kubesealr 0.1.0 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 35b04586dd5c804bf697478a11e919da402c87519cdb22bc940c9060b0b07792
-  data.tar.gz: cfba159bc9ce48fbe5add4a7640bfb3edfa1f66a79617855e22784e5fa60aaf9
+  metadata.gz: fbb5b323fccfd16bf9def64effd750701802ac652cbb1103041d4a1add260700
+  data.tar.gz: 0f5703b58200f864f4b67540eb7c459b5f5bf0740734ddcec87bfb19890af21b
 SHA512:
-  metadata.gz: 5b199eef47106927b95b724393e1d4bd9bf003bdad5c13b3251b58e600c3afcac53d9824d2c2e922ef8dc1b0ac848acbd7404f8600a7b5f5769b65c49802a9bf
-  data.tar.gz: 41a52d3229fda407fa074cffae4b8b1af562182142d54c664bce35ae52493f5693d6343d638644bbb729b3f36fd931dbd89c4cdfbae4eed8c1c7a98107034ad9
+  metadata.gz: e8b38ebdda58c849a445e2f545e1302f654d90eaf958d9c695567ca0b7b0f1c60e20afedc81d324541e947273191a2d7db3fc6bd45e3e342a5f470da48c9cc95
+  data.tar.gz: e3eb7c1c043d254884289f277925e8f14f3ade87378792597c7d679d2cb391f4c56233b14c652397a99f4ccff4390dfc424b22678e535c2d88d30411a3da0c12

data/.gitignore

@@ -6,6 +6,7 @@
 /pkg/
 /spec/reports/
 /tmp/
+/vendor/
 
 # rspec failure tracking
 .rspec_status

data/Gemfile

@@ -7,8 +7,7 @@ gemspec
 
 # override dep resolution to fix Ruby 3.0 support
 # (libs dependent on this lib must do this on their own)
-gem 'k8s-ruby', github: 'tsutsu/k8s-ruby', branch: 'fork-master'
-gem 'recursive-open-struct', github: 'tsutsu/recursive-open-struct', branch: 'fix-ruby3-support'
+# gem 'k8s-ruby', github: 'tsutsu/k8s-ruby', branch: 'fork-master'
 
 # development dependencies
 gem 'rake', '~> 13.0'

data/Gemfile.lock

@@ -1,70 +1,55 @@
-GIT
-  remote: https://github.com/tsutsu/k8s-ruby.git
-  revision: 177ba953169f32b6b40b85eedae85659825381b5
-  branch: fork-master
-  specs:
-    k8s-ruby (0.10.5)
-      dry-struct (~> 1.3.0)
-      dry-types (~> 1.4.0)
-      excon (~> 0.78)
-      hashdiff (~> 1.0.1)
-      jsonpath (~> 1.1.0)
-      recursive-open-struct (~> 1.1.3)
-      yajl-ruby (~> 1.4.1)
-      yaml-safe_load_stream2 (~> 0.1)
-
-GIT
-  remote: https://github.com/tsutsu/recursive-open-struct.git
-  revision: 1467ac3107582ab32de016fa320c1e204b10a1af
-  branch: fix-ruby3-support
-  specs:
-    recursive-open-struct (1.1.3)
-
 PATH
   remote: .
   specs:
-    kubesealr (0.1.0)
-      k8s-ruby
+    kubesealr (0.1.4)
+      k8s-ruby2 (~> 0.10.7)
       openssl-oaep
 
 GEM
   remote: https://rubygems.org/
   specs:
-    concurrent-ruby (1.1.7)
+    concurrent-ruby (1.1.9)
     diff-lcs (1.4.4)
-    dry-configurable (0.12.0)
+    dry-configurable (0.13.0)
       concurrent-ruby (~> 1.0)
-      dry-core (~> 0.5, >= 0.5.0)
-    dry-container (0.7.2)
+      dry-core (~> 0.6)
+    dry-container (0.9.0)
       concurrent-ruby (~> 1.0)
-      dry-configurable (~> 0.1, >= 0.1.3)
-    dry-core (0.5.0)
+      dry-configurable (~> 0.13, >= 0.13.0)
+    dry-core (0.7.1)
       concurrent-ruby (~> 1.0)
-    dry-equalizer (0.3.0)
-    dry-inflector (0.2.0)
-    dry-logic (1.1.0)
+    dry-inflector (0.2.1)
+    dry-logic (1.2.0)
       concurrent-ruby (~> 1.0)
       dry-core (~> 0.5, >= 0.5)
-    dry-struct (1.3.0)
-      dry-core (~> 0.4, >= 0.4.4)
-      dry-equalizer (~> 0.3)
-      dry-types (~> 1.3)
+    dry-struct (1.4.0)
+      dry-core (~> 0.5, >= 0.5)
+      dry-types (~> 1.5)
       ice_nine (~> 0.11)
-    dry-types (1.4.0)
+    dry-types (1.5.1)
       concurrent-ruby (~> 1.0)
       dry-container (~> 0.3)
-      dry-core (~> 0.4, >= 0.4.4)
-      dry-equalizer (~> 0.3)
+      dry-core (~> 0.5, >= 0.5)
       dry-inflector (~> 0.1, >= 0.1.2)
       dry-logic (~> 1.0, >= 1.0.2)
-    excon (0.78.1)
+    excon (0.88.0)
     hashdiff (1.0.1)
     ice_nine (0.11.2)
     jsonpath (1.1.0)
       multi_json
+    k8s-ruby2 (0.10.7)
+      dry-struct (~> 1.4.0)
+      dry-types (~> 1.5.0)
+      excon (~> 0.78)
+      hashdiff (~> 1.0.1)
+      jsonpath (~> 1.1.0)
+      recursive-open-struct (~> 1.1.3)
+      yajl-ruby (~> 1.4.1)
+      yaml-safe_load_stream2 (~> 0.1.1)
     multi_json (1.15.0)
     openssl-oaep (0.1.0)
-    rake (13.0.3)
+    rake (13.0.6)
+    recursive-open-struct (1.1.3)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)
@@ -74,22 +59,20 @@ GEM
     rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.1)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
-    rspec-support (3.10.1)
+    rspec-support (3.10.2)
     yajl-ruby (1.4.1)
     yaml-safe_load_stream2 (0.1.1)
 
 PLATFORMS
-  x86_64-darwin-20
+  ruby
 
 DEPENDENCIES
-  k8s-ruby!
   kubesealr!
   rake (~> 13.0)
-  recursive-open-struct!
   rspec (~> 3.0)
 
 BUNDLED WITH
-   2.2.5
+   2.2.30

data/kubesealr.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   EOF
   spec.homepage      = "https://github.com/tsutsu/kubesealr"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.7.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.6.0")
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
@@ -31,6 +31,6 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency 'k8s-ruby'
+  spec.add_runtime_dependency 'k8s-ruby2', '~> 0.10.7'
   spec.add_runtime_dependency 'openssl-oaep'
 end

data/lib/kubeseal/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class Kubeseal
-  VERSION = "0.1.0"
+  VERSION = "0.1.4"
 end

data/lib/kubeseal.rb

@@ -10,11 +10,12 @@ require 'kubeseal/version'
 
 class Kubeseal
   DEFAULT_KEY_FETCHER = lambda do |_|
-    raise NotImplementedError, "no cert getter passed"
+    raise NotImplementedError, "no cluster key-fetcher passed"
   end
 
-  def initialize(&cluster_sealer_key_fetcher)
-    @cluster_sealer_key_fetcher = cluster_sealer_key_fetcher || DEFAULT_KEY_FETCHER
+  def initialize(key_fetcher: nil, resealer: nil)
+    @cluster_sealer_key_fetcher = key_fetcher || DEFAULT_KEY_FETCHER
+    @cluster_sealer_resealer = resealer
   end
 
   def cluster_sealer_public_key
@@ -94,7 +95,6 @@ class Kubeseal
     )
   end
 
-  private
   def seal(plaintext, scope_label)
     cs_pubkey = self.cluster_sealer_public_key
 
@@ -126,7 +126,6 @@ class Kubeseal
     ciphertext_parts.pack('S>A*A*')
   end
 
-  private
   def unseal(ciphertext, scope_label)
     cs_privkeys_to_try = self.cluster_sealer_private_keys.dup
 
@@ -168,6 +167,47 @@ class Kubeseal
     plaintext
   end
 
+  def reseal(...)
+    if @cluster_sealer_resealer
+      reseal_serverside(...)
+    else
+      reseal_clientside(...)
+    end
+  end
+
+  def reseal_clientside(ciphertext, scope_label)
+    plaintext = unseal(ciphertext, scope_label)
+    seal(plaintext, scope_label)
+  end
+
+  def reseal_serverside(ciphertext, scope_label)
+    rc_namespace, rc_name, scope =
+      case scope_label.split('/', 2)
+      in []
+        ["dummy", "dummy", :"cluster-wide"]
+      in [ns]
+        [ns, "dummy", :"namespace-wide"]
+      in [ns, name]
+        [ns, name, :strict]
+      end
+
+    rc = build_sealed_secret_rc(
+      rc_namespace,
+      rc_name,
+      'Opaque',
+      armor({'dummy' => ciphertext}, strict: true)
+    )
+    rc = patch_with_scope(rc, scope)
+
+    resealed_rc = reseal_wrapped_serverside(rc)
+
+    Base64.decode64(resealed_rc.dig('spec', 'encryptedData', 'dummy'))
+  end
+
+  def reseal_wrapped_serverside(sealed_secret_rc)
+    YAML.load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))
+  end
+
   private
   def label_for(scope, rc_namespace, rc_name)
     case scope
@@ -248,8 +288,12 @@ class Kubeseal
     end
   end
 
-  def armor(h)
-    (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
+  def armor(h, strict: false)
+    if strict
+      (h || {}).map{ |k, v| [k, Base64.strict_encode64(v)] }.to_h
+    else
+      (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
+    end
   end
 
   def unarmor(h)

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: kubesealr
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.4
 platform: ruby
 authors:
 - Levi Aul
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-01-20 00:00:00.000000000 Z
+date: 2021-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: k8s-ruby
+  name: k8s-ruby2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.10.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.10.7
 - !ruby/object:Gem::Dependency
   name: openssl-oaep
   requirement: !ruby/object:Gem::Requirement
@@ -78,14 +78,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: K8s sealed-secret client and KustomizeR transformer