dtan4 / k8sec Goto Github PK

View Code? Open in Web Editor NEW

257.0 7.0 24.0 462 KB

CLI tool to manage Kubernetes Secrets easily

License: MIT License

Makefile 2.02% Go 97.37% Dockerfile 0.61%

kubernetes kubernetes-secrets

k8sec's Introduction

k8sec

CLI tool to manage Kubernetes Secrets easily

Requirements

Kubernetes 1.18 or above

Installation

Using Homebrew (OS X only)

Formula is available at dtan4/homebrew-dtan4.

brew tap dtan4/tools
brew install k8sec

Precompiled binary

Precompiled binaries for Windows, OS X, Linux are available at Releases.

From source

go get -d github.com/dtan4/k8sec
cd $GOPATH/src/github.com/dtan4/k8sec
make install

Docker image

Docker image is no longer provided officially. If you'd like to run k8sec in Docker image, see Dockerfile and build image by yourself.

docker build -t k8sec .

Usage

Global options

Option	Description	Default
`--context=CONTEXT`	Kubernetes context
`--kubeconfig=KUBECONFIG`	Path of kubeconfig	`~/.kube/config`
`-n`, `--namespace=NAMESPACE`	Kubernetes namespace	`default`
`-h`, `-help`	Print command line usage

`k8sec list`

List secrets

$ k8sec list [--base64] [NAME]

# Example
$ k8sec list rails
NAME    TYPE    KEY             VALUE
rails   Opaque  database-url    "postgres://example.com:5432/dbname"

# Show values as base64-encoded string
$ k8sec list --base64 rails
NAME    TYPE    KEY             VALUE
rails   Opaque  database-url    cG9zdGdyZXM6Ly9leGFtcGxlLmNvbTo1NDMyL2RibmFtZQ==

`k8sec set`

Set secrets

$ k8sec set [--base64] NAME KEY1=VALUE1 [KEY2=VALUE2 ...]

$ k8sec set rails rails-env=production
rails

# Set base64-encoded value
$ echo -n dtan4 | base64
ZHRhbjQ=
$ k8sec set --base64 rails foo=ZHRhbjQ=
rails

# Result
$ k8sec list rails
NAME    TYPE    KEY             VALUE
rails   Opaque  database-url    "postgres://example.com:5432/dbname"
rails   Opaque  foo             "dtan4"

`k8sec unset`

Unset secrets

$ k8sec unset NAME KEY1 KEY2...

# Example
$ k8sec unset rails rails-env

`k8sec load`

Load secrets from dotenv (key=value) format text

$ k8sec load [-f FILENAME] NAME

# Example
$ cat .env
database-url="postgres://example.com:5432/dbname"
$ k8sec load -f .env rails

# Load from stdin
$ cat .env | k8sec load rails

`k8sec dump`

Dump secrets as dotenv (key=value) format

$ k8sec dump [-f FILENAME] [--noquotes] [NAME]

# Example
$ k8sec dump rails
database-url="postgres://example.com:5432/dbname"

# Save as .env
$ k8sec dump -f .env rails
$ cat .env
database-url="postgres://example.com:5432/dbname"

# Save as .env without qoutes
$ k8sec dump -f .env --noquotes rails
$ cat .env
database-url=postgres://example.com:5432/dbname

Contribution

Fork (https://github.com/dtan4/k8sec/fork)
Create a feature branch
Commit your changes
Rebase your local changes against the master branch
Run test suite with the go test ./... command and confirm that it passes
Run gofmt -s
Create a new Pull Request

Author

dtan4

License

k8sec's People

Contributors

Stargazers

Watchers

k8sec's Issues

I/O timeout when using k8sec

Occasionally I am getting timeout exception on any k8sec command:

read udp <IP>:<PORT> ->8.8.8.8:53: i/o timeout

Error while using k8sec without any other kubectl command before

Hello,

I'm using k8sec on my CD server to update my kubernetes secrets before deploying. I encounter an issue with k8sec, when no other kubectl command has run before.

When I do this command
$ k8sec set --base64 MY_SECRET KEY=$VAL

I get the following error:

Failed to get current secret. name=MY_SECRET KEY: Get https://kube.master.ip/api/v1/namespaces/default/secrets: error executing access token command "/google-cloud-sdk/bin/gcloud ": exit status 2

If I run a kubectl command before (like kubectl get secrets), my k8sec set command succeed.
Note that I also get this error sometimes on my local machine.

Thanks for your tool!

Doesn't work with EKS via `heptio-authenticator-aws`

Summary

I'm running on EKS using the heptio-authentiator-aws tool for authorization and it seems k8sec doesn't engage with that.

Details

I'm using EKS and have this in my .kube/config:

users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: heptio-authenticator-aws
      args:
        - "token"
        - "-i"
        - "<cluster_name>"

I can use kubectl get secrets and create secret generic from the command line, but when I use k8sec, I get:

Failed to retrieve secrets.: secrets "test-secret" is forbidden: User "system:anonymous" cannot get secrets in the namespace "default"

Not using env KUBECONFIG

k8sec tries to use the default ~/.kube/config. It does not use the exported KUBECONFIG env variable to get the kubeconfig file path.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

chore(deps): update codecov/codecov-action action to v4

Detected dependencies

github-actions

.github/workflows/release.yaml

actions/checkout v4

actions/setup-go v5

goreleaser/goreleaser-action v5

.github/workflows/test.yaml

actions/checkout v4

actions/setup-go v5

codecov/codecov-action v3

aquasecurity/trivy-action 0.19.0

gomod

go.mod

github.com/pkg/errors v0.9.1

github.com/spf13/cobra v1.8.0

k8s.io/api v0.29.4

k8s.io/apimachinery v0.29.4

k8s.io/client-go v0.29.4

Check this box to trigger a request for Renovate to run again on this repository

bash/zsh completions

It would be really handy to have zsh completions. Would be really nice not to type secret name, but just start typing and press tab.

Something on pair with kubectl completion zsh or helm completion zsh, kops completion zsh etc.

Version is incorrectly reported in CLI

The version reported by k8sec version does not correspond to the version that was released. Release 0.7.0 reports itself to be version 0.5.1.

Background: I am the author of a tool called vk, which can install and update single-binary CLI tools, such as k8sec, which are on Github. It depends on the tools themselves reporting a version number, which corresponds to the release tag used in Github. As such, it means that every time vk update is run, it will see that k8sec is version 0.5.1 and download the latest release from Github, which is actually the one already installed.

Other than that, thank you for a great Kubernetes tool, that I use almost daily! :)

Error when trying to run `brew tap`

Getting the following when running

brew tap dtan4/tools

Error: Invalid formula: /opt/homebrew/Library/Taps/dtan4/homebrew-tools/Formula/ghrls.rb
ghrls: Calling bottle :unneeded is disabled! There is no replacement.
Please report this issue to the dtan4/tools tap (not Homebrew/brew or Homebrew/core):
  /opt/homebrew/Library/Taps/dtan4/homebrew-tools/Formula/ghrls.rb:9

Error: Invalid formula: /opt/homebrew/Library/Taps/dtan4/homebrew-tools/Formula/s3url.rb
s3url: Calling bottle :unneeded is disabled! There is no replacement.
Please report this issue to the dtan4/tools tap (not Homebrew/brew or Homebrew/core):
  /opt/homebrew/Library/Taps/dtan4/homebrew-tools/Formula/s3url.rb:6

Error: Cannot tap dtan4/tools: invalid syntax in tap!

Running version

Homebrew 3.4.0
Homebrew/homebrew-core (git revision d731ada6fb4; last commit 2022-03-04)
Homebrew/homebrew-cask (git revision fe09f6227a; last commit 2022-03-04)

gcloud 270.0.0 version problem

Google cloud sdk version:

Google Cloud SDK 270.0.0
beta 2019.05.17
bq 2.0.49
core 2019.11.04
gsutil 4.46```

k8sec list
Failed to retrieve secrets.: Get https://HOST/api/v1/namespaces/default/secrets: error executing access token command "/usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gcloud ": exit status 2