diff --git a/src/_base/harness/config/secrets.yml b/src/_base/harness/config/secrets.yml index 7a778cbdb..5e87c5150 100644 --- a/src/_base/harness/config/secrets.yml +++ b/src/_base/harness/config/secrets.yml @@ -1,19 +1,24 @@ -command('secret image-pull-config [--cert=] [--scope=] [--namespace=]'): +command('secret image-pull-config [--cert=] [--scope=] [--context=] [--namespace=]'): env: SEALED_SECRETS: "= boolToString(@('helm.feature.sealed_secrets'))" DEFAULT_CONFIG: = docker_config(@('docker.registry')) SEALED_SECRETS_CONTROLLER_NAME: = @('helm.sealed_secrets.controller_name') SEALED_SECRETS_CONTROLLER_NAMESPACE: = @('helm.sealed_secrets.controller_namespace') SEALED_SECRETS_CERTIFICATE_FILE: "= input.option('cert') ?: @('helm.sealed_secrets.certificate_file')" + K8S_CONTEXT: "= input.option('context') ?: ''" SECRET_NAMESPACE: "= input.option('namespace') ?: @('helm.sealed_secrets.namespace')" SECRET_SCOPE: "= input.option('scope') ?: @('helm.sealed_secrets.scope')" exec: | #!bash - if [ "$SEALED_SECRETS" == 'yes' ] && ! command -v kubeseal >/dev/null; then - echo 'kubeseal is needed in order to use this command' >&2 + if [ "$SEALED_SECRETS" == 'yes' ] && ! command -v kubeseal kubectl >/dev/null; then + echo 'kubeseal and kubectl are needed in order to use this command' >&2 exit 1 fi + if [ -z "${K8S_CONTEXT:-}" ]; then + K8S_CONTEXT="$(kubectl config current-context)" + fi + if [ -t 0 ] ; then # Use an editor with a temp file to allow longer terminal input TMPFILE="$(mktemp -t tmp.XXXXXXXXX)" 
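Review bot: The new `kubectl config current-context` fallback runs unconditionally, while the check just above only requires kubectl when `$SEALED_SECRETS` is 'yes', so a run of this command on the non-sealed path (presumably the `base64` branch visible at the top of the third hunk) now invokes kubectl and, if it is absent or has no current context, either leaves K8S_CONTEXT empty with an error on stderr or, if the script enables `-e` above the hunk, aborts outright. Guard the fallback the same way, `if [ "$SEALED_SECRETS" == 'yes' ] && [ -z "${K8S_CONTEXT:-}" ]; then`, and fail fast when the lookup yields nothing: `K8S_CONTEXT="$(kubectl config current-context)" || exit 1` followed by `[ -n "$K8S_CONTEXT" ] || { echo 'no kubectl context available' >&2; exit 1; }`. Without that, the later message reports context '' and `--context ""` is handed to kubeseal, which as far as I know then falls back to the kubeconfig default, so the cluster whose certificate seals the value can differ from the one reported to the operator. The same unchecked assignment appears in the `sealed-secret encrypt` hunk (@@ -72,11 +79,15 @@); the exec block continues outside this hunk.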
@@ -28,9 +33,10 @@ command('secret image-pull-config [--cert=] [--scope=] [--namespace DOCKER_CONFIG="${DOCKER_CONFIG:-${DEFAULT_CONFIG}}" if [ "$SEALED_SECRETS" == 'yes' ]; then - echo 'Encrypting as a sealed-secret value with certificate from current kubectl context' >&2 + echo "Encrypting as a sealed-secret value with certificate from kubectl context '${K8S_CONTEXT}'" >&2 DEFAULT_SCOPE=cluster-wide KUBESEAL_OPTS=( + --context "${K8S_CONTEXT}" --name "image-pull-config" ) if [ -n "${SEALED_SECRETS_CONTROLLER_NAME:-}" ]; then @@ -61,9 +67,10 @@ command('secret image-pull-config [--cert=] [--scope=] [--namespace echo "${DOCKER_CONFIG}" | base64 fi -command('sealed-secret encrypt (string|blob) [--cert=] [--scope=] [--namespace=] '): +command('sealed-secret encrypt (string|blob) [--cert=] [--scope=] [--context=] [--namespace=] '): env: INPUT_TYPE: = input.command(3) + K8S_CONTEXT: "= input.option('context') ?: ''" SEALED_SECRETS_CONTROLLER_NAME: = @('helm.sealed_secrets.controller_name') SEALED_SECRETS_CONTROLLER_NAMESPACE: = @('helm.sealed_secrets.controller_namespace') SEALED_SECRETS_CERTIFICATE_FILE: "= input.option('cert') ?: @('helm.sealed_secrets.certificate_file')" @@ -72,11 +79,15 @@ command('sealed-secret encrypt (string|blob) [--cert=] [--scope=] [ SECRET_SCOPE: "= input.option('scope') ?: @('helm.sealed_secrets.scope')" exec: | #!bash - if ! command -v kubeseal >/dev/null; then - echo 'kubeseal is needed in order to use this command' >&2 + if ! command -v kubeseal kubectl >/dev/null; then + echo 'kubeseal and kubectl are needed in order to use this command' >&2 exit 1 fi + if [ -z "${K8S_CONTEXT:-}" ]; then + K8S_CONTEXT="$(kubectl config current-context)" + fi + echo "Enter the secret ${INPUT_TYPE} to encrypt" >&2 case "${INPUT_TYPE}" in string) 
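Review bot: The rewritten message states that the certificate comes from kubectl context '${K8S_CONTEXT}', yet SEALED_SECRETS_CERTIFICATE_FILE (from `--cert` or config) is still part of this command's env; if that file is passed to kubeseal further down (outside the hunk), the message names the wrong source and `--context` is likely irrelevant to where the public key comes from. Branching the message on `[ -n "${SEALED_SECRETS_CERTIFICATE_FILE:-}" ]` and printing the certificate file path in that case would tell the operator which public key is actually used, which is what decides which cluster can later unseal the value. The same message is rewritten in the last hunk (@@ -96,9 +107,10 @@). The enclosing exec block starts and ends outside this hunk.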
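Review bot: `command -v kubeseal kubectl` checks two names in one call; bash, as far as I know, returns non-zero when either is missing, but POSIX only defines `command -v` for a single operand, and the combined error text no longer says which tool is absent. Since the block declares `#!bash` the exit status is usable, but a per-tool loop is clearer and keeps the diagnostic precise: `for tool in kubeseal kubectl; do command -v "$tool" >/dev/null || { echo "$tool is needed in order to use this command" >&2; exit 1; }; done`. The first hunk (@@ -1,19 +1,24 @@) uses the same construct. The exec block continues past this hunk.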
@@ -96,9 +107,10 @@ command('sealed-secret encrypt (string|blob) [--cert=] [--scope=] [ ;; esac - echo 'Encrypting as a sealed-secret value with certificate from current kubectl context' >&2 + echo "Encrypting as a sealed-secret value with certificate from kubectl context '${K8S_CONTEXT}'" >&2 DEFAULT_SCOPE=cluster-wide KUBESEAL_OPTS=( + --context "${K8S_CONTEXT}" --name "${SECRET_NAME}" ) if [ -n "${SEALED_SECRETS_CONTROLLER_NAME:-}" ]; then