DEV Community

Cover image for Editing Kubernetes Secrets Inline
Austin Vance for Focused

Posted on • Updated on • Originally published at focusedlabs.io

Editing Kubernetes Secrets Inline

We work a lot with Kubernetes and when you're working with Secrets it can be a total pain to edit them. A standard workflow can be something like.

# Grab the existing secret
kubectl get secret some-secret -o yaml > some-secret.yaml

# Grab the existing secret
kubectl get secret some-secret \
  -o jsonpath='{ .data.secret }' \
  | base64 -D > thesecert.txt

# Edit the secret
vim thesecret.txt

# Grab the new secret and put it into the secret file
# and apply it to the cluster
cat thesecret.txt | base64 | pbcopy
vim some-secret.yaml # paste in your b64 encoded secret
kubectl apply -f some-secret.yaml
Enter fullscreen mode Exit fullscreen mode

That's not a great user experience and what if you wanted to use kubectl edit?

There's a bit of vim foo you can use to edit the secret in line.

kubectl edit secret some-secret

# navigate to the base64 encoded secret
# place your cursor on the space between the ":"
# and the first character of the secret
# hit `r <enter>` this replaces the space
# with a new line

# move your cursor down one line to the secret
# in the command prompt `:. ! base64 -D`

# Edit your secret

# in the command prompt `:. ! base64`
# if your secret is multiline you can 
# use `:<startline>,<endline> ! base64`
# or you can highlight the lines in visual
# mode and use `:! base64`

# Join the lines by moving back up the secret key
# and hitting `J`

# Then write quit `:wq`
# you should see this as output
# `secret/some-secret edited`
Enter fullscreen mode Exit fullscreen mode

Editing a secret inline

And if you want to edit a multiline secret say one that was created from a file. Rather than base64 encoding the current line using :. you can use a range of line numbers :13,84 ! base64 and you will encode all those lines together inclusive of line 84.

edit: added info about multiline secrets

Update

I wanted to add one more tip here - pesky new lines.

If you're editing a secret and you use . ! base64 you will end up with a newline character at the end of your secret. If that's ok... cool if not you can use tr to clean it out

. ! tr -d '\n' | base64
Enter fullscreen mode Exit fullscreen mode

Top comments (15)

Collapse
 
amourycodes profile image
Amoury

Great tip. Didn't know about this 👍🏼

Collapse
 
austinbv profile image
Austin Vance

Thanks! Helpful in the CKA(D) too

Collapse
 
amourycodes profile image
Amoury

Yeah totally. I am just on my journey preparing for CKAD

Thread Thread
 
austinbv profile image
Austin Vance

Good luck we are studying for it as a team right now

Thread Thread
 
qainsights profile image
NaveenKumar Namachivayam ⚡

I am also preparing for CKAD. Please add me in :)

Collapse
 
jrop profile image
Jonathan Apodaca

Tip: I have a base64 Vim plugin installed that makes this even easier! Just kubectl edit... and then encode/decode from within Vim. No other commands needed.

Collapse
 
austinbv profile image
Austin Vance

The plugin does this under the hood if you checkout the auto load file.

Personally like to avoid plugins if it’s easy enough to learn so I can edit in any environment or on a server without feeling hamstrung

Collapse
 
pbnj profile image
Peter Benjamin (they/them) • Edited

Nice tip.

For a bit more convenience (so you don't have to edit or move the text to a new line):

: ! echo <cWORD> | base64 | tr -d '\n' | pbcopy

:help <cword> and :help <cWORD> for more information

demo 1

For even more convenience, this can be converted into a reusable function:

function! B64ify() abort
  silent ! clear
  silent ! echo <cWORD> | base64 | tr -d '\n' | pbcopy
  execute "normal! ciW\<ESC>\"*p"
  redraw!
endfunction

Now, you can call it with :call B64ify()

demo 2

Lastly, you can map this function to a command and/or keybinding for maximum convenience:

command! B64ify :call B64ify()
nnoremap <silent> <Leader>B :B64ify<CR>

This can also be reversed very easily by copying the function and replacing base64 with base64 -d.

Here is a final demo:

demo 3

The final config:

function! B64ify() abort
  silent ! clear
  silent ! echo <cWORD> | base64 | tr -d '\n' | pbcopy
  execute "normal! ciW\<ESC>\"*p"
  redraw!
endfunction
command! B64ify :call B64ify()
nnoremap <silent><Leader>B :B64ify<CR>

function! B64decodify() abort
  silent ! clear
  silent ! echo <cWORD> | base64 -d | tr -d '\n' | pbcopy
  execute "normal! ciW\<ESC>\"*p"
  redraw!
endfunction
command! B64decodify :call B64decodify()
nnoremap <silent><Leader>b :B64decodify<CR>
Collapse
 
austinbv profile image
Austin Vance

Nice tip - I love the <cWORD> approach to a lot of things. One limitation is <cWORD> uses vi's word selection. If my secret is a multiline certificate, the contents of a yaml file, or has special characters this won't work.

Collapse
 
pbnj profile image
Peter Benjamin (they/them) • Edited

That's true.

If you want to visually select the text to pass to an external program, by default vim passes whole lines (e.g. :'<,'> ! base64) , but vis.vim plugin might help (e.g. :'<,'>B ! base64).

Collapse
 
vanica profile image
vanica

Can you please tell me about this interactive presentation display you used for showing commands?

Collapse
 
austinbv profile image
Austin Vance

Hey, I have been using Terminalizer github.com/faressoft/terminalizer. I also have used asciinema.org/ which does web players rather than gifs.

Collapse
 
vanica profile image
vanica

Thank you!!!

Collapse
 
shehata profile image
Solly

Thats very useful! Thanks for sharing ♥️

Collapse
 
austinbv profile image
Austin Vance

Of course thanks for reading