kubesealr 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 35b04586dd5c804bf697478a11e919da402c87519cdb22bc940c9060b0b07792
+  data.tar.gz: cfba159bc9ce48fbe5add4a7640bfb3edfa1f66a79617855e22784e5fa60aaf9
+SHA512:
+  metadata.gz: 5b199eef47106927b95b724393e1d4bd9bf003bdad5c13b3251b58e600c3afcac53d9824d2c2e922ef8dc1b0ac848acbd7404f8600a7b5f5769b65c49802a9bf
+  data.tar.gz: 41a52d3229fda407fa074cffae4b8b1af562182142d54c664bce35ae52493f5693d6343d638644bbb729b3f36fd931dbd89c4cdfbae4eed8c1c7a98107034ad9

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in kubesealr.gemspec
+gemspec
+
+# override dep resolution to fix Ruby 3.0 support
+# (libs dependent on this lib must do this on their own)
+gem 'k8s-ruby', github: 'tsutsu/k8s-ruby', branch: 'fork-master'
+gem 'recursive-open-struct', github: 'tsutsu/recursive-open-struct', branch: 'fix-ruby3-support'
+
+# development dependencies
+gem 'rake', '~> 13.0'
+gem 'rspec', '~> 3.0'

data/Gemfile.lock

@@ -0,0 +1,95 @@
+GIT
+  remote: https://github.com/tsutsu/k8s-ruby.git
+  revision: 177ba953169f32b6b40b85eedae85659825381b5
+  branch: fork-master
+  specs:
+    k8s-ruby (0.10.5)
+      dry-struct (~> 1.3.0)
+      dry-types (~> 1.4.0)
+      excon (~> 0.78)
+      hashdiff (~> 1.0.1)
+      jsonpath (~> 1.1.0)
+      recursive-open-struct (~> 1.1.3)
+      yajl-ruby (~> 1.4.1)
+      yaml-safe_load_stream2 (~> 0.1)
+
+GIT
+  remote: https://github.com/tsutsu/recursive-open-struct.git
+  revision: 1467ac3107582ab32de016fa320c1e204b10a1af
+  branch: fix-ruby3-support
+  specs:
+    recursive-open-struct (1.1.3)
+
+PATH
+  remote: .
+  specs:
+    kubesealr (0.1.0)
+      k8s-ruby
+      openssl-oaep
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    concurrent-ruby (1.1.7)
+    diff-lcs (1.4.4)
+    dry-configurable (0.12.0)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.5, >= 0.5.0)
+    dry-container (0.7.2)
+      concurrent-ruby (~> 1.0)
+      dry-configurable (~> 0.1, >= 0.1.3)
+    dry-core (0.5.0)
+      concurrent-ruby (~> 1.0)
+    dry-equalizer (0.3.0)
+    dry-inflector (0.2.0)
+    dry-logic (1.1.0)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.5, >= 0.5)
+    dry-struct (1.3.0)
+      dry-core (~> 0.4, >= 0.4.4)
+      dry-equalizer (~> 0.3)
+      dry-types (~> 1.3)
+      ice_nine (~> 0.11)
+    dry-types (1.4.0)
+      concurrent-ruby (~> 1.0)
+      dry-container (~> 0.3)
+      dry-core (~> 0.4, >= 0.4.4)
+      dry-equalizer (~> 0.3)
+      dry-inflector (~> 0.1, >= 0.1.2)
+      dry-logic (~> 1.0, >= 1.0.2)
+    excon (0.78.1)
+    hashdiff (1.0.1)
+    ice_nine (0.11.2)
+    jsonpath (1.1.0)
+      multi_json
+    multi_json (1.15.0)
+    openssl-oaep (0.1.0)
+    rake (13.0.3)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.1)
+    yajl-ruby (1.4.1)
+    yaml-safe_load_stream2 (0.1.1)
+
+PLATFORMS
+  x86_64-darwin-20
+
+DEPENDENCIES
+  k8s-ruby!
+  kubesealr!
+  rake (~> 13.0)
+  recursive-open-struct!
+  rspec (~> 3.0)
+
+BUNDLED WITH
+   2.2.5

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Levi Aul
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,110 @@
+# KubesealR
+
+KubesealR is a pure-Ruby implementation of the CLI client `kubeseal` component
+of Bitnami's [Kubernetes sealed-secrets](https://github.com/bitnami-labs/sealed-secrets)
+system.
+
+KubesealR also embeds a transformer plugin for [KustomizeR](https://github.com/tsutsu/kustomizer),
+a pure-Ruby [Kustomize](https://kustomize.io) implementation. This plugin allows
+KustomizeR to seal [generated *or* provided] secrets, as a resource-config
+transformation pass.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'kubesealr'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install kubesealr
+
+## Usage
+
+### CLI usage
+
+(TODO; will mostly match CLI usage of `kubeseal`)
+
+### KustomizeR Plugin usage
+
+KubesealR provides one [Kustomize transformer plugin](https://kubectl.docs.kubernetes.io/guides/extending_kustomize/#specification-in-kustomizationyaml),
+`SealSecretsTransform`, with the following K8s document-type:
+
+```yaml
+apiVersion: kubesealr.covalenthq.com/v1
+kind: SealSecretsTransform
+```
+
+Possible fields on this configuration:
+
+#### `.spec.match`
+
+```
+.spec.match: "all" | [String] | {pattern: RegexpString}
+```
+
+`.spec.match` controls which secrets will be sealed.
+
+  * The literal string `all` will match all secrets.
+  * A list of strings means "match secrets with these names exactly."
+  * Setting `.spec.match.pattern` to a string will treat that string as
+    a regular expression and use it to match secret names.
+
+Defaults to `all`.
+
+#### `.spec.keepUnsealed`
+
+```
+.spec.keepUnsealed: true | false
+```
+
+`.spec.keepUnsealed` controls whether the original, unsealed versions of
+the secrets will be emitted by the transform alongside the sealed versions.
+Defaults to `false`. You may want to set this to `true` if you have further
+transformation passes that depend on the unsealed secrets in some way.
+
+Add a new resource path to the `transformers` resource-list in your
+`kustomization.yaml`. For example:
+
+#### Full example Kustomize configuration
+
+In `kustomization.yaml`:
+
+```yaml
+---
+transformers:
+  - seal-secrets.yaml
+```
+
+
+In `seal-secrets.yaml`:
+
+```yaml
+---
+apiVersion: kubesealr.covalenthq.com/v1
+kind: SealSecretsTransform
+spec:
+  match:
+    pattern: "-conn$"
+  keepUnsealed: false
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/tsutsu/kubesealr.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "kubesealr"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/kubesealr

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+require 'kubeseal/cli'
+Kubeseal::CLI.start(ARGV)

data/kubesealr.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "lib/kubeseal/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "kubesealr"
+  spec.version       = Kubeseal::VERSION
+  spec.authors       = ["Levi Aul"]
+  spec.email         = ["levi@leviaul.com"]
+
+  spec.summary       = "K8s sealed-secret client and KustomizeR transformer"
+  spec.description   = <<-EOF
+  KubesealR is a pure-Ruby implementation of Bitnami's Sealed-Secrets
+  CLI client "kubeseal." KubesealR also embeds a plugin for KustomizeR,
+  allowing KustomizeR to seal (generated or provided) secrets as a
+  resource-config transformation pass.
+  EOF
+  spec.homepage      = "https://github.com/tsutsu/kubesealr"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.7.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency 'k8s-ruby'
+  spec.add_runtime_dependency 'openssl-oaep'
+end

data/lib/kubeseal.rb

@@ -0,0 +1,259 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'securerandom'
+require 'base64'
+
+require 'openssl/oaep'
+
+require 'kubeseal/version'
+
+class Kubeseal
+  DEFAULT_KEY_FETCHER = lambda do |_|
+    raise NotImplementedError, "no cert getter passed"
+  end
+
+  def initialize(&cluster_sealer_key_fetcher)
+    @cluster_sealer_key_fetcher = cluster_sealer_key_fetcher || DEFAULT_KEY_FETCHER
+  end
+
+  def cluster_sealer_public_key
+    @cluster_sealer_public_key ||= @cluster_sealer_key_fetcher.call(:public_key)
+  end
+
+  def cluster_sealer_private_keys
+    @cluster_sealer_private_keys ||= @cluster_sealer_key_fetcher.call(:private_keys)
+  end
+
+  AED_IV = ("\x00" * 12).freeze
+  private_constant :AED_IV
+
+  def seal_and_wrap(secret_rc, scope: :strict)
+    rc_name = secret_rc.dig('metadata', 'name')
+    rc_namespace = secret_rc.dig('metadata', 'namespace')
+    rc_type = secret_rc['type'] || 'Opaque'
+    scope_label = label_for(scope, rc_namespace, rc_name)
+
+    raw_data =
+      if secret_rc.has_key?('data')
+        unarmor(secret_rc['data'])
+      elsif secret_rc.has_key?('stringData')
+        secret_rc['stringData']
+      else
+        {}
+      end
+
+    encrypted_data = raw_data.map do |key, plaintext|
+      ciphertext = seal(plaintext, scope_label)
+      [key, ciphertext]
+    end.to_h
+
+    secret_type = secret_rc['type'] || 'Opaque'
+
+    sealed_secret_rc =
+      build_sealed_secret_rc(
+        rc_namespace,
+        rc_name,
+        secret_type,
+        armor(encrypted_data)
+      )
+
+    patch_with_scope(sealed_secret_rc, scope)
+  end
+
+  def unwrap_and_unseal(sealed_secret_rc, armor: true)
+    rc_name = sealed_secret_rc.dig('metadata', 'name')
+    rc_namespace = sealed_secret_rc.dig('metadata', 'namespace')
+    rc_type = sealed_secret_rc['type'] || 'Opaque'
+
+    scope = scope_from_annotations(sealed_secret_rc.dig('metadata', 'annotations'))
+    scope_label = label_for(scope, rc_namespace, rc_name)
+
+    # decode data if encoded
+    encrypted_data = unarmor(sealed_secret_rc.dig('spec', 'encryptedData'))
+
+    string_data = encrypted_data.map do |key, ciphertext|
+      plaintext = unseal(ciphertext, scope_label)
+      [key, plaintext]
+    end.to_h
+
+    merge_part =
+      if armor
+        {'data' => armor(string_data)}
+      else
+        {'stringData' => string_data}
+      end
+
+    secret_type = sealed_secret_rc.dig('spec', 'template', 'type') || 'Opaque'
+
+    build_secret_rc(
+      rc_namespace,
+      rc_name,
+      secret_type,
+      merge_part
+    )
+  end
+
+  private
+  def seal(plaintext, scope_label)
+    cs_pubkey = self.cluster_sealer_public_key
+
+    session_key = SecureRandom.bytes(32)
+
+    session_key_enc =
+      cs_pubkey.public_encrypt_oaep(
+        session_key,
+        scope_label,
+        OpenSSL::Digest::SHA256
+      )
+
+    aed_cipher = OpenSSL::Cipher.new("AES-256-GCM").encrypt
+    aed_cipher.key = session_key
+    aed_cipher.iv = AED_IV
+    aed_cipher.auth_data = ""
+
+    payload_enc =
+      aed_cipher.update(plaintext) +
+      aed_cipher.final +
+      aed_cipher.auth_tag
+
+    ciphertext_parts = [
+      session_key_enc.length,
+      session_key_enc,
+      payload_enc
+    ]
+
+    ciphertext_parts.pack('S>A*A*')
+  end
+
+  private
+  def unseal(ciphertext, scope_label)
+    cs_privkeys_to_try = self.cluster_sealer_private_keys.dup
+
+    session_key_enc_len, ciphertext = ciphertext.unpack('S>A*')
+    session_key_enc, ciphertext = ciphertext.unpack("A#{session_key_enc_len}A*")
+
+    session_key = nil
+    until session_key or cs_privkeys_to_try.empty?
+      begin
+        try_privkey = cs_privkeys_to_try.shift
+        session_key = try_privkey.private_decrypt_oaep(
+          session_key_enc,
+          scope_label,
+          OpenSSL::Digest::SHA256
+        )
+      rescue OpenSSL::PKey::RSAError => e
+      end
+    end
+
+    unless session_key
+      raise RuntimeError, "no keys from cluster were applicable to decrypting payload"
+    end
+
+    aed_decipher = OpenSSL::Cipher.new("AES-256-GCM").decrypt
+    aed_decipher.key = session_key
+    aed_decipher.iv = AED_IV
+
+    auth_tag_len = 16
+    auth_tag   = ciphertext[-auth_tag_len .. -1]
+    ciphertext = ciphertext[0 ... -auth_tag_len]
+
+    aed_decipher.auth_tag = auth_tag
+    aed_decipher.auth_data = ""
+
+    plaintext =
+      aed_decipher.update(ciphertext) +
+      aed_decipher.final
+
+    plaintext
+  end
+
+  private
+  def label_for(scope, rc_namespace, rc_name)
+    case scope
+    in :strict
+      "#{rc_namespace}/#{rc_name}"
+    in :"namespace-wide"
+      rc_namespace
+    in :"cluster-wide"
+      ""
+    end
+  end
+
+  CLUSTER_WIDE_ANNOT = 'sealedsecrets.bitnami.com/cluster-wide'.freeze
+  private_constant :CLUSTER_WIDE_ANNOT
+
+  NAMESPACE_WIDE_ANNOT = 'sealedsecrets.bitnami.com/namespace-wide'.freeze
+  private_constant :NAMESPACE_WIDE_ANNOT
+
+  private
+  def scope_from_annotations(annotations)
+    annotations ||= {}
+
+    if annotations[CLUSTER_WIDE_ANNOT] == 'true'
+      :"cluster-wide"
+    elsif annotations[NAMESPACE_WIDE_ANNOT] == 'true'
+      :"namespace-wide"
+    else
+      :strict
+    end
+  end
+
+  private
+  def build_secret_rc(rc_namespace, rc_name, secret_type, data_part)
+    {
+      'apiVersion' => 'v1',
+      'kind' => 'Secret',
+      'metadata' => {
+        'namespace' => rc_namespace,
+        'name' => rc_name
+      },
+      'type' => secret_type
+    }.merge(data_part)
+  end
+
+  private
+  def build_sealed_secret_rc(rc_namespace, rc_name, secret_type, encrypted_data)
+    {
+      'apiVersion' => 'bitnami.com/v1alpha1',
+      'kind' => 'SealedSecret',
+      'metadata' => {
+        'namespace' => rc_namespace,
+        'name' => rc_name
+      },
+      'spec' => {
+        'template' => {
+          'type' => secret_type,
+        },
+        'encryptedData' => encrypted_data
+      }
+    }
+  end
+
+  private
+  def patch_with_scope(sealed_secret_rc, scope)
+    case scope
+    in :strict
+      sealed_secret_rc
+    in :"namespace-wide"
+      sealed_secret_rc['metadata'] ||= {}
+      sealed_secret_rc['metadata']['annotations'] ||= {}
+      sealed_secret_rc['metadata']['annotations'][NAMESPACE_WIDE_ANNOT] = "true"
+      sealed_secret_rc
+    in :"cluster-wide"
+      sealed_secret_rc['metadata'] ||= {}
+      sealed_secret_rc['metadata']['annotations'] ||= {}
+      sealed_secret_rc['metadata']['annotations'][CLUSTER_WIDE_ANNOT] = "true"
+      sealed_secret_rc
+    end
+  end
+
+  def armor(h)
+    (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
+  end
+
+  def unarmor(h)
+    (h || {}).map{ |k, v| [k, Base64.decode64(v)] }.to_h
+  end
+end
+

data/lib/kubeseal/cli.rb

@@ -0,0 +1,101 @@
+require 'optparse'
+require 'yaml'
+
+require 'k8s-ruby'
+
+require 'kubeseal'
+
+class Kubeseal::CLI
+  def self.start(argv = ARGV)
+    trap('INT'){ Kernel.exit(0) }
+    self.new(argv).run
+  end
+
+  def initialize(argv = ARGV)
+    @k8s_client = K8s::Client.autoconfig
+
+    @mode = :encrypt
+    @scope = :strict
+    @decrypt_rearmor = true
+    self.option_parser.parse(argv)
+
+    @sealer = Kubeseal.new do |fetch_mode|
+      case fetch_mode
+      in :public_key
+        fetch_cluster_sealer_active_public_key
+      in :private_keys
+        fetch_cluster_sealer_all_private_keys
+      end
+    end
+  end
+
+  def option_parser
+    OptionParser.new do |parser|
+      parser.banner = "Usage: kubesealr [options]"
+
+      parser.on("-d", "--decrypt", "Unseal sealed secrets (requires k8s User to have get access to secrets in kube-system namespace)") do |t|
+        @mode = :decrypt
+      end
+
+      parser.on("-a", "--[no-]armor", "Emit base64-armored secrets when unsealing") do |t|
+        @decrypt_rearmor = t
+      end
+
+      parser.on("-sTYPE", "--scope TYPE", [:strict, :"namespace-wide", :"cluster-wide"],
+                "Select scope (strict, namespace-wide, cluster-wide)") do |v|
+        @scope = v
+      end
+    end
+  end
+
+  def run
+    case @mode
+    in :encrypt
+      $stdout.puts(seal_stream($stdin.read))
+    in :decrypt
+      $stdout.puts(unseal_stream($stdin.read))
+    end
+  end
+
+  private
+  def fetch_cluster_sealer_active_public_key
+    cert_req_opts = {
+      method: 'GET',
+      path: '/api/v1/namespaces/kube-system/services/sealed-secrets-controller:8080/proxy/v1/cert.pem'
+    }.merge(@k8s_client.transport.request_options)
+
+    cert_resp = @k8s_client.transport.excon.request(cert_req_opts)
+
+    cert_pem_str = cert_resp.body
+
+    cluster_certificate = OpenSSL::X509::Certificate.new(cert_pem_str)
+
+    cluster_certificate.public_key
+  end
+
+  private
+  def fetch_cluster_sealer_all_private_keys
+    privkey_pem_strs =
+      @k8s_client.api('v1')
+      .resource('secrets', namespace: 'kube-system')
+      .list(fieldSelector: {'type' => 'kubernetes.io/tls'})
+      .filter{ |r| r.metadata.generateName == 'sealed-secrets-key' }
+      .map{ |r| Base64.decode64(r.data['tls.key']) }
+
+    privkey_pem_strs.map{ |pem| OpenSSL::PKey::RSA.new(pem) }
+  end
+
+  private
+  def seal_stream(secret_yaml_stream)
+    YAML.load_stream(secret_yaml_stream).map do |secret_rc|
+      @sealer.seal_and_wrap(secret_rc, scope: @scope).to_yaml
+    end.join("")
+  end
+
+  private
+  def unseal_stream(sealed_secret_yaml_stream)
+    YAML.load_stream(sealed_secret_yaml_stream).map do |sealed_secret_rc|
+      @sealer.unwrap_and_unseal(sealed_secret_rc, armor: @decrypt_rearmor).to_yaml
+    end.join("")
+  end
+end

data/lib/kubeseal/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Kubeseal
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,92 @@
+--- !ruby/object:Gem::Specification
+name: kubesealr
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Levi Aul
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2021-01-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: k8s-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: openssl-oaep
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+    KubesealR is a pure-Ruby implementation of Bitnami's Sealed-Secrets
+    CLI client "kubeseal." KubesealR also embeds a plugin for KustomizeR,
+    allowing KustomizeR to seal (generated or provided) secrets as a
+    resource-config transformation pass.
+email:
+- levi@leviaul.com
+executables:
+- kubesealr
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/kubesealr
+- kubesealr.gemspec
+- lib/kubeseal.rb
+- lib/kubeseal/cli.rb
+- lib/kubeseal/version.rb
+homepage: https://github.com/tsutsu/kubesealr
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/tsutsu/kubesealr
+  source_code_uri: https://github.com/tsutsu/kubesealr
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.3
+signing_key:
+specification_version: 4
+summary: K8s sealed-secret client and KustomizeR transformer
+test_files: []