From 4fac2d5b60573b0ff7eabb3949e732d7fcbb826a Mon Sep 17 00:00:00 2001 From: budimanjojo Date: Mon, 19 Sep 2022 17:46:34 +0700 Subject: [PATCH] feat(config): don't write unencrypted secret to disk thanks to frezbo from talos for pointing this out --- cmd/genconfig.go | 10 +--------- pkg/talos/input.go | 9 +++++---- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/cmd/genconfig.go b/cmd/genconfig.go index 310cf710..88a26a0b 100644 --- a/cmd/genconfig.go +++ b/cmd/genconfig.go @@ -81,15 +81,7 @@ var ( var secretFile string for _, file := range genconfigSecretFile { if _, err := os.Stat(file); err == nil { - secret, err := decrypt.DecryptYamlWithSops(file) - if err != nil { - log.Fatalf("failed to decrypt/read secret file %s: %s", file, err) - } - err = os.WriteFile("/tmp/talsecret.yaml", secret, 0600) - if err != nil { - log.Fatalf("failed to write temp file to /tmp directory: %s", err) - } - secretFile = "/tmp/talsecret.yaml" + secretFile = file } else if errors.Is(err, os.ErrNotExist) { continue } else { diff --git a/pkg/talos/input.go b/pkg/talos/input.go index 39ded3a2..5ce696ce 100644 --- a/pkg/talos/input.go +++ b/pkg/talos/input.go @@ -1,12 +1,12 @@ package talos import ( - "os" - "github.com/budimanjojo/talhelper/pkg/config" + "github.com/budimanjojo/talhelper/pkg/decrypt" tconfig "github.com/talos-systems/talos/pkg/machinery/config" "github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1" "github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/generate" + "gopkg.in/yaml.v3" ) func NewClusterInput(c *config.TalhelperConfig, secretFile string) (*generate.Input, error) { 
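Review bot: `secretFile = file` does not `break`, so when more than one candidate in `genconfigSecretFile` exists the loop keeps going and the last existing file silently wins; if first-match is intended add `break` after the assignment, otherwise a comment such as `// last existing candidate wins` would make the precedence explicit. Because decryption now happens later in NewClusterInput, a failure to decrypt is no longer reported here alongside the candidate's path; a `log.Printf("using secrets file %s", file)` at the point of selection would keep the deferred error attributable (the diffstat shows no import changes, so `log` should still be in scope). The enclosing `for` loop's `else` branch and the surrounding declaration block run past the hunk.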
@@ -20,15 +20,16 @@ func NewClusterInput(c *config.TalhelperConfig, secretFile string) (*generate.In var secrets *generate.SecretsBundle if secretFile != "" { - secrets, err = NewSecretBundle(generate.NewClock(), generate.WithVersionContract(versionContract), generate.WithSecrets(secretFile)) + decrypted, err := decrypt.DecryptYamlWithSops(secretFile) if err != nil { return nil, err } - err = os.Remove(secretFile) + err = yaml.Unmarshal(decrypted, &secrets) if err != nil { return nil, err } + secrets.Clock = generate.NewClock() } else { secrets, err = NewSecretBundle(generate.NewClock(), generate.WithVersionContract(versionContract)) if err != nil {
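Review bot: `secrets.Clock = generate.NewClock()` is reached without checking `secrets`, and `yaml.Unmarshal` leaves it nil when the decrypted document is empty or `null`, so an empty secrets file now panics with a nil-pointer dereference instead of returning an error; add `if secrets == nil { return nil, fmt.Errorf("secrets file %s decrypted to an empty document", secretFile) }` before the assignment (wrapping the decrypt error above the same way would also give it a file name; both need `fmt` added to the import block). Replacing Talos's `generate.WithSecrets` loader with a plain `yaml.Unmarshal` means unknown or mistyped keys in the bundle are silently dropped; a strict decoder, `dec := yaml.NewDecoder(bytes.NewReader(decrypted)); dec.KnownFields(true); err = dec.Decode(&secrets)`, would reject a malformed bundle rather than produce configs with missing secrets, assuming the old loader was strict, which I cannot confirm from here. `generate.WithVersionContract(versionContract)` is also no longer applied on the secrets-file path, which may be intentional but is worth confirming. NewClusterInput continues outside the hunk.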