forked from volck/raven
-
Notifications
You must be signed in to change notification settings - Fork 0
/
reconcile.go
133 lines (113 loc) · 4.68 KB
/
reconcile.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
package main
import (
"fmt"
sealedSecretPkg "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealed-secrets/v1alpha1"
"github.com/hashicorp/vault/api"
log "github.com/sirupsen/logrus"
k8sJson "k8s.io/apimachinery/pkg/runtime/serializer/json"
"os"
"path/filepath"
"strings"
)
/*
HarvestRipeSecrets() checks local files based on RipeSecrets returned from PickRipeSecrets() and marks them for deletion.
*/
func HarvestRipeSecrets(RipeSecrets []string, config config) {
if len(RipeSecrets) > 0 {
repo := InitializeGitRepo(config)
worktree := initializeWorkTree(repo)
removeFromWorkingtree(RipeSecrets, worktree, config)
status, err := getGitStatus(worktree)
if err != nil {
log.WithFields(log.Fields{"err": err}).Error("HarvestRipeSecret Worktree status failed")
}
if !status.IsClean() {
log.WithFields(log.Fields{"worktree": worktree, "status": status}).Debug("HarvestRipeSecret !status.IsClean() ")
commitMessage := fmt.Sprintf("Raven removed ripe secret(s) from git")
commit, _ := makeCommit(worktree, commitMessage)
setPushOptions(config, repo, commit)
logHarvestDone(repo, commit)
}
kubernetesremove := os.Getenv("KUBERNETESREMOVE")
if kubernetesremove == "true" {
config.Clientset = initk8sServiceAccount()
kubernetesSecretList, err := kubernetesSecretList(config.Clientset, config.destEnv)
if err != nil {
log.WithFields(log.Fields{"err": err}).Error("harvestripesecret secretlist fetch failed")
}
config.Clientset = initk8sServiceAccount()
kubernetesRemove(RipeSecrets, kubernetesSecretList, config.Clientset, config.destEnv)
log.WithFields(log.Fields{}).Debug("HarvestRipeSecrets done")
}
}
}
func SerializeAndWriteToFile(SealedSecret *sealedSecretPkg.SealedSecret, fullPath string) {
f, err := os.Create(fullPath)
if err != nil {
log.WithFields(log.Fields{"fullPath": fullPath, "error": err.Error()}).Fatal("SerializeAndWriteToFile.Os.Create")
WriteErrorToTerminationLog(err.Error())
}
options := k8sJson.SerializerOptions{
Yaml: true,
Pretty: true,
Strict: true,
}
e := k8sJson.NewSerializerWithOptions(k8sJson.DefaultMetaFactory, nil, nil, options)
err = e.Encode(SealedSecret, f)
if err != nil {
log.WithFields(log.Fields{"fullPath": fullPath, "error": err.Error()}).Fatal("SerializeAndWriteToFile.e.encode")
WriteErrorToTerminationLog(err.Error())
}
}
/*
ensurePathandreturnWritePath:
* build stringpath
* create path
makes sure that basePath exists for SerializeAndWriteToFile, returning basePath.
*/
func ensurePathandreturnWritePath(config config, secretName string) (basePath string) {
base := filepath.Join(config.clonePath, "declarative", config.destEnv, "sealedsecrets")
err := os.MkdirAll(base, os.ModePerm)
if err != nil {
log.WithFields(log.Fields{"error": err.Error()}).Fatal("ensurePathandreturnWritePath.os.Mkdir")
}
if strings.HasSuffix(secretName, "/") {
fmt.Println("need to replace strings here", secretName)
secretName = strings.Replace(secretName, "/", "", -1)
}
basePath = base + "/" + secretName + ".yaml"
return
}
func persistVaultChanges(secretList []interface{}, client *api.Client, config config) {
if secretList != nil {
for _, secret := range secretList {
log.WithFields(log.Fields{"secret": secret}).Debug("Checking secret")
input := fmt.Sprintf("%s/", config.secretEngine)
iterateList(input, client, secret.(string))
}
if mySecretList != nil {
for path, val := range mySecretList {
log.WithFields(log.Fields{"SingleKVFromVault": val}).Debug("getKVAndCreateSealedSecret.SingleKVFromVault")
k8sSecret := createK8sSecret(path, config, val)
SealedSecret := createSealedSecret(config.pemFile, &k8sSecret)
newBase := ensurePathandreturnWritePath(newConfig, SealedSecret.Name)
if _, err := os.Stat(newBase); os.IsNotExist(err) {
log.WithFields(log.Fields{"secret": SealedSecret.Name, "action": "request.operation.create"}).Info("Creating Sealed Secret")
SerializeAndWriteToFile(SealedSecret, newBase)
initKubernetesSearch(path, newConfig)
} else if !readSealedSecretAndCompareWithVaultStruct(SealedSecret.Name, val, newBase, newConfig.secretEngine) {
log.WithFields(log.Fields{"secret": val, "action": "request.operation.compare"}).Debug("readSealedSecretAndCompare: we already have this secret. Vault did not update")
} else {
// we need to update the secret.
log.WithFields(log.Fields{"secret": SealedSecret, "newBase": newBase, "action": "request.operation.update"}).Info("readSealedSecretAndCompare: updating secret")
SerializeAndWriteToFile(SealedSecret, newBase)
initKubernetesSearch(SealedSecret.Name, newConfig)
}
}
} else {
fmt.Println("mysecretList empty")
}
} else {
fmt.Println("secret list is empty")
}
}