/*
Copyright 2018 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package secrets
import (
"fmt"
kubernetesutil "github.com/grafeas/kritis/pkg/kritis/kubernetes"
v1 "k8s.io/api/core/v1"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
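// Keys of the kubernetes Secret's Data map that Fetch reads.
const (
	// PrivateKey is the Data key holding the PGP private key.
	PrivateKey = "private"
	// PublicKey is the Data key holding the PGP public key.
	PublicKey = "public"
	// Passphrase is the Data key holding the private key's passphrase.
	// Fetch treats this entry as optional (an absent entry reads as empty).
	Passphrase = "passphrase"
)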
// getSecretFunc is the cluster lookup Fetch calls to load a Secret.
// It is a variable so tests can substitute a fake and avoid a real clientset.
var getSecretFunc = getSecret
// PGPSigningSecret represents a gpg private/public key pair secret in your
// kubernetes cluster, where the private key is decrypted using the passphrase.
// The secret is expected to store the private and public key under the
// "private" and "public" keys, and the passphrase that decrypts the private
// key under the "passphrase" key (Fetch treats "passphrase" as optional), e.g.
// kubectl create secret generic my-secret --from-file=public=pub.gpg \
// --from-file=private=priv.key --from-literal=passphrase=<value>
type PGPSigningSecret struct {
	// PgpKey is the parsed key pair as built by NewPgpKey in Fetch.
	PgpKey *PgpKey
	// SecretName is the name of the kubernetes Secret object the keys were
	// loaded from.
	SecretName string
}
// Fetcher is the function type used to fetch a kubernetes secret and parse
// it into a PGPSigningSecret. Fetch in this package has this signature.
type Fetcher func(namespace string, name string) (*PGPSigningSecret, error)
// Fetch loads the kubernetes Secret called name from namespace and parses it
// into a PGPSigningSecret.
//
// The Secret's Data must contain the PublicKey and PrivateKey entries; a
// missing entry yields an error naming the secret and the absent key. The
// Passphrase entry is optional: when absent, an empty passphrase is passed to
// NewPgpKey. Errors from the secret lookup and from NewPgpKey are returned
// unchanged.
func Fetch(namespace string, name string) (*PGPSigningSecret, error) {
	secret, err := getSecretFunc(namespace, name)
	if err != nil {
		return nil, err
	}

	// required reads one mandatory entry of the secret's Data map.
	required := func(key string) ([]byte, error) {
		value, present := secret.Data[key]
		if !present {
			return nil, fmt.Errorf("invalid secret %s. could not find key %s", name, key)
		}
		return value, nil
	}

	// Public key is validated before the private key, matching the order
	// in which errors are reported.
	pub, err := required(PublicKey)
	if err != nil {
		return nil, err
	}
	priv, err := required(PrivateKey)
	if err != nil {
		return nil, err
	}

	// Optional entry: a missing key reads as nil, which becomes "" below.
	phrase := secret.Data[Passphrase]

	pgpKey, err := NewPgpKey(string(priv), string(phrase), string(pub))
	if err != nil {
		return nil, err
	}
	return &PGPSigningSecret{PgpKey: pgpKey, SecretName: secret.Name}, nil
}
// getSecret reads the Secret called name from namespace using the package's
// kubernetes clientset. Any clientset construction error is returned as is;
// otherwise the result of the API Get call is returned directly.
func getSecret(namespace string, name string) (*v1.Secret, error) {
	clientset, err := kubernetesutil.GetClientset()
	if err != nil {
		return nil, err
	}
	secrets := clientset.CoreV1().Secrets(namespace)
	return secrets.Get(name, meta_v1.GetOptions{})
}