@codemowers/oidc-key-manager 0.1.0 → 0.2.0

package/README.md

@@ -7,9 +7,6 @@ CLI to manage secret keys required by oidc-gateway
 * [Usage](#usage)
 * [Commands](#commands)
 <!-- tocstop -->
-* [Usage](#usage)
-* [Commands](#commands)
-<!-- tocstop -->
 # Usage
 <!-- usage -->
 ```sh-session
@@ -17,28 +14,17 @@ $ npm install -g @codemowers/oidc-key-manager
 $ key-manager COMMAND
 running command...
 $ key-manager (--version)
-@codemowers/oidc-key-manager/0.1.0 linux-x64 node-v16.17.0
+@codemowers/oidc-key-manager/0.2.0 linux-x64 node-v16.17.0
 $ key-manager --help [COMMAND]
 USAGE
   $ key-manager COMMAND
 ...
 ```
 <!-- usagestop -->
-```sh-session
-$ npm install -g oidc-key-manager
-$ key-manager COMMAND
-running command...
-$ key-manager (--version)
-oidc-key-manager/0.0.0 linux-x64 node-v18.15.0
-$ key-manager --help [COMMAND]
-USAGE
-  $ key-manager COMMAND
-...
-```
-<!-- usagestop -->
 # Commands
 <!-- commands -->
 * [`key-manager initialize`](#key-manager-initialize)
+* [`key-manager rotate`](#key-manager-rotate)
 
 ## `key-manager initialize`
 
@@ -71,33 +57,37 @@ EXAMPLES
   $ key-manager initialize --namespace <kube namespace> --secret <secret name> --recreate
 ```
 
-_See code: [dist/commands/initialize.ts](https://github.com/codemowers/oidc-key-manager/blob/v0.1.0/dist/commands/initialize.ts)_
-<!-- commandsstop -->
-* [`key-manager initialize`](#key-manager-initialize)
-
-## `key-manager initialize`
-
-Initialize the secret with initial keys
-
-```
-USAGE
-  $ key-manager initialize [-n <value>] [-s <value>] [--recreate]
-
-FLAGS
-  -n, --namespace=<value>  namespace, defaults to current namespace if service account is used
-  -s, --secret=<value>     [default: oidc-keys] secret name
-  --recreate               recreate the secret if it exists
-
-DESCRIPTION
-  Initialize the secret with initial keys
-
-EXAMPLES
-  $ key-manager initialize
-
-  $ key-manager initialize -n <kube namespace> -s <secret name>
-
-  $ key-manager initialize --namespace <kube namespace> --secret <secret name> --recreate
-```
-
-_See code: [dist/commands/initialize.ts](https://github.com/codemowers/oidc-key-manager/blob/v0.0.0/dist/commands/initialize.ts)_
+_See code: [dist/commands/initialize.ts](https://github.com/codemowers/oidc-key-manager/blob/v0.2.0/dist/commands/initialize.ts)_
+
+## `key-manager rotate`
+
+Append new JWK|cookie key|both and rotate the array, optionally restarting the deployment
+
+```
+USAGE
+  $ key-manager rotate -c local|cluster [-n <value>] [-s <value>] [--both] [--jwks] [--cookie-keys]
+    [--max-number-of-jwks <value>] [--max-number-of-cookie-keys <value>] [--restart-deployment-backoff <value>
+    --restart-deployment <value>]
+
+FLAGS
+  -c, --config=<option>                 (required) use local or in-cluster Kubernetes config
+                                        <options: local|cluster>
+  -n, --namespace=<value>               namespace, defaults to current namespace if service account is used
+  -s, --secret=<value>                  [default: oidc-keys] secret name
+  --both                                rotate both JWKs and cookie keys
+  --cookie-keys                         rotate cookie keys
+  --jwks                                rotate JWKs
+  --max-number-of-cookie-keys=<value>   [default: 3]
+  --max-number-of-jwks=<value>          [default: 3]
+  --restart-deployment=<value>          Kubernetes deployment name to restart while rotating
+  --restart-deployment-backoff=<value>  [default: 60] Seconds to wait for deployment to restart
+
+DESCRIPTION
+  Append new JWK|cookie key|both and rotate the array, optionally restarting the deployment
+
+EXAMPLES
+  $ key-manager rotate
+```
+
+_See code: [dist/commands/rotate.ts](https://github.com/codemowers/oidc-key-manager/blob/v0.2.0/dist/commands/rotate.ts)_
 <!-- commandsstop -->

package/dist/commands/initialize.d.ts

@@ -4,10 +4,10 @@ export default class Initialize extends Command {
     static enableJsonFlag: boolean;
     static examples: string[];
     static flags: {
+        recreate: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
         namespace: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
         secret: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
         config: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
-        recreate: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     static args: {};
     run(): Promise<void>;

package/dist/commands/initialize.js

@@ -10,14 +10,14 @@ class Initialize extends core_1.Command {
         const { flags } = await this.parse(Initialize);
         const kubeApiService = new kube_api_service_1.KubeApiService(this, flags);
         kubeApiService.printConfiguration();
-        const exists = await kubeApiService.checkSecretExistence();
+        const exists = await kubeApiService.getSecret();
         if (exists && !flags.recreate) {
             this.exit(0);
         }
         if (exists) {
             await kubeApiService.deleteSecret();
         }
-        const secret = new secret_1.Secret();
+        const secret = new secret_1.Secret(this);
         this.log('Generating secret');
         secret.generateNew();
         await kubeApiService.createSecret(secret);
@@ -34,5 +34,6 @@ Initialize.examples = [
 ];
 Initialize.flags = {
     ...common_flags_1.default,
+    recreate: core_1.Flags.boolean({ description: 'recreate the secret if it exists', aliases: ['recreate'], required: false }),
 };
 Initialize.args = {};

package/dist/commands/rotate.d.ts

@@ -0,0 +1,19 @@
+import { Command } from '@oclif/core';
+export default class Rotate extends Command {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        both: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        jwks: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        'cookie-keys': import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        'max-number-of-jwks': import("@oclif/core/lib/interfaces").OptionFlag<number, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        'max-number-of-cookie-keys': import("@oclif/core/lib/interfaces").OptionFlag<number, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        'restart-deployment': import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        'restart-deployment-backoff': import("@oclif/core/lib/interfaces").OptionFlag<number, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        namespace: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        secret: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        config: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+    };
+    static args: {};
+    run(): Promise<void>;
+}

package/dist/commands/rotate.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+const core_1 = require("@oclif/core");
+const common_flags_1 = tslib_1.__importDefault(require("../helpers/common-flags"));
+const kube_api_service_1 = require("../helpers/kube-api-service");
+const secret_1 = require("../helpers/secret");
+class Rotate extends core_1.Command {
+    async run() {
+        const { flags } = await this.parse(Rotate);
+        const kubeApiService = new kube_api_service_1.KubeApiService(this, flags);
+        kubeApiService.printConfiguration();
+        const kubeSecret = await kubeApiService.getSecret();
+        if (!kubeSecret) {
+            this.error('Secret does not exist');
+            this.exit(1);
+        }
+        const secret = new secret_1.Secret(this);
+        secret.fromKubeSecret(kubeSecret);
+        if (flags.both || flags.jwks) {
+            secret.appendJWK(flags['max-number-of-jwks']);
+        }
+        if (flags.both || flags['cookie-keys']) {
+            secret.appendCookieKey(flags['max-number-of-cookie-keys']);
+        }
+        await kubeApiService.replaceSecret(secret);
+        if (flags['restart-deployment']) {
+            await kubeApiService.restartDeployment(flags['restart-deployment'], flags['restart-deployment-backoff']);
+        }
+        if (flags.both || flags.jwks) {
+            secret.rotateJWKs();
+        }
+        if (flags.both || flags.jwks) {
+            secret.rotateCookieKeys();
+        }
+        await kubeApiService.replaceSecret(secret);
+        if (flags['restart-deployment']) {
+            await kubeApiService.restartDeployment(flags['restart-deployment'], flags['restart-deployment-backoff']);
+        }
+    }
+}
+exports.default = Rotate;
+Rotate.description = 'Append new JWK|cookie key|both and rotate the array, optionally restarting the deployment';
+Rotate.examples = [
+    '<%= config.bin %> <%= command.id %>',
+];
+Rotate.flags = {
+    ...common_flags_1.default,
+    both: core_1.Flags.boolean({ description: 'rotate both JWKs and cookie keys', exactlyOne: ['both', 'jwks', 'cookie-keys'] }),
+    jwks: core_1.Flags.boolean({ description: 'rotate JWKs' }),
+    'cookie-keys': core_1.Flags.boolean({ description: 'rotate cookie keys' }),
+    'max-number-of-jwks': core_1.Flags.integer({ default: 3 }),
+    'max-number-of-cookie-keys': core_1.Flags.integer({ default: 3 }),
+    'restart-deployment': core_1.Flags.string({ description: 'Kubernetes deployment name to restart while rotating' }),
+    'restart-deployment-backoff': core_1.Flags.integer({ description: 'Seconds to wait for deployment to restart', default: 60, dependsOn: ['restart-deployment'] }),
+};
+Rotate.args = {};

package/dist/helpers/common-flags.d.ts

@@ -1,7 +1,6 @@
 export interface CommonFlagsInterface {
     namespace: string | undefined;
     secret: string;
-    recreate: boolean;
     config: string;
 }
 export declare enum ConfigType {
@@ -12,6 +11,5 @@ declare const _default: {
     namespace: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
     secret: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
     config: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
-    recreate: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
 };
 export default _default;

package/dist/helpers/common-flags.js

@@ -11,5 +11,4 @@ exports.default = {
     namespace: core_1.Flags.string({ char: 'n', description: 'namespace, defaults to current namespace if service account is used', aliases: ['namespace'], required: false }),
     secret: core_1.Flags.string({ char: 's', description: 'secret name', aliases: ['secret'], default: 'oidc-keys', required: false }),
     config: core_1.Flags.string({ char: 'c', description: 'use local or in-cluster Kubernetes config', aliases: ['config'], required: true, options: [ConfigType.Local, ConfigType.InCluster] }),
-    recreate: core_1.Flags.boolean({ description: 'recreate the secret if it exists', aliases: ['recreate'], required: false }),
 };

package/dist/helpers/kube-api-service.d.ts

@@ -1,3 +1,4 @@
+import { V1Secret } from '@kubernetes/client-node';
 import { CommonFlagsInterface } from './common-flags';
 import { Command } from '@oclif/core';
 import { Secret } from './secret';
@@ -5,12 +6,15 @@ export declare class KubeApiService {
     #private;
     private kc;
     private coreV1Api;
+    private appsV1Api;
     private namespace;
     private command;
     private secretName;
     constructor(command: Command, flags: CommonFlagsInterface);
     printConfiguration(): void;
-    checkSecretExistence(): Promise<boolean>;
+    restartDeployment(deploymentName: string, timeoutInSeconds: number): Promise<any>;
+    getSecret(): Promise<V1Secret | undefined | null>;
     deleteSecret(): Promise<void>;
     createSecret(secret: Secret): Promise<void>;
+    replaceSecret(secret: Secret): Promise<void>;
 }

package/dist/helpers/kube-api-service.js

@@ -15,6 +15,7 @@ class KubeApiService {
         flags.config === common_flags_1.ConfigType.InCluster ? this.kc.loadFromCluster() : this.kc.loadFromDefault();
         this.namespace = (_c = (_a = flags.namespace) !== null && _a !== void 0 ? _a : (_b = this.kc.getContextObject(this.kc.getCurrentContext())) === null || _b === void 0 ? void 0 : _b.namespace) !== null && _c !== void 0 ? _c : Undefined;
         this.coreV1Api = this.kc.makeApiClient(client_node_1.CoreV1Api);
+        this.appsV1Api = this.kc.makeApiClient(client_node_1.AppsV1Api);
         this.secretName = flags.secret;
         tslib_1.__classPrivateFieldGet(this, _KubeApiService_instances, "m", _KubeApiService_validate).call(this);
     }
@@ -26,17 +27,57 @@ class KubeApiService {
             secretName: this.secretName,
         });
     }
-    async checkSecretExistence() {
+    async restartDeployment(deploymentName, timeoutInSeconds) {
+        this.command.log(`Restarting deployment ${deploymentName}`);
+        await this.appsV1Api.patchNamespacedDeployment(deploymentName, this.namespace, {
+            spec: {
+                template: {
+                    metadata: {
+                        annotations: {
+                            'kubectl.kubernetes.io/restartedAt': String(Date.now()),
+                        },
+                    },
+                },
+            },
+        }, undefined, undefined, undefined, undefined, undefined, { headers: { 'Content-type': client_node_1.PatchUtils.PATCH_FORMAT_JSON_MERGE_PATCH } });
+        return new Promise((resolve, reject) => {
+            const timeout = setTimeout(() => {
+                informer.stop();
+                reject(new Error(`Failed to observe new ReplicaSet before ${timeoutInSeconds} seconds`));
+            }, timeoutInSeconds * 1000);
+            // eslint-disable-next-line unicorn/consistent-function-scoping
+            const listFn = () => this.appsV1Api.listNamespacedDeployment(this.namespace);
+            const informer = (0, client_node_1.makeInformer)(this.kc, `/apis/apps/v1/namespaces/${this.namespace}/deployments/`, listFn);
+            informer.on('update', (obj) => {
+                var _a;
+                const conditions = (_a = obj === null || obj === void 0 ? void 0 : obj.status) === null || _a === void 0 ? void 0 : _a.conditions;
+                if (conditions) {
+                    const progressingCondition = conditions.find((c) => c.type === 'Progressing');
+                    if ((progressingCondition === null || progressingCondition === void 0 ? void 0 : progressingCondition.reason) === 'NewReplicaSetAvailable') {
+                        this.command.log('Deployment finished restarting');
+                        clearTimeout(timeout);
+                        informer.stop();
+                        resolve(obj);
+                    }
+                }
+            });
+            informer.start();
+            this.command.log('Waiting for deployment to restart');
+        });
+    }
+    async getSecret() {
         this.command.log(`Checking if secret ${this.secretName} exists`);
-        const exists = await this.coreV1Api.readNamespacedSecret(this.secretName, this.namespace)
-            .then(() => true)
+        const secret = await this.coreV1Api.readNamespacedSecret(this.secretName, this.namespace)
+            .then(response => response.body)
             .catch(error => {
-            if (error.status === 404) {
-                return false;
+            if (error.statusCode !== 404) {
+                this.command.error(error);
+                this.command.exit(1);
             }
+            return null;
         });
-        this.command.log(exists ? `Secret ${this.secretName} already exists` : `Secret ${this.secretName} does not exist`);
-        return Boolean(exists);
+        this.command.log(secret ? `Secret ${this.secretName} exists` : `Secret ${this.secretName} does not exist`);
+        return secret;
     }
     async deleteSecret() {
         this.command.log(`Deleting existing secret ${this.secretName}`);
@@ -48,6 +89,10 @@ class KubeApiService {
         await this.coreV1Api.createNamespacedSecret(this.namespace, secret.toKubeSecret(this.secretName));
         this.command.log(`Created secret ${this.secretName}`);
     }
+    async replaceSecret(secret) {
+        this.command.log(`Replacing secret ${this.secretName}`);
+        await this.coreV1Api.replaceNamespacedSecret(this.secretName, this.namespace, secret.toKubeSecret(this.secretName));
+    }
 }
 exports.KubeApiService = KubeApiService;
 _KubeApiService_instances = new WeakSet(), _KubeApiService_validate = function _KubeApiService_validate() {

package/dist/helpers/secret.d.ts

@@ -1,9 +1,16 @@
 import { V1Secret } from '@kubernetes/client-node';
+import { Command } from '@oclif/core';
 export declare class Secret {
     #private;
     private JWKs;
     private CookieKeys;
-    constructor();
+    private command;
+    constructor(command: Command);
     generateNew(): void;
     toKubeSecret(secretName: string): V1Secret;
+    fromKubeSecret(kubeSecret: V1Secret): void;
+    appendJWK(maxNumber: number): void;
+    appendCookieKey(maxNumber: number): void;
+    rotateJWKs(): void;
+    rotateCookieKeys(): void;
 }

package/dist/helpers/secret.js

@@ -1,5 +1,5 @@
 "use strict";
-var _Secret_instances, _Secret_generateRSAJwk, _Secret_generateCookieKey, _Secret_arrayToB64String, _Secret_getKubeSecretMetadata;
+var _Secret_instances, _Secret_append, _Secret_rotate, _Secret_generateRSAJwk, _Secret_generateCookieKey, _Secret_arrayToB64String, _Secret_getKubeSecretMetadata;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Secret = void 0;
 const tslib_1 = require("tslib");
@@ -9,10 +9,11 @@ const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
 const JWKSKeyName = 'OIDC_JWKS';
 const CookieKeysKeyName = 'OIDC_COOKIE_KEYS';
 class Secret {
-    constructor() {
+    constructor(command) {
         _Secret_instances.add(this);
         this.JWKs = [];
         this.CookieKeys = [];
+        this.command = command;
     }
     generateNew() {
         this.JWKs = [tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_generateRSAJwk).call(this, 4096)];
@@ -26,9 +27,41 @@ class Secret {
         secret.data[CookieKeysKeyName] = tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_arrayToB64String).call(this, this.CookieKeys);
         return secret;
     }
+    fromKubeSecret(kubeSecret) {
+        var _a;
+        const data = (_a = kubeSecret === null || kubeSecret === void 0 ? void 0 : kubeSecret.data) !== null && _a !== void 0 ? _a : {};
+        this.JWKs = JSON.parse(Buffer.from(data[JWKSKeyName], 'base64').toString());
+        this.CookieKeys = JSON.parse(Buffer.from(data[CookieKeysKeyName], 'base64').toString());
+    }
+    appendJWK(maxNumber) {
+        tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_append).call(this, 'JWKs', maxNumber, () => tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_generateRSAJwk).call(this, 4096));
+    }
+    appendCookieKey(maxNumber) {
+        tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_append).call(this, 'CookieKeys', maxNumber, () => tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_generateCookieKey).call(this, 32));
+    }
+    rotateJWKs() {
+        tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_rotate).call(this, 'JWKs');
+    }
+    rotateCookieKeys() {
+        tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_rotate).call(this, 'CookieKeys');
+    }
 }
 exports.Secret = Secret;
-_Secret_instances = new WeakSet(), _Secret_generateRSAJwk = function _Secret_generateRSAJwk(len) {
+_Secret_instances = new WeakSet(), _Secret_append = function _Secret_append(property, maxNumber, generatorFn) {
+    if (this[property].length + 1 > maxNumber) {
+        this.command.log(`Removing extra ${this[property].length + 1 - maxNumber} ${property}`);
+        this.JWKs.splice(maxNumber - 1);
+    }
+    this.command.log(`Appending new value to end of ${property}`);
+    this[property] = [...this[property], generatorFn()];
+}, _Secret_rotate = function _Secret_rotate(property) {
+    this.command.log(`Rotating new value to the start of ${property}`);
+    const newValue = this[property].pop();
+    if (newValue) {
+        this[property] = [newValue, ...this[property]];
+    }
+}, _Secret_generateRSAJwk = function _Secret_generateRSAJwk(len) {
+    this.command.log(`Generating ${len}bit RSA key pair`);
     const keypair = jsrsasign_1.KEYUTIL.generateKeypair('RSA', len);
     const jwk = jsrsasign_1.KEYUTIL.getJWK(keypair.prvKeyObj);
     return {

package/oclif.manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.1.0",
+  "version": "0.2.0",
   "commands": {
     "initialize": {
       "id": "initialize",
@@ -73,6 +73,105 @@
         }
       },
       "args": {}
+    },
+    "rotate": {
+      "id": "rotate",
+      "description": "Append new JWK|cookie key|both and rotate the array, optionally restarting the deployment",
+      "strict": true,
+      "pluginName": "@codemowers/oidc-key-manager",
+      "pluginAlias": "@codemowers/oidc-key-manager",
+      "pluginType": "core",
+      "aliases": [],
+      "examples": [
+        "<%= config.bin %> <%= command.id %>"
+      ],
+      "flags": {
+        "namespace": {
+          "name": "namespace",
+          "type": "option",
+          "char": "n",
+          "description": "namespace, defaults to current namespace if service account is used",
+          "required": false,
+          "multiple": false,
+          "aliases": [
+            "namespace"
+          ]
+        },
+        "secret": {
+          "name": "secret",
+          "type": "option",
+          "char": "s",
+          "description": "secret name",
+          "required": false,
+          "multiple": false,
+          "default": "oidc-keys",
+          "aliases": [
+            "secret"
+          ]
+        },
+        "config": {
+          "name": "config",
+          "type": "option",
+          "char": "c",
+          "description": "use local or in-cluster Kubernetes config",
+          "required": true,
+          "multiple": false,
+          "options": [
+            "local",
+            "cluster"
+          ],
+          "aliases": [
+            "config"
+          ]
+        },
+        "both": {
+          "name": "both",
+          "type": "boolean",
+          "description": "rotate both JWKs and cookie keys",
+          "allowNo": false
+        },
+        "jwks": {
+          "name": "jwks",
+          "type": "boolean",
+          "description": "rotate JWKs",
+          "allowNo": false
+        },
+        "cookie-keys": {
+          "name": "cookie-keys",
+          "type": "boolean",
+          "description": "rotate cookie keys",
+          "allowNo": false
+        },
+        "max-number-of-jwks": {
+          "name": "max-number-of-jwks",
+          "type": "option",
+          "multiple": false,
+          "default": 3
+        },
+        "max-number-of-cookie-keys": {
+          "name": "max-number-of-cookie-keys",
+          "type": "option",
+          "multiple": false,
+          "default": 3
+        },
+        "restart-deployment": {
+          "name": "restart-deployment",
+          "type": "option",
+          "description": "Kubernetes deployment name to restart while rotating",
+          "multiple": false
+        },
+        "restart-deployment-backoff": {
+          "name": "restart-deployment-backoff",
+          "type": "option",
+          "description": "Seconds to wait for deployment to restart",
+          "multiple": false,
+          "dependsOn": [
+            "restart-deployment"
+          ],
+          "default": 60
+        }
+      },
+      "args": {}
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@codemowers/oidc-key-manager",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "CLI to manage secret keys required by oidc-gateway",
   "author": "Erki Aas",
   "bin": {