-
-
Save andor-pierdelacabeza/56296aa5e62b0e89de91af625d838da3 to your computer and use it in GitHub Desktop.
| # Requirements: kubectl and yq | |
| # This will take every key/value in a secret, base64 decode the value, and dump the result to | |
| # a file named as the key name | |
| # It's like doing the inverse process of creating a secret from file like this: | |
| # | |
| # kubectl create secret generic db-user-pass \ | |
| # --from-file=./username.txt \ | |
| # --from-file=./password.txt | |
| # If you use JQ ( https://jqlang.github.io/jq/ ) | |
| SECRET=credentials-staging NAMESPACE=staging | |
| for i in `kubectl -n ${NAMESPACE} get secret ${SECRET} -o json | jq -r '.data | keys | .[]'` | |
| do | |
| echo "Dumping ${i}" | |
| kubectl -n ${NAMESPACE} get secret ${SECRET} -o json| jq -r '.data."'${i}'"' | base64 -d > ${i} | |
| done | |
| # If you use Mike Farah's yq ( https://github.com/mikefarah/yq ) | |
| SECRET=credentials-staging NAMESPACE=staging | |
| for i in `kubectl -n ${NAMESPACE} get secret ${SECRET} -o yaml | yq '.data | keys | .[]'` | |
| do | |
| echo "Dumping ${i}" | |
| kubectl -n ${NAMESPACE} get secret ${SECRET} -o yaml| yq -r '.data."'${i}'"' | base64 -d > ${i} | |
| done | |
| # If you use Andrey Kislyuk's yq ( https://github.com/kislyuk/yq ) | |
| SECRET=credentials-staging NAMESPACE=staging | |
| for i in `kubectl -n ${NAMESPACE} get secret ${SECRET} -o yaml | yq -r '.data | keys[]'` | |
| do | |
| echo "Dumping ${i}" | |
| kubectl -n ${NAMESPACE} get secret ${SECRET} -o yaml | yq -r '.data."'${i}'"' | base64 -d > ${i} | |
| done |
Hi @milosonator . Fortunately I was doing something like this just 5 minutes ago. I'm having lunch, but in an hour or so I'll update it :)
@milosonator , from what I've seen, removing the --export parameter is enough for it to work. Also, I've added another version just in case you use Mike Farah's yq, as that's the version I use currently.
@andor-pierdelacabeza thank you for that. Indeed I am using Mike Farah's yq (didn't realize there are more). And the command also works without the --export. Tried the updated script and does the trick. Cheers!
Looks like it will be shorter..
kubectl get secrets --namespace <namespace> -o json
@iamjenechka Hi Jenechka! I think you might have confused the functionality of the script.
What it does is:
- Takes a secret
- Creates a file for each of its keys, using the key as file name
- Puts the value of each key, base64 decoded, inside the file
So, for example, if you have the typical tls secret that looks a bit like this:
apiVersion: v1
kind: Secret
metadata:
name: secret-tls
type: kubernetes.io/tls
data:
tls.crt: |
[BASE64DATA]
tls.key: |
[BASE64DATA] ...running the previous script would give you two files (tls.crt and tls.key) with the content decoded from base64.
It's like doing the inverse process of creating a secret from file like this:
kubectl create secret generic db-user-pass \
--from-file=./username.txt \
--from-file=./password.txt
Unfortunately I receive the following error when trying this:
Error from server (BadRequest): the export parameter, deprecated since v1.14, is no longer supported