Updated secret decryption

Changelog: changed
Signed-off-by: GeorgeRaven <GeorgeRavenCommunity@pm.me>
GeorgeRaven
2025-12-05 01:09:40 +00:00
parent aba264c349
commit ddadb3756d


@@ -155,10 +155,11 @@ tasks:
- for: sources
cmd: |
echo "Sealing - {{ .ITEM }} with {{ .KUBESEAL_PUBLIC_CERT }}"
outfile=$(sed -e 's/.unsealed.yaml/.sealed.yaml/' <<< "{{ .ITEM }}")
OUTFILE=$(sed -e 's/.unsealed.yaml/.sealed.yaml/' <<< "{{ .ITEM }}")
CONTENT=$(cat {{ .ITEM }} | sed '{{ "s/.*{{.*//" }}' | sed '{{ "s/---//" }}' )
if [ -s "{{ .ITEM }}" ]; then
cat {{ .ITEM }} | kubeseal --cert {{ .KUBESEAL_PUBLIC_CERT }} -o yaml > $outfile
echo "Sealed - $outfile"
cat {{ .ITEM }} | kubeseal --cert {{ .KUBESEAL_PUBLIC_CERT }} -o yaml > $OUTFILE
echo "Sealed - $OUTFILE"
else
echo "WARNING: no content in {{ .ITEM }}. Skipping."
fi
@@ -168,21 +169,24 @@ tasks:
desc: "Un-Kubeseal all *.sealed.yaml secrets into and over adjacent *.unsealed.yaml files."
silent: true
sources:
- "{{ .CHARTS_DIR }}/**/*.sealed.yaml"
- "{{ .CHARTS_DIR }}/**/*.sealed.yaml"
generates:
- "{{ .CHARTS_DIR }}/**/*.unsealed.yaml"
- "{{ .CHARTS_DIR }}/**/*.unsealed.yaml"
cmds:
- for: sources
cmd: |
echo "Unsealing - {{ .ITEM }} with {{ .KUBESEAL_PRIVATE_KEY }}"
outfile=$(sed -e 's/.sealed.yaml/.unsealed.yaml/' <<< "{{ .ITEM }}")
if [[ ! $(cat {{ .ITEM }} | yq ' .spec.template.metadata.labels."cromwell-tools.co.uk/binarysecret"') = 'true' ]]; then
cat {{ .ITEM }} | sed 's/.*{-.*//' | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml | yq '.data |= map_values(@base64d) | .stringData = .data | del(.data) | del(.metadata.ownerReferences)' > $outfile
else
cat {{ .ITEM }} | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml > $outfile
echo "WARNING: secret is binary. Skipping base64 decode."
fi
echo "Unsealed - $outfile"
- for: sources
cmd: |
echo "Unsealing - {{ .ITEM }} with {{ .KUBESEAL_PRIVATE_KEY }}"
OUTFILE=$(sed -e 's/.sealed.yaml/.unsealed.yaml/' <<< "{{ .ITEM }}")
CONTENT=$(cat {{ .ITEM }} | sed '{{ "s/.*{{.*//" }}' | sed '{{ "s/---//" }}' )
if [[ ! $( echo "${CONTENT}" | yq ' .spec.template.metadata.labels."secret.deepcypher.me/bas64only"') = 'true' ]]; then
echo "Unsealing and base64 decoding - ${{ .ITEM }}"
echo "${CONTENT}" | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml | yq '.data |= map_values(@base64d) | .stringData = .data | del(.data) | del(.metadata.ownerReferences)' > $OUTFILE
else
echo "Unsealing - ${{ .ITEM }}"
echo "${CONTENT}" | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml > $OUTFILE
echo "WARNING: secret is binary. Skipping base64 decode."
fi
echo "Unsealed - $OUTFILE"
method: none
crossplane-keycloak-reset:
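Review bot: A kubeseal failure (missing or wrong private key, malformed input) goes undetected in the two new unseal pipelines: without `set -o pipefail` the pipeline's status is that of `yq` or the redirection, so the adjacent `*.unsealed.yaml` is silently overwritten with empty output and `echo "Unsealed - $OUTFILE"` still reports success. I would put `set -eo pipefail` as the first line of the `cmd` block (Task's built-in interpreter presumably honours it; confirm) and quote the redirections to the plaintext-secret file, `> "$OUTFILE"`, so a path with whitespace cannot scatter decrypted data into an unintended file. The `${{ .ITEM }}` in the two new progress messages also looks like a stray `$`: Task renders `{{ .ITEM }}` before the shell runs, so the shell then expands the leading path component as a variable; the earlier `echo "Unsealing - {{ .ITEM }} with ..."` in this hunk has the intended form. In the sibling seal hunk `CONTENT` is computed but kubeseal is still fed by `cat {{ .ITEM }}`, so that variable is unused there. The task definition enclosing this `cmd` starts before the hunk.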