Slightly change spec

Ettore Di Giacinto 2022-10-13 22:21:06 +00:00
parent 7c6fa7df06
commit 673bfcbd56
4 changed files with 30 additions and 16 deletions


@ -25,10 +25,9 @@ import (
// SealedVolumeSpec defines the desired state of SealedVolume // SealedVolumeSpec defines the desired state of SealedVolume
type SealedVolumeSpec struct { type SealedVolumeSpec struct {
TPMHash string `json:"TPMHash,omitempty"` TPMHash string `json:"TPMHash,omitempty"`
Label string `json:"label,omitempty"` Passphrase map[string]*SecretSpec `json:"partitionSecrets,omitempty"`
Passphrase *SecretSpec `json:"passphraseRef,omitempty"` Quarantined bool `json:"quarantined,omitempty"`
Quarantined bool `json:"quarantined,omitempty"`
} }
type SecretSpec struct { type SecretSpec struct {
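Review bot: The new `Passphrase` field has no doc comment, and its Go name no longer tells a reader what the JSON name `partitionSecrets` does or what the map key is; the sample manifest (`partitionSecrets: LABEL:`) and the server's `l == label` lookup show the key is the partition label, so the field should say so: `// Passphrase maps a partition label to the Secret reference (name and data key) holding that partition's passphrase.` Since `label` and `passphraseRef` are dropped from the same `v1alpha1` version rather than a new one, any existing SealedVolume objects written with the old fields would presumably stop matching in the key server; that may be acceptable for an alpha API, but it is worth stating in the commit message. The `import (` block this hunk sits under starts outside the hunk.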


@ -89,8 +89,18 @@ func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
*out = *in *out = *in
if in.Passphrase != nil { if in.Passphrase != nil {
in, out := &in.Passphrase, &out.Passphrase in, out := &in.Passphrase, &out.Passphrase
*out = new(SecretSpec) *out = make(map[string]*SecretSpec, len(*in))
**out = **in for key, val := range *in {
var outVal *SecretSpec
if val == nil {
(*out)[key] = nil
} else {
in, out := &val, &outVal
*out = new(SecretSpec)
**out = **in
}
(*out)[key] = outVal
}
} }
} }


@ -15,8 +15,8 @@ metadata:
namespace: default namespace: default
spec: spec:
TPMHash: "something" TPMHash: "something"
label: "label" partitionSecrets:
passphraseRef: LABEL:
name: mysecret name: mysecret
path: pass path: pass
quarantined: false quarantined: false


@ -87,10 +87,16 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
found := false found := false
var volume keyserverv1alpha1.SealedVolume var volume keyserverv1alpha1.SealedVolume
var passsecret *keyserverv1alpha1.SecretSpec
for _, v := range volumeList.Items { for _, v := range volumeList.Items {
if hashEncoded == v.Spec.TPMHash && v.Spec.Label == label { if hashEncoded == v.Spec.TPMHash {
found = true for l, secretRef := range v.Spec.Passphrase {
volume = v if l == label {
found = true
volume = v
passsecret = secretRef
}
}
} }
} }
@ -119,11 +125,10 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
writer, _ := conn.NextWriter(websocket.BinaryMessage) writer, _ := conn.NextWriter(websocket.BinaryMessage)
if !volume.Spec.Quarantined { if !volume.Spec.Quarantined {
secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, volume.Spec.Passphrase.Name, v1.GetOptions{}) secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, passsecret.Name, v1.GetOptions{})
if err == nil { if err == nil {
passphrase := secret.Data[volume.Spec.Passphrase.Path] passphrase := secret.Data[passsecret.Path]
json.NewEncoder(writer).Encode(map[string]string{"passphrase": string(passphrase)}) json.NewEncoder(writer).Encode(map[string]string{"passphrase": string(passphrase)})
} }
} else { } else {
conn.Close() conn.Close()
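Review bot: `passsecret` can still be nil when it is dereferenced in the `Secrets(namespace).Get(ctx, passsecret.Name, ...)` call, because the lookup loop copies `secretRef` into it without checking it; a `partitionSecrets` entry whose value is null is a legal object (the generated DeepCopy in this commit explicitly preserves nil map values), and such an entry would set `found = true` and then panic the server with a nil dereference on a matching request. Treat a nil reference as not found in the lookup, `if l == label && secretRef != nil {`, and the later `passsecret.Name`/`passsecret.Path` uses stay safe. The range over the map is also unnecessary: `secretRef, ok := v.Spec.Passphrase[label]` performs the same lookup directly and does not keep iterating after a hit. `Start` begins and ends outside these hunks, so the handling of `found == false` between them is not visible here; this note assumes it returns before the Get call.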