Add support for providing certificate file

alphabet5 · Jun 20, 2022 · 7159142 · 7159142
1 parent be8f0eb
commit 7159142
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -44,33 +44,35 @@ sudo mv kubeseal /usr/local/bin/kubeseal
 % ks -h
 usage: ks [-h|--help] [-s|--secret "<value>" [-s|--secret "<value>" ...]]
           [-i|--input "<value>"] [-o|--output "<value>"] [-c|--controller
-          "<value>"] [-n|--namespace "<value>"] [--scope "<value>"]
+          "<value>"] [-n|--namespace "<value>"] [--scope "<value>"] [--cert
+          "<value>"]
+
 
-
         Converts secrets into sealedsecrets using kubeseal.
         Secrets can be entered as strings with -s, or as an input .yaml file
           with -i
         When specifying files -o will be merged with the encrypted values from
-          -i. 
-        For example: 
-        $.values.child1.yoursecret: "value to encrypt" 
+          -i.
+        For example:
+        $.values.child1.yoursecret: "value to encrypt"
         will be merged into
         values:
           child1:
             yoursecret:
           AgDXO9g9vDAhJbNxlIBbYDTkGE3gqEilK6DMxy4aJD12FGAclg2Sxa4q4VA90VcCPdDzojezD8vsh7X/Ef/1FhVATgd4+62jb9EVpqj5fFpdagZMm4Fx4FNSamrtbKEnzAhH//YaB+2Ak3fE0HjgtIZpRUomCgOsuRPIXfJlQ4n0l5wlc1wohZvoSkhaHm2SWgGjU9JY6GxYHK811gfw7xe+DSm1qoJvAs8XvXZw3jTF839sVGlSA6I4VguWH1Bx7Ev7H8+mKnnrZcSEicKedzYOXWdG58JaIjCPVNzsDhvmBlXQHlOBvSF07zQp3hvVS/aqx4MHiOrKC9IGRS42A9WtNB+pQXRyUrKGY8xCnjVFgaIDGiLWWF+gMNJPTb//fHOldiS+nQH6s/EQX3dv1rjLC+F8qY50emts/VPVUwyU7i0qIo99sdArRabaITbJ6fBdPA8QL4gvbqtH4Fhrfb7EtMm0MeyaaqL58qq5N/r9LVbYtKbbdNHmR4MLIN7FjIoEpmWxDYb4MFs+M+smuVmmWZmGR02XEP/W2d0ag7TiNFo+N6tIuMDPzYsNhTBWGen5b1CjkAVwcP9lgunUGHqloXpTeVdPODa8eY/MLOnlB8cosVWoWyd5G5Sp5z1ZeCLvYuOmiHSwoRq09qBRShd1lhv2Xhw5vlGquw3ODFZnL5Qpwg7IUUu5GsvMc7l1UBnHcXct
-            
+
 
 Arguments:
 
   -h  --help        Print help information
   -s  --secret      Secrets.
-  -i  --input       Input secrets file.. Default: 
-  -o  --output      Output file to put the secrest.. Default: 
-  -c  --controller  Sealed secrets controller name.. Default: sealed-secrets
-  -n  --namespace   Sealed secrets controller namespace.. Default:
+  -i  --input       Input secrets file. Default:
+  -o  --output      Output file to put the secrets. Default:
+  -c  --controller  Sealed secrets controller name. Default: sealed-secrets
+  -n  --namespace   Sealed secrets controller namespace. Default:
                     sealed-secrets
-      --scope       Sealed secret scope.. Default: cluster-wide
+      --scope       Sealed secret scope. Default: cluster-wide
+      --cert        Certificate file. Default:
 ```
 
 ```bash
@@ -85,6 +87,10 @@ parent.child2.grandchild2: please also encrypt me" -o output.yaml
 ks -i input.yaml -o output.yaml
 ```
 
+```
+ks -i input.yaml -o output.yaml --cert=downloaded-certificate.pem
+```
+
 ## Changelog
 
 ### 0.0.3

diff --git a/ks.go b/ks.go
@@ -42,11 +42,12 @@ func main() {
             `)
 	// Create string flag
 	s := parser.StringList("s", "secret", &argparse.Options{Required: false, Default: nil, Help: "Secrets."})
-	i := parser.String("i", "input", &argparse.Options{Required: false, Default: "", Help: "Input secrets file."})
-	o := parser.String("o", "output", &argparse.Options{Required: false, Default: "", Help: "Output file to put the secrest."})
-	c := parser.String("c", "controller", &argparse.Options{Required: false, Default: "sealed-secrets", Help: "Sealed secrets controller name."})
-	n := parser.String("n", "namespace", &argparse.Options{Required: false, Default: "sealed-secrets", Help: "Sealed secrets controller namespace."})
-	scope := parser.String("", "scope", &argparse.Options{Required: false, Default: "cluster-wide", Help: "Sealed secret scope."})
+	i := parser.String("i", "input", &argparse.Options{Required: false, Default: "", Help: "Input secrets file"})
+	o := parser.String("o", "output", &argparse.Options{Required: false, Default: "", Help: "Output file to put the secrets"})
+	c := parser.String("c", "controller", &argparse.Options{Required: false, Default: "sealed-secrets", Help: "Sealed secrets controller name"})
+	n := parser.String("n", "namespace", &argparse.Options{Required: false, Default: "sealed-secrets", Help: "Sealed secrets controller namespace"})
+	scope := parser.String("", "scope", &argparse.Options{Required: false, Default: "cluster-wide", Help: "Sealed secret scope"})
+	cert := parser.String("", "cert", &argparse.Options{Required: false, Default: "", Help: "Certificate file"})
 	// Parse input
 	err := parser.Parse(os.Args)
 	if err != nil {
@@ -57,15 +58,24 @@ func main() {
 	input_controller := *c
 	input_namespace := *n
 	input_scope := *scope
+	certificate_file := *cert
+
+	// If certificate file is provided, use this instead of specifying namespace and controller.
+	var cert_args string
+	if *cert != "" {
+		cert_args = "--cert=" + certificate_file
+	} else {
+		cert_args = "--controller-namespace=" + input_namespace + " --controller-name=" + input_controller
+	}
+
 	if len(*s) > 0 && (*o == "") {
 		input_secrets := *s
 		for _, secret := range input_secrets {
 			fmt.Println(secret)
 			cmd := exec.Command("bash", "-c",
 				"echo -n '"+secret+
-					"' | kubeseal --controller-namespace "+input_namespace+
-					" --raw --scope "+input_scope+
-					" --from-file=/dev/stdin --controller-name "+input_controller,
+					"' | kubeseal --scope="+input_scope+" "+cert_args+
+					" --raw --from-file=/dev/stdin",
 			)
 			stdout, err := cmd.Output()
 			if err != nil {
@@ -106,9 +116,8 @@ func main() {
 		for path, value := range inputValues {
 			cmd := exec.Command("bash", "-c",
 				"echo -n \""+fmt.Sprintf("%v", value)+
-					"\" | kubeseal --controller-namespace "+input_namespace+
-					" --raw --scope "+input_scope+
-					" --from-file=/dev/stdin --controller-name "+input_controller,
+					"\" | kubeseal --scope="+input_scope+" "+cert_args+
+					" --raw --from-file=/dev/stdin",
 			)
 			stdout, err := cmd.Output()
 			if err != nil {