Transparent editing of Base64-encoded Kubernetes secrets 29 May 2024 on Krystian's Keep

I’ve been using Kubernetes a lot at work recently. One of the many frustrating things about it is that the contents of secrets are viewed and edited in Base64 encoding. To add insult to injury, a lot of third-party software for Kubernetes store configuration as secrets. Viewing them is not so painful. You can just pipe them to the base64 program, and you’re set. But if you want to edit them, prepare for a decode-edit-encode dance every time.

One time I broke and spent a few hours working on a tool that just lets me edit secrets in my favorite editor. Today I’d like to show you my Base64 Kubernetes secret editor: keditb64 (mirrored on SourceHut and on Codeberg). It retrieves and decodes any secret you point it at. It then opens $EDITOR or vim and lets you edit it. When you close the editor it encodes and writes contents back to the secret. It also supports gzipped secrets with flag -z, because I needed that for debugging Prometheus configuration at some point.

Let’s assume you have a secret defined by the following manifest:

apiVersion: v1
kind: Secret
metadata:
  namespace: mynamespace
  name: mysecret
data:
  mykey: bXlzZWNyZXRjb250ZW50cw==

You can then call keditb64 to edit the value of mysecretkey like this:

keditb64 -n mynamespace mysecret mykey

Before that, I did this: kubectl get secret mysecret -n mynamespace -o jsonpath='{.data.mykey}' | base64 -d, copy, vim, paste, edit, copy, base64 -w0, paste, Ctrl+d, copy, kubectl edit secret mysecret -n mynamespace, paste, save, close.

This process could probably be optimized without resorting to writing a new tool, but I figured, I’d just write one that does exactly what I want and how I want. Below are some real-world usage examples:

# Editing configuration of Alertmanager used with Prometheus Operator
keditb64 -n monitoring alertmanager-main alertmanager.yaml

# Viewing Prometheus configuration
keditb64 -p -z -n monitoring prometheus-k8s prometheus.yaml.gz

# Editing HTTP Basic Auth credentials
keditb64 -n apps auth-admin-docs users

# Editing TLS certificates
keditb64 -n monitoring blackbox-exporter-tls tls.crt

Although the tool already does everything I wanted it to, as always, contributions are welcome. If it proved useful to you, and you want to improve it, please send patches to my public inbox (address below) or submit them on Codeberg. See you next time!

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~krystianch/public-inbox@lists.sr.ht [mailing list etiquette]

Articles from blogs I read

SourceHut is now accepting payments in Euro

I’m pleased to announce that, as part of our broader plans to migrate SourceHut to Europe, and after many months of hard work, SourceHut has begun to accept subscription payments in Euro today – one of our oldest and most highly demanded feature requests. Th…

via Blogs on Sourcehut July 10, 2025

Just speak the truth

Today, we’re looking at two case studies in how to respond when reactionaries appear in your free software community. Exhibit A It is a technical decision. The technical reason is that the security team does not have the bandwidth to provide lifecycle maintena…

via Drew DeVault's blog June 30, 2025

Status update, June 2025

Hi all! This month, two large patch series have been merged into wlroots! The first one is toplevel capture, which will allow tools such as grim and xdg-desktop-portal-wlr to capture the contents of a specific window. The wlroots side is super simple because …

via emersion June 21, 2025

Generated by openring