Kubernetes: dump all keys in secret to files:
```bash
# Requirements: kubectl and either jq or yq
# This will take every key/value in a secret, base64 decode the value, and dump the result to
# a file named as the key name
# It's like doing the inverse process of creating a secret from file like this:
#
# kubectl create secret generic db-user-pass \
#   --from-file=./username.txt \
#   --from-file=./password.txt

# If you use JQ ( https://jqlang.github.io/jq/ )
SECRET=credentials-staging NAMESPACE=staging
for i in $(kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o json | jq -r '.data | keys | .[]')
do
  echo "Dumping ${i}"
  # --arg passes the key name as data instead of splicing it into the jq filter
  kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o json | jq -r --arg k "${i}" '.data[$k]' | base64 -d > "${i}"
done

# If you use Mike Farah's yq ( https://github.com/mikefarah/yq )
SECRET=credentials-staging NAMESPACE=staging
for i in $(kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq '.data | keys | .[]')
do
  echo "Dumping ${i}"
  kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq -r '.data."'"${i}"'"' | base64 -d > "${i}"
done

# If you use Andrey Kislyuk's yq ( https://github.com/kislyuk/yq )
SECRET=credentials-staging NAMESPACE=staging
for i in $(kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq -r '.data | keys[]')
do
  echo "Dumping ${i}"
  kubectl -n "${NAMESPACE}" get secret "${SECRET}" -o yaml | yq -r '.data."'"${i}"'"' | base64 -d > "${i}"
done
```
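A one-pass variant of the dump above, as an added example that is not part of the original gist: it reads the output of `kubectl get secret -o json` once from stdin, rejects key names that are not plain file names, and creates each file with mode 0600 without overwriting anything that already exists. The function name `dump_secret`, the output directory argument and the `SAMPLE` secret are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import os
import re
import sys

# Secret data keys may only contain alphanumerics, '-', '_' and '.'.
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")


def dump_secret(secret_json, outdir):
    """Decode every .data entry of a Secret (JSON text) into outdir/<key>."""
    data = json.loads(secret_json).get("data") or {}
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    written = []
    for key, b64 in sorted(data.items()):
        # Only accept plain file names, so nothing lands outside outdir.
        if not KEY_RE.fullmatch(key) or key in (".", ".."):
            raise ValueError(f"unsafe key name: {key!r}")
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"value of {key!r} is not valid base64") from exc
        path = os.path.join(outdir, key)
        # O_EXCL refuses to overwrite or follow an existing file or symlink;
        # mode 0600 applies from creation, so the decoded value is never
        # briefly readable by other users.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(raw)
        written.append(path)
    return written


# Constructed sample, shaped like `kubectl get secret db-user-pass -o json`.
SAMPLE = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "db-user-pass"},
    "data": {
        "username.txt": base64.b64encode(b"admin").decode(),
        "password.txt": base64.b64encode(b"S3cret!\n").decode(),
    },
})

if __name__ == "__main__":
    # kubectl -n staging get secret credentials-staging -o json | python3 dump_secret.py ./out
    for p in dump_secret(sys.stdin.read(), sys.argv[1]):
        print("Dumped", p)
```

Remove the output directory once the decoded values are no longer needed, since they are stored there in clear text.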
Looks like it will be shorter..
```
kubectl get secrets --namespace <namespace> -o json
```
@iamjenechka Hi Jenechka! I think you might have confused the functionality of the script.
What it does is:
- Takes a secret
- Creates a file for each of its keys, using the key as file name
- Puts the value of each key, base64 decoded, inside the file
So, for example, if you have the typical tls secret that looks a bit like this:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  tls.crt: |
    [BASE64DATA]
  tls.key: |
    [BASE64DATA]
```
...running the previous script would give you two files (`tls.crt` and `tls.key`) with the content decoded from base64.
It's like doing the inverse process of creating a secret from file like this:
```
kubectl create secret generic db-user-pass \
  --from-file=./username.txt \
  --from-file=./password.txt
```
@andor-pierdelacabeza thank you for that. Indeed I am using Mike Farah's yq (didn't realize there are more). And the command also works without the `--export`. Tried the updated script and does the trick. Cheers!