From aa82a16879a0837e7f03511e977eb1957ac656fc Mon Sep 17 00:00:00 2001
From: Maxim Likhachev
Date: Mon, 14 Sep 2020 18:22:21 +0300
Subject: [PATCH] kubectl-secret: decode k8s' secrets safely
---
kubectl-secret | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
kubectl-secrets | 1 +
2 files changed, 86 insertions(+)
create mode 100755 kubectl-secret
create mode 120000 kubectl-secrets
diff --git a/kubectl-secret b/kubectl-secret
new file mode 100755
index 0000000..a454cef
--- /dev/null
+++ b/kubectl-secret
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2020, Maxim Lihachev,
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the Free
+# Software Foundation, version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+usage() {
+ echo -e "$(basename "$0") is a wrapper for \`kubectl get secret' to decoding secrets automatically.\n"
+ echo -e "USAGE: $(basename "$0" | tr '-' ' ') [-h|-d|-s] [standard kubectl selectors]\n"
+
+ echo -e "Command line arguments:"
+ echo -e " -h --help show this help"
+ echo -e " -s --simple show only secrets"
+ echo -e " -d --decode show decoded data as plain text"
+ echo -e " (by default it shows under the link)\n"
+
+ exit "${1:-0}"
+}
+
+KUBECTL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+ key="$1"
+
+ case $key in
+ -h|--help) usage 0;;
+ -d|--decode) DECODE=true; shift;;
+ -s|--simple) SIMPLE=true; shift;;
+ *) KUBECTL_ARGS+=("$1"); shift;;
+ esac
+done
+
+set -- "${KUBECTL_ARGS[@]}"
+
+#-------------------------------------------------------------------------------
+
+MANIFEST=$(kubectl get secret "${KUBECTL_ARGS[@]}" -o yaml)
+
+#-------------------------------------------------------------------------------
+
+if grep -E -q '^kind: List' <<<"$MANIFEST"; then
+ DELIMITER=" "
+else
+ DELIMITER=" "
+fi
+
+IFS=$'\n'
+
+REGEX_DATA="^${DELIMITER/ /}data:"
+REGEX_SECRET="^${DELIMITER}[[:print:]]+:[[:space:]]+.*$"
+
+while read -r line; do
+ if [[ "$line" =~ $REGEX_DATA ]]; then
+ DATA=1
+ elif [[ "$DATA" -eq 1 ]] && [[ "$line" =~ $REGEX_SECRET ]]; then
+ secret=${line//[[:space:]]/}
+ key=${secret/:*}
+ value=${secret/*:}
+
+ if [ "$DECODE" == "true" ]; then
+ echo -e "${DELIMITER}${key}: $(base64 -d <<<"$value")"
+ else
+ echo -e "${DELIMITER}${key}: \e]8;;$(base64 -d <<<"$value")\e\\\\${value}\e]8;;\e\\"
+ fi
+
+ continue
+ else
+ DATA=0
+ fi
+
+ [ "$SIMPLE" != "true" ] && echo "$line"
+done <<<"$MANIFEST"
+
diff --git a/kubectl-secrets b/kubectl-secrets
new file mode 120000
index 0000000..a5be89c
--- /dev/null
+++ b/kubectl-secrets
@@ -0,0 +1 @@
+kubectl-secret
\ No newline at end of file
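Review bot: Both branches at the end of the read loop pass the decoded secret through `echo -e`, so backslash sequences inside the value are interpreted and its raw bytes reach the terminal; in the default branch a value containing ESC or BEL ends the OSC 8 link early and the rest is acted on by the terminal. Secret contents are written by whoever can create Secrets in the cluster, not by the person running the wrapper, so the data should be printed with `printf '%s'` and have control characters removed before it is embedded in the link. The default branch also writes the plaintext into stdout when output is redirected to a file or pager, which undercuts the "safely" in the subject; emitting the hyperlink only when `[ -t 1 ]` holds avoids that. Separately, `DECODE` and `SIMPLE` are never initialised, so an exported `DECODE=true` in the caller's environment turns decoding on without `-d`; set both to `false` before the option loop.

```shell
    # … unchanged: secret/key/value extraction from $line …

    # Keep tab and newline for multi-line values, drop every other control byte.
    decoded=$(base64 -d <<<"$value" | tr -d '\000-\010\013-\037\177')

    if [ "$DECODE" == "true" ]; then
        printf '%s%s: %s\n' "$DELIMITER" "$key" "$decoded"
    elif [ -t 1 ]; then
        # The link target must stay on one line.
        link=${decoded//[$'\t\n']/}
        printf '%s%s: \e]8;;%s\e\\%s\e]8;;\e\\\n' "$DELIMITER" "$key" "$link" "$value"
    else
        # Not a terminal: keep the encoded form, never the plaintext.
        printf '%s%s: %s\n' "$DELIMITER" "$key" "$value"
    fi

    # … unchanged: continue / DATA=0 handling …
```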