Class: RKSeal::Commands::Reencrypt

Inherits:
Object
Defined in:
lib/rkseal/commands/reencrypt.rb

Overview

Orchestrates the `rkseal reencrypt <namespace> <secret-name>` flow.

Re-encrypts an existing SealedSecret onto the controller's newest sealing key without ever exposing plaintext (`kubeseal --re-encrypt`). The input is the SealedSecret itself, not the unsealed Secret, so unlike `edit` this flow never touches `$EDITOR`, a RAM workspace, or cluster Secret values.

Input resolution, in order:

1. the local `<name>.yaml` in the output directory (a previous run);
2. otherwise the live SealedSecret via {RKSeal::Kubectl#get_sealedsecret}.

If neither exists, fail fast and point the user at `create`.

Deploy is opt-in and identical to `edit`: RKSeal::ContextGuard surfaces the active context and confirms before `kubectl apply` (skipped with `assume_yes`).

Examples:

refresh to the newest key, write only

RKSeal::Commands::Reencrypt.new(namespace: "app", name: "db").call

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(namespace:, name:, deploy: false, assume_yes: false, kubectl: Kubectl.new, kubeseal: Kubeseal.new, context_guard: nil, prompt: Thor::Shell::Basic.new, output_dir: Dir.pwd) ⇒ Reencrypt

Returns a new instance of Reencrypt.

Parameters:

  • namespace (String)

    target namespace (positional CLI arg).

  • name (String)

    Secret name (positional CLI arg).

  • deploy (Boolean) (defaults to: false)

    opt-in deploy after writing; defaults to false.

  • assume_yes (Boolean) (defaults to: false)

    skip the deploy confirmation; only meaningful together with `deploy:`.

  • kubectl (RKSeal::Kubectl) (defaults to: Kubectl.new)

    cluster adapter (read + apply).

  • kubeseal (RKSeal::Kubeseal) (defaults to: Kubeseal.new)

    sealing adapter (re-encrypt).

  • context_guard (RKSeal::ContextGuard, nil) (defaults to: nil)

    deploy gatekeeper; built from kubectl + prompt when nil and a deploy is requested.

  • prompt (Thor::Shell::Basic) (defaults to: Thor::Shell::Basic.new)

    shell for the deploy confirmation.

  • output_dir (String) (defaults to: Dir.pwd)

    directory the manifest is read from / written to (CWD).



# File 'lib/rkseal/commands/reencrypt.rb', line 44

def initialize(namespace:, name:, deploy: false, assume_yes: false,
               kubectl: Kubectl.new, kubeseal: Kubeseal.new,
               context_guard: nil, prompt: Thor::Shell::Basic.new,
               output_dir: Dir.pwd)
  @namespace = namespace
  @name = name
  @deploy = deploy
  @assume_yes = assume_yes
  @kubectl = kubectl
  @kubeseal = kubeseal
  @context_guard = context_guard
  @prompt = prompt
  @output_dir = output_dir
end

Instance Attribute Details

#deploy ⇒ Boolean (readonly)

Returns:

  • (Boolean)


# File 'lib/rkseal/commands/reencrypt.rb', line 31

def deploy
  @deploy
end

#name ⇒ String (readonly)

Returns:

  • (String)


# File 'lib/rkseal/commands/reencrypt.rb', line 29

def name
  @name
end

#namespace ⇒ String (readonly)

Returns:

  • (String)


# File 'lib/rkseal/commands/reencrypt.rb', line 27

def namespace
  @namespace
end

Instance Method Details

#call ⇒ RKSeal::Commands::Result

Run the re-encrypt flow end to end.

Side effects: reads the local `<name>.yaml` or the cluster SealedSecret; shells out to `kubeseal --re-encrypt`; writes `<name>.yaml`; and, only when #deploy is true and the operator confirms, runs `kubectl apply`.

Returns:

  • (RKSeal::Commands::Result)

Raises:



# File 'lib/rkseal/commands/reencrypt.rb', line 69

def call
  @kubectl.ensure_available!
  @kubeseal.ensure_available!

  reencrypted = @kubeseal.re_encrypt(source_sealed_yaml)
  path = write_manifest(reencrypted)
  deployed = @deploy && deploy_confirmed?
  @kubectl.apply(file: path) if deployed
  Result.new(secret_name: @name, namespace: @namespace, output_path: path, deployed: deployed)
end
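The input resolution order and the deploy gate described in the Overview and under #call, as an added example that is not the rkseal gem's own code: a self-contained Ruby model of the documented contract, run against stand-in adapters so it executes offline. `FakeKubectl`, `FakeKubeseal`, `ReencryptFlow`, the `confirm` callable standing in for RKSeal::ContextGuard, the `MissingSource` error, the context name `kind-dev` and the keyword signature of `get_sealedsecret` are assumptions; the embedded SealedSecret documents are constructed stubs, not real ciphertext.

```ruby
require "tmpdir"

# Added example, not the rkseal gem's code. FakeKubectl, FakeKubeseal,
# ReencryptFlow, the `confirm` callable (stand-in for RKSeal::ContextGuard),
# MissingSource and the keyword signature of get_sealedsecret are assumptions.
class FakeKubectl
  attr_reader :applied
  def initialize(cluster_sealed: nil)
    @cluster_sealed = cluster_sealed # nil: no SealedSecret in the cluster
    @applied = []
  end
  def ensure_available!; end
  def get_sealedsecret(namespace:, name:); @cluster_sealed; end
  def apply(file:); @applied << File.read(file); end
end

class FakeKubeseal
  def ensure_available!; end
  # Re-wraps the ciphertext under a newer key; plaintext is never involved.
  def re_encrypt(sealed_yaml); sealed_yaml.sub(/sealedBy: key-\w+/, "sealedBy: key-newest"); end
end

class ReencryptFlow
  Result = Struct.new(:secret_name, :namespace, :output_path, :deployed, keyword_init: true)
  MissingSource = Class.new(StandardError)

  def initialize(namespace:, name:, kubectl:, kubeseal:, output_dir:,
                 deploy: false, assume_yes: false, confirm: ->(_context) { false })
    @namespace, @name, @kubectl, @kubeseal = namespace, name, kubectl, kubeseal
    @output_dir, @deploy, @assume_yes, @confirm = output_dir, deploy, assume_yes, confirm
  end

  def call
    @kubectl.ensure_available!
    @kubeseal.ensure_available!
    reencrypted = @kubeseal.re_encrypt(source_sealed_yaml)
    path = write_manifest(reencrypted)
    deployed = @deploy && deploy_confirmed? # nothing is applied without a yes
    @kubectl.apply(file: path) if deployed
    Result.new(secret_name: @name, namespace: @namespace, output_path: path, deployed: deployed)
  end

  private

  def manifest_path; File.join(@output_dir, "#{@name}.yaml"); end

  # Documented order: local <name>.yaml from a previous run, then the live
  # SealedSecret; with neither, fail fast and point the operator at `create`.
  def source_sealed_yaml
    return File.read(manifest_path) if File.exist?(manifest_path)
    live = @kubectl.get_sealedsecret(namespace: @namespace, name: @name)
    return live if live
    raise MissingSource, "no #{manifest_path} and no SealedSecret " \
                         "#{@namespace}/#{@name}; run `rkseal create` first"
  end

  def write_manifest(yaml); File.write(manifest_path, yaml); manifest_path; end

  # assume_yes skips the prompt; otherwise the operator must confirm the
  # active kube context (placeholder "kind-dev") before anything reaches the cluster.
  def deploy_confirmed?; @assume_yes || @confirm.call("kind-dev"); end
end

# Constructed SealedSecret stubs (not real ciphertext).
LOCAL_SEALED   = "kind: SealedSecret\nsealedBy: key-old1\nsource: local\n"
CLUSTER_SEALED = "kind: SealedSecret\nsealedBy: key-old2\nsource: cluster\n"

def flow(dir, kubectl, name: "db", **opts)
  ReencryptFlow.new(namespace: "app", name: name, output_dir: dir,
                    kubectl: kubectl, kubeseal: FakeKubeseal.new, **opts)
end

# Runs the documented scenarios in a scratch directory; returns what happened.
def run_scenarios
  Dir.mktmpdir do |dir|
    out = {}
    File.write(File.join(dir, "db.yaml"), LOCAL_SEALED)  # 1. local file wins
    r = flow(dir, FakeKubectl.new(cluster_sealed: CLUSTER_SEALED)).call
    out[:local_first] = File.read(r.output_path)
    File.delete(File.join(dir, "db.yaml"))               # 2. fall back to cluster
    r = flow(dir, FakeKubectl.new(cluster_sealed: CLUSTER_SEALED)).call
    out[:cluster_fallback] = File.read(r.output_path)
    kc = FakeKubectl.new(cluster_sealed: CLUSTER_SEALED) # 3. deploy, prompt declined
    r = flow(dir, kc, deploy: true, confirm: ->(_ctx) { false }).call
    out[:declined] = [r.deployed, kc.applied.size]
    kc = FakeKubectl.new(cluster_sealed: CLUSTER_SEALED) # 4. deploy with assume_yes
    r = flow(dir, kc, deploy: true, assume_yes: true).call
    out[:assumed] = [r.deployed, kc.applied.size]
    begin                                                # 5. nothing to read
      flow(dir, FakeKubectl.new, name: "missing").call
    rescue ReencryptFlow::MissingSource => e
      out[:missing] = e.message
    end
    out
  end
end

p run_scenarios if $PROGRAM_NAME == __FILE__
```

The scenarios mirror the documented behaviour: a local manifest from a previous run is preferred over the cluster copy, the cluster copy is used only when the file is absent, a declined context confirmation leaves the re-encrypted manifest on disk without applying it, and a missing source fails before `kubeseal` is ever invoked. Because the manifest that reaches disk is ciphertext, nothing in this flow needs the RAM workspace or file-permission handling that `edit` requires for plaintext.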