kubesealr 0.1.0 → 0.1.1
- checksums.yaml +4 -4
 - data/Gemfile.lock +2 -2
 - data/lib/kubeseal.rb +51 -7
 - data/lib/kubeseal/version.rb +1 -1
 - metadata +2 -2
 
    
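--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: e7a7de36bca5843043b35eed90dc582ba6717e12c50870ff2ce03f628680acb7
+  data.tar.gz: '01896547d9b98c3cb7e5e0836e21626d4a83406a2462ef4b0ebb5abe766d20ce'
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 76cfd1be8a58295d74510419a624c5668fe385d8535be7a068c59436256b5c8ffe6ffd5ae11b62b21bda0b394125d20e508d8f0bf67bd3b480164fc504fcb7e6
+  data.tar.gz: d0c7f6ea29a85f176026d6aa590b4a1ebdcd296d953be3e4ec1299436835646434e073d332a86ad07cf6e670ec5ed56e8f165a5cf6edd433a706b418a5696166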
        data/Gemfile.lock
    CHANGED
    
    
    
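--- a/data/lib/kubeseal.rb
+++ b/data/lib/kubeseal.rb
@@ -10,11 +10,12 @@ require 'kubeseal/version'
 
 class Kubeseal
   DEFAULT_KEY_FETCHER = lambda do |_|
-    raise NotImplementedError, "no
+    raise NotImplementedError, "no cluster key-fetcher passed"
   end
 
-  def initialize(
-    @cluster_sealer_key_fetcher =
+  def initialize(key_fetcher: nil, resealer: nil)
+    @cluster_sealer_key_fetcher = key_fetcher || DEFAULT_KEY_FETCHER
+    @cluster_sealer_resealer = resealer
   end
 
   def cluster_sealer_public_key
@@ -94,7 +95,6 @@ class Kubeseal
     )
   end
 
-  private
   def seal(plaintext, scope_label)
     cs_pubkey = self.cluster_sealer_public_key
 
@@ -126,7 +126,6 @@ class Kubeseal
     ciphertext_parts.pack('S>A*A*')
   end
 
-  private
   def unseal(ciphertext, scope_label)
     cs_privkeys_to_try = self.cluster_sealer_private_keys.dup
 
@@ -168,6 +167,47 @@ class Kubeseal
     plaintext
   end
 
+  def reseal(...)
+    if @cluster_sealer_resealer
+      reseal_serverside(...)
+    else
+      reseal_clientside(...)
+    end
+  end
+
+  def reseal_clientside(ciphertext, scope_label)
+    plaintext = unseal(ciphertext, scope_label)
+    seal(plaintext, scope_label)
+  end
+
+  def reseal_serverside(ciphertext, scope_label)
+    rc_namespace, rc_name, scope =
+      case scope_label.split('/', 2)
+      in []
+        ["dummy", "dummy", :"cluster-wide"]
+      in [ns]
+        [ns, "dummy", :"namespace-wide"]
+      in [ns, name]
+        [ns, name, :strict]
+      end
+
+    rc = build_sealed_secret_rc(
+      rc_namespace,
+      rc_name,
+      'Opaque',
+      armor({'dummy' => ciphertext}, strict: true)
+    )
+    rc = patch_with_scope(rc, scope)
+
+    resealed_rc = reseal_wrapped_serverside(rc)
+
+    Base64.decode64(resealed_rc.dig('spec', 'encryptedData', 'dummy'))
+  end
+
+  def reseal_wrapped_serverside(sealed_secret_rc)
+    YAML.load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))
+  end
+
   private
   def label_for(scope, rc_namespace, rc_name)
     case scope
@@ -248,8 +288,12 @@ class Kubeseal
     end
   end
 
-  def armor(h)
-
+  def armor(h, strict: false)
+    if strict
+      (h || {}).map{ |k, v| [k, Base64.strict_encode64(v)] }.to_h
+    else
+      (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
+    end
   end
 
   def unarmor(h)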
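Review bot: `reseal_wrapped_serverside` parses whatever the injected `resealer` callable returns with `YAML.load`, and on the Psych 3 that ships with the Ruby 2.7/3.0 this code evidently targets (it already relies on `def reseal(...)` forwarding and `case/in`) that is the full loader, which instantiates arbitrary Ruby objects from `!ruby/object` tags — a tampered or spoofed response from the external resealing step would then execute in the caller's process. A SealedSecret document needs no custom tags, so `YAML.safe_load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))` is a drop-in replacement (unless the bundled Psych is already ≥ 4, which cannot be seen from this hunk). In `reseal_serverside`, `resealed_rc.dig('spec', 'encryptedData', 'dummy')` yields nil when the response lacks that key and `Base64.decode64(nil)` then fails with an opaque NoMethodError; a guard such as `raise "resealer returned no encryptedData" unless (b64 = resealed_rc&.dig('spec', 'encryptedData', 'dummy'))` followed by `Base64.strict_decode64(b64)` gives a clear error and mirrors the `strict: true` encoding used on the way in. Dropping both `private` markers also makes `seal`, `unseal` and the three `reseal_*` helpers public; if only `reseal` is meant as API, `private :reseal_clientside, :reseal_serverside, :reseal_wrapped_serverside` after their definitions would keep the surface narrow.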
    
        data/lib/kubeseal/version.rb
    CHANGED
    
    
    
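--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubesealr
 version: !ruby/object:Gem::Version
-  version: 0.1.
+  version: 0.1.1
 platform: ruby
 authors:
 - Levi Aul
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-01-
+date: 2021-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: k8s-ruby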