add: initial goseal functionality

Author: MaxBreida

.gitignore

@@ -13,3 +13,7 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+# editors
+.idea
+.vscode

README.md

@@ -1 +1,67 @@
-# easy-kubeseal
+# goseal
+
+goseal is a simple CLI tool to easily create kubernetes secrets using kubectl and kubeseal (optional).
+
+## Prerequisites
+
+[kubectl](https://kubernetes.io/docs/reference/kubectl/kubectl/)
+
+[kubeseal](https://fluxcd.io/docs/guides/sealed-secrets/)
+
+## Installation
+
+```sh
+go install github.com/MaxBreida/goseal
+```
+
+## Usage
+
+### Available commands
+
+```text
+NAME:
+   goseal - Used to automatically generate kubernetes secret files (and optionally seal them)
+
+USAGE:
+   goseal [global options] command [command options] [arguments...]
+
+COMMANDS:
+   yaml, y  Creates a secret file from yaml input
+   file     Creates a secret file from file input
+   help, h  Shows a list of commands or help for one command
+
+GLOBAL OPTIONS:
+   --help, -h  show help (default: false)
+```
+
+### Create secret from yaml key-value pairs
+
+```text
+NAME:
+   yaml - Creates a secret file from yaml input
+
+USAGE:
+   yaml [command options] [arguments...]
+
+DESCRIPTION:
+   creates a sealed secret from yaml input
+
+OPTIONS:
+   --help, -h                      show help (default: false)
+   --namespace value, --nsp value  the namespace of the secret
+   --file value, -f value          the input file in yaml format
+   --name value, -n value          the secret name
+   --cert value, -c value          if set, will run kubeseal with given cert
+```
+
+To create an unsealed kubernetes, run:
+
+```sh
+goseal yaml -f my-file.yaml -nsp my-namespace -n my-secret > output.yaml
+```
+
+To seal the secret, simply add the --cert or -c flag to the command:
+
+```sh
+goseal yaml -f my-file.yaml -nsp my-namespace -n my-secret -c path/to/my/cert.pem > output.yaml
+```

go.mod

@@ -0,0 +1,9 @@
+module github.com/MaxBreida/goseal
+
+go 1.16
+
+require (
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/urfave/cli/v2 v2.3.0
+	gopkg.in/yaml.v2 v2.4.0
+)

go.sum

@@ -0,0 +1,16 @@
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.1 h1:r/myEWzV9lfsM1tFLgDyu0atFtJ1fXn261LKYj/3DxU=
+github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
+github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

goseal.go

@@ -0,0 +1,227 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/urfave/cli/v2"
+	"gopkg.in/yaml.v2"
+)
+
+func main() {
+	app := &cli.App{
+		Name:  "goseal",
+		Usage: "Used to automatically generate kubernetes secret files (and optionally seal them)",
+		Commands: []*cli.Command{
+			{
+				Name:        "yaml",
+				HelpName:    "yaml",
+				Description: "creates a sealed secret from yaml input",
+				Usage:       "Creates a secret file from yaml input",
+				Aliases:     []string{"y"},
+				Flags:       getStandardFlags(),
+				Action:      Yaml,
+			},
+			{
+				Name:        "file",
+				HelpName:    "file",
+				Description: "creates a sealed secret with a file as secret value",
+				Usage:       "Creates a secret file from file input",
+				Flags: append(getStandardFlags(), &cli.StringFlag{
+					Name:    "cert",
+					Usage:   "if set, will run kubeseal with given cert",
+					Aliases: []string{"c"},
+				}),
+				Action: File,
+			},
+		},
+	}
+
+	app.EnableBashCompletion = true
+
+	if err := app.Run(os.Args); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func getStandardFlags() []cli.Flag {
+	return []cli.Flag{
+		cli.BashCompletionFlag,
+		cli.HelpFlag,
+		&cli.StringFlag{
+			Name:     "namespace",
+			Usage:    "the namespace of the secret",
+			Required: true,
+			Aliases:  []string{"nsp"},
+		},
+		&cli.StringFlag{
+			Name:     "file",
+			Usage:    "the input file in yaml format",
+			Required: true,
+			Aliases:  []string{"f"},
+		},
+		&cli.StringFlag{
+			Name:     "name",
+			Usage:    "the secret name",
+			Required: true,
+			Aliases:  []string{"n"},
+		},
+		&cli.StringFlag{
+			Name:    "cert",
+			Usage:   "if set, will run kubeseal with given cert",
+			Aliases: []string{"c"},
+		},
+	}
+}
+
+// Yaml is a cli command
+func Yaml(c *cli.Context) error {
+	filePath := c.String("file")
+	namespace := c.String("namespace")
+	secretName := c.String("name")
+	certPath := c.String("cert")
+
+	file, err := os.ReadFile(filePath)
+	if err != nil {
+		return err
+	}
+
+	var secrets map[string]string
+
+	if err := yaml.Unmarshal(file, &secrets); err != nil {
+		return err
+	}
+
+	if certPath != "" {
+		return sealSecret(secrets, secretName, namespace, certPath)
+	}
+
+	return createSecret(secrets, secretName, namespace)
+}
+
+// File is a cli command
+func File(c *cli.Context) error {
+	filePath := c.String("file")
+	secretKey := c.String("key")
+	namespace := c.String("namespace")
+	secretName := c.String("name")
+	certPath := c.String("cert")
+
+	file, err := os.ReadFile(filePath)
+	if err != nil {
+		return err
+	}
+
+	secrets := map[string]string{secretKey: string(file)}
+
+	if certPath != "" {
+		return sealSecret(secrets, secretName, namespace, certPath)
+	}
+
+	return createSecret(secrets, secretName, namespace)
+}
+
+// runs the kubectl create secret command and prints the output to stdout.
+func createSecret(secrets map[string]string, secretName, namespace string) error {
+	kubectlCreateSecret := getCreateSecretFileCmd(secrets, secretName, namespace)
+
+	var stdout bytes.Buffer
+	kubectlCreateSecret.Stdout = &stdout
+
+	if err := runCommand(kubectlCreateSecret); err != nil {
+		return err
+	}
+
+	fmt.Println(stdout.String())
+
+	return nil
+}
+
+// runs the kubectl create secret command, pipes the output to the kubeseal command and prints the output to stdout.
+func sealSecret(secrets map[string]string, secretName, namespace, certPath string) error {
+	kubectlCreateSecret := getCreateSecretFileCmd(secrets, secretName, namespace)
+	kubeseal := exec.Command("kubeseal", "--format", "yaml", "--cert", certPath)
+
+	var (
+		err            error
+		stdout, stderr bytes.Buffer
+	)
+
+	kubeseal.Stdout = &stdout
+	kubeseal.Stderr = &stderr
+
+	// Get stdout of first command and attach it to stdin of second command.
+	kubeseal.Stdin, err = kubectlCreateSecret.StdoutPipe()
+	if err != nil {
+		return err
+	}
+
+	if err := kubeseal.Start(); err != nil {
+		return err
+	}
+
+	if err = runCommand(kubectlCreateSecret); err != nil {
+		return err
+	}
+
+	if err = kubeseal.Wait(); err != nil {
+		return errors.New(getErrText(err, kubeseal.Args, stderr.String()))
+	}
+
+	fmt.Println(stdout.String())
+
+	return nil
+}
+
+// retrieve a printable error text from cmd errors
+func getErrText(err error, cmdArgs []string, stdErr string) string {
+	text := fmt.Sprintf(
+		"command '%s' failed: %s",
+		strings.Join(cmdArgs, " "),
+		err.Error(),
+	)
+
+	errText := strings.TrimSpace(stdErr)
+	if len(errText) > 0 {
+		text += "\n" + errText
+	}
+
+	return text
+}
+
+func runCommand(cmd *exec.Cmd) error {
+	var stderr bytes.Buffer
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return errors.New(getErrText(err, cmd.Args, stderr.String()))
+	}
+
+	return nil
+}
+
+// creates
+func getCreateSecretFileCmd(secrets map[string]string, secretName, namespace string) *exec.Cmd {
+	args := []string{
+		"create",
+		"secret",
+		"generic",
+		secretName,
+		"-n",
+		namespace,
+		"--dry-run",
+		"-o",
+		"yaml",
+	}
+
+	for k, v := range secrets {
+		args = append(args, fmt.Sprintf("--from-literal=%s=%s", k, v))
+	}
+
+	return exec.Command("kubectl", args...)
+}

testdata/test-input.yaml

@@ -0,0 +1,5 @@
+secret: my-secret
+password: really secret
+cert: qwertzuiop
+
+redis-secret.yaml: 1234567890123456789