This repository has been archived by the owner on Apr 18, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 29
/
install.go
110 lines (88 loc) · 2.89 KB
/
install.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package sealedsecrets
import (
"context"
"fmt"
"sort"
"github.com/flanksource/karina/pkg/ca"
"github.com/flanksource/karina/pkg/platform"
"github.com/pkg/errors"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
)
const (
Namespace = "sealed-secrets"
// SealedSecretsKeyLabel is that label used to locate active key pairs used to decrypt sealed secrets.
SealedSecretsKeyLabel = "sealedsecrets.bitnami.com/sealed-secrets-key"
// Prefix is used to prefix tls secret key
SecretPrefix = "sealed-secrets-key"
)
var (
keySelector = fields.OneTermEqualSelector(SealedSecretsKeyLabel, "active")
)
func Install(platform *platform.Platform) error {
if platform.SealedSecrets.IsDisabled() {
return nil
}
if err := platform.CreateOrUpdateNamespace(Namespace, nil, nil); err != nil {
return fmt.Errorf("install: failed to create/update namespace: %v", err)
}
if platform.SealedSecrets.Certificate != nil && !platform.ApplyDryRun && !platform.SkipDecrypt {
ca, err := ca.ReadCA(platform.SealedSecrets.Certificate)
if err != nil {
return errors.Wrap(err, "failed to read platform ca")
}
client, err := platform.GetClientset()
if err != nil {
return errors.Wrap(err, "failed to get k8s client")
}
secretList, err := client.CoreV1().Secrets(Namespace).List(context.TODO(), metav1.ListOptions{
LabelSelector: keySelector.String(),
})
if err != nil {
return errors.Wrap(err, "failed to list secrets")
}
items := secretList.Items
sort.Sort(ByCreationTimestamp(items))
secrets := client.CoreV1().Secrets(Namespace)
if len(items) == 0 {
secret := &v1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: "v1",
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
GenerateName: SecretPrefix,
Labels: map[string]string{
SealedSecretsKeyLabel: "active",
},
},
Data: ca.AsTLSSecret(),
Type: "kubernetes.io/tls",
}
platform.Infof("Creating %s/secret/%s", Namespace, SecretPrefix)
if _, err := secrets.Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil {
return errors.Wrap(err, "failed to create new secret")
}
} else {
secret := items[len(items)-1]
secret.Data = ca.AsTLSSecret()
platform.Infof("Updating %s/secret/%s", Namespace, secret.Name)
if _, err := secrets.Update(context.TODO(), &secret, metav1.UpdateOptions{}); err != nil {
return errors.Wrapf(err, "failed to update secret %s", secret.Name)
}
}
}
return platform.ApplySpecs(Namespace, "sealed-secrets.yaml")
}
// ByCreationTimestamp is used to sort a list of secrets
type ByCreationTimestamp []v1.Secret
func (s ByCreationTimestamp) Len() int {
return len(s)
}
func (s ByCreationTimestamp) Swap(i, j int) {
s[i], s[j] = s[j], s[i]
}
func (s ByCreationTimestamp) Less(i, j int) bool {
return s[i].GetCreationTimestamp().Unix() < s[j].GetCreationTimestamp().Unix()
}