From 6da235d231d06cd0fd7d15a21129f6018c82460b Mon Sep 17 00:00:00 2001
From: Angus Lees
Date: Mon, 18 Sep 2017 16:39:25 +1000
Subject: [PATCH] kubeseal: Add --fetch-cert to dump cert to stdout

This change adds a `--fetch-cert` option, which dumps the certificate to stdout and exits. Hopefully this makes it easier to use `--cert` and the offline workflow.

Fixes #48
---
 README.md | 11 ++++++-----
 cmd/kubeseal/main.go | 8 ++++++++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 57b879584b..6a87fc8e96 100644
--- a/README.md
+++ b/README.md
@@ -53,11 +53,12 @@ and needs to be available wherever `kubeseal` is going to be used.
 The certificate is not secret information, although you need to ensure you are using the correct file.
-`kubeseal` will fetch the certificate from the controller at
-runtime (requires secure access to the Kubernetes API server), but can
-also be read from a local file for offline situations (eg: automated
-jobs). The certificate is also printed to the controller log on
-startup.
+`kubeseal` will fetch the certificate from the controller at runtime
+(requires secure access to the Kubernetes API server), which is
+convenient for interactive use. The recommended automation workflow
+is to store the certificate to local disk with `kubeseal --fetch-cert
+>mycert.pem`, and use it offline with `kubeseal --cert mycert.pem`.
+The certificate is also printed to the controller log on startup.
 ### Installation from source
diff --git a/cmd/kubeseal/main.go b/cmd/kubeseal/main.go
index 76aa30717c..ad5902d34b 100644
--- a/cmd/kubeseal/main.go
+++ b/cmd/kubeseal/main.go
@@ -35,6 +35,7 @@ var (
 controllerNs = flag.String("controller-namespace", api.NamespaceSystem, "Namespace of sealed-secrets controller.")
 controllerName = flag.String("controller-name", "sealed-secrets-controller", "Name of sealed-secrets controller.")
 outputFormat = flag.String("format", "json", "Output format for sealed secret. Either json or yaml")
+ dumpCert = flag.Bool("fetch-cert", false, "Write certificate to stdout. Useful for later use with --cert")
 
 clientConfig clientcmd.ClientConfig
 )
@@ -219,6 +220,13 @@ func main() {
 }
 defer f.Close()
 
+ if *dumpCert {
+ if _, err := io.Copy(os.Stdout, f); err != nil {
+ panic(err.Error())
+ }
+ return
+ }
+
 pubKey, err := parseKey(f)
 if err != nil {
 panic(err.Error())
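Review bot: The `--fetch-cert` branch in the second hunk copies whatever `f` yields straight to stdout and returns before `parseKey` runs, so content that is not a valid certificate (a truncated or unexpected response, or a wrong local file passed via `--cert`) is written to `mycert.pem` without complaint and the failure only surfaces later when the saved file is used for sealing. The README text in this same commit already tells users to "ensure you are using the correct file"; the tool can enforce that cheaply by validating before echoing, as sketched below, which would need `bytes` and `io/ioutil` imported (the import block is outside the hunk, and I am assuming `parseKey` accepts an `io.Reader`, which the existing `parseKey(f)` call suggests but does not prove). Using `panic(err.Error())` matches the surrounding error handling, so that style is left as is. `main` starts before this hunk.
```go
	if *dumpCert {
		// Read and validate first so a bad fetch fails here rather than at --cert time.
		data, err := ioutil.ReadAll(f)
		if err != nil {
			panic(err.Error())
		}
		if _, err := parseKey(bytes.NewReader(data)); err != nil {
			panic(err.Error())
		}
		if _, err := os.Stdout.Write(data); err != nil {
			panic(err.Error())
		}
		return
	}
	// … unchanged: parseKey(f) and the remainder of main …
```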