Transparent editing of Base64-encoded Kubernetes secrets 29 May 2024 on Krystian's Keep

I’ve been using Kubernetes a lot at work recently. One of the many frustrating things about it is that the contents of secrets are viewed and edited in Base64 encoding. To add insult to injury, a lot of third-party software for Kubernetes store configuration as secrets. Viewing them is not so painful. You can just pipe them to the base64 program, and you’re set. But if you want to edit them, prepare for a decode-edit-encode dance every time.

One time I broke and spent a few hours working on a tool that just lets me edit secrets in my favorite editor. Today I’d like to show you my Base64 Kubernetes secret editor: keditb64 (mirrored on SourceHut and on Codeberg). It retrieves and decodes any secret you point it at. It then opens $EDITOR or vim and lets you edit it. When you close the editor it encodes and writes contents back to the secret. It also supports gzipped secrets with flag -z, because I needed that for debugging Prometheus configuration at some point.

Let’s assume you have a secret defined by the following manifest:

apiVersion: v1
kind: Secret
metadata:
  namespace: mynamespace
  name: mysecret
data:
  mykey: bXlzZWNyZXRjb250ZW50cw==

You can then call keditb64 to edit the value of mysecretkey like this:

keditb64 -n mynamespace mysecret mykey

Before that, I did this: kubectl get secret mysecret -n mynamespace -o jsonpath='{.data.mykey}' | base64 -d, copy, vim, paste, edit, copy, base64 -w0, paste, Ctrl+d, copy, kubectl edit secret mysecret -n mynamespace, paste, save, close.

This process could probably be optimized without resorting to writing a new tool, but I figured, I’d just write one that does exactly what I want and how I want. Below are some real-world usage examples:

# Editing configuration of Alertmanager used with Prometheus Operator
keditb64 -n monitoring alertmanager-main alertmanager.yaml

# Viewing Prometheus configuration
keditb64 -p -z -n monitoring prometheus-k8s prometheus.yaml.gz

# Editing HTTP Basic Auth credentials
keditb64 -n apps auth-admin-docs users

# Editing TLS certificates
keditb64 -n monitoring blackbox-exporter-tls tls.crt

Although the tool already does everything I wanted it to, as always, contributions are welcome. If it proved useful to you, and you want to improve it, please send patches to my public inbox (address below) or submit them on Codeberg. See you next time!

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~krystianch/public-inbox@lists.sr.ht [mailing list etiquette]

Articles from blogs I read

FOSS tools for infrastructure testing

updated on 2025-04-04: added SPFToolbox Running even a single server connected to the internet can be a challenge these days. There are many technologies involved - some are arcane (DNS), some are constantly evolving (TLS), and some look simple but are amazi…

via blogfehler! April 4, 2025

A Firefox addon for putting prices into perspective

I had a fun idea for a small project this weekend, and so I quickly put it together over the couple of days. The result is Price Perspective. Humor me: have you ever bought something, considered the price, and wondered how that price would look to someone el…

via Drew DeVault's blog April 4, 2025

Announcing docs.sourcehut.org

Today, I’d like to show off our new documentation site dedicated to SourceHut’s (and hence sr.ht’s) GraphQL APIs: docs.sourcehut.org. Our work to move from the legacy REST API to a GraphQL API is still ongoing, and certain features we are aiming for (such as…

via Blogs on Sourcehut March 27, 2025

Generated by openring