Transparent editing of Base64-encoded Kubernetes secrets 29 May 2024 on Krystian's Keep

I’ve been using Kubernetes a lot at work recently. One of the many frustrating things about it is that the contents of secrets are viewed and edited in Base64 encoding. To add insult to injury, a lot of third-party software for Kubernetes store configuration as secrets. Viewing them is not so painful. You can just pipe them to the base64 program, and you’re set. But if you want to edit them, prepare for a decode-edit-encode dance every time.

One time I broke and spent a few hours working on a tool that just lets me edit secrets in my favorite editor. Today I’d like to show you my Base64 Kubernetes secret editor: keditb64 (mirrored on SourceHut and on Codeberg). It retrieves and decodes any secret you point it at. It then opens $EDITOR or vim and lets you edit it. When you close the editor it encodes and writes contents back to the secret. It also supports gzipped secrets with flag -z, because I needed that for debugging Prometheus configuration at some point.

Let’s assume you have a secret defined by the following manifest:

apiVersion: v1
kind: Secret
metadata:
  namespace: mynamespace
  name: mysecret
data:
  mykey: bXlzZWNyZXRjb250ZW50cw==

You can then call keditb64 to edit the value of mysecretkey like this:

keditb64 -n mynamespace mysecret mykey

Before that, I did this: kubectl get secret mysecret -n mynamespace -o jsonpath='{.data.mykey}' | base64 -d, copy, vim, paste, edit, copy, base64 -w0, paste, Ctrl+d, copy, kubectl edit secret mysecret -n mynamespace, paste, save, close.

This process could probably be optimized without resorting to writing a new tool, but I figured, I’d just write one that does exactly what I want and how I want. Below are some real-world usage examples:

# Editing configuration of Alertmanager used with Prometheus Operator
keditb64 -n monitoring alertmanager-main alertmanager.yaml

# Viewing Prometheus configuration
keditb64 -p -z -n monitoring prometheus-k8s prometheus.yaml.gz

# Editing HTTP Basic Auth credentials
keditb64 -n apps auth-admin-docs users

# Editing TLS certificates
keditb64 -n monitoring blackbox-exporter-tls tls.crt

Although the tool already does everything I wanted it to, as always, contributions are welcome. If it proved useful to you, and you want to improve it, please send patches to my public inbox (address below) or submit them on Codeberg. See you next time!

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~krystianch/public-inbox@lists.sr.ht [mailing list etiquette]

Articles from blogs I read

Announcing vali, a C library for Varlink

In the past months I’ve been working on vali, a C library for Varlink. Today I’m publishing the first vali release! I’d like to explain how to use it for readers who aren’t especially familiar with Varlink, and describe some interesting API design decisions. …

via emersion October 4, 2025

Cloudflare bankrolls fascists

US politics has been pretty fascist lately. The state is filling up concentration camps, engaging in mass state violence against people on the basis of racialized traits, deporting them to random countries without any respect for habeas corpus, exerting stat…

via Drew DeVault's blog September 24, 2025

What's cooking on SourceHut? Q3 2025

Hello everyone! It’s time for another quarterly update on what we’re up to at SourceHut. There’s a lot of great stuff going on since you last heard from us! Let’s get started. Drew’s update We finally rolled out the billing overhaul! God, that was so much work…

via Blogs on Sourcehut September 1, 2025

Generated by openring