From 20bc6d46ba495ceaf36fea62e0548872635e3a5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Ra=C5=A1ka?=
Date: Thu, 20 Oct 2022 15:26:52 +0200
Subject: [PATCH] fix: mount secret with SSE-C key if neede, fix secret key read.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michal Raška
---
 workflow/artifacts/artifacts.go | 2 +-
 workflow/controller/workflowpod.go | 4 ++
 workflow/controller/workflowpod_test.go | 87 +++++++++++++++++++++++++
 3 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/workflow/artifacts/artifacts.go b/workflow/artifacts/artifacts.go
index b143a7b03617..89f481234084 100644
--- a/workflow/artifacts/artifacts.go
+++ b/workflow/artifacts/artifacts.go
@@ -60,7 +60,7 @@ func newDriver(ctx context.Context, art *wfv1.Artifact, ri resource.Interface) (
 return nil, fmt.Errorf("serverSideCustomerKeySecret and kmsKeyId cannot be set together")
 }

- serverSideCustomerKeyBytes, err := ri.GetSecret(ctx, art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Name, art.S3.SecretKeySecret.Key)
+ serverSideCustomerKeyBytes, err := ri.GetSecret(ctx, art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Name, art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Key)
 if err != nil {
 return nil, err
 }
diff --git a/workflow/controller/workflowpod.go b/workflow/controller/workflowpod.go
index fed3b697cffb..e967db8d8751 100644
--- a/workflow/controller/workflowpod.go
+++ b/workflow/controller/workflowpod.go
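Review bot: The corrected lookup on the `+` line still lets an empty SSE-C key flow onward unchecked — if the secret exists but holds no data under `ServerSideCustomerKeySecret.Key`, whether that is an error or an empty value depends on ri.GetSecret, whose contract is not visible here, and a zero-length key would only fail later, if at all, when the encryption option is built. A guard right after the existing error check, `if len(serverSideCustomerKeyBytes) == 0 { return nil, fmt.Errorf("serverSideCustomerKeySecret %q has no data under key %q", art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Name, art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Key) }`, reports the misconfiguration at the driver boundary with a message that names the selector rather than the key material. A why-comment above the call would also guard against a regression of the bug this commit fixes, e.g. `// The SSE-C key has its own selector; do not reuse the S3 credential secret's key name.` The enclosing newDriver body starts and ends outside this hunk.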
@@ -1171,6 +1171,10 @@ func createSecretVolumesFromArtifactLocations(volMap map[string]apiv1.Volume, ar
 if artifactLocation.S3 != nil {
 createSecretVal(volMap, artifactLocation.S3.AccessKeySecret, keyMap)
 createSecretVal(volMap, artifactLocation.S3.SecretKeySecret, keyMap)
+ sseCUsed := artifactLocation.S3.EncryptionOptions != nil && artifactLocation.S3.EncryptionOptions.EnableEncryption && artifactLocation.S3.EncryptionOptions.ServerSideCustomerKeySecret != nil
+ if sseCUsed {
+ createSecretVal(volMap, artifactLocation.S3.EncryptionOptions.ServerSideCustomerKeySecret, keyMap)
+ }
 } else if artifactLocation.Git != nil {
 createSecretVal(volMap, artifactLocation.Git.UsernameSecret, keyMap)
 createSecretVal(volMap, artifactLocation.Git.PasswordSecret, keyMap)
diff --git a/workflow/controller/workflowpod_test.go b/workflow/controller/workflowpod_test.go
index 128808b005bb..3e22bf8684bf 100644
--- a/workflow/controller/workflowpod_test.go
+++ b/workflow/controller/workflowpod_test.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "fmt"
 "os"
+ "path"
 "path/filepath"
 "strconv"
 "testing"
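Review bot: The new `sseCUsed` condition gates the mount on `EnableEncryption`, which may not match what the artifact driver requires: the artifacts.go hunk in this same commit reads ServerSideCustomerKeySecret whenever that selector is set, and if its enclosing condition (outside that hunk) does not also test EnableEncryption, a location with the selector set but EnableEncryption false gets no volume here and the executor fails at runtime when it tries to read the secret. Either drop the middle term, `sseCUsed := artifactLocation.S3.EncryptionOptions != nil && artifactLocation.S3.EncryptionOptions.ServerSideCustomerKeySecret != nil`, or reject that combination during workflow validation so the mismatch is reported before any pod is created. The test added in this commit only covers EnableEncryption: true; a case with the selector set and EnableEncryption false would pin whichever behaviour is intended. A short comment above the new lines, `// SSE-C needs the customer key mounted into the executor alongside the credential secrets`, would make the intent clear next to the two createSecretVal calls. createSecretVolumesFromArtifactLocations starts and ends outside this hunk.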
@@ -1165,6 +1166,92 @@ func TestTmplLevelSecurityContext(t *testing.T) {
 assert.Equal(t, runAsUser, *pod.Spec.SecurityContext.RunAsUser)
 }

+func Test_createSecretVolumesFromArtifactLocations_SSECUsed(t *testing.T) {
+ ctx := context.Background()
+
+ cancel, controller := newControllerWithComplexDefaults()
+ defer cancel()
+
+ wf := wfv1.MustUnmarshalWorkflow(helloWorldWf)
+ wf.Spec.Templates[0].Inputs = wfv1.Inputs{
+ Artifacts: []wfv1.Artifact{
+ {
+ Name: "foo",
+ Path: "/tmp/file",
+ ArtifactLocation: wfv1.ArtifactLocation{
+ S3: &wfv1.S3Artifact{
+ Key: "/foo/key",
+ },
+ },
+ Archive: &wfv1.ArchiveStrategy{
+ None: &wfv1.NoneStrategy{},
+ },
+ },
+ },
+ }
+ woc := newWorkflowOperationCtx(wf, controller)
+ setArtifactRepository(woc.controller,
+ &wfv1.ArtifactRepository{
+ S3: &wfv1.S3ArtifactRepository{
+ S3Bucket: wfv1.S3Bucket{
+ Bucket: "foo",
+ AccessKeySecret: &apiv1.SecretKeySelector{
+ LocalObjectReference: apiv1.LocalObjectReference{
+ Name: "accesskey",
+ },
+ Key: "aws-keys",
+ },
+ SecretKeySecret: &apiv1.SecretKeySelector{
+ LocalObjectReference: apiv1.LocalObjectReference{
+ Name: "secretkey",
+ },
+ Key: "aws-keys",
+ },
+ EncryptionOptions: &wfv1.S3EncryptionOptions{
+ EnableEncryption: true,
+ ServerSideCustomerKeySecret: &apiv1.SecretKeySelector{
+ LocalObjectReference: apiv1.LocalObjectReference{
+ Name: "enckey",
+ },
+ Key: "aws-sse-c",
+ },
+ },
+ },
+ },
+ },
+ )
+
+ wantVolume := apiv1.Volume{
+ Name: "enckey",
+ VolumeSource: apiv1.VolumeSource{
+ Secret: &apiv1.SecretVolumeSource{
+ SecretName: "enckey",
+ Items: []apiv1.KeyToPath{
+ {
+ Key: "aws-sse-c",
+ Path: "aws-sse-c",
+ },
+ },
+ },
+ },
+ }
+ wantInitContainerVolumeMount := apiv1.VolumeMount{
+ Name: "enckey",
+ ReadOnly: true,
+ MountPath: path.Join(common.SecretVolMountPath, "enckey"),
+ }
+
+ err := woc.setExecWorkflow(ctx)
+ require.NoError(t, err)
+ woc.operate(ctx)
+
+ mainCtr := woc.execWf.Spec.Templates[0].Container
+ pod, _ := woc.createWorkflowPod(ctx, wf.Name, []apiv1.Container{*mainCtr}, &wf.Spec.Templates[0], &createWorkflowPodOpts{})
+ assert.Contains(t, pod.Spec.Volumes, wantVolume)
+ assert.Len(t, pod.Spec.InitContainers, 1)
+ assert.Contains(t, pod.Spec.InitContainers[0].VolumeMounts, wantInitContainerVolumeMount)
+}
+
 var helloWorldWfWithPatch = `
 apiVersion: argoproj.io/v1alpha1
 kind: Workflow
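Review bot: The error from createWorkflowPod is discarded on the `pod, _ :=` line, so a failure there shows up as a nil-pointer panic at `pod.Spec.Volumes` rather than a readable assertion; since `err` is already declared a few lines up, write `pod, err := woc.createWorkflowPod(ctx, wf.Name, []apiv1.Container{*mainCtr}, &wf.Spec.Templates[0], &createWorkflowPodOpts{})` followed by `require.NoError(t, err)`. The assertions cover the pod volume and the init container mount only; if the wait container also needs the SSE-C key for output uploads, an assertion over `pod.Spec.Containers` would catch a regression there, which I cannot confirm from this hunk. A one-line comment above the function stating what it pins — that the SSE-C customer key secret is mounted alongside the access and secret key secrets — would help, as the function name is currently the only hint.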