privilegedescalation/headlamp-sealed-secrets-plugin
Archived
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity

chore: move source to repo root and standardize config

Browse Source 
Phase 1 — Structural overhaul:
- Move all source from headlamp-sealed-secrets/ subdirectory to repo root
- Delete 23 AI-generated docs, 8 pre-built tarballs, release snapshots dir
- Remove all working-directory refs from CI/release workflows
- Update install-plugin.sh and typedoc.json paths

Phase 2 — Config standardization:
- Create .eslintrc.js and .prettierrc.js (standard Headlamp configs)
- Remove inline eslintConfig/prettier from package.json (drop jsx-a11y, prettier extends)
- Rewrite tsconfig.json (package name extend, add compilerOptions.types)
- Create vitest.config.mts and vitest.setup.ts (standard from polaris)
- Replace headlamp-plugin CLI scripts with direct tool invocation
- Rewrite .gitignore with standard baseline

Phase 3 — MCP & Claude settings:
- Create .mcp.json with github/kubernetes/flux/playwright servers
- Create .claude/settings.local.json
- Remove 7 specialized agents, keep 3 meta-orchestration agents

Phase 4 — Documentation:
- Rewrite CLAUDE.md (remove subdirectory refs, standard format)
- Add ArtifactHub badge, Architecture section, standardized install methods to README.md
- Create CONTRIBUTING.md and SECURITY.md
- Fix pre-existing test bugs in validators.test.ts (isValidNamespace returns boolean,
  not ValidationResult; error message string mismatches)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
DevContainer User
2026-03-03 21:31:12 +00:00
parent 604fe06f9c
commit af95c3795c
108 changed files with 704 additions and 14041 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/hooks/useSealedSecretEncryption.ts
+208
View File
@@ -0,0 +1,208 @@
/**
* Custom Hook for SealedSecret Encryption
*
* Encapsulates the business logic for encrypting secrets and creating SealedSecrets.
* Handles certificate fetching, validation, expiry warnings, encryption, and object creation.
*/
import { useSnackbar } from 'notistack';
import React from 'react';
import { fetchPublicCertificate, getPluginConfig } from '../lib/controller';
import {
encryptKeyValues,
isCertificateExpiringSoon,
parseCertificateInfo,
parsePublicKeyFromCert,
} from '../lib/crypto';
import { validateSecretKey, validateSecretName, validateSecretValue } from '../lib/validators';
import {
AsyncResult,
CertificateInfo,
Err,
Ok,
PlaintextValue,
SealedSecretScope,
} from '../types';
/**
* Request parameters for encryption
*/
export interface EncryptionRequest {
/** Name of the SealedSecret to create */
name: string;
/** Namespace to create the SealedSecret in */
namespace: string;
/** Encryption scope (strict, namespace-wide, cluster-wide) */
scope: SealedSecretScope;
/** Key-value pairs to encrypt */
keyValues: Array<{ key: string; value: string }>;
}
/**
* Result of successful encryption
*/
export interface EncryptionResult {
/** The complete SealedSecret object ready to apply */
sealedSecretData: any;
/** Information about the certificate used */
certificateInfo?: CertificateInfo;
}
/**
* Custom hook for SealedSecret encryption
*
* Provides encryption functionality with built-in validation, error handling,
* and user notifications.
*
* @returns Object with encrypt function and encrypting state
*
* @example
* const { encrypt, encrypting } = useSealedSecretEncryption();
*
* const result = await encrypt({
* name: 'my-secret',
* namespace: 'default',
* scope: 'strict',
* keyValues: [{ key: 'password', value: 'secret123' }]
* });
*
* if (result.ok) {
* // Use result.value.sealedSecretData
* }
*/
export function useSealedSecretEncryption() {
const [encrypting, setEncrypting] = React.useState(false);
const { enqueueSnackbar } = useSnackbar();
const encrypt = React.useCallback(
async (request: EncryptionRequest): AsyncResult<EncryptionResult, string> => {
setEncrypting(true);
try {
// Step 1: Validate inputs
const nameValidation = validateSecretName(request.name);
if (!nameValidation.valid) {
enqueueSnackbar(nameValidation.error, { variant: 'error' });
return Err(nameValidation.error || 'Invalid secret name');
}
// Validate all key-value pairs
for (const kv of request.keyValues) {
const keyValidation = validateSecretKey(kv.key);
if (!keyValidation.valid) {
const error = `Invalid key "${kv.key}": ${keyValidation.error}`;
enqueueSnackbar(error, { variant: 'error' });
return Err(error);
}
const valueValidation = validateSecretValue(kv.value);
if (!valueValidation.valid) {
const error = `Invalid value for key "${kv.key}": ${valueValidation.error}`;
enqueueSnackbar(error, { variant: 'error' });
return Err(error);
}
}
if (request.keyValues.length === 0) {
const error = 'At least one key-value pair is required';
enqueueSnackbar(error, { variant: 'error' });
return Err(error);
}
// Step 2: Fetch the controller's public certificate
const config = getPluginConfig();
const certResult = await fetchPublicCertificate(config);
if (certResult.ok === false) {
const error = `Failed to fetch certificate: ${certResult.error}`;
enqueueSnackbar(error, { variant: 'error' });
return Err(error);
}
// Step 3: Check certificate expiry and warn user
let certInfo: CertificateInfo | undefined;
const certInfoResult = parseCertificateInfo(certResult.value);
if (certInfoResult.ok) {
certInfo = certInfoResult.value;
if (certInfo.isExpired) {
enqueueSnackbar(
`Warning: Controller certificate expired on ${certInfo.validTo.toLocaleDateString()}. ` +
'Secrets may not be decryptable.',
{ variant: 'warning' }
);
} else if (isCertificateExpiringSoon(certInfo, 30)) {
enqueueSnackbar(
`Warning: Controller certificate expires in ${certInfo.daysUntilExpiry} days ` +
`(${certInfo.validTo.toLocaleDateString()}).`,
{ variant: 'warning' }
);
}
}
// Step 4: Parse the public key from certificate
const keyResult = parsePublicKeyFromCert(certResult.value);
if (keyResult.ok === false) {
const error = `Invalid certificate: ${keyResult.error}`;
enqueueSnackbar(error, { variant: 'error' });
return Err(error);
}
// Step 5: Encrypt all values client-side
const encryptResult = encryptKeyValues(
keyResult.value,
request.keyValues.map(kv => ({ key: kv.key, value: PlaintextValue(kv.value) })),
request.namespace,
request.name,
request.scope
);
if (encryptResult.ok === false) {
const error = `Encryption failed: ${encryptResult.error}`;
enqueueSnackbar(error, { variant: 'error' });
return Err(error);
}
// Step 6: Construct the SealedSecret object
const sealedSecretData: any = {
apiVersion: 'bitnami.com/v1alpha1',
kind: 'SealedSecret',
metadata: {
name: request.name,
namespace: request.namespace,
annotations: {},
},
spec: {
encryptedData: encryptResult.value,
template: {
metadata: {},
},
},
};
// Add scope annotations
if (request.scope === 'namespace-wide') {
sealedSecretData.metadata.annotations['sealedsecrets.bitnami.com/namespace-wide'] =
'true';
} else if (request.scope === 'cluster-wide') {
sealedSecretData.metadata.annotations['sealedsecrets.bitnami.com/cluster-wide'] = 'true';
}
return Ok({
sealedSecretData,
certificateInfo: certInfo,
});
} catch (error: any) {
const errorMsg = error.message || 'Unknown encryption error';
enqueueSnackbar(errorMsg, { variant: 'error' });
return Err(errorMsg);
} finally {
setEncrypting(false);
}
},
[enqueueSnackbar]
);
return { encrypt, encrypting };
}