Allow specifying k8s context on sealed-secret commands #674

Merged (1 commit), Apr 8, 2022
28 changes: 20 additions & 8 deletions src/_base/harness/config/secrets.yml
@@ -1,19 +1,24 @@
command('secret image-pull-config [--cert=<cert>] [--scope=<scope>] [--namespace=<namespace>]'):
command('secret image-pull-config [--cert=<cert>] [--scope=<scope>] [--context=<context>] [--namespace=<namespace>]'):
env:
SEALED_SECRETS: "= boolToString(@('helm.feature.sealed_secrets'))"
DEFAULT_CONFIG: = docker_config(@('docker.registry'))
SEALED_SECRETS_CONTROLLER_NAME: = @('helm.sealed_secrets.controller_name')
SEALED_SECRETS_CONTROLLER_NAMESPACE: = @('helm.sealed_secrets.controller_namespace')
SEALED_SECRETS_CERTIFICATE_FILE: "= input.option('cert') ?: @('helm.sealed_secrets.certificate_file')"
K8S_CONTEXT: "= input.option('context') ?: ''"
SECRET_NAMESPACE: "= input.option('namespace') ?: @('helm.sealed_secrets.namespace')"
SECRET_SCOPE: "= input.option('scope') ?: @('helm.sealed_secrets.scope')"
exec: |
#!bash
if [ "$SEALED_SECRETS" == 'yes' ] && ! command -v kubeseal >/dev/null; then
echo 'kubeseal is needed in order to use this command' >&2
if [ "$SEALED_SECRETS" == 'yes' ] && ! command -v kubeseal kubectl >/dev/null; then
echo 'kubeseal and kubectl are needed in order to use this command' >&2
exit 1
fi

if [ -z "${K8S_CONTEXT:-}" ]; then
K8S_CONTEXT="$(kubectl config current-context)"
fi

if [ -t 0 ] ; then
# Use an editor with a temp file to allow longer terminal input
TMPFILE="$(mktemp -t tmp.XXXXXXXXX)"
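Review bot: the dependency check `if [ "$SEALED_SECRETS" == 'yes' ] && ! command -v kubeseal kubectl >/dev/null` does not guarantee that both tools are installed: in bash, `command -v` with several names returns success as soon as any one of them is found (and other shells treat the multi-name form differently), so a host with kubeseal but no kubectl passes the check and only fails later at `kubectl config current-context`. Test each binary on its own, e.g. `for bin in kubeseal kubectl; do command -v "$bin" >/dev/null || { echo "$bin is needed in order to use this command" >&2; exit 1; }; done`. Also, the fallback `K8S_CONTEXT="$(kubectl config current-context)"` runs even when `$SEALED_SECRETS` is not 'yes', although only the sealed-secret branch uses the context; the plain-secret path therefore now requires kubectl and prints a kubectl error when no current context is set. Move the fallback into the sealed-secrets branch and check kubectl's exit status (no `set -e` is visible in this hunk), so an empty context is never handed on to kubeseal.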
@@ -28,9 +33,10 @@ command('secret image-pull-config [--cert=<cert>] [--scope=<scope>] [--namespace
DOCKER_CONFIG="${DOCKER_CONFIG:-${DEFAULT_CONFIG}}"

if [ "$SEALED_SECRETS" == 'yes' ]; then
echo 'Encrypting as a sealed-secret value with certificate from current kubectl context' >&2
echo "Encrypting as a sealed-secret value with certificate from kubectl context '${K8S_CONTEXT}'" >&2
DEFAULT_SCOPE=cluster-wide
KUBESEAL_OPTS=(
--context "${K8S_CONTEXT}"
--name "image-pull-config"
)
if [ -n "${SEALED_SECRETS_CONTROLLER_NAME:-}" ]; then
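Review bot: the message `Encrypting as a sealed-secret value with certificate from kubectl context '${K8S_CONTEXT}'` is printed unconditionally, but the command also accepts `--cert=<cert>` (SEALED_SECRETS_CERTIFICATE_FILE), in which case the certificate does not come from the context at all; make the message state which source is actually used so an operator can tell whether the public key was read from a file or fetched from the controller in the named context. Passing `--context "${K8S_CONTEXT}"` explicitly in KUBESEAL_OPTS is a welcome change: the target cluster becomes visible in the output instead of being whatever kubectl's current context happens to be at the time.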
@@ -61,9 +67,10 @@ command('secret image-pull-config [--cert=<cert>] [--scope=<scope>] [--namespace
echo "${DOCKER_CONFIG}" | base64
fi

command('sealed-secret encrypt (string|blob) [--cert=<cert>] [--scope=<scope>] [--namespace=<namespace>] <secret-name>'):
command('sealed-secret encrypt (string|blob) [--cert=<cert>] [--scope=<scope>] [--context=<context>] [--namespace=<namespace>] <secret-name>'):
env:
INPUT_TYPE: = input.command(3)
K8S_CONTEXT: "= input.option('context') ?: ''"
SEALED_SECRETS_CONTROLLER_NAME: = @('helm.sealed_secrets.controller_name')
SEALED_SECRETS_CONTROLLER_NAMESPACE: = @('helm.sealed_secrets.controller_namespace')
SEALED_SECRETS_CERTIFICATE_FILE: "= input.option('cert') ?: @('helm.sealed_secrets.certificate_file')"
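Review bot: the new `--context=<context>` option appears in the usage string but is not described anywhere in this hunk; a short help line saying that it selects the kubectl context whose sealed-secrets controller supplies the encryption certificate, and that it defaults to `kubectl config current-context`, would save users a trip to the source. Minor style point: in `secret image-pull-config` the `K8S_CONTEXT` entry sits after SEALED_SECRETS_CERTIFICATE_FILE, while here it sits before the controller entries; keep the ordering of the env block consistent between the two commands.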
@@ -72,11 +79,15 @@ command('sealed-secret encrypt (string|blob) [--cert=<cert>] [--scope=<scope>] [
SECRET_SCOPE: "= input.option('scope') ?: @('helm.sealed_secrets.scope')"
exec: |
#!bash
if ! command -v kubeseal >/dev/null; then
echo 'kubeseal is needed in order to use this command' >&2
if ! command -v kubeseal kubectl >/dev/null; then
echo 'kubeseal and kubectl are needed in order to use this command' >&2
exit 1
fi

if [ -z "${K8S_CONTEXT:-}" ]; then
K8S_CONTEXT="$(kubectl config current-context)"
fi

echo "Enter the secret ${INPUT_TYPE} to encrypt" >&2
case "${INPUT_TYPE}" in
string)
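Review bot: same weakness as in `secret image-pull-config`: `if ! command -v kubeseal kubectl >/dev/null` only fails in bash when neither binary is found, so it does not actually enforce that kubectl is present; check each name separately. The dependency test plus the `K8S_CONTEXT="$(kubectl config current-context)"` fallback is now duplicated verbatim between the two commands; a shared snippet would keep them from drifting, and the fallback should still verify kubectl's exit status so an empty K8S_CONTEXT does not reach kubeseal.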
@@ -96,9 +107,10 @@ command('sealed-secret encrypt (string|blob) [--cert=<cert>] [--scope=<scope>] [
;;
esac

echo 'Encrypting as a sealed-secret value with certificate from current kubectl context' >&2
echo "Encrypting as a sealed-secret value with certificate from kubectl context '${K8S_CONTEXT}'" >&2
DEFAULT_SCOPE=cluster-wide
KUBESEAL_OPTS=(
--context "${K8S_CONTEXT}"
--name "${SECRET_NAME}"
)
if [ -n "${SEALED_SECRETS_CONTROLLER_NAME:-}" ]; then
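Review bot: `--context "${K8S_CONTEXT}"` is added to KUBESEAL_OPTS unconditionally, so if the current-context lookup earlier in this command failed and left K8S_CONTEXT empty, kubeseal receives `--context ""`; guard the entry with `[ -n "${K8S_CONTEXT:-}" ]` or abort earlier. The context message and option-array construction here repeat those in `secret image-pull-config` line for line, and the same remark applies: the message claims the certificate comes from the kubectl context even when `--cert=<cert>` was supplied, so make it reflect the source in use, and consider sharing the KUBESEAL_OPTS setup between the two commands.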