package main
import (
	"bytes"
	b64 "encoding/base64"
	json "encoding/json"
	"fmt"
	io "io/ioutil"
	"log"
	"os"
	exec "os/exec"

	gjson "github.com/tidwall/gjson"
)
// SecretJSON is the Kubernetes Secret manifest that is handed to kubeseal.
// The json tags produce the manifest keys (apiVersion, kind, data, metadata).
type SecretJSON struct {
	ApiVersion string   `json:"apiVersion"`
	Kind       string   `json:"kind"`
	Data       Data     `json:"data"`
	Metadata   MetaData `json:"metadata"`
}
// Data is the data section of the Secret manifest; Raw carries the
// secret value under the single key "raw".
type Data struct {
	Raw string `json:"raw"`
}
// MetaData is the metadata section of the Secret manifest; only the
// object name is populated.
type MetaData struct {
	Name string `json:"name"`
}
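// secretName is the metadata.name written into the Secret manifest. The
// manifest is sealed with --scope=cluster-wide, so the name does not take
// part in the sealing; a fixed value is sufficient.
const secretName = "impenetrable"

// certEnv is the environment variable that may hold the path of the sealing
// certificate. When it is unset, kubeseal fetches the certificate from the
// cluster instead.
const certEnv = "IMPENETRABLE_CERT"

// main seals the secret given as the first argument with kubeseal and prints
// the resulting spec.encryptedData.raw value. A missing argument or a
// sealing failure is reported on stderr with exit status 1.
func main() {
	if len(os.Args) == 1 {
		fmt.Fprintln(os.Stderr, "No secret provided")
		os.Exit(1)
	}
	// The secret arrives via argv, which other local processes can read
	// (e.g. through ps) and which shells tend to record in history.
	if err := run(os.Args[1]); err != nil {
		log.Fatal(err)
	}
}

// run builds the Secret manifest for secret, pipes it through kubeseal and
// prints the encrypted raw value. The manifest is fed to kubeseal on stdin
// and the sealed manifest read from its stdout, so the plaintext secret is
// never written to disk. Errors are returned rather than exiting here so
// the caller decides how to report them.
func run(secret string) error {
	manifest, err := secretManifest(secret)
	if err != nil {
		return err
	}

	args := []string{"--scope=cluster-wide"}
	fmt.Println("")
	if cert := os.Getenv(certEnv); cert != "" {
		fmt.Println("Using provided env cert..")
		// One argv element per flag: spaces or shell metacharacters in the
		// certificate path cannot alter the command, because no shell is
		// involved in launching kubeseal.
		args = append(args, "--cert="+cert)
	} else {
		fmt.Println("Will atempt to fetch cert from cluster..")
	}

	sealed, err := runKubeseal(manifest, args)
	if err != nil {
		return err
	}

	fmt.Println("")
	res := gjson.GetBytes(sealed, "spec.encryptedData.raw")
	if !res.Exists() {
		// kubeseal exited cleanly but produced no usable manifest.
		return fmt.Errorf("secret could not be sealed: kubeseal output has no spec.encryptedData.raw")
	}
	fmt.Println(res.String())
	fmt.Println("")
	return nil
}

// secretManifest returns the JSON Secret manifest whose data.raw holds the
// base64 encoding of secret, as the Kubernetes API expects for Secret data.
func secretManifest(secret string) ([]byte, error) {
	manifest := SecretJSON{
		ApiVersion: "v1",
		Kind:       "Secret",
		Data:       Data{Raw: b64.StdEncoding.EncodeToString([]byte(secret))},
		Metadata:   MetaData{Name: secretName},
	}
	body, err := json.Marshal(manifest)
	if err != nil {
		return nil, fmt.Errorf("encoding secret manifest: %w", err)
	}
	return body, nil
}

// runKubeseal runs the kubeseal binary found on PATH with args, feeding
// manifest on stdin, and returns everything it wrote to stdout. kubeseal's
// stderr is passed through so its own diagnostics reach the user, and a
// non-zero exit status is returned as an error instead of being ignored.
func runKubeseal(manifest []byte, args []string) ([]byte, error) {
	cmd := exec.Command("kubeseal", args...)
	cmd.Stdin = bytes.NewReader(manifest)
	cmd.Stderr = os.Stderr
	stdout, err := cmd.StdoutPipe()
	if err != nil {
		return nil, fmt.Errorf("kubeseal stdout pipe: %w", err)
	}
	if err := cmd.Start(); err != nil {
		return nil, fmt.Errorf("starting kubeseal: %w", err)
	}
	// io is this file's alias for io/ioutil. The pipe has to be drained
	// before Wait, as os/exec requires; the read error is checked only
	// after Wait so a failed command reports its exit status first.
	sealed, readErr := io.ReadAll(stdout)
	if err := cmd.Wait(); err != nil {
		return nil, fmt.Errorf("kubeseal: %w", err)
	}
	if readErr != nil {
		return nil, fmt.Errorf("reading kubeseal output: %w", readErr)
	}
	return sealed, nil
}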