Merge pull request #40 from caos/list-secrets

List secrets

cmd/nodeagent/main.go

@@ -25,7 +25,7 @@ import (
 
 var gitCommit string
 var version string
-
+ 
 func getEnv(key, fallback string) string {
 	if value, ok := os.LookupEnv(key); ok {
 		return value

cmd/orbctl/readsecret.go

@@ -13,8 +13,9 @@ func readSecretCommand(rv rootValues) *cobra.Command {
 
 	return &cobra.Command{
 		Use:     "readsecret [path]",
-		Short:   "Decrypt and print to stdout",
-		Args:    cobra.ExactArgs(1),
+		Short:   "Print a secrets decrypted value to stdout",
+		Long:    "Print a secrets decrypted value to stdout.\nIf no path is provided, a secret can interactively be chosen from a list of all possible secrets",
+		Args:    cobra.MaximumNArgs(1),
 		Example: `orbctl readsecret k8s.kubeconfig > ~/.kube/config`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 
@@ -23,14 +24,19 @@ func readSecretCommand(rv rootValues) *cobra.Command {
 				return errFunc(cmd)
 			}
 
+			path := ""
+			if len(args) > 0 {
+				path = args[0]
+			}
+
 			value, err := orbiter.ReadSecret(
 				gitClient,
 				orb.AdaptFunc(logger,
 					orbconfig,
 					gitCommit,
 					false,
 					false),
-				args[0])
+				path)
 			if err != nil {
 				panic(err)
 			}

cmd/orbctl/writesecret.go

@@ -17,19 +17,20 @@ func writeSecretCommand(rv rootValues) *cobra.Command {
 		file  string
 		stdin bool
 		cmd   = &cobra.Command{
-			Use:   "writesecret [name]",
-			Short: "Encrypt and push",
-			Args:  cobra.ExactArgs(1),
+			Use:   "writesecret [path]",
+			Short: "Encrypt a secret and push it to the repository",
+			Long:  "Encrypt a secret and push it to the repository.\nIf no path is provided, a secret can interactively be chosen from a list of all possible secrets",
+			Args:  cobra.MaximumNArgs(1),
 			Example: `orbctl writesecret mystaticprovider.bootstrapkey --file ~/.ssh/my-orb-bootstrap
 orbctl writesecret mystaticprovider.bootstrapkey_pub --file ~/.ssh/my-orb-bootstrap.pub
 orbctl writesecret mygceprovider.google_application_credentials_value --value "$(cat $GOOGLE_APPLICATION_CREDENTIALS)" `,
 		}
 	)
 
 	flags := cmd.Flags()
-	flags.StringVar(&value, "value", "", "Secret phrase value used for encrypting and decrypting secrets")
-	flags.StringVarP(&file, "file", "s", "", "Secret phrase file used for encrypting and decrypting secrets")
-	flags.BoolVar(&stdin, "stdin", false, "Read Secret phrase used for encrypting and decrypting secrets from standard input")
+	flags.StringVar(&value, "value", "", "Secret value to encrypt")
+	flags.StringVarP(&file, "file", "s", "", "File containing the value to encrypt")
+	flags.BoolVar(&stdin, "stdin", false, "Value to encrypt is read from standard input")
 
 	cmd.RunE = func(cmd *cobra.Command, args []string) error {
 
@@ -43,14 +44,19 @@ orbctl writesecret mygceprovider.google_application_credentials_value --value "$
 			return errFunc(cmd)
 		}
 
+		path := ""
+		if len(args) > 0 {
+			path = args[0]
+		}
+
 		if err := orbiter.WriteSecret(
 			gitClient,
 			orb.AdaptFunc(logger,
 				orbconfig,
 				gitCommit,
 				false,
 				false),
-			args[0],
+			path,
 			s); err != nil {
 			panic(err)
 		}

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/go-logr/logr v0.1.0
 	github.com/goombaio/dag v0.0.0-20181006234417-a8874b1f72ff
 	github.com/imdario/mergo v0.3.8 // indirect
+	github.com/manifoldco/promptui v0.7.0
 	github.com/mitchellh/mapstructure v1.1.2
 	github.com/pkg/errors v0.8.1
 	github.com/robfig/cron v1.2.0

go.sum

@@ -43,6 +43,10 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5/go.mod h1:/iP1qXHoty45bqomnu2LM+VVyAEdWN+vtSHGlQgyxbw=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
@@ -174,6 +178,8 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a h1:FaWFmfWdAUKbSCtOU2QjDaorUexogfaMgbipgYATUMU=
+github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a/go.mod h1:UJSiEoRfvx3hP73CvoARgeLjaIOjybY9vj8PUPPFGeU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
@@ -193,13 +199,21 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
+github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a h1:weJVJJRzAJBFRlAiJQROKQs8oC9vOxvm4rZmBBk0ONw=
+github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/manifoldco/promptui v0.7.0 h1:3l11YT8tm9MnwGFQ4kETwkzpAwY2Jt9lCrumCUW4+z4=
+github.com/manifoldco/promptui v0.7.0/go.mod h1:n4zTdgP0vr0S3w7/O/g98U+e0gwLScEXGwov2nIKuGQ=
+github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
+github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -341,6 +355,7 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

internal/operator/orbiter/adapt.go

@@ -6,7 +6,7 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-type AdaptFunc func(desired *Tree, secrets *Tree, current *Tree) (EnsureFunc, DestroyFunc, ReadSecretFunc, WriteSecretFunc, error)
+type AdaptFunc func(desired *Tree, secrets *Tree, current *Tree) (EnsureFunc, DestroyFunc, map[string]*Secret, error)
 
 func parse(gitClient *git.Client) (desired *Tree, secrets *Tree, err error) {
 

internal/operator/orbiter/destroy.go

@@ -15,7 +15,7 @@ func Destroy(gitClient *git.Client, adapt AdaptFunc) error {
 	}
 
 	treeCurrent := &Tree{}
-	_, destroy, _, _, err := adapt(treeDesired, treeSecrets, treeCurrent)
+	_, destroy, _, err := adapt(treeDesired, treeSecrets, treeCurrent)
 	if err != nil {
 		return err
 	}

internal/operator/orbiter/kinds/clusters/kubernetes/adapt.go

@@ -17,24 +17,28 @@ func AdaptFunc(
 	deployOrbiterAndBoom bool,
 	ensureProviders func(psf orbiter.PushSecretsFunc, nodeAgentsCurrent map[string]*common.NodeAgentCurrent, nodeAgentsDesired map[string]*common.NodeAgentSpec) (map[string]interface{}, error),
 	destroyProviders func() (map[string]interface{}, error)) orbiter.AdaptFunc {
-	return func(desiredTree *orbiter.Tree, secretsTree *orbiter.Tree, currentTree *orbiter.Tree) (ensureFunc orbiter.EnsureFunc, destroyFunc orbiter.DestroyFunc, readSecretFunc orbiter.ReadSecretFunc, writeSecretFunc orbiter.WriteSecretFunc, err error) {
+	return func(desiredTree *orbiter.Tree, secretsTree *orbiter.Tree, currentTree *orbiter.Tree) (ensureFunc orbiter.EnsureFunc, destroyFunc orbiter.DestroyFunc, secrets map[string]*orbiter.Secret, err error) {
 		defer func() {
 			err = errors.Wrapf(err, "building %s failed", desiredTree.Common.Kind)
 		}()
 
 		desiredKind := &DesiredV0{Common: *desiredTree.Common}
 		if err := desiredTree.Original.Decode(desiredKind); err != nil {
-			return nil, nil, nil, nil, errors.Wrap(err, "parsing desired state failed")
+			return nil, nil, nil, errors.Wrap(err, "parsing desired state failed")
 		}
 		desiredKind.Common.Version = "v0"
 		desiredTree.Parsed = desiredKind
 
+		if desiredKind.Spec.Verbose && !logger.IsVerbose() {
+			logger = logger.Verbose()
+		}
+
 		secretsKind := &SecretsV0{
 			Common:  *secretsTree.Common,
 			Secrets: Secrets{Kubeconfig: &orbiter.Secret{Masterkey: orb.Masterkey}},
 		}
 		if err := secretsTree.Original.Decode(secretsKind); err != nil {
-			return nil, nil, nil, nil, errors.Wrap(err, "parsing secrets failed")
+			return nil, nil, nil, errors.Wrap(err, "parsing secrets failed")
 		}
 		secretsKind.Common.Version = "v0"
 		secretsTree.Parsed = secretsKind
@@ -45,7 +49,7 @@ func AdaptFunc(
 
 		if deployOrbiterAndBoom && secretsKind.Secrets.Kubeconfig.Value != "" {
 			if err := ensureArtifacts(logger, secretsKind.Secrets.Kubeconfig, orb, takeoff, desiredKind.Spec.Versions.Orbiter, desiredKind.Spec.Versions.Boom); err != nil {
-				return nil, nil, nil, nil, err
+				return nil, nil, nil, err
 			}
 		}
 
@@ -58,10 +62,6 @@ func AdaptFunc(
 			Current: *current,
 		}
 
-		secretsMap := map[string]*orbiter.Secret{
-			"kubeconfig": secretsKind.Secrets.Kubeconfig,
-		}
-
 		return func(psf orbiter.PushSecretsFunc, nodeAgentsCurrent map[string]*common.NodeAgentCurrent, nodeAgentsDesired map[string]*common.NodeAgentSpec) (err error) {
 				defer func() {
 					err = errors.Wrapf(err, "ensuring %s failed", desiredKind.Common.Kind)
@@ -95,10 +95,8 @@ func AdaptFunc(
 				}
 
 				return destroy(providers, secretsKind.Secrets.Kubeconfig)
-			}, func(path []string) (string, error) {
-				return orbiter.AdaptReadSecret(path, nil, secretsMap)
-			}, func(path []string, value string) error {
-				return orbiter.AdaptWriteSecret(path, value, nil, secretsMap)
+			}, map[string]*orbiter.Secret{
+				"kubeconfig": secretsKind.Secrets.Kubeconfig,
 			}, nil
 	}
 }

internal/operator/orbiter/kinds/clusters/kubernetes/desired.go

@@ -6,7 +6,6 @@ import (
 
 type DesiredV0 struct {
 	Common orbiter.Common `yaml:",inline"`
-	Deps   map[string]*orbiter.Tree
 	Spec   struct {
 		Verbose  bool
 		Versions struct {

internal/operator/orbiter/kinds/clusters/kubernetes/secrets.go

@@ -7,7 +7,6 @@ import (
 type SecretsV0 struct {
 	Common  orbiter.Common `yaml:",inline"`
 	Secrets Secrets
-	Deps    map[string]*orbiter.Tree
 }
 
 type Secrets struct {

internal/operator/orbiter/kinds/loadbalancers/dynamic/adapt.go

@@ -14,16 +14,16 @@ import (
 )
 
 func AdaptFunc(remoteUser string) orbiter.AdaptFunc {
-	return func(desiredTree *orbiter.Tree, secretsTree *orbiter.Tree, currentTree *orbiter.Tree) (ensureFunc orbiter.EnsureFunc, destroyFunc orbiter.DestroyFunc, readSecretFunc orbiter.ReadSecretFunc, writeSecretFunc orbiter.WriteSecretFunc, err error) {
+	return func(desiredTree *orbiter.Tree, secretsTree *orbiter.Tree, currentTree *orbiter.Tree) (ensureFunc orbiter.EnsureFunc, destroyFunc orbiter.DestroyFunc, secrets map[string]*orbiter.Secret, err error) {
 		defer func() {
 			err = errors.Wrapf(err, "building %s failed", desiredTree.Common.Kind)
 		}()
 		desiredKind := &DesiredV0{Common: desiredTree.Common}
 		if err := desiredTree.Original.Decode(desiredKind); err != nil {
-			return nil, nil, nil, nil, errors.Wrapf(err, "unmarshaling desired state for kind %s failed", desiredTree.Common.Kind)
+			return nil, nil, nil, errors.Wrapf(err, "unmarshaling desired state for kind %s failed", desiredTree.Common.Kind)
 		}
 		if err := desiredKind.Validate(); err != nil {
-			return nil, nil, nil, nil, err
+			return nil, nil, nil, err
 		}
 		desiredKind.Common.Version = "v0"
 		desiredTree.Parsed = desiredKind
@@ -253,7 +253,7 @@ http {
 			}
 			return nil
 		}
-		return nil, nil, nil, nil, nil
+		return nil, nil, nil, nil
 	}
 }
 

internal/operator/orbiter/kinds/orb/adapt.go

@@ -16,30 +16,34 @@ func AdaptFunc(
 	orbiterCommit string,
 	oneoff bool,
 	deployOrbiterAndBoom bool) orbiter.AdaptFunc {
-	return func(desiredTree *orbiter.Tree, secretsTree *orbiter.Tree, currentTree *orbiter.Tree) (ensureFunc orbiter.EnsureFunc, destroyFunc orbiter.DestroyFunc, readSecretFunc orbiter.ReadSecretFunc, writeSecretFunc orbiter.WriteSecretFunc, err error) {
+	return func(desiredTree *orbiter.Tree, secretsTree *orbiter.Tree, currentTree *orbiter.Tree) (ensureFunc orbiter.EnsureFunc, destroyFunc orbiter.DestroyFunc, secrets map[string]*orbiter.Secret, err error) {
 		defer func() {
 			err = errors.Wrapf(err, "building %s failed", desiredTree.Common.Kind)
 		}()
 
 		desiredKind := &DesiredV0{Common: desiredTree.Common}
 		if err := desiredTree.Original.Decode(desiredKind); err != nil {
-			return nil, nil, nil, nil, errors.Wrap(err, "parsing desired state failed")
+			return nil, nil, nil, errors.Wrap(err, "parsing desired state failed")
 		}
 		desiredKind.Common.Version = "v0"
 		desiredTree.Parsed = desiredKind
 
+		if desiredKind.Spec.Verbose && !logger.IsVerbose() {
+			logger = logger.Verbose()
+		}
+
 		secretsKind := &SecretsV0{Common: secretsTree.Common}
 		if err := secretsTree.Original.Decode(secretsKind); err != nil {
-			return nil, nil, nil, nil, errors.Wrap(err, "parsing secrets failed")
+			return nil, nil, nil, errors.Wrap(err, "parsing secrets failed")
 		}
 		secretsKind.Common.Version = "v0"
 		secretsTree.Parsed = secretsKind
 
 		providerCurrents := make(map[string]*orbiter.Tree)
 		providerEnsurers := make([]orbiter.EnsureFunc, 0)
 		providerDestroyers := make([]orbiter.DestroyFunc, 0)
-		depSecretReaders := make(map[string]orbiter.ReadSecretFunc)
-		depSecretWriters := make(map[string]orbiter.WriteSecretFunc)
+		secrets = make(map[string]*orbiter.Secret)
+
 		for provID, providerTree := range desiredKind.Deps.Providers {
 
 			providerCurrent := &orbiter.Tree{}
@@ -80,17 +84,17 @@ func AdaptFunc(
 				//					updatesDisabled = append(updatesDisabled, desiredKind.Spec.ControlPlane.Pool)
 				//				}
 
-				providerEnsurer, providerDestroyer, providerSecretReader, providerSecretWriter, err := static.AdaptFunc(logger, orb.Masterkey, provID)(providerTree, providerSecretsTree, providerCurrent)
+				providerEnsurer, providerDestroyer, providerSecrets, err := static.AdaptFunc(logger, orb.Masterkey, provID)(providerTree, providerSecretsTree, providerCurrent)
 				if err != nil {
-					return nil, nil, nil, nil, err
+					return nil, nil, nil, err
 				}
 				providerEnsurers = append(providerEnsurers, providerEnsurer)
 				providerDestroyers = append(providerDestroyers, providerDestroyer)
-				depSecretReaders[provID] = providerSecretReader
-				depSecretWriters[provID] = providerSecretWriter
-				//				subassemblers[provIdx] = static.New(providerPath, generalOverwriteSpec, staticadapter.New(providerlogger, providerID, "/healthz", updatesDisabled, cfg.NodeAgent))
+				for path, secret := range providerSecrets {
+					secrets[orbiter.JoinPath(provID, path)] = secret
+				}
 			default:
-				return nil, nil, nil, nil, errors.Errorf("unknown provider kind %s", providerTree.Common.Kind)
+				return nil, nil, nil, errors.Errorf("unknown provider kind %s", providerTree.Common.Kind)
 			}
 		}
 
@@ -141,23 +145,24 @@ func AdaptFunc(
 
 			clusterSecretsTree, ok := secretsKind.Deps.Clusters[clusterID]
 			if !ok {
-				return nil, nil, nil, nil, errors.Errorf("no secrets found for cluster %s", clusterID)
+				return nil, nil, nil, errors.Errorf("no secrets found for cluster %s", clusterID)
 			}
 
 			switch clusterTree.Common.Kind {
 			case "orbiter.caos.ch/KubernetesCluster":
-				clusterEnsurer, clusterDestroyer, clusterSecretReader, clusterSecretWriter, err := kubernetes.AdaptFunc(logger, orb, orbiterCommit, clusterID, oneoff, deployOrbiterAndBoom, ensureProviders, destroyProviders)(clusterTree, clusterSecretsTree, clusterCurrent)
+				clusterEnsurer, clusterDestroyer, clusterSecrets, err := kubernetes.AdaptFunc(logger, orb, orbiterCommit, clusterID, oneoff, deployOrbiterAndBoom, ensureProviders, destroyProviders)(clusterTree, clusterSecretsTree, clusterCurrent)
 				if err != nil {
-					return nil, nil, nil, nil, err
+					return nil, nil, nil, err
 				}
 				clusterEnsurers = append(clusterEnsurers, clusterEnsurer)
 				clusterDestroyers = append(clusterDestroyers, clusterDestroyer)
-				depSecretReaders[clusterID] = clusterSecretReader
-				depSecretWriters[clusterID] = clusterSecretWriter
+				for path, secret := range clusterSecrets {
+					secrets[orbiter.JoinPath(clusterID, path)] = secret
+				}
 
 				//				subassemblers[provIdx] = static.New(providerPath, generalOverwriteSpec, staticadapter.New(providerlogger, providerID, "/healthz", updatesDisabled, cfg.NodeAgent))
 			default:
-				return nil, nil, nil, nil, errors.Errorf("unknown cluster kind %s", clusterTree.Common.Kind)
+				return nil, nil, nil, errors.Errorf("unknown cluster kind %s", clusterTree.Common.Kind)
 			}
 		}
 
@@ -194,10 +199,6 @@ func AdaptFunc(
 					}
 				}
 				return nil
-			}, func(path []string) (string, error) {
-				return orbiter.AdaptReadSecret(path, depSecretReaders, nil)
-			}, func(path []string, value string) error {
-				return orbiter.AdaptWriteSecret(path, value, depSecretWriters, nil)
-			}, nil
+			}, secrets, nil
 	}
 }

internal/operator/orbiter/kinds/orb/model.go

@@ -9,7 +9,10 @@ type Deps struct {
 
 type DesiredV0 struct {
 	Common *orbiter.Common `yaml:",inline"`
-	Deps   Deps
+	Spec   struct {
+		Verbose bool
+	}
+	Deps Deps
 }
 
 type SecretsV0 struct {