weaveworks / weave-gitops-enterprise

This repo provides the enterprise level features for the weave-gitops product, including CAPI cluster creation and team workspaces.
https://docs.gitops.weave.works/
Apache License 2.0
160 stars 29 forks

cannot encrypt secret due to missing gpg binary #2970

Closed enekofb closed 1 year ago

enekofb commented 1 year ago

WGE release: v0.25.0

Priority

Severity

Describe the bug

Initially found here, where, in the context of addressing CVEs found for WGE and Azure Marketplace, we changed the clusters-service base image.

Given that the create SOPS secret journey relies on having the gpg binary, when exercising the journey we get the following error (screenshot).

To Reproduce

Actual behaviour

Expected behaviour

Additional context

enekofb commented 1 year ago

A suggested plan could be:

1) Tactic: to restore the functionality in next release by having available the binary.

There are two directions

In any case, we should engage with @foot for both visibility and to verify what this change means for Azure Marketplace. I could imagine that if the image passes the vulnerability scanner, we are good to go.

2) Find whether this is the best-balanced alternative we have available. Some could be:

3) Implement 2).

4) Ensure regressions are tested.

foot commented 1 year ago

Oh no! Yeah this was the image base change. Sorry about that.

We're trying to understand Azure's CVE policy at the moment; it's a bit strict. Alpine has been flagged by Azure every time we try and publish (openssl issues), so switching to distroless helped there.

If we need all those libs etc. maybe it's better to switch back to alpine though. There is another PR up to keep our openssl up to date when building (https://github.com/weaveworks/weave-gitops-enterprise/pull/2961), which will hopefully help too.

enekofb commented 1 year ago

Testing the branch in the fluxga environment:

```
~ $ which gpg
/usr/bin/gpg
~ $ gpg --version
gpg (GnuPG) 2.4.1
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: //.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
~ $
```
enekofb commented 1 year ago

[Screenshot 2023-06-20 at 16 07 57]

```
{"level":"error","ts":"2023-06-20T14:06:43.575Z","msg":"server error","error":"failed to encrypt secret: exit status 2"}
{"level":"info","ts":"2023-06-20T14:06:43.575Z","msg":"server error","uri":"/v1/encrypt-sops-secret","status":500}
```
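The server log above only reports "exit status 2", which hides whatever gpg wrote to stderr. As an added example (not clusters-service's or SOPS's own code), the Go snippet below shows two practices that make this class of failure diagnosable: resolve the binary with `exec.LookPath` once at start-up so a base-image change that drops gpg is caught at boot rather than on the first `/v1/encrypt-sops-secret` request, and capture stderr so the error carries gpg's own message next to the exit code. The helper names (`CheckBinary`, `RunCapturingStderr`, `EncryptWithGPG`) and the recipient key ID are assumptions made for illustration; the gpg flags used are standard ones.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// ErrBinaryMissing lets callers tell "binary not shipped in the image" apart
// from a genuine gpg failure. Hypothetical name, not from the project.
var ErrBinaryMissing = errors.New("required binary not found in PATH")

// CheckBinary resolves binary via PATH. Run it once at service start-up so a
// base-image change that removes gpg fails the boot, not a user's request.
func CheckBinary(binary string) (string, error) {
	path, err := exec.LookPath(binary)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBinaryMissing, err)
	}
	return path, nil
}

// RunCapturingStderr runs binary with args, feeding stdin, and returns stdout.
// On a non-zero exit the returned error includes the exit code and the
// process's stderr, rather than the bare "exit status N" that exec.Cmd.Run
// yields on its own.
func RunCapturingStderr(ctx context.Context, binary string, stdin []byte, args ...string) ([]byte, error) {
	if _, err := CheckBinary(binary); err != nil {
		return nil, err
	}
	cmd := exec.CommandContext(ctx, binary, args...)
	var stdout, stderr bytes.Buffer
	cmd.Stdin = bytes.NewReader(stdin)
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return nil, fmt.Errorf("%s exited with status %d: %s",
				binary, exitErr.ExitCode(), strings.TrimSpace(stderr.String()))
		}
		return nil, fmt.Errorf("running %s: %w", binary, err)
	}
	return stdout.Bytes(), nil
}

// EncryptWithGPG (hypothetical helper) ASCII-armor-encrypts plaintext to one
// recipient with standard gpg flags. Without stderr capture, any failure here
// (missing keyring, unknown recipient, unwritable home) shows up only as an
// exit status in the service log.
func EncryptWithGPG(ctx context.Context, recipient string, plaintext []byte) ([]byte, error) {
	args := []string{"--batch", "--yes", "--armor", "--trust-model", "always",
		"--encrypt", "--recipient", recipient}
	return RunCapturingStderr(ctx, "gpg", plaintext, args...)
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	path, err := CheckBinary("gpg")
	if err != nil {
		// This is the message a distroless image without gpg would produce.
		fmt.Println("startup check failed:", err)
		return
	}
	fmt.Println("gpg found at", path)

	// Constructed sample input; the recipient is a placeholder key ID.
	_, err = EncryptWithGPG(ctx, "0xDEADBEEF", []byte("apiKey: hunter2\n"))
	fmt.Println("encrypt result:", err)
}
```

Run it inside the container image under test (`go run` or as a start-up probe) to confirm the binary is present before wiring the endpoint; on the image described in this issue the first check fails immediately with the wrapped `ErrBinaryMissing` instead of a 500 on first use.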
enekofb commented 1 year ago

With the latest in the branch, this is how it works:

https://github.com/weaveworks/clusters-config/pull/452

[Screenshot 2023-06-20 at 17 08 21]

enekofb commented 1 year ago

Tested for vulnerabilities:

```
➜  weave-gitops-enterprise git:(add-gpg-to-wge-eneko) ✗ docker scan --accept-license docker.io/weaveworks/weave-gitops-enterprise-clusters-service:add-gpg-to-wge-eneko-0550d01e-WIP

Testing docker.io/weaveworks/weave-gitops-enterprise-clusters-service:add-gpg-to-wge-eneko-0550d01e-WIP...

Package manager:   apk
Project name:      docker-image|docker.io/weaveworks/weave-gitops-enterprise-clusters-service
Docker image:      docker.io/weaveworks/weave-gitops-enterprise-clusters-service:add-gpg-to-wge-eneko-0550d01e-WIP
Platform:          linux/arm64

✔ Tested 50 dependencies for known vulnerabilities, no vulnerable paths found.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
```

[Screenshot 2023-06-21 at 08 46 56]