for the migrator, parseable by the SOPS tool (https://github.com/mozilla/sops).")
 	rootCmd.PersistentFlags().StringVar(&dsn, "dsn", "", "A Postgres DSN, parsable by pgx.ParseConfig")
 	rootCmd.AddCommand(applyCmd)
 }

cmd/tools/migratesqldb/main.go

@@ -1,6 +1,5 @@
 // Command migrate provides functionality for managing migration sets applied
-// to a database, using the golang-migrate library. It currently takes
-// configuration via a sops-encrypted file.
+// to a database, using the golang-migrate library.
 package main
 
 import (