feat: encryption for db credentials

App.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"github.com/devtron-labs/common-lib/middlewares"
 	pubsub "github.com/devtron-labs/common-lib/pubsub-lib"
+	"github.com/devtron-labs/common-lib/securestore"
 	posthogTelemetry "github.com/devtron-labs/common-lib/telemetry"
 	"github.com/devtron-labs/devtron/pkg/eventProcessor"
 	"github.com/devtron-labs/devtron/pkg/eventProcessor/in"
@@ -47,6 +48,13 @@ import (
 	"go.uber.org/zap"
 )
 
+func init() {
+	err := securestore.SetEncryptionKey()
+	if err != nil {
+		log.Println("error in setting encryption key", "err", err)
+	}
+}
+
 type App struct {
 	MuxRouter     *router.MuxRouter
 	Logger        *zap.SugaredLogger

Makefile

@@ -2,7 +2,7 @@
 
 all: fetch-all-env build
 
-TARGET_BRANCH?=develop
+TARGET_BRANCH?=main
 TAG?=$(shell bash -c 'git log --pretty=format:'%h' -n 1')
 FLAGS=
 ENVVAR=

api/helm-app/service/HelmAppService.go

@@ -965,10 +965,10 @@ func (impl *HelmAppServiceImpl) TemplateChart(ctx context.Context, templateChart
 		registryCredential = &gRPC.RegistryCredential{
 			RegistryUrl:         appStoreAppVersion.AppStore.DockerArtifactStore.RegistryURL,
 			Username:            appStoreAppVersion.AppStore.DockerArtifactStore.Username,
-			Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password,
+			Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password.String(),
 			AwsRegion:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSRegion,
 			AccessKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSAccessKeyId,
-			SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey,
+			SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey.String(),
 			RegistryType:        string(appStoreAppVersion.AppStore.DockerArtifactStore.RegistryType),
 			RepoName:            appStoreAppVersion.AppStore.Name,
 			IsPublic:            ociRegistryConfig.IsPublic,

cmd/external-app/externalApp.go

@@ -20,6 +20,8 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/devtron-labs/common-lib/securestore"
+	"log"
 	"net/http"
 	"os"
 	"time"
@@ -35,6 +37,13 @@ import (
 	"go.uber.org/zap"
 )
 
+func init() {
+	err := securestore.SetEncryptionKey()
+	if err != nil {
+		log.Println("error in setting encryption key", "err", err)
+	}
+}
+
 type App struct {
 	db             *pg.DB
 	sessionManager *authMiddleware.SessionManager

go.mod

@@ -335,7 +335,7 @@ require (
 replace (
 	github.com/argoproj/argo-workflows/v3 v3.5.13 => github.com/devtron-labs/argo-workflows/v3 v3.5.13
 	github.com/cyphar/filepath-securejoin v0.4.1 => github.com/cyphar/filepath-securejoin v0.3.6 // indirect
-	github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250911133753-9256a0667454
-	github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250911133753-9256a0667454
+	github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20251013071936-4564399cd269
+	github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20251013071936-4564399cd269
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
 )

go.sum

@@ -237,10 +237,10 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc h1:VRRKCwnzq
 github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/devtron-labs/argo-workflows/v3 v3.5.13 h1:3pINq0gXOSeTw2z/vYe+j80lRpSN5Rp/8mfQORh8SmU=
 github.com/devtron-labs/argo-workflows/v3 v3.5.13/go.mod h1:/vqxcovDPT4zqr4DjR5v7CF8ggpY1l3TSa2CIG3jmjA=
-github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250911133753-9256a0667454 h1:FfSiQrZpr6rDjmtFR6u3vG1WaoUBkv4ZR6rGZ5eRX8I=
-github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250911133753-9256a0667454/go.mod h1:9LCkYfiWaEKIBkmxw9jX1GujvEMyHwmDtVsatffAkeU=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250911133753-9256a0667454 h1:qpYqvcezyTM9yDBSsDHJvp7GjSypx9SxiU/L4xoZR9s=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250911133753-9256a0667454/go.mod h1:/Ciy9tD9OxZOWBDPIasM448H7uvSo4+ZJiExpfwBZpA=
+github.com/devtron-labs/devtron-services/authenticator v0.0.0-20251013071936-4564399cd269 h1:DWDnjdZ+AAa4w+WiqFPLS4kBRVeY+BvHQGrfEsFTREE=
+github.com/devtron-labs/devtron-services/authenticator v0.0.0-20251013071936-4564399cd269/go.mod h1:9LCkYfiWaEKIBkmxw9jX1GujvEMyHwmDtVsatffAkeU=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20251013071936-4564399cd269 h1:9+YW3jipbllOHJ1l3mYFSeSris1wUCaM/MQuI4p+Hxc=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20251013071936-4564399cd269/go.mod h1:/Ciy9tD9OxZOWBDPIasM448H7uvSo4+ZJiExpfwBZpA=
 github.com/devtron-labs/go-bitbucket v0.9.60-beta h1:VEx1jvDgdtDPS6A1uUFoaEi0l1/oLhbr+90xOwr6sDU=
 github.com/devtron-labs/go-bitbucket v0.9.60-beta/go.mod h1:GnuiCesvh8xyHeMCb+twm8lBR/kQzJYSKL28ZfObp1Y=
 github.com/devtron-labs/protos v0.0.3-0.20250323220609-ecf8a0f7305e h1:U6UdYbW8a7xn5IzFPd8cywjVVPfutGJCudjePAfL/Hs=

internal/sql/repository/GitOpsConfigRepository.go

@@ -17,6 +17,7 @@
 package repository
 
 import (
+	"github.com/devtron-labs/common-lib/securestore"
 	"github.com/devtron-labs/devtron/pkg/sql"
 	"github.com/go-pg/pg"
 	"go.uber.org/zap"
@@ -41,24 +42,24 @@ type GitOpsConfigRepositoryImpl struct {
 }
 
 type GitOpsConfig struct {
-	tableName             struct{} `sql:"gitops_config" pg:",discard_unknown_columns"`
-	Id                    int      `sql:"id,pk"`
-	Provider              string   `sql:"provider"`
-	Username              string   `sql:"username"`
-	Token                 string   `sql:"token"`
-	GitLabGroupId         string   `sql:"gitlab_group_id"`
-	GitHubOrgId           string   `sql:"github_org_id"`
-	AzureProject          string   `sql:"azure_project"`
-	Host                  string   `sql:"host"`
-	Active                bool     `sql:"active,notnull"`
-	AllowCustomRepository bool     `sql:"allow_custom_repository,notnull"`
-	BitBucketWorkspaceId  string   `sql:"bitbucket_workspace_id"`
-	BitBucketProjectKey   string   `sql:"bitbucket_project_key"`
-	EmailId               string   `sql:"email_id"`
-	EnableTLSVerification bool     `sql:"enable_tls_verification"`
-	TlsCert               string   `sql:"tls_cert"`
-	TlsKey                string   `sql:"tls_key"`
-	CaCert                string   `sql:"ca_cert"`
+	tableName             struct{}                    `sql:"gitops_config" pg:",discard_unknown_columns"`
+	Id                    int                         `sql:"id,pk"`
+	Provider              string                      `sql:"provider"`
+	Username              string                      `sql:"username"`
+	Token                 securestore.EncryptedString `sql:"token"`
+	GitLabGroupId         string                      `sql:"gitlab_group_id"`
+	GitHubOrgId           string                      `sql:"github_org_id"`
+	AzureProject          string                      `sql:"azure_project"`
+	Host                  string                      `sql:"host"`
+	Active                bool                        `sql:"active,notnull"`
+	AllowCustomRepository bool                        `sql:"allow_custom_repository,notnull"`
+	BitBucketWorkspaceId  string                      `sql:"bitbucket_workspace_id"`
+	BitBucketProjectKey   string                      `sql:"bitbucket_project_key"`
+	EmailId               string                      `sql:"email_id"`
+	EnableTLSVerification bool                        `sql:"enable_tls_verification"`
+	TlsCert               string                      `sql:"tls_cert"`
+	TlsKey                string                      `sql:"tls_key"`
+	CaCert                string                      `sql:"ca_cert"`
 	sql.AuditLog
 }
 
@@ -71,15 +72,24 @@ func (impl *GitOpsConfigRepositoryImpl) GetConnection() *pg.DB {
 }
 
 func (impl *GitOpsConfigRepositoryImpl) CreateGitOpsConfig(model *GitOpsConfig, tx *pg.Tx) (*GitOpsConfig, error) {
-	err := tx.Insert(model)
+	var err error
+	model.Token, err = securestore.EncryptString(model.Token.String())
+	if err != nil {
+		return model, err
+	}
+	err = tx.Insert(model)
 	if err != nil {
 		impl.logger.Error(err)
 		return model, err
 	}
 	return model, nil
 }
-func (impl *GitOpsConfigRepositoryImpl) UpdateGitOpsConfig(model *GitOpsConfig, tx *pg.Tx) error {
-	err := tx.Update(model)
+func (impl *GitOpsConfigRepositoryImpl) UpdateGitOpsConfig(model *GitOpsConfig, tx *pg.Tx) (err error) {
+	model.Token, err = securestore.EncryptString(model.Token.String())
+	if err != nil {
+		return err
+	}
+	err = tx.Update(model)
 	if err != nil {
 		impl.logger.Error(err)
 		return err

internal/sql/repository/dockerRegistry/DockerArtifactStoreRepository.go

@@ -18,6 +18,7 @@ package repository
 
 import (
 	"fmt"
+	"github.com/devtron-labs/common-lib/securestore"
 	"github.com/devtron-labs/devtron/pkg/sql"
 	"github.com/devtron-labs/devtron/util"
 	"github.com/go-pg/pg/orm"
@@ -46,21 +47,21 @@ type RegistryType string
 var OCI_REGISRTY_REPO_TYPE_LIST = []string{OCI_REGISRTY_REPO_TYPE_CONTAINER, OCI_REGISRTY_REPO_TYPE_CHART}
 
 type DockerArtifactStore struct {
-	tableName              struct{}     `sql:"docker_artifact_store" json:",omitempty"  pg:",discard_unknown_columns"`
-	Id                     string       `sql:"id,pk" json:"id,,omitempty"`
-	PluginId               string       `sql:"plugin_id,notnull" json:"pluginId,omitempty"`
-	RegistryURL            string       `sql:"registry_url" json:"registryUrl,omitempty"`
-	RegistryType           RegistryType `sql:"registry_type,notnull" json:"registryType,omitempty"`
-	IsOCICompliantRegistry bool         `sql:"is_oci_compliant_registry,notnull" json:"isOCICompliantRegistry,omitempty"`
-	AWSAccessKeyId         string       `sql:"aws_accesskey_id" json:"awsAccessKeyId,omitempty" `
-	AWSSecretAccessKey     string       `sql:"aws_secret_accesskey" json:"awsSecretAccessKey,omitempty"`
-	AWSRegion              string       `sql:"aws_region" json:"awsRegion,omitempty"`
-	Username               string       `sql:"username" json:"username,omitempty"`
-	Password               string       `sql:"password" json:"password,omitempty"`
-	IsDefault              bool         `sql:"is_default,notnull" json:"isDefault"`
-	Connection             string       `sql:"connection" json:"connection,omitempty"`
-	Cert                   string       `sql:"cert" json:"cert,omitempty"`
-	Active                 bool         `sql:"active,notnull" json:"active"`
+	tableName              struct{}                    `sql:"docker_artifact_store" json:",omitempty"  pg:",discard_unknown_columns"`
+	Id                     string                      `sql:"id,pk" json:"id,,omitempty"`
+	PluginId               string                      `sql:"plugin_id,notnull" json:"pluginId,omitempty"`
+	RegistryURL            string                      `sql:"registry_url" json:"registryUrl,omitempty"`
+	RegistryType           RegistryType                `sql:"registry_type,notnull" json:"registryType,omitempty"`
+	IsOCICompliantRegistry bool                        `sql:"is_oci_compliant_registry,notnull" json:"isOCICompliantRegistry,omitempty"`
+	AWSAccessKeyId         string                      `sql:"aws_accesskey_id" json:"awsAccessKeyId,omitempty" `
+	AWSSecretAccessKey     securestore.EncryptedString `sql:"aws_secret_accesskey" json:"awsSecretAccessKey,omitempty"`
+	AWSRegion              string                      `sql:"aws_region" json:"awsRegion,omitempty"`
+	Username               string                      `sql:"username" json:"username,omitempty"`
+	Password               securestore.EncryptedString `sql:"password" json:"password,omitempty"`
+	IsDefault              bool                        `sql:"is_default,notnull" json:"isDefault"`
+	Connection             string                      `sql:"connection" json:"connection,omitempty"`
+	Cert                   string                      `sql:"cert" json:"cert,omitempty"`
+	Active                 bool                        `sql:"active,notnull" json:"active"`
 	IpsConfig              *DockerRegistryIpsConfig
 	OCIRegistryConfig      []*OCIRegistryConfig
 	sql.AuditLog
@@ -109,7 +110,16 @@ func (impl DockerArtifactStoreRepositoryImpl) GetConnection() *pg.DB {
 	return impl.dbConnection
 }
 
-func (impl DockerArtifactStoreRepositoryImpl) Save(artifactStore *DockerArtifactStore, tx *pg.Tx) error {
+func (impl DockerArtifactStoreRepositoryImpl) Save(artifactStore *DockerArtifactStore, tx *pg.Tx) (err error) {
+	artifactStore.Password, err = securestore.EncryptString(artifactStore.Password.String())
+	if err != nil {
+		return err
+	}
+	artifactStore.AWSSecretAccessKey, err = securestore.EncryptString(artifactStore.AWSSecretAccessKey.String())
+	if err != nil {
+		return err
+	}
+
 	if util.IsBaseStack() {
 		return tx.Insert(artifactStore)
 	}
@@ -235,7 +245,15 @@ func (impl DockerArtifactStoreRepositoryImpl) FindOneInactive(storeId string) (*
 	return &provider, err
 }
 
-func (impl DockerArtifactStoreRepositoryImpl) Update(artifactStore *DockerArtifactStore, tx *pg.Tx) error {
+func (impl DockerArtifactStoreRepositoryImpl) Update(artifactStore *DockerArtifactStore, tx *pg.Tx) (err error) {
+	artifactStore.Password, err = securestore.EncryptString(artifactStore.Password.String())
+	if err != nil {
+		return err
+	}
+	artifactStore.AWSSecretAccessKey, err = securestore.EncryptString(artifactStore.AWSSecretAccessKey.String())
+	if err != nil {
+		return err
+	}
 	//TODO check for unique default
 	//there can be only one default
 

pkg/appStore/adapter/Adapter.go

@@ -159,7 +159,7 @@ func GenerateInstallAppVersionDTO(installedApp *repository.InstalledApps, instal
 			chartVersionApp.AppStore.DockerArtifactStore.RegistryURL,
 			chartVersionApp.AppStore.Name)
 		Username = chartVersionApp.AppStore.DockerArtifactStore.Username
-		Password = chartVersionApp.AppStore.DockerArtifactStore.Password
+		Password = chartVersionApp.AppStore.DockerArtifactStore.Password.String()
 	}
 	envBean := adapter2.NewEnvironmentBean(&installedApp.Environment)
 	installAppDto := &appStoreBean.InstallAppVersionDTO{

pkg/appStore/installedApp/service/AppStoreDeploymentService.go

@@ -992,10 +992,10 @@ func (impl *AppStoreDeploymentServiceImpl) linkHelmApplicationToChartStore(insta
 		registryCredential = &bean4.RegistryCredential{
 			RegistryUrl:         appStoreAppVersion.AppStore.DockerArtifactStore.RegistryURL,
 			Username:            appStoreAppVersion.AppStore.DockerArtifactStore.Username,
-			Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password,
+			Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password.String(),
 			AwsRegion:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSRegion,
 			AccessKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSAccessKeyId,
-			SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey,
+			SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey.String(),
 			RegistryType:        string(appStoreAppVersion.AppStore.DockerArtifactStore.RegistryType),
 			RepoName:            appStoreAppVersion.AppStore.Name,
 			IsPublic:            ociRegistryConfig.IsPublic,

pkg/appStore/installedApp/service/EAMode/deployment/EAModeDeploymentService.go

@@ -124,10 +124,10 @@ func (impl *EAModeDeploymentServiceImpl) InstallApp(installAppVersionRequest *ap
 		registryCredential = &gRPC.RegistryCredential{
 			RegistryUrl:         appStoreAppVersion.AppStore.DockerArtifactStore.RegistryURL,
 			Username:            appStoreAppVersion.AppStore.DockerArtifactStore.Username,
-			Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password,
+			Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password.String(),
 			AwsRegion:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSRegion,
 			AccessKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSAccessKeyId,
-			SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey,
+			SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey.String(),
 			RegistryType:        string(appStoreAppVersion.AppStore.DockerArtifactStore.RegistryType),
 			RepoName:            appStoreAppVersion.AppStore.Name,
 			IsPublic:            ociRegistryConfig.IsPublic,
@@ -356,10 +356,10 @@ func (impl *EAModeDeploymentServiceImpl) updateApplicationWithChartInfo(ctx cont
 		registryCredential = &gRPC.RegistryCredential{
 			RegistryUrl:         appStoreApplicationVersion.AppStore.DockerArtifactStore.RegistryURL,
 			Username:            appStoreApplicationVersion.AppStore.DockerArtifactStore.Username,
-			Password:            appStoreApplicationVersion.AppStore.DockerArtifactStore.Password,
+			Password:            appStoreApplicationVersion.AppStore.DockerArtifactStore.Password.String(),
 			AwsRegion:           appStoreApplicationVersion.AppStore.DockerArtifactStore.AWSRegion,
 			AccessKey:           appStoreApplicationVersion.AppStore.DockerArtifactStore.AWSAccessKeyId,
-			SecretKey:           appStoreApplicationVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey,
+			SecretKey:           appStoreApplicationVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey.String(),
 			RegistryType:        string(appStoreApplicationVersion.AppStore.DockerArtifactStore.RegistryType),
 			RepoName:            appStoreApplicationVersion.AppStore.Name,
 			IsPublic:            ociRegistryConfig.IsPublic,

pkg/appStore/installedApp/service/FullMode/deployment/InstalledAppGitOpsService.go

@@ -414,7 +414,7 @@ func (impl *FullModeDeploymentServiceImpl) CreateArgoRepoSecretIfNeeded(appStore
 
 	err = impl.argoClientWrapperService.AddOrUpdateOCIRegistry(
 		dockerArtifactStore.Username,
-		dockerArtifactStore.Password,
+		dockerArtifactStore.Password.String(),
 		dockerArtifactStore.OCIRegistryConfig[0].Id,
 		dockerArtifactStore.RegistryURL,
 		appStore.Name,

pkg/appStore/installedApp/service/FullMode/resource/NotesService.go

@@ -124,10 +124,10 @@ func (impl *InstalledAppResourceServiceImpl) findNotesForArgoApplication(install
 			registryCredential = &gRPC.RegistryCredential{
 				RegistryUrl:         appStoreAppVersion.AppStore.DockerArtifactStore.RegistryURL,
 				Username:            appStoreAppVersion.AppStore.DockerArtifactStore.Username,
-				Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password,
+				Password:            appStoreAppVersion.AppStore.DockerArtifactStore.Password.String(),
 				AwsRegion:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSRegion,
 				AccessKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSAccessKeyId,
-				SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey,
+				SecretKey:           appStoreAppVersion.AppStore.DockerArtifactStore.AWSSecretAccessKey.String(),
 				RegistryType:        string(appStoreAppVersion.AppStore.DockerArtifactStore.RegistryType),
 				RepoName:            appStoreAppVersion.AppStore.Name,
 				IsPublic:            ociRegistryConfig.IsPublic,