Merge pull request #1 from mlorenzo-stratio/add_Opaque_secrets_support

Add support for `Opaque` secrets & avoid replicated ones
ml0renz0 · Apr 11, 2024 · 0ab4ee9 · 0ab4ee9
2 parents 2d5891f + abe2950
commit 0ab4ee9
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 36 deletions.
diff --git a/cmd/kubectl-view-cert/model.go b/cmd/kubectl-view-cert/model.go
@@ -8,6 +8,7 @@ import (
 type Certificate struct {
 	SecretName   string
 	Namespace    string
+	Type         string
 	Version      int
 	SerialNumber string
 	Issuer       string

diff --git a/cmd/kubectl-view-cert/root.go b/cmd/kubectl-view-cert/root.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"gopkg.in/yaml.v2"
 
 	"github.com/lmolas/kubectl-view-cert/internal/parse"
 
@@ -27,13 +28,15 @@ const (
 	expiredFlag            = "expired"
 	showCaCertFlag         = "show-ca"
 	expiredDaysFromNowFlag = "expired-days-from-now"
+	yamlOutput             = "yaml"
 )
 
 type parsedFlags struct {
 	allNs         bool
 	expired       bool
 	showCaCert    bool
 	expiredInDays int
+	yamlOutput    bool
 	secretName    string
 	secretKey     string
 }
@@ -99,6 +102,7 @@ func init() {
 	rootCmd.Flags().BoolP(expiredFlag, "E", false, "Show only expired certificates")
 	rootCmd.Flags().BoolP(showCaCertFlag, "S", false, "Show CA certificates")
 	rootCmd.Flags().IntP(expiredDaysFromNowFlag, "D", 0, "Show expired certificates at date in future (now plus number of days)")
+	rootCmd.Flags().BoolP(yamlOutput, "Y", false, "YAML output")
 
 	cf.AddFlags(rootCmd.Flags())
 	if err := flag.Set("logtostderr", "true"); err != nil {
@@ -147,6 +151,11 @@ func parseFlagsAndArguments(command *cobra.Command, args []string) parsedFlags {
 		expiredInDays = 0
 	}
 
+	yamlOutput, err := command.Flags().GetBool(yamlOutput)
+	if err != nil {
+		yamlOutput = false
+	}
+
 	var secretName, secretKey string
 	if len(args) > 0 {
 		secretName = args[0]
@@ -156,7 +165,7 @@ func parseFlagsAndArguments(command *cobra.Command, args []string) parsedFlags {
 		secretKey = args[1]
 	}
 
-	return parsedFlags{allNs, expired, showCaCert, expiredInDays, secretName, secretKey}
+	return parsedFlags{allNs, expired, showCaCert, expiredInDays, yamlOutput, secretName, secretKey}
 }
 
 // nolint gocognit // Better readability in one block
@@ -182,7 +191,7 @@ func run(command *cobra.Command, args []string) error {
 	}
 
 	if parsedFlags.secretName != "" {
-		datas, secretKeys, err := getData(ctx, parsedFlags.secretName, ns, parsedFlags.secretKey, ri)
+		datas, secretKeys, err := getData(ctx, parsedFlags.secretName, ns, parsedFlags.secretKey, ri, parsedFlags.showCaCert)
 		if err != nil {
 			return err
 		}
@@ -194,13 +203,13 @@ func run(command *cobra.Command, args []string) error {
 			}
 		} else {
 			// Display
-			err = displayDatas(datas)
+			err = displayDatas(datas, parsedFlags.yamlOutput)
 			if err != nil {
 				return err
 			}
 		}
 	} else {
-		datas, err := getDatas(ctx, ri)
+		datas, err := getDatas(ctx, ri, parsedFlags.showCaCert)
 		if err != nil {
 			return err
 		}
@@ -219,7 +228,7 @@ func run(command *cobra.Command, args []string) error {
 		}
 
 		// Display
-		err = displayDatas(filteredDatas)
+		err = displayDatas(filteredDatas, parsedFlags.yamlOutput)
 		if err != nil {
 			return err
 		}
@@ -228,7 +237,7 @@ func run(command *cobra.Command, args []string) error {
 	return nil
 }
 
-func getDatas(ctx context.Context, ri dynamic.ResourceInterface) ([]*Certificate, error) {
+func getDatas(ctx context.Context, ri dynamic.ResourceInterface, showCa bool) ([]*Certificate, error) {
 	datas := make([]*Certificate, 0)
 
 	tlsSecrets, err := ri.List(ctx, v1.ListOptions{FieldSelector: "type=kubernetes.io/tls"})
@@ -241,56 +250,68 @@ func getDatas(ctx context.Context, ri dynamic.ResourceInterface) ([]*Certificate
 	}
 	secrets := append(tlsSecrets.Items, OpaqueSecrets.Items...)
 
-	for _, tlsSecret := range secrets {
-		certData, caCertData, _, err := parseData(tlsSecret.GetNamespace(), tlsSecret.GetName(), tlsSecret.Object, "", false)
-		if err != nil {
-			return datas, err
+	var is_replicated bool
+	for _, secret := range secrets {
+		is_replicated = false
+		certData, caCertData, _ := parseData(secret.GetNamespace(), secret.GetName(), secret.Object, "", false, showCa)
+		for annotation_name := range secret.GetAnnotations() {
+			if annotation_name == "replicator.v1.mittwald.de/replicated-at" {
+				is_replicated = true
+				klog.V(2).Infoln("msg", "skipping secret replicated from another namespace '"+secret.GetNamespace()+"/"+secret.GetName()+"'")
+			}
+			continue
+		}
+		if is_replicated {
+			continue
 		}
-
 		if certData != nil {
+			klog.V(1).Infoln("msg", "adding certificate '"+certData.Subject+"'", "secret", "'"+secret.GetNamespace()+"/"+secret.GetName()+"'")
 			datas = append(datas, certData)
 		}
 
 		if caCertData != nil {
+			klog.V(1).Infoln("msg", "adding CA certificate '"+caCertData.Subject+"'", "secret", "'"+secret.GetNamespace()+"/"+secret.GetName()+"'")
 			datas = append(datas, caCertData)
 		}
 	}
 
 	return datas, nil
 }
 
-func getData(ctx context.Context, secretName, ns, secretKey string, ri dynamic.ResourceInterface) ([]*Certificate, *[]string, error) {
+func getData(ctx context.Context, secretName, ns, secretKey string, ri dynamic.ResourceInterface, showCA bool) ([]*Certificate, *[]string, error) {
 	datas := make([]*Certificate, 0)
 
 	secret, err := ri.Get(ctx, secretName, v1.GetOptions{})
 	if err != nil {
-		return datas, nil, fmt.Errorf("failed to get secret with name %s: %w", secretName, err)
+		return datas, nil, fmt.Errorf("failed to get secret '%s/%s': %w", ns, secretName, err)
 	}
 
-	certData, caCertData, secretKeys, err := parseData(ns, secretName, secret.Object, secretKey, true)
-	if err != nil {
-		return datas, nil, err
+	certData, caCertData, secretKeys := parseData(ns, secretName, secret.Object, secretKey, true, showCA)
+	if certData == nil {
+		return datas, nil, fmt.Errorf("failed to get secret '%s/%s'", ns, secretName)
 	}
 
 	if secretKeys != nil {
 		return datas, secretKeys, nil
 	}
 
-	if certData != nil {
-		datas = append(datas, certData)
-	}
-
+	datas = append(datas, certData)
 	if caCertData != nil {
 		datas = append(datas, caCertData)
 	}
 
 	return datas, nil, nil
 }
 
-func displayDatas(datas []*Certificate) error {
-	encoder := json.NewEncoder(os.Stdout)
-	encoder.SetIndent("", "    ")
-	return encoder.Encode(&datas)
+func displayDatas(datas []*Certificate, yamlOutput bool) error {
+	if yamlOutput {
+		encoder := yaml.NewEncoder(os.Stdout)
+		return encoder.Encode(&datas)
+	} else {
+		encoder := json.NewEncoder(os.Stdout)
+		encoder.SetIndent("", "    ")
+		return encoder.Encode(&datas)
+	}
 }
 
 func getResourceInterface(allNs bool, secretName string) (string, dynamic.ResourceInterface, error) {
@@ -329,25 +350,34 @@ func getResourceInterface(allNs bool, secretName string) (string, dynamic.Resour
 	return ns, ri, nil
 }
 
-func parseData(ns, secretName string, data map[string]interface{}, secretKey string, listKeys bool) (certData, caCertData *Certificate, secretKeys *[]string, err error) {
-	secretCertData, err := parse.NewCertificateData(ns, secretName, data, secretKey, listKeys)
+func parseData(ns, secretName string, data map[string]interface{}, secretKey string, listKeys bool, showCA bool) (certData, caCertData *Certificate, secretKeys *[]string) {
+	secretCertData, err := parse.NewCertificateData(ns, secretName, data, secretKey, listKeys, showCA)
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("failed to parse secret with name %s in namespace %s %v", secretName, ns, err)
+		klog.V(1).Infoln("msg", "failed to parse secret '"+ns+"/"+secretName+"'", "err", err)
+		return nil, nil, nil
+	}
+
+	if secretCertData == nil {
+		klog.V(1).Infoln("msg", "no 'data' key found in secret '"+ns+"/"+secretName+"'", "err", err)
+		return nil, nil, nil
 	}
 
 	if len(secretCertData.SecretKeys) > 0 {
-		return nil, nil, &secretCertData.SecretKeys, nil
+		klog.V(1).Infoln("msg", "return '"+ns+"/"+secretName+"'")
+		return nil, nil, &secretCertData.SecretKeys
 	}
 
 	parsedCerts, err := secretCertData.ParseCertificates()
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("unable to parse certificates for secret %s in namespace %s %v", secretName, ns, err)
+		klog.V(1).Infoln("msg", "unable to parse certificates for secret '"+ns+"/"+secretName+"'", "err", err)
+		return nil, nil, nil
 	}
 
 	if parsedCerts.Certificate != nil {
 		certData = &Certificate{
 			SecretName:   parsedCerts.SecretName,
 			Namespace:    parsedCerts.Namespace,
+			Type:         secretCertData.Type,
 			IsCA:         parsedCerts.Certificate.IsCA,
 			Issuer:       parsedCerts.Certificate.Issuer.String(),
 			SerialNumber: fmt.Sprintf("%x", parsedCerts.Certificate.SerialNumber),
@@ -364,6 +394,7 @@ func parseData(ns, secretName string, data map[string]interface{}, secretKey str
 		caCertData = &Certificate{
 			SecretName:   parsedCerts.SecretName,
 			Namespace:    parsedCerts.Namespace,
+			Type:         secretCertData.Type,
 			IsCA:         parsedCerts.CaCertificate.IsCA,
 			Issuer:       parsedCerts.CaCertificate.Issuer.String(),
 			SerialNumber: fmt.Sprintf("%x", parsedCerts.CaCertificate.SerialNumber),
@@ -376,5 +407,5 @@ func parseData(ns, secretName string, data map[string]interface{}, secretKey str
 		}
 	}
 
-	return certData, caCertData, nil, err
+	return certData, caCertData, nil
 }
diff --git a/internal/parse/parse.go b/internal/parse/parse.go
@@ -11,6 +11,7 @@ import (
 type CertificateData struct {
 	SecretName    string
 	Namespace     string
+	Type          string
 	Certificate   string
 	CaCertificate string
 	SecretKeys    []string
@@ -25,10 +26,10 @@ type ParsedCertificateData struct {
 }
 
 // NewCertificateData takes secret data and extracts base64 pem strings
-func NewCertificateData(ns, secretName string, data map[string]interface{}, secretKey string, listKeys bool) (*CertificateData, error) {
+func NewCertificateData(ns, secretName string, data map[string]interface{}, secretKey string, listKeys bool, showCa bool) (*CertificateData, error) {
 	_, ok := data["data"]
 	if !ok {
-		return nil, fmt.Errorf("unsupported secret")
+		return nil, nil
 	}
 	certsMap := data["data"].(map[string]interface{})
 
@@ -52,11 +53,12 @@ func NewCertificateData(ns, secretName string, data map[string]interface{}, secr
 		if val, ok := certsMap["tls.crt"]; ok {
 			certData.Certificate = fmt.Sprintf("%v", val)
 		}
-
-		if val, ok := certsMap["ca.crt"]; ok {
-			certData.CaCertificate = fmt.Sprintf("%v", val)
+		if showCa {
+			if val, ok := certsMap["ca.crt"]; ok {
+				certData.CaCertificate = fmt.Sprintf("%v", val)
+			}
 		}
-
+		certData.Type = secretType
 		return &certData, nil
 	}