Feature: Use env vars to set list of Opaque secret keys

Signed-off-by: Marcos Lorenzo <[email protected]>
ml0renz0 · Apr 26, 2024 · 68bcd61 · 68bcd61
1 parent 1108711
commit 68bcd61
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 7 deletions.
diff --git a/.krew.yaml → .krew.yaml.not b/.krew.yaml → .krew.yaml.not
diff --git a/cmd/kubectl-view-cert/model.go b/cmd/kubectl-view-cert/model.go
@@ -8,6 +8,7 @@ import (
 type Certificate struct {
 	SecretName   string
 	Namespace    string
+	SecretKey    string
 	Type         string
 	Version      int
 	SerialNumber string

diff --git a/cmd/kubectl-view-cert/root.go b/cmd/kubectl-view-cert/root.go
@@ -353,7 +353,7 @@ func getResourceInterface(allNs bool, secretName string) (string, dynamic.Resour
 }
 
 func parseData(ns, secretName string, data map[string]interface{}, secretKey string, listKeys, showCA bool) (certData, caCertData *Certificate, secretKeys *[]string) {
-	secretCertData, err := parse.NewCertificateData(ns, secretName, data, secretKey, listKeys, showCA)
+	secretCertData, secretKeysList, err := parse.NewCertificateData(ns, secretName, data, secretKey, listKeys, showCA)
 	if err != nil {
 		klog.V(1).Infoln("msg", "failed to parse secret '"+ns+"/"+secretName+"'", "err", err)
 		return nil, nil, nil
@@ -380,6 +380,7 @@ func parseData(ns, secretName string, data map[string]interface{}, secretKey str
 			SecretName:   parsedCerts.SecretName,
 			Namespace:    parsedCerts.Namespace,
 			Type:         secretCertData.Type,
+			SecretKey:    secretKeysList[0],
 			IsCA:         parsedCerts.Certificate.IsCA,
 			Issuer:       parsedCerts.Certificate.Issuer.String(),
 			SerialNumber: fmt.Sprintf("%x", parsedCerts.Certificate.SerialNumber),
@@ -396,6 +397,7 @@ func parseData(ns, secretName string, data map[string]interface{}, secretKey str
 		caCertData = &Certificate{
 			SecretName:   parsedCerts.SecretName,
 			Namespace:    parsedCerts.Namespace,
+			SecretKey:    secretKeysList[1],
 			Type:         secretCertData.Type,
 			IsCA:         parsedCerts.CaCertificate.IsCA,
 			Issuer:       parsedCerts.CaCertificate.Issuer.String(),

diff --git a/internal/parse/parse.go b/internal/parse/parse.go
@@ -5,6 +5,8 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
+	"os"
+	"strings"
 )
 
 // CertificateData struct contains base64 pem data
@@ -26,10 +28,13 @@ type ParsedCertificateData struct {
 }
 
 // NewCertificateData takes secret data and extracts base64 pem strings
-func NewCertificateData(ns, secretName string, data map[string]interface{}, secretKey string, listKeys, showCa bool) (*CertificateData, error) {
+func NewCertificateData(ns, secretName string, data map[string]interface{}, secretKey string, listKeys, showCa bool) (*CertificateData, []string, error) {
 	_, ok := data["data"]
+	var keysList []string
+	returnCertPemKey := "tls.crt"
+	returnCaPemKey := "ca.crt"
 	if !ok {
-		return nil, nil
+		return nil, nil, nil
 	}
 	certsMap := data["data"].(map[string]interface{})
 
@@ -43,24 +48,43 @@ func NewCertificateData(ns, secretName string, data map[string]interface{}, secr
 			certData.Certificate = fmt.Sprintf("%v", val)
 		}
 
-		return &certData, nil
+		return &certData, nil, nil
 	}
 
 	secretType := fmt.Sprintf("%v", data["type"])
 
+	secretCrtPemKeyList := strings.Split(os.Getenv("CRT_PEM_KEY_LIST"), ",")
+	secretCaPemKeyList := strings.Split(os.Getenv("CA_PEM_KEY_LIST"), ",")
 	// nolint gosec
 	if secretType == "kubernetes.io/tls" ||
 		secretType == "Opaque" {
 		if val, ok := certsMap["tls.crt"]; ok {
 			certData.Certificate = fmt.Sprintf("%v", val)
+		} else {
+			for _, crtPemKey := range secretCrtPemKeyList {
+				if val, ok := certsMap[crtPemKey]; ok {
+					certData.Certificate = fmt.Sprintf("%v", val)
+					returnCertPemKey = crtPemKey
+					break
+				}
+			}
 		}
 		if showCa {
 			if val, ok := certsMap["ca.crt"]; ok {
 				certData.CaCertificate = fmt.Sprintf("%v", val)
+			} else {
+				for _, caPemKey := range secretCaPemKeyList {
+					if val, ok := certsMap[caPemKey]; ok {
+						certData.CaCertificate = fmt.Sprintf("%v", val)
+						returnCaPemKey = caPemKey
+						break
+					}
+				}
 			}
 		}
+		keysList = append(keysList, returnCertPemKey, returnCaPemKey)
 		certData.Type = secretType
-		return &certData, nil
+		return &certData, keysList, nil
 	}
 
 	if listKeys && certsMap != nil && len(certsMap) > 0 {
@@ -72,10 +96,10 @@ func NewCertificateData(ns, secretName string, data map[string]interface{}, secr
 			i++
 		}
 
-		return &certData, nil
+		return &certData, nil, nil
 	}
 
-	return nil, fmt.Errorf("unsupported secret type %s", secretType)
+	return nil, nil, fmt.Errorf("unsupported secret type %s", secretType)
 }
 
 // ParseCertificates method parses each base64 pem strings and creates x509 certificates