Support basic AES-256 encryption of AutoFlow Workflow data (!2076) · Merge requests · GitLab.org / cluster-integration / GitLab Agent for Kubernetes

Timo Furrer requested to merge autoflow/payload-encryption into master Dec 12, 2024

Support basic AES-256 encryption of AutoFlow Workflow data

This change set adds a custom PayloadCodec to encrypt workflow data. The codec currently uses a simple AES-256 GCM based encryption using a static key that is the same for all Workflow data, i.e. no key separation between "users" of AutoFlow.

If the key file is not provided to KAS no encryption is used.

This change set also implements an autoflow codec-server command that can be used together with the Temporal Web UI to decrypt Workflow data.

❗ This is not production-grade code. We wouldn't want people to necessarily host the codec server. Actually, with Temporal Cloud we can use OIDC where the Temporal Web UI sends an access token that can be verified. We probably also want a per-tenant encryption key and not just a static key that's the same for all workload. However, this all can come in iterations.

Refs gitlab-org/gitlab#508263

Edited Dec 12, 2024 by Timo Furrer

Support basic AES-256 encryption of AutoFlow Workflow data

Merge request reports