package main
import (
	"context"
	"crypto/tls"
	"encoding/pem"
	"flag"
	"fmt"
	"log"
	"os"
	"strings"

	v1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/errors"
	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	coreV1Types "k8s.io/client-go/kubernetes/typed/core/v1"
	"k8s.io/client-go/tools/clientcmd"
	"k8s.io/client-go/util/retry"
)
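// getk8sSecretClient builds a client for the Secrets of namespace using the
// standard kubeconfig discovery rules: the KUBECONFIG environment variable
// (which may list several files) when it is set, otherwise $HOME/.kube/config.
//
// Any failure is fatal: the program logs the error and exits, because nothing
// else in this tool can run without a working API client.
func getk8sSecretClient(namespace string) coreV1Types.SecretInterface {
	// The default loading rules honour KUBECONFIG and fall back to the
	// recommended home-directory file, so the path is no longer hard-coded
	// by string concatenation on $HOME.
	rules := clientcmd.NewDefaultClientConfigLoadingRules()
	cfg, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, &clientcmd.ConfigOverrides{}).ClientConfig()
	if err != nil {
		log.Fatalf("config building failed: %v\n", err)
	}
	cs, err := kubernetes.NewForConfig(cfg)
	if err != nil {
		log.Fatalf("creating new config failed: %v\n", err)
	}
	return cs.CoreV1().Secrets(namespace)
}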
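// main reads a PEM certificate and private key from disk, checks that they
// form a usable TLS pair, and creates or updates a kubernetes.io/tls Secret
// holding them in the chosen namespace.
//
// Flags:
//
//	-cert-path    path to the end-entity certificate (PEM)
//	-key-path     path to the matching private key (PEM)
//	-namespace    namespace of the Secret
//	-secret-name  name of the Secret
//
// Every failure is fatal and reported through log (the key material itself is
// never logged); on success a confirmation is printed and the process exits 0.
func main() {
	cp := flag.String("cert-path", "./build/secrets/server_crt.pem", "The path to your end-entity certificate")
	kp := flag.String("key-path", "./build/secrets/server_key.pem", "The path to your end-entity private key")
	ns := flag.String("namespace", "default", "Your namespace")
	sn := flag.String("secret-name", "tls-secret", "Your secret name")
	flag.Parse()

	cpem, err := os.ReadFile(*cp)
	if err != nil {
		log.Fatalf("failed to read certificate: %v\n", err)
	}
	kpem, err := os.ReadFile(*kp)
	if err != nil {
		// This is the read step, not parsing; the message now says so.
		log.Fatalf("failed to read private key: %v\n", err)
	}
	if err := validateTLSPair(cpem, kpem); err != nil {
		log.Fatalf("invalid certificate/key pair: %v\n", err)
	}

	sc := getk8sSecretClient(*ns)
	if err := upsertTLSSecret(sc, *sn, *ns, string(cpem), string(kpem)); err != nil {
		log.Fatalf("Update failed: %v\n", err)
	}
	// Report the name that was actually used rather than a hard-coded one.
	fmt.Printf("Secret %s is successfully updated\n", *sn)
	os.Exit(0)
}

// validateTLSPair checks that cert contains a PEM CERTIFICATE block, that key
// contains a PEM private-key block (PKCS#8 "PRIVATE KEY" or a legacy
// "RSA PRIVATE KEY"/"EC PRIVATE KEY"), and that the two belong together.
// Pushing a mismatched or malformed pair would produce a Secret that every
// consumer rejects at handshake time, so it is rejected here before any API
// call is made. The returned error carries only the reason, never key bytes.
func validateTLSPair(cert, key []byte) error {
	cblock, _ := pem.Decode(cert)
	if cblock == nil || cblock.Type != "CERTIFICATE" {
		return fmt.Errorf("failed to decode PEM block containing certificate")
	}
	kblock, _ := pem.Decode(key)
	// HasSuffix accepts the same block types crypto/tls does, instead of only
	// the PKCS#8 "PRIVATE KEY" label.
	if kblock == nil || !strings.HasSuffix(kblock.Type, "PRIVATE KEY") {
		return fmt.Errorf("failed to decode PEM block containing private key")
	}
	// X509KeyPair parses both sides and verifies the public keys match.
	if _, err := tls.X509KeyPair(cert, key); err != nil {
		return fmt.Errorf("certificate and key do not form a valid pair: %w", err)
	}
	return nil
}

// upsertTLSSecret creates the kubernetes.io/tls Secret name in namespace ns
// when it does not exist, and otherwise updates its tls.crt/tls.key entries.
// Updates are retried on optimistic-concurrency conflicts so that changes made
// by other clients in between are preserved. Any other error — including a
// failed Get or Create — is returned to the caller instead of being fatal here.
func upsertTLSSecret(sc coreV1Types.SecretInterface, name, ns, cert, key string) error {
	ctx := context.TODO()
	// Retry updating secret until you no longer get a conflict error.
	// Ref: https://github.com/kubernetes/client-go/blob/master/examples/create-update-delete-deployment/main.go
	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
		s, getErr := sc.Get(ctx, name, metaV1.GetOptions{})
		if errors.IsNotFound(getErr) {
			fresh := &v1.Secret{
				Type: v1.SecretTypeTLS,
				ObjectMeta: metaV1.ObjectMeta{
					Name:      name,
					Namespace: ns,
				},
				StringData: map[string]string{
					"tls.crt": cert,
					"tls.key": key,
				},
			}
			_, createErr := sc.Create(ctx, fresh, metaV1.CreateOptions{})
			return createErr
		}
		if getErr != nil {
			// A non-NotFound failure (auth, network, ...) must not fall
			// through to an Update of an empty object.
			return getErr
		}
		// StringData is not populated on objects read back from the API
		// server, and writing into a nil map panics.
		if s.StringData == nil {
			s.StringData = map[string]string{}
		}
		s.StringData["tls.crt"] = cert
		s.StringData["tls.key"] = key
		_, updateErr := sc.Update(ctx, s, metaV1.UpdateOptions{})
		return updateErr
	})
}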