Kubernetes secrets
Secrets management tools
sealed-secrets
- github
- flux with sealed-secrets
- helm chart
- helm chart source
- example ca.crt to test local encryption
- Tutorial
- cli-tool:
brew install kubeseal
- Sealed Secrets decrypts the secret server-side, like sops
sealed-secrets vs. sops:
- sealed-secrets doesn't bloat the encrypted file with a metadata footer
Sops
see ~/docs/security/passwords/sops.md, also for the different SOPS operators
helm-secrets
- Helm-secrets decrypts the secret client-side, therefore there is no support for helm-secrets in flux
- Backends:
  - Sops
  - Hashicorp Vault
Hashicorp Vault
- Vault
- No support for helm-secrets in flux
- vault-secrets-operator
Other tools
- kubernetes-external-secrets
- kubernetes-sigs/secrets-store-csi-driver
- Kamus: last commit 2022
- kapicorp/tesoro
Etc
Generate kubernetes secret manifest from stdin:
echo -n bar | kubectl create secret generic mysecret --dry-run=client \
--from-file=foo=/dev/stdin -o yaml
Generate ssh-private-key secret from file:
kubectl create secret generic ssh-private-key --dry-run=client -o yaml \
--from-file=id_ed25519=/home/varac/.ssh/deploy-keys/tym-flow
nginx/apache basic-auth
ingress-nginx docs: Basic auth
export BA_USER=tym-flow BA_PW=$(gopass show --password basic-auth/tym-flow) \
NAME=tym-flow-staging-basic-auth NAMESPACE=tym-flow
htpasswd -b -n "$BA_USER" "$BA_PW" | head -1 | kubectl -n $NAMESPACE \
create secret generic --dry-run=client --from-file=auth=/dev/stdin \
-o yaml $NAME | yq eval 'del(.metadata.creationTimestamp)' - > ${NAME}.yaml
Optionally encrypt secret with sops:
sops -e -i --encrypted-regex '^(data)$' ${NAME}.yaml
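Added check (not from these notes or from sops itself): before `${NAME}.yaml` goes into git, confirm that sops actually ran and that every secret field is encrypted. The `--encrypted-regex '^(data)$'` above matches only the key named `data`, so a manifest that carries `stringData` would be committed in plaintext. The check below works on the JSON form of the manifest (`kubectl ... -o json`; sops encrypts JSON like YAML) and assumes sops' `ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]` value envelope; all sample manifests are constructed.

```python
"""Flag secret fields that would land in git as plaintext (added example, not sops tooling)."""
import json
import re

# sops writes every encrypted scalar in this envelope. Anything else under `data` is
# still plaintext: base64 is an encoding, not encryption.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:(str|int|float|bool)\]$"
)


def unprotected_fields(manifest_text):
    """Return the fields of a Secret manifest (JSON text) that are not sops-encrypted.

    Flags `data` values that are not sops envelopes, every `stringData` key (the
    regex '^(data)$' never touches that map), and a missing `sops` metadata block.
    """
    manifest = json.loads(manifest_text)
    problems = []
    for key, value in manifest.get("data", {}).items():
        if not (isinstance(value, str) and ENC_RE.match(value)):
            problems.append(f"data.{key}")
    for key in manifest.get("stringData", {}):
        problems.append(f"stringData.{key}")
    has_secrets = "data" in manifest or "stringData" in manifest
    if has_secrets and "sops" not in manifest:
        problems.append("<missing sops metadata block>")
    return problems


def is_safe_to_commit(manifest_text):
    return not unprotected_fields(manifest_text)


_META = {"name": "tym-flow-staging-basic-auth", "namespace": "tym-flow"}

# Constructed: what `kubectl create secret ... -o json` prints before sops runs.
PLAINTEXT_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": _META,
    "data": {"auth": "dXNlcjo8Y29uc3RydWN0ZWQtaGFzaD4="},  # base64, not encrypted
})

# Constructed, shaped like sops output; ciphertext/iv/tag/mac bytes are dummies.
ENCRYPTED_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": _META,
    "data": {"auth": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]"},
    "sops": {"mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"},
})

# Constructed: same file, but someone added a stringData key after encrypting.
STRINGDATA_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": _META,
    "data": {"auth": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]"},
    "stringData": {"auth": "user:<constructed-hash>"},
    "sops": {"mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"},
})

if __name__ == "__main__":
    for label, text in [("plaintext", PLAINTEXT_SECRET),
                        ("encrypted", ENCRYPTED_SECRET),
                        ("stringData", STRINGDATA_SECRET)]:
        print(f"{label}: {unprotected_fields(text) or 'ok'}")
```

Run it as a pre-commit hook over every `*-secret.json`/`.yaml` (after converting YAML to JSON) and refuse the commit when the list is non-empty.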
Decode secrets
Kubectl secret plugins
kubectl-modify-secret
- https://github.com/rajatjindal/kubectl-modify-secret
- Can only modify secrets stored in a cluster, not local files.
Install:
kubectl krew install modify-secret
view-secret kubectl plugin
https://github.com/elsesiy/kubectl-view-secret
Works nicely!
Decodes secrets. If there's only one key in the secret, it's printed. If there are multiple keys in the secret, it prints the keys and exits. In that case, specify the data key in the secret as another argument.
Install plugin:
kubectl krew install view-secret
View secrets:
kubectl view-secret foo
kubectl view-secret foo key.json
kubectl view-secret -n oas prometheus-settings values.yaml
Unmaintained: ksd / kubernetes-secret-decode
https://github.com/ashleyschuett/kubernetes-secret-decode
PR to include in krew plugin list was closed without being merged.
I can't get it to work :/
Manually with kubectl and jq
If you have a recent jq (>= 1.6.0 is needed):
kc -n oas get secret oas-test-prometheus-promet-prometheus-scrape-confg \
-o json | jq '.data | map_values(@base64d)'
kubectl -n oas get secret monitoring-settings -o json | \
jq '.data | map_values(@base64d)' | jq -r '."values.yaml"'
or use alias:
kc -n oas get secret oas-test-prometheus-promet-prometheus-scrape-confg \
-o json | decode_secrets
Using jsonpath:
kc -n oas get secret oas-test-prometheus-promet-prometheus-scrape-confg \
-o jsonpath="{.data.additional-scrape-configs\.yaml}" | base64 -d
(but I can't get this to work with dashes or slashes in the name of a secret)
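Added example (not from these notes, not the view-secret plugin's code): the same decoding as `jq '.data | map_values(@base64d)'` and as view-secret's one-key / many-keys behaviour, done offline on the JSON that `kubectl get secret <name> -o json` prints. Because the key lookup is a plain dict access, key names with dots or dashes such as `additional-scrape-configs.yaml` need none of the jsonpath escaping above. Binary values (a keystore, a raw key) are returned as bytes instead of being force-decoded. The embedded secret is constructed; only the key names come from these notes.

```python
"""Decode Kubernetes Secret JSON like view-secret / jq do (added example)."""
import base64
import json


def _decode_value(b64_text):
    """Base64-decode one data value; keep bytes if it is not valid UTF-8."""
    raw = base64.b64decode(b64_text, validate=True)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw


def decode_secret(manifest_text, key=None):
    """Mirror `kubectl view-secret <name> [key]` on the `.data` map.

    - one key and no selector: return that value decoded
    - several keys and no selector: return the sorted key names, caller picks one
    - selector given: decode just that key (dots/dashes in the name are fine)
    """
    data = json.loads(manifest_text).get("data", {})
    if key is None:
        if len(data) != 1:
            return sorted(data)
        (key,) = data
    return _decode_value(data[key])


def decode_all(manifest_text):
    """Same as `jq '.data | map_values(@base64d)'`: decode every value."""
    data = json.loads(manifest_text).get("data", {})
    return {k: _decode_value(v) for k, v in data.items()}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample standing in for `kubectl -n oas get secret prometheus-settings -o json`.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "prometheus-settings", "namespace": "oas"},
    "data": {
        "values.yaml": _b64("retention: 15d\n"),
        "additional-scrape-configs.yaml": _b64("- job_name: node\n  static_configs: []\n"),
    },
})

# Constructed single-key sample, like the basic-auth secret above.
SINGLE_KEY_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "tym-flow-staging-basic-auth", "namespace": "tym-flow"},
    "data": {"auth": _b64("user:<constructed-hash>\n")},
})

if __name__ == "__main__":
    print(decode_secret(SAMPLE_SECRET))                  # lists the two keys
    print(decode_secret(SAMPLE_SECRET, "values.yaml"))   # decodes one key
    print(decode_secret(SINGLE_KEY_SECRET))              # single key: decoded directly
```

Usage with a real cluster: `kubectl -n oas get secret prometheus-settings -o json > secret.json` and pass the file's text to `decode_secret`.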