Clean up "create secret encryptionconfig"

This commit is contained in:
John Gardiner Myers 2021-07-24 12:34:37 -07:00
parent a4b91dab0d
commit df325d28a3
2 changed files with 38 additions and 52 deletions


@ -21,35 +21,36 @@ import (
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
"os"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"k8s.io/kops/cmd/kops/util" "k8s.io/kops/cmd/kops/util"
"k8s.io/kops/pkg/apis/kops" "k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/commands/commandutils"
"k8s.io/kops/upup/pkg/fi" "k8s.io/kops/upup/pkg/fi"
"k8s.io/kubectl/pkg/util/i18n" "k8s.io/kubectl/pkg/util/i18n"
"k8s.io/kubectl/pkg/util/templates" "k8s.io/kubectl/pkg/util/templates"
) )
var ( var (
createSecretEncryptionconfigLong = templates.LongDesc(i18n.T(` createSecretEncryptionConfigLong = templates.LongDesc(i18n.T(`
Create a new encryption config, and store it in the state store. Create a new encryption config and store it in the state store.
Used to configure encryption-at-rest by the kube-apiserver process Used to configure encryption-at-rest by the kube-apiserver process.`))
on each of the master nodes. The config is not updated by this command.`))
createSecretEncryptionconfigExample = templates.Examples(i18n.T(` createSecretEncryptionConfigExample = templates.Examples(i18n.T(`
# Create a new encryption config. # Create a new encryption config.
kops create secret encryptionconfig -f config.yaml \ kops create secret encryptionconfig -f config.yaml \
--name k8s-cluster.example.com --state s3://my-state-store --name k8s-cluster.example.com --state s3://my-state-store
# Create a new encryption config via stdin. # Create a new encryption config via stdin.
generate-encryption-config.sh | kops create secret encryptionconfig -f - \ generate-encryption-config.sh | kops create secret encryptionconfig -f - \
--name k8s-cluster.example.com --state s3://my-state-store --name k8s-cluster.example.com --state s3://my-state-store
# Replace an existing encryption config secret. # Replace an existing encryption config secret.
kops create secret encryptionconfig -f config.yaml --force \ kops create secret encryptionconfig -f config.yaml --force \
--name k8s-cluster.example.com --state s3://my-state-store --name k8s-cluster.example.com --state s3://my-state-store
`)) `))
createSecretEncryptionconfigShort = i18n.T(`Create an encryption config.`) createSecretEncryptionConfigShort = i18n.T(`Create an encryption config.`)
) )
type CreateSecretEncryptionConfigOptions struct { type CreateSecretEncryptionConfigOptions struct {
@ -62,47 +63,28 @@ func NewCmdCreateSecretEncryptionConfig(f *util.Factory, out io.Writer) *cobra.C
options := &CreateSecretEncryptionConfigOptions{} options := &CreateSecretEncryptionConfigOptions{}
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "encryptionconfig", Use: "encryptionconfig [CLUSTER] -f FILENAME",
Short: createSecretEncryptionconfigShort, Short: createSecretEncryptionConfigShort,
Long: createSecretEncryptionconfigLong, Long: createSecretEncryptionConfigLong,
Example: createSecretEncryptionconfigExample, Example: createSecretEncryptionConfigExample,
Run: func(cmd *cobra.Command, args []string) { Args: rootCommand.clusterNameArgs(&options.ClusterName),
ctx := context.TODO() ValidArgsFunction: commandutils.CompleteClusterName(&rootCommand, true, false),
RunE: func(cmd *cobra.Command, args []string) error {
if len(args) != 0 { return RunCreateSecretEncryptionConfig(context.TODO(), f, out, options)
exitWithError(fmt.Errorf("syntax: -f <EncryptionConfigPath>"))
}
err := rootCommand.ProcessArgs(args[0:])
if err != nil {
exitWithError(err)
}
options.ClusterName = rootCommand.ClusterName(true)
err = RunCreateSecretEncryptionConfig(ctx, f, os.Stdout, options)
if err != nil {
exitWithError(err)
}
}, },
} }
cmd.Flags().StringVarP(&options.EncryptionConfigPath, "", "f", "", "Path to encryption config yaml file") cmd.Flags().StringVarP(&options.EncryptionConfigPath, "filename", "f", "", "Path to encryption config YAML file")
cmd.Flags().BoolVar(&options.Force, "force", options.Force, "Force replace the kOps secret if it already exists") cmd.MarkFlagRequired("filename")
cmd.RegisterFlagCompletionFunc("filename", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
return []string{"yaml", "json"}, cobra.ShellCompDirectiveFilterFileExt
})
cmd.Flags().BoolVar(&options.Force, "force", options.Force, "Force replace the secret if it already exists")
return cmd return cmd
} }
func RunCreateSecretEncryptionConfig(ctx context.Context, f *util.Factory, out io.Writer, options *CreateSecretEncryptionConfigOptions) error { func RunCreateSecretEncryptionConfig(ctx context.Context, f *util.Factory, out io.Writer, options *CreateSecretEncryptionConfigOptions) error {
if options.EncryptionConfigPath == "" {
return fmt.Errorf("encryption config path is required (use -f)")
}
secret, err := fi.CreateSecret()
if err != nil {
return fmt.Errorf("error creating encryption config secret: %v", err)
}
cluster, err := GetCluster(ctx, f, options.ClusterName) cluster, err := GetCluster(ctx, f, options.ClusterName)
if err != nil { if err != nil {
return err return err
@ -121,35 +103,37 @@ func RunCreateSecretEncryptionConfig(ctx context.Context, f *util.Factory, out i
if options.EncryptionConfigPath == "-" { if options.EncryptionConfigPath == "-" {
data, err = ConsumeStdin() data, err = ConsumeStdin()
if err != nil { if err != nil {
return fmt.Errorf("error reading encryption config from stdin: %v", err) return fmt.Errorf("reading encryption config from stdin: %v", err)
} }
} else { } else {
data, err = ioutil.ReadFile(options.EncryptionConfigPath) data, err = ioutil.ReadFile(options.EncryptionConfigPath)
if err != nil { if err != nil {
return fmt.Errorf("error reading encryption config %v: %v", options.EncryptionConfigPath, err) return fmt.Errorf("reading encryption config %v: %v", options.EncryptionConfigPath, err)
} }
} }
var parsedData map[string]interface{} var parsedData map[string]interface{}
err = kops.ParseRawYaml(data, &parsedData) err = kops.ParseRawYaml(data, &parsedData)
if err != nil { if err != nil {
return fmt.Errorf("Unable to parse yaml %v: %v", options.EncryptionConfigPath, err) return fmt.Errorf("unable to parse YAML %v: %v", options.EncryptionConfigPath, err)
} }
secret.Data = data secret := &fi.Secret{
Data: data,
}
if !options.Force { if !options.Force {
_, created, err := secretStore.GetOrCreateSecret("encryptionconfig", secret) _, created, err := secretStore.GetOrCreateSecret("encryptionconfig", secret)
if err != nil { if err != nil {
return fmt.Errorf("error adding encryptionconfig secret: %v", err) return fmt.Errorf("adding encryptionconfig secret: %v", err)
} }
if !created { if !created {
return fmt.Errorf("failed to create the encryptionconfig secret as it already exists. The `--force` flag can be passed to replace an existing secret.") return fmt.Errorf("failed to create the encryptionconfig secret as it already exists. Pass the `--force` flag to replace an existing secret")
} }
} else { } else {
_, err := secretStore.ReplaceSecret("encryptionconfig", secret) _, err := secretStore.ReplaceSecret("encryptionconfig", secret)
if err != nil { if err != nil {
return fmt.Errorf("error updating encryptionconfig secret: %v", err) return fmt.Errorf("updating encryptionconfig secret: %v", err)
} }
} }
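Review bot: Removing the `options.EncryptionConfigPath == ""` guard from RunCreateSecretEncryptionConfig leaves the exported function with no input validation of its own; it now depends entirely on cobra's `MarkFlagRequired("filename")`, so a direct caller passing an empty path reaches `ioutil.ReadFile("")` and gets an opaque open error, and only after GetCluster and the secret store have already been contacted. A cheap precondition at the top of the function, `if options.EncryptionConfigPath == "" { return fmt.Errorf("encryption config path is required") }`, keeps the contract local to the function. Separately, the return values of `cmd.MarkFlagRequired("filename")` and `cmd.RegisterFlagCompletionFunc(...)` are discarded; both fail only on a programmer error (unknown flag name), which is worth a one-line comment so errcheck readers know it is deliberate. Since the error strings in this function are being reworded anyway, `%w` instead of `%v` would let callers inspect the underlying read, parse and store errors with errors.Is/As. The body of RunCreateSecretEncryptionConfig continues past the end of the hunk.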


@ -7,10 +7,10 @@ Create an encryption config.
### Synopsis ### Synopsis
Create a new encryption config, and store it in the state store. Used to configure encryption-at-rest by the kube-apiserver process on each of the master nodes. The config is not updated by this command. Create a new encryption config and store it in the state store. Used to configure encryption-at-rest by the kube-apiserver process.
``` ```
kops create secret encryptionconfig [flags] kops create secret encryptionconfig [CLUSTER] -f FILENAME [flags]
``` ```
### Examples ### Examples
@ -19,9 +19,11 @@ kops create secret encryptionconfig [flags]
# Create a new encryption config. # Create a new encryption config.
kops create secret encryptionconfig -f config.yaml \ kops create secret encryptionconfig -f config.yaml \
--name k8s-cluster.example.com --state s3://my-state-store --name k8s-cluster.example.com --state s3://my-state-store
# Create a new encryption config via stdin. # Create a new encryption config via stdin.
generate-encryption-config.sh | kops create secret encryptionconfig -f - \ generate-encryption-config.sh | kops create secret encryptionconfig -f - \
--name k8s-cluster.example.com --state s3://my-state-store --name k8s-cluster.example.com --state s3://my-state-store
# Replace an existing encryption config secret. # Replace an existing encryption config secret.
kops create secret encryptionconfig -f config.yaml --force \ kops create secret encryptionconfig -f config.yaml --force \
--name k8s-cluster.example.com --state s3://my-state-store --name k8s-cluster.example.com --state s3://my-state-store
@ -30,9 +32,9 @@ kops create secret encryptionconfig [flags]
### Options ### Options
``` ```
-f, -- string Path to encryption config yaml file -f, --filename string Path to encryption config YAML file
--force Force replace the kOps secret if it already exists --force Force replace the secret if it already exists
-h, --help help for encryptionconfig -h, --help help for encryptionconfig
``` ```
### Options inherited from parent commands ### Options inherited from parent commands