3

I'd like to edit my secrets. The only way I'm aware of is kubectl edit secret mysecret, which gets me a YAML blob to edit. However, all secrets are base64 encoded, which isn't an easy way to edit them.

Can I mount secrets to a local volume somehow? Can I extract secrets to my localhost and edit them there? And lastly, can I edit some way to get plaintext keys/values (or just one key) instead of base64 encoded values?

P.S. Can I see secret keys easily with kubectl? With edit I see them, but when I'm only interested in keys, not the values.

3 Answers

2

I would highly recommend using k9s (not only for this purpose, but also as a lightweight k8s CLI management tool).

As you can see below (ignore all white placeholders), when your cluster's context is set on terminal you just type k9s and you will hit a nice terminal where you can inspect all cluster resources.

Just type ":" and enter the resource name (secrets in this case) which will appear in the middle of screen.

Then you can choose a secret with the up and down arrows and type e to edit it (green arrow):


1

Unfortunately no, the problem you describe is something you just have to deal with "on the side" by decoding/encoding base64 content on your own.

There are ways to simplify this by using templating for resources (i.e. via helm charts), but that involves storing the raw secret in some other way and just applying changes from "source" rather than doing an edit.
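The decode/encode step described in the answer above can be scripted. This is an added example, not part of the answer or of any tool named on this page: it works on a Secret manifest in the JSON shape that `kubectl get secret mysecret -o json` returns, and the function names and the sample Secret are constructed for illustration.

```python
import base64
import json

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed sample shaped like `kubectl get secret mysecret -o json` output.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "mysecret"},
    "data": {
        "username": _b64(b"admin"),
        "password": _b64(b"s3cr3t!"),
        "keystore": _b64(b"\xff\xfe\x00\x01"),  # binary value, not valid UTF-8
    },
}

def list_keys(secret: dict) -> list:
    """Key names only, so no value is ever decoded or displayed."""
    return sorted(secret.get("data") or {})

def to_editable(secret: dict) -> dict:
    """Move UTF-8 values to plaintext stringData; binary values stay base64 in data."""
    editable = {k: v for k, v in secret.items() if k != "data"}
    text, binary = {}, {}
    for key, value in (secret.get("data") or {}).items():
        raw = base64.b64decode(value, validate=True)
        try:
            text[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            binary[key] = value  # re-typing binary as text would corrupt it
    editable["stringData"], editable["data"] = text, binary
    return editable

def to_manifest(editable: dict) -> dict:
    """Re-encode the edited plaintext so the result carries only base64 data."""
    manifest = {k: v for k, v in editable.items() if k != "stringData"}
    data = dict(editable.get("data") or {})
    for key, value in (editable.get("stringData") or {}).items():
        data[key] = _b64(value.encode("utf-8"))
    manifest["data"] = data
    return manifest

if __name__ == "__main__":
    print(list_keys(SAMPLE))
    doc = to_editable(SAMPLE)
    doc["stringData"]["password"] = "n3w-pass"  # the actual edit, in plaintext
    print(json.dumps(to_manifest(doc), indent=2))
```

The printed manifest can be piped to `kubectl apply -f -`. The decoded form is the secret itself, since base64 is an encoding and not encryption, so keep it out of shell history and version control.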


0

We use https://github.com/bq/k8s-secret-editor - it works great! It's a little behind but I've been using it with Kubernetes 1.8 without issue.

2 Comments

Pulling someone's docker image into my k8s cluster to edit secrets seems unwise
Agreed. I was not pulling the image but building my own. You can review the source of k8s-secret-editor - it's not very complicated. Having said that, I've moved away from this approach now. At untapt.com we keep the yaml files centrally in a secure area and use a bash script that wraps around kubectl create secret and deploys the whole .yml file (or multiple files if required). So we never "edit" secrets anymore, we delete and create using these files as the source.
