Accept and seal stringData into secret
jiri-pinkava committed Aug 14, 2019
1 parent 543ce88 commit e25eae4
Showing 4 changed files with 68 additions and 1 deletion.
2 changes: 1 addition & 1 deletion cmd/kubeseal/main.go
Expand Up @@ -167,7 +167,7 @@ func seal(in io.Reader, out io.Writer, codecs runtimeserializer.CodecFactory, pu
return err
}

if len(secret.Data) == 0 {
if len(secret.Data) == 0 && len(secret.StringData) == 0 {
// No data. This is _theoretically_ just fine, but
// almost certainly indicates a misuse of the tools.
// If you _really_ want to encrypt an empty secret,
6 changes: 6 additions & 0 deletions cmd/kubeseal/main_test.go
Expand Up @@ -133,6 +133,9 @@ func TestSeal(t *testing.T) {
Data: map[string][]byte{
"foo": []byte("sekret"),
},
StringData: map[string]string{
"foos": string("stringsekret"),
},
}

info, ok := runtime.SerializerInfoForMediaType(scheme.Codecs.SupportedMediaTypes(), runtime.ContentTypeJSON)
Expand Down Expand Up @@ -170,5 +173,8 @@ func TestSeal(t *testing.T) {
if len(result.Spec.EncryptedData["foo"]) < 100 {
t.Errorf("Encrypted data is implausibly short: %v", result.Spec.EncryptedData)
}
if len(result.Spec.EncryptedData["foos"]) < 100 {
t.Errorf("Encrypted data is implausibly short: %v", result.Spec.EncryptedData)
}
// NB: See sealedsecret_test.go for e2e crypto test
}
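Review bot: The added check for `foos` only asserts that the ciphertext is long enough; it never verifies that the plaintext `stringsekret` is absent from the sealed output, which is the property most worth pinning when a second, string-typed input map is introduced. Next to the existing length check, add an assertion against the serialized output the test already holds (its variable is declared outside the hunk), e.g. `if bytes.Contains(<serialized output>, []byte("stringsekret")) { t.Errorf("plaintext stringData leaked into sealed output") }`, with `<serialized output>` being the test's output buffer. Separately, `string("stringsekret")` in the fixture is a no-op conversion of a string literal and reads more cleanly as `"foos": "stringsekret",`. TestSeal begins before the first hunk of this file.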
8 changes: 8 additions & 0 deletions pkg/apis/sealed-secrets/v1alpha1/sealedsecret_expansion.go
Expand Up @@ -115,6 +115,14 @@ func NewSealedSecret(codecs runtimeserializer.CodecFactory, pubKey *rsa.PublicKe
s.Spec.EncryptedData[key] = base64.StdEncoding.EncodeToString(ciphertext)
}

for key, value := range secret.StringData {
ciphertext, err := crypto.HybridEncrypt(rand.Reader, pubKey, []byte(value), label)
if err != nil {
return nil, err
}
s.Spec.EncryptedData[key] = base64.StdEncoding.EncodeToString(ciphertext)
}

if clusterWide {
if s.Annotations == nil {
s.Annotations = map[string]string{}
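Review bot: The new loop overwrites whatever the preceding `secret.Data` loop already stored in `EncryptedData` under the same key, so StringData wins on collision; that appears intended (the new round-trip test expects `fss` to come out as the StringData value), but nothing in the code says so, and swapping the order of the two loops would silently invert it. Add a comment above the new loop, e.g. `// Seal StringData after Data so that a key present in both takes its value from StringData, as the API server does when it merges stringData into data.`. The body also repeats the Data loop line for line; a small closure taking `(key string, value []byte)` could serve both loops, though that is optional. NewSealedSecret starts and ends outside the hunk.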
53 changes: 53 additions & 0 deletions pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go
Expand Up @@ -208,6 +208,59 @@ func TestSealRoundTrip(t *testing.T) {
}
}

func TestSealRoundTripStringDataConversion(t *testing.T) {
scheme := runtime.NewScheme()
codecs := serializer.NewCodecFactory(scheme)

SchemeBuilder.AddToScheme(scheme)
v1.SchemeBuilder.AddToScheme(scheme)

rand := testRand()
key, err := rsa.GenerateKey(rand, 2048)
if err != nil {
t.Fatalf("Failed to generate test key: %v", err)
}

secret := v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "myname",
Namespace: "myns",
},
Data: map[string][]byte{
"foo": []byte("bar"),
"fss": []byte("brr"),
},
StringData: map[string]string{
"fss": "baa",
},
}

unsealed := v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "myname",
Namespace: "myns",
},
Data: map[string][]byte{
"foo": []byte("bar"),
"fss": []byte("baa"),
},
}

ssecret, err := NewSealedSecret(codecs, &key.PublicKey, &secret)
if err != nil {
t.Fatalf("NewSealedSecret returned error: %v", err)
}

secret2, err := ssecret.Unseal(codecs, key)
if err != nil {
t.Fatalf("Unseal returned error: %v", err)
}

if !reflect.DeepEqual(unsealed.Data, secret2.Data) {
t.Errorf("Unsealed secret != original secret: %v != %v", unsealed, secret2)
}
}

func TestSealRoundTripWithClusterWide(t *testing.T) {
scheme := runtime.NewScheme()
codecs := serializer.NewCodecFactory(scheme)
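Review bot: TestSealRoundTripStringDataConversion compares only `secret2.Data`, so it would still pass if Unseal also carried a plaintext `StringData` map back out or if the sealed object held an unexpected number of keys. After the DeepEqual, consider `if len(secret2.StringData) != 0 { t.Errorf("Unsealed secret unexpectedly has StringData: %v", secret2.StringData) }` and `if len(ssecret.Spec.EncryptedData) != 2 { t.Errorf("unexpected EncryptedData keys: %v", ssecret.Spec.EncryptedData) }`, assuming Unseal is meant to return Data only, as the fixture implies. The fixture covers the `fss` collision but has no key present only in StringData, so a dropped StringData-only key would go unnoticed; adding one (with its expected entry in `unsealed.Data`) would close that gap.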