GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → sebidude → kubecrypt

sebidude / kubecrypt

Licence: MIT license
Helper for dealing with secrets in kubernetes.

Programming Languages

go
31211 projects - #10 most used programming language
Makefile
30231 projects
Dockerfile
14818 projects

Labels

kubernetesclientcryptopipelinesecretsci-cd

Projects that are alternatives of or similar to kubecrypt

Keywhiz
A system for distributing and managing secrets
Stars: ✭ 2,452 (+10560.87%)
Mutual labels:  crypto, secrets
Pipeline
Pipeline is a package to build multi-staged concurrent workflows with a centralized logging output.
Stars: ✭ 433 (+1782.61%)
Mutual labels:  pipeline, ci-cd
Drone Vault
Drone plugin for integrating with the Vault secrets manager
Stars: ✭ 36 (+56.52%)
Mutual labels:  secrets, ci-cd
Git Push Deploy
Simple Automated CI/CD Pipeline for GitHub and GitLab Projects
Stars: ✭ 21 (-8.7%)
Mutual labels:  pipeline, ci-cd
Pypyr
pypyr task-runner cli & api for automation pipelines. Automate anything by combining commands, different scripts in different languages & applications into one pipeline process.
Stars: ✭ 173 (+652.17%)
Mutual labels:  pipeline, ci-cd
Jenkins Pipeline Library
wcm.io Jenkins Pipeline Library for CI/CD
Stars: ✭ 134 (+482.61%)
Mutual labels:  pipeline, ci-cd
Argo Cd
Declarative continuous deployment for Kubernetes.
Stars: ✭ 7,887 (+34191.3%)
Mutual labels:  pipeline, ci-cd
Whispers
Identify hardcoded secrets and dangerous behaviours
Stars: ✭ 66 (+186.96%)
Mutual labels:  pipeline, secrets
flow-platform-x
Continuous Integration Platform
Stars: ✭ 21 (-8.7%)
Mutual labels:  pipeline, ci-cd
simple-sha256
Generate SHA-256 hashes (in Node and the Browser)
Stars: ✭ 42 (+82.61%)
Mutual labels:  crypto
cryptowallet-cli
CW is a crypto wallet generator CLI tool for a lot of blockchains: Bitcoin, Ethereum, Binance Smart Chain and many others
Stars: ✭ 45 (+95.65%)
Mutual labels:  crypto
RavenCoin-Wallet-With-Miners
RavenCoin Wallet including CPU and GPU miners! programs are directly from Ravencoin and official miner sources
Stars: ✭ 75 (+226.09%)
Mutual labels:  crypto
release-downloader
Github action to download release assets from private or public repositories
Stars: ✭ 33 (+43.48%)
Mutual labels:  ci-cd
reactive-trader
In the coming weeks this plans to become a Gekko plugin that reacts to market changes, finding and running only the most profitable strategies.
Stars: ✭ 91 (+295.65%)
Mutual labels:  crypto
github-did
Decentralized Identity with Github
Stars: ✭ 108 (+369.57%)
Mutual labels:  crypto
MKT
Exchange Price Service , Stocks , Cryptocurrency,Stock prediction and more
Stars: ✭ 27 (+17.39%)
Mutual labels:  crypto
banana split
Shamir's Secret Sharing for people with friends
Stars: ✭ 106 (+360.87%)
Mutual labels:  crypto
compatip
A simple tool to ensure compatibility between microservices
Stars: ✭ 13 (-43.48%)
Mutual labels:  ci-cd
netascode
This repo contains an example of the virtual network of a fictitious company which you can use to play and to learn network automation. Public repository for Network as Code. NaC model.
Stars: ✭ 36 (+56.52%)
Mutual labels:  ci-cd
tradeview
A platform for trading crypto currency pairs on crypto exchanges and running crypto currency pair strategies.
Stars: ✭ 69 (+200%)
Mutual labels:  crypto
View All Similar Projects ➔

kubecrypt

kubecrypt wants to help you to solve a bunch of problems when it comes to secrets.
This project was inspired by Bitnami Labs sealed-secrets and the fact that I needed to solve some problems around storing secret data and use them in pipelining.

Contributions are welcome. The code is working and tested manually. As this is a kubernetes client, I recommend to build the tool and deploy it with some docker image if you need to use it in your pipelines.

It can do the following things:

  • list secrets for a namespace
  • print values from a secret
  • encrypt /decrypt data using a tls secret from the cluster
  • encrypt / decrypt all values for a map in a yaml file
  • convert a yaml map with encrypted values to a plain kubernetes secret
  • remove keys from a secret
  • update keys of a secret

Install

go get github.com/sebidude/kubecrypt/...
go install github.com/sebidude/kubecrypt/cmd/kubecrypt

Usage

You can always use the --help flag. Beside handling your secrets you can also use kubecrypt to quickly encrypt some text and share it with your co-workers via chat in a secure way.

kubecrypt will lookup the KUBECONFIG environment variable to find the configuration for the kubernetes client. If the variable is empty it will lookup the default path $HOME/.kube/config. If a kubeconfig resides there, it will use this one. You have to set the environment variable KUBECONFIG if you want to use a config which is not located at the default path.
If KUBECONFIG is not set and no configuration is found at the default path, kubecrypt will act as an in-cluster client and will use the token from the service-account of the context it is running in.

Init the kubecrypt secret with kubecrypt

By default kubecrypt will use a secret of type tls named kubecrypt in namespace kubecrypt. So first create the namespace kubecrypt and then run init

kubectl create namespace kubecrypt
kubecrypt init

If you want to use a different namespace and secretname, you can tell kubecrypt with -t

kubecrypt -t testing/secretencryption init

This will create a tls secret with name secretencryption in namespace testing. As kubecrypt has no config file you have to pass the -t option everytime if you don't use the default kubecrypt/kubecrypt with the -tflag.

Init the kubecrypt secret manually.

In case you don't want to use certs and key generated with kubecrypt, you can use openssl: Generate a key and a self-signed cert for kubecrypt

openssl genrsa -out tls.key 4096
openssl req -key tls.key -x509 -days 365 -out tls.crt -subj "/C=XX/ST=Coruscant/L=Temple/O=Force/OU=Temple Admins/CN=Jedis"

Add the cert and key to the cluster

kubectl create namespace kubecrypt
kubectl create secret tls kubecrypt -n kubecrypt --cert=tls.crt --key=tls.key

Store the key in a secret place!

Encrypt and Decrypt data

You can encrypt data using a tls secret from the cluster. The encrypted output is always base64 raw url encoded.

# encrypt to stdout
echo This is some data | kubecrypt enc

# encrypt to a file
echo This is some data | kubecrypt enc -o encrypted.txt

Decrypt data this way

# decrypt from file
kubecrypt dec -i encrypted.txt

# decrypt from stdin
cat encrypted.txt | kubecrypt dec

# or
echo This is some data | kubecrypt enc | kubecrypt dec

Encrypt and decrypt values from a yaml map

If you have an input file in yaml format, you can encrypt or decrypt all members of a map with a given key. Note the this will only work with string values.

Example yaml file unsafe.yaml:

data:
  password: f0oB4r
  key: mykey
app:
  values:
    port: "8080"
    path: "/home"
  secrets:
    dbpass: dbpassword
    apikey: some-super-secret-key

Now encrypt all values for the keys in the map data:

# from stdin
cat unsafe.yaml | kubecrypt yaml -e -k data

# from file
kubecrypt yaml -e -k data -i unsafe.yaml

# from file to output file
kubecrypt yaml -e -k data -i unsafe.yaml -o safe.yaml

# descend deeper into some map
kubecrypt yaml -i unsafe.yaml -e -k app.secrets -o safe.yaml

If you skip the -e flag, the input will be decrypted

kubecrypt yaml -i safe.yaml -k data

Convert the values from a encrypted yaml map to a kubernetes secret

kubecrypt convert mysecret -i safe.yaml -k data -o mysecret.yaml

Create an encrypted yaml map from a kubernetes secret

with --dry-run and --from-file=-

kubectl create secret generic --dry-run foobar --from-file=somefile.json -o yaml | kubecrypt convert -e -k mykey foobar --from-file=-

or

kubectl create secret generic --dry-run foobar --from-file=somefile.json -o yaml > mysecret.yaml
kubecrypt convert -e -k mykey foobar --from-file=mysecret.yaml
kubecrypt convert -e -k mykey foobar -f mysecret.yaml

Update and remove keys from kubernetes secrets in cluster

Update a key of an existing secret, if the key doesn't exist it will be added to the secret

kubecrypt update -k foo=bar -k token=updatedToken mysecret

Remove a key from secret

kubecrypt update -r foo mysecret

Backup the cert and key for kubecrypt

To create a backup of the key and cert simply load them from the cluster:

# backup to textfile
kubecrypt get -n kubecrypt kubecrypt > kubecrypt.backup.txt

# backup to yamlfile
kubecrypt convert kubecrypt -e -n kubecrypt -k secret | kubecrypt yaml -k secret > kubecrypt.yaml

# backup to kubernetes secret
kubectl get secret -n kubecrypt kubecrypt -o yaml > kubecrypt.secret.yaml

# backup to key and cert file
kubecrypt get -n kubecrypt kubecrypt -k tls.key > kubecrypt.key
kubecrypt get -n kubecrypt kubecrypt -k tls.crt > kubecrypt.crt
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].