-
-
Notifications
You must be signed in to change notification settings - Fork 15
/
seal.go
119 lines (104 loc) · 2.67 KB
/
seal.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
package seal
import (
"bytes"
"context"
"crypto/rsa"
"io"
"log"
"os"
"github.com/bakito/sealed-secrets-web/pkg/config"
"github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1"
"github.com/bitnami-labs/sealed-secrets/pkg/kubeseal"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/tools/clientcmd"
)
type Sealer interface {
Raw(data Raw) ([]byte, error)
Certificate(ctx context.Context) ([]byte, error)
Seal(outputFormat string, secret io.Reader) ([]byte, error)
Validate(ctx context.Context, secret io.Reader) error
}
var _ Sealer = &apiSealer{}
func NewAPISealer(ctx context.Context, ss config.SealedSecrets) (Sealer, error) {
log.Printf("Connection to sealed secrets with (%s)\n", ss.String())
loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
cc := clientcmd.NewInteractiveDeferredLoadingClientConfig(loadingRules, nil, os.Stdout)
f, err := kubeseal.OpenCert(ctx, cc, ss.Namespace, ss.Service, ss.CertURL)
if err != nil {
return nil, err
}
defer func() { _ = f.Close() }()
pubKey, err := kubeseal.ParseKey(f)
if err != nil {
return nil, err
}
return &apiSealer{
clientConfig: cc,
ss: ss,
pubKey: pubKey,
}, nil
}
type apiSealer struct {
clientConfig clientcmd.ClientConfig
ss config.SealedSecrets
pubKey *rsa.PublicKey
}
func (a *apiSealer) Certificate(ctx context.Context) ([]byte, error) {
f, err := kubeseal.OpenCert(ctx, a.clientConfig, a.ss.Namespace, a.ss.Service, a.ss.CertURL)
if err != nil {
return nil, err
}
defer func() { _ = f.Close() }()
data, err := io.ReadAll(f)
if err != nil {
return nil, err
}
return data, nil
}
func (a *apiSealer) Seal(outputFormat string, secret io.Reader) ([]byte, error) {
var buf bytes.Buffer
if err := kubeseal.Seal(
a.clientConfig,
outputFormat,
secret,
&buf,
scheme.Codecs,
a.pubKey,
v1alpha1.DefaultScope,
false,
"",
"",
); err != nil {
return nil, err
}
return buf.Bytes(), nil
}
func (a *apiSealer) Raw(data Raw) ([]byte, error) {
var buf bytes.Buffer
scope := v1alpha1.DefaultScope
if data.Scope != "" {
_ = scope.Set(data.Scope)
}
if err := kubeseal.EncryptSecretItem(
&buf, data.Name, data.Namespace, []byte(data.Value),
scope, a.pubKey); err != nil {
return nil, err
}
return buf.Bytes(), nil
}
func (a *apiSealer) Validate(ctx context.Context, secret io.Reader) error {
return kubeseal.ValidateSealedSecret(
ctx,
a.clientConfig,
a.ss.Namespace,
a.ss.Service,
secret,
)
}
type Raw struct {
Value string `json:"value"`
Name string `json:"name"`
Namespace string `json:"namespace"`
Scope string `json:"scope"`
}