Class: Kubeseal

Inherits:
Object
  • Object
show all
Defined in:
lib/kubeseal.rb,
lib/kubeseal/version.rb

Defined Under Namespace

Classes: CLI

Constant Summary collapse

DEFAULT_KEY_FETCHER = 
lambda do |_|
  raise NotImplementedError, "no cluster key-fetcher passed"
end
VERSION = 
"0.1.6"

Instance Method Summary collapse

Constructor Details

#initialize(key_fetcher: nil, resealer: nil) ⇒ Kubeseal

Returns a new instance of Kubeseal.



16
17
18
19
 
# File 'lib/kubeseal.rb', line 16

def initialize(key_fetcher: nil, resealer: nil)
  @cluster_sealer_key_fetcher = key_fetcher || DEFAULT_KEY_FETCHER
  @cluster_sealer_resealer = resealer
end

Instance Method Details

#cluster_sealer_private_keysObject 



25
26
27
 
# File 'lib/kubeseal.rb', line 25

def cluster_sealer_private_keys
  @cluster_sealer_private_keys ||= @cluster_sealer_key_fetcher.call(:private_keys)
end

#cluster_sealer_public_keyObject 



21
22
23
 
# File 'lib/kubeseal.rb', line 21

def cluster_sealer_public_key
  @cluster_sealer_public_key ||= @cluster_sealer_key_fetcher.call(:public_key)
end

#resealObject 



170
171
172
173
174
175
176
 
# File 'lib/kubeseal.rb', line 170

def reseal(...)
  if @cluster_sealer_resealer
    reseal_serverside(...)
  else
    reseal_clientside(...)
  end
end

#reseal_clientside(ciphertext, scope_label) ⇒ Object 



178
179
180
181
 
# File 'lib/kubeseal.rb', line 178

def reseal_clientside(ciphertext, scope_label)
  plaintext = unseal(ciphertext, scope_label)
  seal(plaintext, scope_label)
end

#reseal_serverside(ciphertext, scope_label) ⇒ Object 



183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
 
# File 'lib/kubeseal.rb', line 183

def reseal_serverside(ciphertext, scope_label)
  rc_namespace, rc_name, scope =
    case scope_label.split('/', 2)
    in []
      ["dummy", "dummy", :"cluster-wide"]
    in [ns]
      [ns, "dummy", :"namespace-wide"]
    in [ns, name]
      [ns, name, :strict]
    end

  rc = build_sealed_secret_rc(
    rc_namespace,
    rc_name,
    'Opaque',
    armor({'dummy' => ciphertext}, strict: true)
  )
  rc = patch_with_scope(rc, scope)

  resealed_rc = reseal_wrapped_serverside(rc)

  Base64.decode64(resealed_rc.dig('spec', 'encryptedData', 'dummy'))
end

#reseal_wrapped_serverside(sealed_secret_rc) ⇒ Object 



207
208
209
 
# File 'lib/kubeseal.rb', line 207

def reseal_wrapped_serverside(sealed_secret_rc)
  YAML.load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))
end

#seal(plaintext, scope_label) ⇒ Object 



98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
 
# File 'lib/kubeseal.rb', line 98

def seal(plaintext, scope_label)
  cs_pubkey = self.cluster_sealer_public_key

  session_key = SecureRandom.bytes(32)

  session_key_enc =
    cs_pubkey.public_encrypt_oaep(
      session_key,
      scope_label,
      OpenSSL::Digest::SHA256
    )

  aed_cipher = OpenSSL::Cipher.new("AES-256-GCM").encrypt
  aed_cipher.key = session_key
  aed_cipher.iv = AED_IV
  aed_cipher.auth_data = ""

  payload_enc =
    aed_cipher.update(plaintext) +
    aed_cipher.final +
    aed_cipher.auth_tag

  ciphertext_parts = [
    session_key_enc.length,
    session_key_enc,
    payload_enc
  ]

  ciphertext_parts.pack('S>A*A*')
end

#seal_and_wrap(secret_rc, scope: :strict) ⇒ Object 



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
 
# File 'lib/kubeseal.rb', line 32

def seal_and_wrap(secret_rc, scope: :strict)
  rc_name = secret_rc.dig('metadata', 'name')
  rc_namespace = secret_rc.dig('metadata', 'namespace')
  rc_type = secret_rc['type'] || 'Opaque'
  scope_label = label_for(scope, rc_namespace, rc_name)

  raw_data =
    if secret_rc.has_key?('data')
      unarmor(secret_rc['data'])
    elsif secret_rc.has_key?('stringData')
      secret_rc['stringData']
    else
      {}
    end

  encrypted_data = raw_data.map do |key, plaintext|
    ciphertext = seal(plaintext, scope_label)
    [key, ciphertext]
  end.to_h

  secret_type = secret_rc['type'] || 'Opaque'

  sealed_secret_rc =
    build_sealed_secret_rc(
      rc_namespace,
      rc_name,
      secret_type,
      armor(encrypted_data)
    )

  patch_with_scope(sealed_secret_rc, scope)
end

#unseal(ciphertext, scope_label) ⇒ Object 



129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
 
# File 'lib/kubeseal.rb', line 129

def unseal(ciphertext, scope_label)
  cs_privkeys_to_try = self.cluster_sealer_private_keys.dup

  session_key_enc_len, ciphertext = ciphertext.unpack('S>A*')
  session_key_enc, ciphertext = ciphertext.unpack("A#{session_key_enc_len}A*")

  session_key = nil
  until session_key or cs_privkeys_to_try.empty?
    begin
      try_privkey = cs_privkeys_to_try.shift
      session_key = try_privkey.private_decrypt_oaep(
        session_key_enc,
        scope_label,
        OpenSSL::Digest::SHA256
      )
    rescue OpenSSL::PKey::RSAError => e
    end
  end

  unless session_key
    raise RuntimeError, "no keys from cluster were applicable to decrypting payload"
  end

  aed_decipher = OpenSSL::Cipher.new("AES-256-GCM").decrypt
  aed_decipher.key = session_key
  aed_decipher.iv = AED_IV

  auth_tag_len = 16
  auth_tag   = ciphertext[-auth_tag_len .. -1]
  ciphertext = ciphertext[0 ... -auth_tag_len]

  aed_decipher.auth_tag = auth_tag
  aed_decipher.auth_data = ""

  plaintext =
    aed_decipher.update(ciphertext) +
    aed_decipher.final

  plaintext
end

#unwrap_and_unseal(sealed_secret_rc, armor: true) ⇒ Object 



65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 
# File 'lib/kubeseal.rb', line 65

def unwrap_and_unseal(sealed_secret_rc, armor: true)
  rc_name = sealed_secret_rc.dig('metadata', 'name')
  rc_namespace = sealed_secret_rc.dig('metadata', 'namespace')
  rc_type = sealed_secret_rc['type'] || 'Opaque'

  scope = scope_from_annotations(sealed_secret_rc.dig('metadata', 'annotations'))
  scope_label = label_for(scope, rc_namespace, rc_name)

  # decode data if encoded
  encrypted_data = unarmor(sealed_secret_rc.dig('spec', 'encryptedData'))

  string_data = encrypted_data.map do |key, ciphertext|
    plaintext = unseal(ciphertext, scope_label)
    [key, plaintext]
  end.to_h

  merge_part =
    if armor
      {'data' => armor(string_data)}
    else
      {'stringData' => string_data}
    end

  secret_type = sealed_secret_rc.dig('spec', 'template', 'type') || 'Opaque'

  build_secret_rc(
    rc_namespace,
    rc_name,
    secret_type,
    merge_part
  )
end