hacky-secret-checking.sh

#! /bin/bash
set -eou pipefail

if [[ -z ${1+x} || ${1} == "all" ]]; then
  echo "Checking all namespaces"
  namespaces=$(kubectl get namespaces -o json | jq -r '.items[].metadata.name')
else
  namespaces=${1}
fi

IGNORE_NAMESPACES=(
  "kube-system"
)

FILENAME="secrets.csv"
rm -f $FILENAME
printf '%s\n' "namespace" "secret" | paste -sd ',' >> ${FILENAME}


for namespace in $namespaces; do
  if [[ "${IGNORE_NAMESPACES[*]}" =~ ${namespace} ]]; then
    echo "Ignoring namespace: ${namespace}"
    continue
  fi
  echo "Checking namespace: ${namespace}"
  STS=$(kubectl get statefulset -n "${namespace}" -o json)
  DEPLOYMENT=$(kubectl get deployment -n "${namespace}" -o json)
  CRONJOB=$(kubectl get cronjob -n "${namespace}" -o json)

  SECRETS=()

  SECRETS+=$(echo "${STS}" | jq -r '.items[].spec.template.spec.volumes[]?.secret?.secretName? | . // empty')
  SECRETS+=$(echo "${STS}" | jq -r '.items[].spec.template.spec.containers[].env[]?.valueFrom?.secretKeyRef?.name | . // empty')

  SECRETS+=$(echo "${DEPLOYMENT}" | jq -r '.items[].spec.template.spec.volumes[]?.secret?.secretName? | . // empty')
  SECRETS+=$(echo "${DEPLOYMENT}" | jq -r '.items[].spec.template.spec.containers[].env[]?.valueFrom?.secretKeyRef?.name | . // empty')

  SECRETS+=$(echo "${CRONJOB}" | jq -r '.items[].spec.jobTemplate.spec.template.spec.containers[].env[]?.valueFrom?.secretKeyRef?.name | . // empty')
  SECRETS+=$(echo "${CRONJOB}" | jq -r '.items[].spec.jobTemplate.spec.template.spec.volumes[]?.secret?.secretName? | . // empty')

  UNIQUE=$(printf "%s\n" "${SECRETS[@]}" | sort -u)

  VAULTSECRETS=$(kubectl get vaultsecrets -n "${namespace}" -o json | jq -r '.items[].metadata.name')
  for secret in $UNIQUE; do
    if [[ ! "${VAULTSECRETS[*]}" =~ ${secret} ]]; then
      echo "Vaultsecret not found for: Namespace: ${namespace} secret: ${secret}"
      printf '%s\n' "${namespace}" "${secret}" | paste -sd ',' >> ${FILENAME}
    fi
  done
done