2021-12-07 22:31:32 +00:00
|
|
|
package cmds
|
|
|
|
|
|
|
|
import (
|
2022-03-02 23:47:27 +00:00
|
|
|
"github.com/k3s-io/k3s/pkg/version"
|
2021-12-07 22:31:32 +00:00
|
|
|
"github.com/urfave/cli"
|
|
|
|
)
|
|
|
|
|
|
|
|
const SecretsEncryptCommand = "secrets-encrypt"
|
|
|
|
|
2022-12-05 23:28:01 +00:00
|
|
|
var (
|
2023-01-31 20:57:48 +00:00
|
|
|
forceFlag = &cli.BoolFlag{
|
2022-12-05 23:28:01 +00:00
|
|
|
Name: "f,force",
|
|
|
|
Usage: "Force this stage.",
|
|
|
|
Destination: &ServerConfig.EncryptForce,
|
2021-12-07 22:31:32 +00:00
|
|
|
}
|
2022-12-05 23:28:01 +00:00
|
|
|
EncryptFlags = []cli.Flag{
|
|
|
|
DataDirFlag,
|
|
|
|
ServerToken,
|
2023-01-31 20:57:48 +00:00
|
|
|
&cli.StringFlag{
|
2022-12-05 23:28:01 +00:00
|
|
|
Name: "server, s",
|
|
|
|
Usage: "(cluster) Server to connect to",
|
|
|
|
EnvVar: version.ProgramUpper + "_URL",
|
|
|
|
Value: "https://127.0.0.1:6443",
|
|
|
|
Destination: &ServerConfig.ServerURL,
|
2021-12-07 22:31:32 +00:00
|
|
|
},
|
2022-12-05 23:28:01 +00:00
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2023-08-01 17:20:21 +00:00
|
|
|
func NewSecretsEncryptCommands(status, enable, disable, prepare, rotate, reencrypt, rotateKeys func(ctx *cli.Context) error) cli.Command {
|
2022-12-05 23:28:01 +00:00
|
|
|
return cli.Command{
|
|
|
|
Name: SecretsEncryptCommand,
|
|
|
|
Usage: "Control secrets encryption and keys rotation",
|
|
|
|
SkipArgReorder: true,
|
|
|
|
Subcommands: []cli.Command{
|
|
|
|
{
|
|
|
|
Name: "status",
|
|
|
|
Usage: "Print current status of secrets encryption",
|
|
|
|
SkipArgReorder: true,
|
|
|
|
Action: status,
|
|
|
|
Flags: append(EncryptFlags, &cli.StringFlag{
|
|
|
|
Name: "output,o",
|
|
|
|
Usage: "Status format. Default: text. Optional: json",
|
|
|
|
Destination: &ServerConfig.EncryptOutput,
|
2021-12-07 22:31:32 +00:00
|
|
|
}),
|
2022-12-05 23:28:01 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "enable",
|
|
|
|
Usage: "Enable secrets encryption",
|
|
|
|
SkipArgReorder: true,
|
|
|
|
Action: enable,
|
|
|
|
Flags: EncryptFlags,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "disable",
|
|
|
|
Usage: "Disable secrets encryption",
|
|
|
|
SkipArgReorder: true,
|
|
|
|
Action: disable,
|
|
|
|
Flags: EncryptFlags,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "prepare",
|
|
|
|
Usage: "Prepare for encryption keys rotation",
|
|
|
|
SkipArgReorder: true,
|
|
|
|
Action: prepare,
|
2023-01-31 20:57:48 +00:00
|
|
|
Flags: append(EncryptFlags, forceFlag),
|
2022-12-05 23:28:01 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "rotate",
|
|
|
|
Usage: "Rotate secrets encryption keys",
|
|
|
|
SkipArgReorder: true,
|
|
|
|
Action: rotate,
|
2023-01-31 20:57:48 +00:00
|
|
|
Flags: append(EncryptFlags, forceFlag),
|
2022-12-05 23:28:01 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "reencrypt",
|
|
|
|
Usage: "Reencrypt all data with new encryption key",
|
|
|
|
SkipArgReorder: true,
|
|
|
|
Action: reencrypt,
|
|
|
|
Flags: append(EncryptFlags,
|
2023-01-31 20:57:48 +00:00
|
|
|
forceFlag,
|
2022-12-05 23:28:01 +00:00
|
|
|
&cli.BoolFlag{
|
|
|
|
Name: "skip",
|
|
|
|
Usage: "Skip removing old key",
|
|
|
|
Destination: &ServerConfig.EncryptSkip,
|
|
|
|
}),
|
|
|
|
},
|
2023-08-01 17:20:21 +00:00
|
|
|
{
|
|
|
|
Name: "rotate-keys",
|
2023-08-02 22:17:41 +00:00
|
|
|
Usage: "(experimental) Dynamically add a new secrets encryption key and re-encrypt secrets",
|
2023-08-01 17:20:21 +00:00
|
|
|
SkipArgReorder: true,
|
|
|
|
Action: rotateKeys,
|
|
|
|
Flags: EncryptFlags,
|
|
|
|
},
|
2021-12-07 22:31:32 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|