Transparent editing of Base64-encoded Kubernetes secrets 29 May 2024 on Krystian's Keep

I’ve been using Kubernetes a lot at work recently. One of the many frustrating things about it is that the contents of secrets are viewed and edited in Base64 encoding. To add insult to injury, a lot of third-party software for Kubernetes store configuration as secrets. Viewing them is not so painful. You can just pipe them to the base64 program, and you’re set. But if you want to edit them, prepare for a decode-edit-encode dance every time.

One time I broke and spent a few hours working on a tool that just lets me edit secrets in my favorite editor. Today I’d like to show you my Base64 Kubernetes secret editor: keditb64 (mirrored on SourceHut and on Codeberg). It retrieves and decodes any secret you point it at. It then opens $EDITOR or vim and lets you edit it. When you close the editor it encodes and writes contents back to the secret. It also supports gzipped secrets with flag -z, because I needed that for debugging Prometheus configuration at some point.

Let’s assume you have a secret defined by the following manifest:

apiVersion: v1
kind: Secret
metadata:
  namespace: mynamespace
  name: mysecret
data:
  mykey: bXlzZWNyZXRjb250ZW50cw==

You can then call keditb64 to edit the value of mysecretkey like this:

keditb64 -n mynamespace mysecret mykey

Before that, I did this: kubectl get secret mysecret -n mynamespace -o jsonpath='{.data.mykey}' | base64 -d, copy, vim, paste, edit, copy, base64 -w0, paste, Ctrl+d, copy, kubectl edit secret mysecret -n mynamespace, paste, save, close.

This process could probably be optimized without resorting to writing a new tool, but I figured, I’d just write one that does exactly what I want and how I want. Below are some real-world usage examples:

# Editing configuration of Alertmanager used with Prometheus Operator
keditb64 -n monitoring alertmanager-main alertmanager.yaml

# Viewing Prometheus configuration
keditb64 -p -z -n monitoring prometheus-k8s prometheus.yaml.gz

# Editing HTTP Basic Auth credentials
keditb64 -n apps auth-admin-docs users

# Editing TLS certificates
keditb64 -n monitoring blackbox-exporter-tls tls.crt

Although the tool already does everything I wanted it to, as always, contributions are welcome. If it proved useful to you, and you want to improve it, please send patches to my public inbox (address below) or submit them on Codeberg. See you next time!

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~krystianch/public-inbox@lists.sr.ht [mailing list etiquette]

Articles from blogs I read

The European NGI fund must be renewed

In 2022, SourceHut was selected for funding from the European Union’s NGI fund. This fund has been used to provide small grants to many free software projects since 2020, and the impact of these grants has been enormous. In SourceHut’s case, the grant is dir…

via Blogs on Sourcehut July 18, 2024

So you want to compete with or replace open source

We are living through an interesting moment in source-available software.1 The open source movement has always had, and continues to have, a solid grounding in grassroots programmers building tools for themselves and forming communities around them. Some loo…

via Drew DeVault's blog July 16, 2024

Status update, July 2024

Hi! This month wlroots 0.18.0 has been released! This new version includes a fair share of niceties: ICC profiles, GPU reset recovery, less black screens when plugging in a monitor on Intel, a whole bunch of new protocol implementations, and much more. Thanks…

via emersion July 16, 2024

Generated by openring