@andor-pierdelacabeza
Last active April 30, 2024 09:52
Kubernetes: dump all keys in secret to files:
# Requirements: kubectl, plus jq or yq
# This will take every key/value in a secret, base64 decode the value, and dump the result to
# a file named after the key
# Output files land in the current directory and contain the decoded (plaintext) values
# It's like doing the inverse process of creating a secret from file like this:
#
# kubectl create secret generic db-user-pass \
# --from-file=./username.txt \
# --from-file=./password.txt

# If you use JQ ( https://jqlang.github.io/jq/ )
SECRET=credentials-staging NAMESPACE=staging
for i in $(kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o json | jq -r '.data | keys | .[]')
do
    echo "Dumping ${i}"
    kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o json | jq -r '.data."'"${i}"'"' | base64 -d > "${i}"
done

# If you use Mike Farah's yq ( https://github.com/mikefarah/yq )
SECRET=credentials-staging NAMESPACE=staging
for i in $(kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq '.data | keys | .[]')
do
    echo "Dumping ${i}"
    kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq -r '.data."'"${i}"'"' | base64 -d > "${i}"
done

# If you use Andrey Kislyuk's yq ( https://github.com/kislyuk/yq )
SECRET=credentials-staging NAMESPACE=staging
for i in $(kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq -r '.data | keys[]')
do
    echo "Dumping ${i}"
    kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq -r '.data."'"${i}"'"' | base64 -d > "${i}"
done
@andor-pierdelacabeza
Author

Hi @milosonator. Fortunately I was doing something like this just 5 minutes ago. I'm having lunch, but in an hour or so I'll update it :)

@andor-pierdelacabeza
Author

@milosonator, from what I've seen, removing the --export parameter is enough for it to work. Also, I've added another version just in case you use Mike Farah's yq, as that's the version I use currently.

@milosonator

@andor-pierdelacabeza thank you for that. Indeed I am using Mike Farah's yq (didn't realize there are more). And the command also works without the --export. Tried the updated script and does the trick. Cheers!

@iamjenechka

Looks like it will be shorter..

kubectl get secrets --namespace <namespace> -o json

@andor-pierdelacabeza
Author

@iamjenechka Hi Jenechka! I think you might have confused the functionality of the script.

What it does is:

  • Takes a secret
  • Creates a file for each of its keys, using the key as file name
  • Puts the value of each key, base64 decoded, inside the file

So, for example, if you have the typical tls secret that looks a bit like this:

apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  tls.crt: |
    [BASE64DATA]
  tls.key: |
    [BASE64DATA]    

...running the previous script would give you two files (tls.crt and tls.key) with the content decoded from base64.

It's like doing the inverse process of creating a secret from file like this:

kubectl create secret generic db-user-pass \
    --from-file=./username.txt \
    --from-file=./password.txt
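
A hardened variant of the dump described above, added here as an example and not part of the gist or its comments: it fetches the Secret once, writes the files with a 077 umask into a chosen directory, and skips key names that are not plain file names. The function names, the output-directory argument and the sample Secret are assumptions; it needs jq and base64.

```shell
#!/bin/sh
# Added example (not the gist's code). sample_secret, dump_secret_json and the
# output-directory argument are hypothetical names chosen for illustration.

# Constructed sample Secret: values are base64 of "admin" and "s3cr3t".
sample_secret() {
  cat <<'EOF'
{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db-user-pass"},
 "data":{"username.txt":"YWRtaW4=","password.txt":"czNjcjN0"}}
EOF
}

# Read one Secret as JSON on stdin; write each key to <outdir>/<key>.
# The body is a subshell, so umask and variables do not leak to the caller.
dump_secret_json() (
  outdir=$1
  tab=$(printf '\t')
  umask 077                        # new files 0600, new directory 0700
  mkdir -p -- "$outdir" || exit 1
  # One pass over .data, one "key<TAB>base64value" line per entry.
  entries=$(jq -r '.data // {} | to_entries[] | "\(.key)\t\(.value)"') || exit 1
  [ -n "$entries" ] || exit 0
  printf '%s\n' "$entries" | while IFS="$tab" read -r key value; do
    # Accept only the characters Kubernetes allows in Secret keys, so a key
    # can never name a path outside outdir.
    case $key in
      ''|.|..|*[!A-Za-z0-9._-]*)
        echo "Skipping unsafe key: ${key}" >&2
        continue ;;
    esac
    echo "Dumping ${key}"
    printf '%s' "$value" | base64 -d > "${outdir}/${key}" || exit 1
  done
)

# Against a cluster, with the gist's variables:
#   kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o json | dump_secret_json ./out
```

An existing output directory keeps its current permissions, so point the function at a directory that is new or already private.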
