don't disable logs for encrypted jobs known to user

.github/workflows/goreleaser-action.yaml

@@ -27,8 +27,6 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ENCRYPTION_KEYS: ${{ secrets.ENCRYPTION_KEYS }}
-          CA_PATH_VALUE: ${{ secrets.PROMETHEUS_ROOT_CA }}
-          PROMETHEUS_BASIC_AUTH: ${{ secrets.PROMETHEUS_BASIC_AUTH }}
+          PROTECTED_KEYS: ${{ secrets.PROTECTED_KEYS }}
           DEFAULT_CONFIG_VALUE: ${{ secrets.DEFAULT_CONFIG }}
           DEFAULT_CONFIG_PATH: ${{ secrets.DEFAULT_CONFIG_PATH }}

.github/workflows/ko-build.yaml

@@ -26,8 +26,6 @@ jobs:
       - run: KO_DOCKER_REPO=${DOCKER_REPO,,} ko publish --bare --tags ${{ github.ref_name }},latest --platform all .
         env:
           VERSION: ${{ github.ref_name }}-beta
-          ENCRYPTION_KEYS: ${{ secrets.ENCRYPTION_KEYS }}
-          CA_PATH_VALUE: ${{ secrets.PROMETHEUS_ROOT_CA }}
-          PROMETHEUS_BASIC_AUTH: ${{ secrets.PROMETHEUS_BASIC_AUTH }}
+          PROTECTED_KEYS: ${{ secrets.PROTECTED_KEYS }}
           DEFAULT_CONFIG_VALUE: ${{ secrets.DEFAULT_CONFIG }}
           DEFAULT_CONFIG_PATH: ${{ secrets.DEFAULT_CONFIG_PATH }}

.github/workflows/ko-release.yaml

@@ -25,8 +25,6 @@ jobs:
       - run: KO_DOCKER_REPO=${DOCKER_REPO,,} ko publish --bare --tags ${{ github.ref_name }},latest --platform all .
         env:
           VERSION: ${{ github.ref_name }}
-          ENCRYPTION_KEYS: ${{ secrets.ENCRYPTION_KEYS }}
-          CA_PATH_VALUE: ${{ secrets.PROMETHEUS_ROOT_CA }}
-          PROMETHEUS_BASIC_AUTH: ${{ secrets.PROMETHEUS_BASIC_AUTH }}
+          PROTECTED_KEYS: ${{ secrets.PROTECTED_KEYS }}
           DEFAULT_CONFIG_VALUE: ${{ secrets.DEFAULT_CONFIG }}
           DEFAULT_CONFIG_PATH: ${{ secrets.DEFAULT_CONFIG_PATH }}

.goreleaser.yaml

@@ -36,7 +36,7 @@ builds:
       - -s -w
       - -extldflags "-static"
       - -X github.com/Arriven/db1000n/src/utils/ota.Version={{ .Version }}
-      - -X github.com/Arriven/db1000n/src/utils.EncryptionKeys={{ .Env.ENCRYPTION_KEYS }}
+      - -X github.com/Arriven/db1000n/src/utils.ProtectedKeys={{ .Env.PROTECTED_KEYS }}
       - -X github.com/Arriven/db1000n/src/job/config.DefaultConfig={{ .Env.DEFAULT_CONFIG_VALUE }}
       - -X github.com/Arriven/db1000n/src/job.DefaultConfigPathCSV={{ .Env.DEFAULT_CONFIG_PATH }}
 archives:

.ko.yaml

@@ -11,6 +11,6 @@ builds:
       - -s -w
       - -extldflags "-static"
       - -X github.com/Arriven/db1000n/src/utils/ota.Version={{ .Env.VERSION }}
-      - -X github.com/Arriven/db1000n/src/utils.EncryptionKeys={{ .Env.ENCRYPTION_KEYS }}
+      - -X github.com/Arriven/db1000n/src/utils.ProtectedKeys={{ .Env.PROTECTED_KEYS }}
       - -X github.com/Arriven/db1000n/src/job/config.DefaultConfig={{ .Env.DEFAULT_CONFIG_VALUE }}
       - -X github.com/Arriven/db1000n/src/job.DefaultConfigPathCSV={{ .Env.DEFAULT_CONFIG_PATH }}

src/job/config/config.go

@@ -57,7 +57,7 @@ type MultiConfig struct {
 
 type RawMultiConfig struct {
 	Body         []byte
-	Encrypted    bool
+	Protected    bool
 	lastModified string
 	etag         string
 }
@@ -93,7 +93,7 @@ func fetchAndDecrypt(logger *zap.Logger, path string, lastKnownConfig *RawMultiC
 			return nil, fmt.Errorf("encryption disabled")
 		}
 
-		decryptedConfig, err := utils.Decrypt(config.Body)
+		decryptedConfig, protected, err := utils.Decrypt(config.Body)
 		if err != nil {
 			logger.Warn("can't decrypt config", zap.Error(err))
 
@@ -103,7 +103,7 @@ func fetchAndDecrypt(logger *zap.Logger, path string, lastKnownConfig *RawMultiC
 		logger.Info("decrypted config")
 
 		config.Body = decryptedConfig
-		config.Encrypted = true
+		config.Protected = protected
 	}
 
 	return config, nil

src/job/runner.go

@@ -111,8 +111,8 @@ func (r *Runner) Run(ctx context.Context, logger *zap.Logger) {
 
 			metric = &metrics.Metrics{} // clear info about previous targets and avoid old jobs from dumping old info to new metrics
 
-			if rawConfig.Encrypted {
-				logger.Info("config is encrypted, disabling logs")
+			if rawConfig.Protected {
+				logger.Info("config is protected, disabling logs")
 
 				cancel = r.runJobs(ctx, cfg, nil, zap.NewNop())
 			} else {

src/job/utils.go

@@ -239,7 +239,7 @@ func encryptedJob(ctx context.Context, args config.Args, globalConfig *GlobalCon
 		return nil, err
 	}
 
-	decrypted, err := utils.Decrypt(decoded)
+	decrypted, protected, err := utils.Decrypt(decoded)
 	if err != nil {
 		return nil, err
 	}
@@ -255,5 +255,9 @@ func encryptedJob(ctx context.Context, args config.Args, globalConfig *GlobalCon
 		return nil, fmt.Errorf("unknown job %q", jobCfg.Type)
 	}
 
-	return job(ctx, jobCfg.Args, globalConfig, nil, zap.NewNop())
+	if protected {
+		return job(ctx, jobCfg.Args, globalConfig, nil, zap.NewNop())
+	}
+
+	return job(ctx, jobCfg.Args, globalConfig, a, logger)
 }

src/utils/crypto.go

@@ -16,6 +16,8 @@ import (
 // EncryptionKeys random 32 byte key encoded into base64 string. Used by default for configs
 var EncryptionKeys = `/45pB920B6DFNwCB/n4rYUio3AVMawrdtrFnjTSIzL4=`
 
+var ProtectedKeys = ``
+
 // decryption takes a bunch of RAM to generate scrypt identity
 // we don't do decryption in hot paths so it's better to only allow one thread doing decryption at a time to avoi OOM
 var decryptMutex sync.Mutex
@@ -25,8 +27,13 @@ const (
 	keySeparator         = `&`
 )
 
+type encryptionKey struct {
+	key       string
+	protected bool //indicates that the content encrypted by this key shouldn't be logged anywhere
+}
+
 // GetEncryptionKeys returns list of encryption keys from ENCRYPTION_KEYS env variable name or default value
-func GetEncryptionKeys() ([]string, error) {
+func GetEncryptionKeys() ([]encryptionKey, error) {
 	keysString := GetEnvStringDefault(encryptionKeyEnvName, EncryptionKeys)
 	if keysString != EncryptionKeys {
 		// if user specified own keys, add default at end to be sure that it always used too
@@ -37,11 +44,17 @@ func GetEncryptionKeys() ([]string, error) {
 	// +1 to allocate for case if no separator and list contains key itself
 	// otherwise we just allocate +1 struct for string slice that stores just 2 int fields
 	// that is not a lot
-	output := make([]string, 0, strings.Count(keysString, keySeparator)+1)
+	output := make([]encryptionKey, 0, strings.Count(keysString, keySeparator)+strings.Count(ProtectedKeys, keySeparator)+1)
 
 	for _, key := range strings.Split(keysString, keySeparator) {
 		if key != "" {
-			output = append(output, key)
+			output = append(output, encryptionKey{key: key})
+		}
+	}
+
+	for _, key := range strings.Split(ProtectedKeys, keySeparator) {
+		if key != "" {
+			output = append(output, encryptionKey{key: key, protected: true})
 		}
 	}
 
@@ -54,28 +67,28 @@ func IsEncrypted(cfg []byte) bool {
 }
 
 // Decrypt decrypts config using EncryptionKeys
-func Decrypt(cfg []byte) (result []byte, err error) {
+func Decrypt(cfg []byte) (result []byte, protected bool, err error) {
 	keys, err := GetEncryptionKeys()
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 
 	decryptMutex.Lock()
 	defer decryptMutex.Unlock()
 
 	// iterate over all keys and return on first success decryption
 	for _, key := range keys {
-		result, err = decrypt(cfg, key)
+		result, err = decrypt(cfg, key.key)
 		runtime.GC() // force GC to decrease memory usage
 
 		if err != nil {
 			continue
 		}
 
-		return result, nil
+		return result, key.protected, nil
 	}
 
-	return nil, err
+	return nil, false, err
 }
 
 func decrypt(cfg []byte, key string) ([]byte, error) {

src/utils/crypto_noop.go

@@ -19,6 +19,6 @@ func IsEncrypted(cfg []byte) bool {
 }
 
 // Decrypt decrypts config using EncryptionKeys
-func Decrypt(cfg []byte) ([]byte, error) {
-	return nil, fmt.Errorf("encryption not supported")
+func Decrypt(cfg []byte) ([]byte, bool, error) {
+	return nil, false, fmt.Errorf("encryption not supported")
 }