|
| 1 | +# qseal |
| 2 | + |
| 3 | +<img src="resources/gopher.png" alt="Gopher" width="200"/> |
| 4 | + |
| 5 | + |
| 6 | +**qseal** is a CLI tool that simplifies the process of sealing and unsealing Kubernetes secrets using [`kubeseal`](https://github.com/bitnami-labs/sealed-secrets). It uses a declarative configuration file (`qsealrc.yaml`) to manage your secrets. |
| 7 | + |
| 8 | +## Features |
| 9 | + |
| 10 | +- Declarative configuration of sealed secrets |
| 11 | +- Sealing and unsealing via a single `sync` operation |
| 12 | +- Conflict detection for sealed paths |
| 13 | + |
| 14 | +## Installation |
| 15 | + |
| 16 | +Clone the repository and build the binary: |
| 17 | + |
| 18 | +```bash |
| 19 | +go install gitlab.42paris.fr/froz/qseal@latest |
| 20 | +``` |
| 21 | + |
| 22 | +You can also download the latest release from the [releases page](https://gitlab.42paris.fr/froz/qseal/-/releases). |
| 23 | + |
| 24 | +## Usage |
| 25 | + |
| 26 | +```bash |
| 27 | +qseal [flags] |
| 28 | +qseal [command] |
| 29 | +qseal # without any command will run `qseal sync` |
| 30 | +``` |
| 31 | + |
| 32 | +### Available Commands |
| 33 | + |
| 34 | +| Command | Description | |
| 35 | +| ------------ | ---------------------------------------------------------------------------------------------- | |
| 36 | +| `init` | Initialize the `qsealrc.yaml` configuration file | |
| 37 | +| `seal-all` | Seal all secrets defined in the config file _(not recommended, use `qseal sync` or `qseal`)_ | |
| 38 | +| `unseal-all` | Unseal all secrets defined in the config file _(not recommended, use `qseal sync` or `qseal`)_ | |
| 39 | +| `completion` | Generate autocompletion script for your shell | |
| 40 | +| `help` | Display help for any command | |
| 41 | + |
| 42 | +### Flags |
| 43 | + |
| 44 | +- `-h`, `--help`: Show help information |
| 45 | + |
| 46 | +Use `qseal [command] --help` for detailed information about a specific command. |
| 47 | + |
| 48 | +## Configuration |
| 49 | + |
| 50 | +qseal expects a `qsealrc.yaml` file at the root of your project. This file defines all secrets to be managed. Each secret must include: |
| 51 | + |
| 52 | +- A name |
| 53 | +- The path to the sealed file |
| 54 | +- Then the path to the secret file (env file, files) |
| 55 | +- The type of secret (e.g., `kubernetes.io/dockerconfigjson`, `kubernetes.io/tls`, etc.) |
| 56 | + |
| 57 | +## Sync Logic |
| 58 | + |
| 59 | +The core of `qseal` is the `Sync` operation, which: |
| 60 | + |
| 61 | +1. Parses the secrets listed in `qsealrc.yaml` |
| 62 | +2. Groups them by sealed output path |
| 63 | +3. Determines whether each group needs to be sealed, unsealed, or skipped |
| 64 | +4. Detects conflicts (e.g. multiple actions for the same sealed path) |
| 65 | +5. Applies sealing or unsealing as needed |
| 66 | + |
| 67 | +Example log output: |
| 68 | + |
| 69 | +```txt |
| 70 | +[2025-04-16 10:00:00] SEALING secrets.yaml (3 secret(s)) |
| 71 | +[2025-04-16 10:00:00] SKIP secrets.yaml (up-to-date) |
| 72 | +[2025-04-16 10:00:00] UNSEALING secrets.yaml (2 secret(s)) |
| 73 | +``` |
| 74 | + |
| 75 | +## Conflict Handling |
| 76 | + |
| 77 | +If multiple secrets reference the same sealed file path but require different actions (`seal` vs `unseal`), `qseal` will raise an error. You can resolve this by explicitly running either: |
| 78 | + |
| 79 | +```bash |
| 80 | +qseal seal-all |
| 81 | +``` |
| 82 | + |
| 83 | +or |
| 84 | + |
| 85 | +```bash |
| 86 | +qseal unseal-all |
| 87 | +``` |
0 commit comments