Transparent editing of Base64-encoded Kubernetes secrets 29 May 2024 on Krystian's Keep

I’ve been using Kubernetes a lot at work recently. One of the many frustrating things about it is that the contents of secrets are viewed and edited in Base64 encoding. To add insult to injury, a lot of third-party software for Kubernetes store configuration as secrets. Viewing them is not so painful. You can just pipe them to the base64 program, and you’re set. But if you want to edit them, prepare for a decode-edit-encode dance every time.

One time I broke and spent a few hours working on a tool that just lets me edit secrets in my favorite editor. Today I’d like to show you my Base64 Kubernetes secret editor: keditb64 (mirrored on SourceHut and on Codeberg). It retrieves and decodes any secret you point it at. It then opens $EDITOR or vim and lets you edit it. When you close the editor it encodes and writes contents back to the secret. It also supports gzipped secrets with flag -z, because I needed that for debugging Prometheus configuration at some point.

Let’s assume you have a secret defined by the following manifest:

apiVersion: v1
kind: Secret
metadata:
  namespace: mynamespace
  name: mysecret
data:
  mykey: bXlzZWNyZXRjb250ZW50cw==

You can then call keditb64 to edit the value of mysecretkey like this:

keditb64 -n mynamespace mysecret mykey

Before that, I did this: kubectl get secret mysecret -n mynamespace -o jsonpath='{.data.mykey}' | base64 -d, copy, vim, paste, edit, copy, base64 -w0, paste, Ctrl+d, copy, kubectl edit secret mysecret -n mynamespace, paste, save, close.

This process could probably be optimized without resorting to writing a new tool, but I figured, I’d just write one that does exactly what I want and how I want. Below are some real-world usage examples:

# Editing configuration of Alertmanager used with Prometheus Operator
keditb64 -n monitoring alertmanager-main alertmanager.yaml

# Viewing Prometheus configuration
keditb64 -p -z -n monitoring prometheus-k8s prometheus.yaml.gz

# Editing HTTP Basic Auth credentials
keditb64 -n apps auth-admin-docs users

# Editing TLS certificates
keditb64 -n monitoring blackbox-exporter-tls tls.crt

Although the tool already does everything I wanted it to, as always, contributions are welcome. If it proved useful to you, and you want to improve it, please send patches to my public inbox (address below) or submit them on Codeberg. See you next time!

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~krystianch/public-inbox@lists.sr.ht [mailing list etiquette]

Articles from blogs I read

What's cooking on SourceHut? Q4 2025

Hi everyone! We hope you’re reading today’s update under as many blankets as possible, ideally in front of a warm fireplace, as the cold of winter starts to set in. You may have read our last update in the third quarter – it’s time again to take a look at wh…

via Blogs on Sourcehut November 20, 2025

Status update, November 2025

Hi! This month a lot of new features have added to the Goguma mobile IRC client. Hubert Hirtz has implemented drafts so that unsent text gets saved and network disconnections don’t disrupt users typing a message. He also enabled replying to one’s own messages…

via emersion November 16, 2025

OpenAI employees… are you okay?

You might have seen an article making the rounds this week, about a young man who ended his life after ChatGPT encouraged him to do so. The chat logs are really upsetting. Someone two degrees removed from me took their life a few weeks ago. A close friend rel…

via Drew DeVault's blog November 8, 2025

Generated by openring