k8sCertsFlatify 0.1.0-universal-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. checksums.yaml +7 -0
  2. data/README +7 -0
  3. data/bin/k8sCertsFlatify.rb +142 -0
  4. metadata +88 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 60516c53924fea13e7ec6a4b244942bdf1b413434a4baafa5a45bc34d09190d4
4
+ data.tar.gz: 773342e530314e16e1b6f365482ebe836a4b007f14099ad2efc4585b1ee8357a
5
+ SHA512:
6
+ metadata.gz: 79a8f0b49a9891ad41c59842cabff067c8895b5f258fc0fa20a39fd1e73ad320f7c062b21a347b299c39a13c766ca3cda499ccd6aba5f834cbbb263f36432189
7
+ data.tar.gz: dd67c748b2f549151a7e3b8a57fae375864f7f918f0ff2aaa9c0cf282ffa86c602ed1475934783ad72b6d89e0278e0a809f5f7ae8a2c57a7ec07925c8b71dceb
data/README ADDED
@@ -0,0 +1,7 @@
1
+ A script which extracts 1 or multiple tls/ssl certificates from a kubernetes cluster to PWD.
2
+ NOTE: Will not check the TLS certificate of the connecting kubernetes cluster as of the current time.
3
+ Switch --kubeconfig/-c <kubernetes kubeconfig file>. If not present default to ~/.kube/config
4
+ switch --namespaces/-n -- Namespace to dump certificates in. If not present, will dump certificates of all namespaces.
5
+ --context/-k -- The context to use in the kubeconfig file.
6
+ --dumpdir/-d -- Dump certificates to this directory instead of PWD
7
+ Will dump certificates in PWD in a directory with the name as the DNS to which the certificate belongs.
data/bin/k8sCertsFlatify.rb ADDED
@@ -0,0 +1,142 @@
1
+ #! /usr/bin/ruby
2
+ # NOTE: Will not check the TLS certificate of the connecting kubernetes cluster as of the current time.
3
+ require 'curb'
4
+ require 'oj'
5
+ require 'base64'
6
+ require 'fileutils.rb'
7
+ require 'optparse'
8
+ require 'kubeclient'
9
+
10
+ # Stores options as passed in switches to the script
11
+ @switchOptions = Hash.new
12
+ opts = OptionParser.new
13
+ kubecfg = nil
14
+ opts.banner = "Dump certificates which exists in a Kubernetes cluster to flat files in PWD."
15
+ opts.on('-k', '--context CONTEXT', 'The context to use in the kubeconfig file.') {
16
+ |kubecontext|
17
+ @switchOptions[:context] = kubecontext
18
+ }
19
+ opts.on('-c', '--kubeconfig KUBECONFIG', 'If not present default to ~/.kube/config') {
20
+ |kubeconfig|
21
+ kubecfg = kubeconfig
22
+ }
23
+ opts.on('-n', '--namespaces NAMESPACE', 'Namespace to dump certificates in. If not present, will dump certificates of all namespaces.') {
24
+ |ns|
25
+ @switchOptions[:ns] = ns
26
+ }
27
+ opts.on('-d', '--dumpdir DIR', 'Dump certificates to this directory instead of PWD') {
28
+ |dir|
29
+ Dir.chdir(dir)
30
+ }
31
+ opts.parse!
32
+
33
+ kubecfg = "#{ENV['HOME']}/.kube/config" if kubecfg == nil
34
+ if @switchOptions[:context] == nil
35
+ kubeContext = Kubeclient::Config.read(kubecfg).context
36
+ else
37
+ kubeContext = Kubeclient::Config.read(kubecfg).context(@switchOptions[:context])
38
+ end
39
+ @bearer = "Bearer #{kubeContext.auth_options[:bearer_token]}"
40
+ # API endpoint templates for all ingress
41
+ @allingendpoint = "apis/networking.k8s.io/v1/ingresses"
42
+ # API endpoint templates for single ingress
43
+ @aningendpoint = "apis/networking.k8s.io/v1/namespaces/$${namespace}/ingresses"
44
+ # old k8s
45
+ # @allingendpoint = "apis/networking.k8s.io/v1beta1/ingresses"
46
+ @secendpoint = "api/v1/namespaces/$${namespace}/secrets/$${name}"
47
+ @server = kubeContext.api_endpoint
48
+ # TODO: Could not get CA certificate.
49
+ # puts kubeContext.ssl_options[:cert_store].class
50
+ # GC
51
+ kubeContext = nil
52
+ kubecfg = nil
53
+
54
+
55
+ # TODO: Could not get CA certificate.
56
+ @ca = nil
57
+ allinghash = String.new
58
+ Oj.default_options = { :symbol_keys => true, :bigdecimal_as_decimal => true, :mode => :compat, 'load' => :compat }
59
+
60
+ # will return an array. First element being the certificate, 2nd the secret. Will return false in case of issues (like secrets does not hold a certificate)
61
+ def getCerts(name, namespace)
62
+ if name.class != String
63
+ puts "name not present for namespace #{namespace}"
64
+ return nil
65
+ end
66
+ if namespace.class != String
67
+ puts "namespace not present for name #{name}"
68
+ return nil
69
+ end
70
+ endpoint = @secendpoint.dup
71
+ endpoint.gsub!(%r{\$\$\{name\}}, name)
72
+ endpoint.gsub!(%r{\$\$\{namespace\}}, namespace)
73
+ thesec = String.new
74
+ k8sconnection = Curl::Easy.new(@server + endpoint) {
75
+ |request|
76
+ request.headers = { :Authorization => @bearer }
77
+ # TODO: Could not get CA certificate.
78
+ # request.cacert = @ca
79
+ request.ssl_verify_host = false
80
+ request.ssl_verify_peer = false
81
+ request.http_get
82
+ thesec = Oj.load(request.body_str)
83
+ }
84
+ if thesec[:type] != 'kubernetes.io/tls'
85
+ puts "Secret with name #{name} in namespace #{namespace} is not of type kubernetes.io/tls"
86
+ return nil
87
+ end
88
+ if (thesec[:data][:'tls.crt'] == nil || thesec[:data][:'tls.key'] == nil)
89
+ puts "tls.crt or/and tls.key keys in the secret is empty for secret #{namespace}/#{name}"
90
+ return nil
91
+ end
92
+ return [Base64.strict_decode64(thesec[:data][:'tls.crt']), Base64.strict_decode64(thesec[:data][:'tls.key'])]
93
+ end
94
+
95
+ # select endpoint based on mode of operation -- single certificate or all of them.
96
+ endpoint = nil
97
+ if @switchOptions[:ns] == nil
98
+ endpoint = @allingendpoint
99
+ else
100
+ endpoint = @aningendpoint.dup.gsub!(%r{\$\$\{namespace\}}, @switchOptions[:ns])
101
+ end
102
+ puts endpoint
103
+ k8sconnection = Curl::Easy.new(@server + endpoint) {
104
+ |request|
105
+ request.headers = { :Authorization => @bearer }
106
+ # TODO: Could not get CA certificate.
107
+ # request.cacert = @ca
108
+ request.ssl_verify_host = false
109
+ request.ssl_verify_peer = false
110
+ request.http_get
111
+ allinghash = Oj.load(request.body_str)
112
+ }
113
+
114
+ k8sconnection = nil
115
+ allinghash[:items].each {
116
+ |ingress|
117
+ ingNamespace = ingress[:metadata][:namespace]
118
+ if ingress == nil
119
+ puts "ingress entry was empty in namespace #{ingNamespace}"
120
+ elsif ingress[:spec] == nil
121
+ puts "ingress spec was empty for ingress #{ingress[:metadata][:name]} in namespace #{ingNamespace}"
122
+ elsif ingress[:spec][:tls] == nil
123
+ puts "No tls certificate specified in ingress #{ingress[:metadata][:name]} in namespace #{ingNamespace}"
124
+ elsif ingress[:spec][:tls].length >= 1
125
+ ingress[:spec][:tls].each {
126
+ |secretref|
127
+ if certpair = getCerts(secretref[:secretName], ingNamespace)
128
+ begin
129
+ FileUtils.mkdir(secretref[:hosts])
130
+ rescue Errno::EEXIST
131
+ end
132
+ secretref[:hosts].each {
133
+ |host|
134
+ IO.binwrite("#{host}/cert.crt", certpair[0])
135
+ IO.binwrite("#{host}/key.key", certpair[1])
136
+ }
137
+ end
138
+ }
139
+ else
140
+ puts "No TLS entry found for ingress #{ingress[:metadata][:name]} in namespace #{ingNamespace}"
141
+ end
142
+ }
metadata ADDED
@@ -0,0 +1,88 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: k8sCertsFlatify
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: universal-linux
6
+ authors:
7
+ - dE
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2024-11-05 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: curb
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '1'
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '1'
27
+ - !ruby/object:Gem::Dependency
28
+ name: oj
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '3'
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '3'
41
+ - !ruby/object:Gem::Dependency
42
+ name: kubeclient
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '4'
48
+ type: :runtime
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '4'
55
+ description:
56
+ email: de.techno@gmail.com
57
+ executables:
58
+ - k8sCertsFlatify.rb
59
+ extensions: []
60
+ extra_rdoc_files: []
61
+ files:
62
+ - README
63
+ - bin/k8sCertsFlatify.rb
64
+ homepage: http://delogics.blogspot.com
65
+ licenses:
66
+ - Apache-2.0
67
+ metadata: {}
68
+ post_install_message:
69
+ rdoc_options: []
70
+ require_paths:
71
+ - lib
72
+ required_ruby_version: !ruby/object:Gem::Requirement
73
+ requirements:
74
+ - - ">="
75
+ - !ruby/object:Gem::Version
76
+ version: '0'
77
+ required_rubygems_version: !ruby/object:Gem::Requirement
78
+ requirements:
79
+ - - ">="
80
+ - !ruby/object:Gem::Version
81
+ version: '0'
82
+ requirements: []
83
+ rubygems_version: 3.4.22
84
+ signing_key:
85
+ specification_version: 4
86
+ summary: A script which extracts 1 or multiple tls/ssl certificates from a kubernetes
87
+ cluster.
88
+ test_files: []