add support for Kubernetes TLS keys for flux create secret tls

Add support for using `tls.key`, `tls.crt` and `ca.crt` keys while generating a Secret, using the `--tls-key-file`, `--tls-crt-file` and `--ca-crt-file` flags respectively. Mark the flags `--key-file`, `--cert-file` and `--ca-file` as deprecated. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
2026-02-06 19:05:55 +00:00 · 2023-08-09 17:10:45 +05:30
parent a2ac94b625
commit bf36a29ca2
7 changed files with 213 additions and 39 deletions
--- a/pkg/manifestgen/sourcesecret/options.go
+++ b/pkg/manifestgen/sourcesecret/options.go
@@ -33,13 +33,19 @@ const (
 const (
 	UsernameSecretKey   = "username"
 	PasswordSecretKey   = "password"
-	CAFileSecretKey     = "caFile"
-	CertFileSecretKey   = "certFile"
-	KeyFileSecretKey    = "keyFile"
+	CACrtSecretKey      = "ca.crt"
+	TlsCrtSecretKey     = "tls.crt"
+	TlsKeySecretKey     = "tls.key"
 	PrivateKeySecretKey = "identity"
 	PublicKeySecretKey  = "identity.pub"
 	KnownHostsSecretKey = "known_hosts"
 	BearerTokenKey      = "bearerToken"
+
+	// Depreacted: These keys are used in the generated secrets if the
+	// command was invoked with the deprecated TLS flags.
+	CAFileSecretKey   = "caFile"
+	CertFileSecretKey = "certFile"
+	KeyFileSecretKey  = "keyFile"
 )

 type Options struct {
@@ -54,12 +60,18 @@ type Options struct {
 	Keypair             *ssh.KeyPair
 	Username            string
 	Password            string
-	CAFile              []byte
-	CertFile            []byte
-	KeyFile             []byte
+	CACrt               []byte
+	TlsCrt              []byte
+	TlsKey              []byte
 	TargetPath          string
 	ManifestFile        string
 	BearerToken         string
+
+	// Depreacted: These fields are used to store TLS data that
+	// specified by the deprecated TLS flags.
+	CAFile   []byte
+	CertFile []byte
+	KeyFile  []byte
 }

 func MakeDefaultOptions() Options {
--- a/pkg/manifestgen/sourcesecret/sourcesecret.go
+++ b/pkg/manifestgen/sourcesecret/sourcesecret.go
@@ -89,7 +89,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
 		}
 	}

-	secret := buildSecret(keypair, hostKey, options.CAFile, options.CertFile, options.KeyFile, dockerCfgJson, options)
+	secret := buildSecret(keypair, hostKey, dockerCfgJson, options)
 	b, err := yaml.Marshal(secret)
 	if err != nil {
 		return nil, err
@@ -130,7 +130,7 @@ func LoadKeyPair(privateKey []byte, password string) (*ssh.KeyPair, error) {
 	}, nil
 }

-func buildSecret(keypair *ssh.KeyPair, hostKey, caFile, certFile, keyFile, dockerCfg []byte, options Options) (secret corev1.Secret) {
+func buildSecret(keypair *ssh.KeyPair, hostKey, dockerCfg []byte, options Options) (secret corev1.Secret) {
 	secret.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
 		Kind:       "Secret",
@@ -156,13 +156,18 @@ func buildSecret(keypair *ssh.KeyPair, hostKey, caFile, certFile, keyFile, docke
 		secret.StringData[BearerTokenKey] = options.BearerToken
 	}

-	if len(caFile) != 0 {
-		secret.StringData[CAFileSecretKey] = string(caFile)
+	if len(options.CACrt) != 0 {
+		secret.StringData[CACrtSecretKey] = string(options.CACrt)
+	} else if len(options.CAFile) != 0 {
+		secret.StringData[CAFileSecretKey] = string(options.CAFile)
 	}

-	if len(certFile) != 0 && len(keyFile) != 0 {
-		secret.StringData[CertFileSecretKey] = string(certFile)
-		secret.StringData[KeyFileSecretKey] = string(keyFile)
+	if len(options.TlsCrt) != 0 && len(options.TlsKey) != 0 {
+		secret.StringData[TlsCrtSecretKey] = string(options.TlsCrt)
+		secret.StringData[TlsKeySecretKey] = string(options.TlsKey)
+	} else if len(options.CertFile) != 0 && len(options.KeyFile) != 0 {
+		secret.StringData[CertFileSecretKey] = string(options.CertFile)
+		secret.StringData[KeyFileSecretKey] = string(options.KeyFile)
 	}

 	if keypair != nil && len(hostKey) != 0 {