If you haven't come across Kubernetes, I suggest looking at some of the many resources available online for it. If you have, and you've dealt with secrets, then you'll have come across a niggling issue when defining configurations.

Kubernetes Secrets are configured with the secret data base64 encoded. It's important to point out, if you didn't already know, that base64 does not encrypt your data; it merely encodes it (its history is in sending 8-bit files through 7-bit email systems, those were the days!).

This is a bit of a hassle. One way to encode the objects is to use the command-line tool base64 and pipe in the secret, e.g.:

echo -n "super-secret-sauce" | base64  

Now, I know you are asking what the -n is for. If you try it on the command line you'll see that it just means no newline. The reason for putting it in is that base64 will also encode the newline, and unless you've started putting CRs or LFs into your secrets, you don't want it there. I've seen a few issues online, as well as my own, caused simply by encoding the newline. It's easy to do.

So this has two issues: first, as mentioned above, the newline is encoded too; second, unless you kill your terminal history, your secret is stored there too. I'm sure your history file is a go-to place for a hacker.

To solve these issues I wrote kube_secrets_encode. It works with Kubernetes YAML config files, and when it finds a secret it will either encode or decode the values based on the options, e.g.:
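Both pitfalls can also be handled with plain shell. The following is an added example, not part of kube_secrets_encode; the function names encode_secret and has_trailing_newline are hypothetical. It reads the secret from stdin so it never lands in the history file, and checks an existing encoded value for a stray newline.

```shell
#!/bin/sh
# Added example; encode_secret and has_trailing_newline are hypothetical names.

# Encode one secret read from stdin. The value is never a command-line
# argument, so it is not written to the shell history file.
# The function body runs in a subshell, so $value does not leak to the caller.
encode_secret() (
    if [ -t 0 ]; then
        # Interactive use: prompt on stderr and turn terminal echo off.
        printf 'Secret: ' >&2
        stty -echo
        IFS= read -r value || true
        stty echo
        printf '\n' >&2
    else
        # Piped input: read drops the line terminator, if there is one.
        IFS= read -r value || true
    fi
    # printf '%s' writes exactly the secret's bytes, with no newline added.
    # tr removes base64's own line wrapping and trailing newline.
    printf '%s' "$value" | base64 | tr -d '\n'
)

# Succeed (exit 0) if the base64 value in $1 decodes to data whose last
# byte is LF (0a) or CR (0d), i.e. a newline was encoded by mistake.
has_trailing_newline() {
    last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || [ "$last" = "0d" ]
}
```

Run `encode_secret` with no input redirection to be prompted for the value, and pass a value copied from an existing manifest to `has_trailing_newline` to see whether it was encoded without -n.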

kube_secrets_encode --decode --file=my-kube-config.yaml  

This will print the decoded result to the screen. If you want to persist the change, add --yes:

kube_secrets_encode --decode --file=my-kube-config.yaml --yes  

The file is now saved decoded, so you can edit your secrets. To encode again, simply run without the --decode flag:

kube_secrets_encode --file=my-kube-config.yaml --yes  

And the file is encoded again.


If you've got any commented-out YAML, it will remove it (see the GitHub issue).