Class: RKSeal::Commands::Create

Inherits:
Object
  • Object
Defined in:
lib/rkseal/commands/create.rb

Overview

Orchestrates the `rkseal create <namespace> <secret-name>` flow.

Pulls together the collaborators (workspace, editor, kubeseal, secret model) to: seed an empty Secret template, optionally pre-seed `--from-file` values, edit it in `$EDITOR` on a RAM-backed buffer, parse and validate the result, seal it, and write `<secret-name>.yaml` to the current working directory. Holds no business rules of its own beyond sequencing – each step's logic lives in the collaborator it delegates to.

Collaborators are injected (defaulting to real implementations) so the whole flow is unit-testable with stubbed adapters and no cluster.

Examples:

RKSeal::Commands::Create.new(namespace: "app", name: "db", scope: :strict).call

Constructor Details

#initialize(namespace:, name:, scope: :strict, type: Secret::DEFAULT_TYPE, from_file: nil, no_edit: false, string_data: false, kubeseal: Kubeseal.new, editor: Editor.new, workspace: SecureWorkspace, output_dir: Dir.pwd) ⇒ Create

Returns a new instance of Create.

Parameters:

  • namespace (String)

    target namespace (positional CLI arg).

  • name (String)

    Secret name (positional CLI arg).

  • scope (Symbol) (defaults to: :strict)

    sealing scope; defaults to :strict.

  • type (String) (defaults to: Secret::DEFAULT_TYPE)

    Secret type for the seed (e.g. “kubernetes.io/tls”).

  • from_file (Hash{String=>String}, nil) (defaults to: nil)

    optional key => file-path pairs to pre-seed into the buffer before editing.

  • no_edit (Boolean) (defaults to: false)

    skip the editor and seal the seeded/from-file Secret directly (for binary/TLS/dockerconfig payloads).

  • string_data (Boolean) (defaults to: false)

    seed an empty `stringData` (plaintext) block instead of `data` (base64); defaults to false.

  • kubeseal (RKSeal::Kubeseal) (defaults to: Kubeseal.new)

    sealing adapter.

  • editor (RKSeal::Editor) (defaults to: Editor.new)

    editor launcher.

  • workspace (#with) (defaults to: SecureWorkspace)

    RAM-backed scratch provider (block-scoped).

  • output_dir (String) (defaults to: Dir.pwd)

    directory the manifest is written to (CWD).



# File 'lib/rkseal/commands/create.rb', line 41

def initialize(namespace:, name:, scope: :strict, type: Secret::DEFAULT_TYPE,
               from_file: nil, no_edit: false, string_data: false,
               kubeseal: Kubeseal.new, editor: Editor.new,
               workspace: SecureWorkspace, output_dir: Dir.pwd)
  @namespace = namespace
  @name = name
  @scope = scope
  @type = type
  @from_file = from_file || {}
  @no_edit = no_edit
  @string_data = string_data
  @kubeseal = kubeseal
  @editor = editor
  @workspace = workspace
  @output_dir = output_dir
end

Instance Attribute Details

#name ⇒ String (readonly)

Returns:

  • (String)


# File 'lib/rkseal/commands/create.rb', line 23

def name
  @name
end

#namespace ⇒ String (readonly)

Returns:

  • (String)


# File 'lib/rkseal/commands/create.rb', line 21

def namespace
  @namespace
end

#scope ⇒ Symbol (readonly)

Returns sealing scope (:strict, :namespace_wide, :cluster_wide).

Returns:

  • (Symbol)

    sealing scope (:strict, :namespace_wide, :cluster_wide).



# File 'lib/rkseal/commands/create.rb', line 25

def scope
  @scope
end

Instance Method Details

#call ⇒ RKSeal::Commands::Result

Run the create flow end to end.

Side effects: spawns `$EDITOR` (unless `--no-edit`); provisions and tears down a RAM-backed workspace; shells out to `kubeseal`; writes `<name>.yaml` into the output directory.

Returns:

Raises:



# File 'lib/rkseal/commands/create.rb', line 71

def call
  @kubeseal.ensure_available!
  # Resolve the cert before the editor/workspace open: an unreachable
  # controller (and no offline cert) must fail fast, not after the user has
  # spent time editing a buffer that can never be sealed.
  @kubeseal.ensure_cert!

  secret = preseeded_secret
  secret = edit(secret) unless @no_edit
  secret.validate!

  path = write_manifest(@kubeseal.seal(secret.to_manifest(scope: @scope), scope: @scope))
  Result.new(secret_name: @name, namespace: @namespace, output_path: path, deployed: false)
end
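
The fail-fast ordering in #call (certificate resolved before the editor opens) can be pinned down with stubbed collaborators and no cluster. This is an added example, not rkseal's own code: MiniCreate, StubKubeseal, StubEditor, CertUnavailable, trace and the editor's edit method are hypothetical stand-ins that mirror only the sequencing shown above.

```ruby
class CertUnavailable < StandardError; end

# Hypothetical stub sealing adapter: records each call so ordering can be asserted.
StubKubeseal = Struct.new(:log, :cert_ok) do
  def ensure_available!
    log << :ensure_available
  end

  def ensure_cert!
    log << :ensure_cert
    raise CertUnavailable, "controller unreachable, no offline cert" unless cert_ok
  end

  def seal(manifest, scope:)
    log << :seal
    "sealed(#{scope}): #{manifest.bytesize} bytes"
  end
end

# Hypothetical stub editor: records the launch and returns a constructed buffer.
StubEditor = Struct.new(:log) do
  def edit(buffer)
    log << :edit
    buffer + "  password: Y29uc3RydWN0ZWQ=\n" # constructed sample value
  end
end

# Reduced stand-in (assumption) that mirrors only the sequencing of Create#call.
class MiniCreate
  def initialize(kubeseal:, editor:, no_edit: false, scope: :strict)
    @kubeseal, @editor, @no_edit, @scope = kubeseal, editor, no_edit, scope
  end

  def call
    @kubeseal.ensure_available!
    @kubeseal.ensure_cert! # must fail before any plaintext is typed
    buffer = "data:\n"
    buffer = @editor.edit(buffer) unless @no_edit
    @kubeseal.seal(buffer, scope: @scope)
  end
end

# Runs the flow with stubs and returns the ordered list of collaborator calls.
def trace(cert_ok:, no_edit: false)
  log = []
  MiniCreate.new(kubeseal: StubKubeseal.new(log, cert_ok),
                 editor: StubEditor.new(log), no_edit: no_edit).call
  log
rescue CertUnavailable
  log << :aborted
end
```

When the certificate cannot be resolved, the trace contains neither :edit nor :seal, so no plaintext buffer is ever opened for a Secret that could not be sealed.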