#secret #password

app kubepassgen

Passwordstore.org to k8s secrets

5 releases

0.2.1 Jun 12, 2022
0.2.0 Jun 11, 2022
0.1.2 May 26, 2022
0.1.1 May 21, 2022
0.1.0 May 16, 2022

#179 in #secret

MIT license

16KB
302 lines

kubepassgen

A tool for converting passwordstore.org passwords to kubernetes secrets

Usage

Run kubepassgen secrets and it will read the kubepassgen.toml file in the current directory, emitting the secrets to stdout. Theis could be written to a file with kubepassgen > mysecrets.yaml though this is not default behaviour just in case (these are secrets you know)

Run kubepassgen --help for various flags.

Motivation

This was a way of easily extracting the secrets to be used with kubernetes. Password store allows you to use git and gpg to keep your secrets shared, but managed without any third party services. By combining the too, you don't need extra providers and can use the simple and proven pass cli.

A key part of the motivation of this tool is the sample script for usage with kustomize. This is a bit of a wrapper, but can be used to build deploys, with secrets in passwordstore. Password store can be even added as a git subrepo, which would allow precise tracking of the secrets in the deploy git repo. You would need to set some environment variables to use this

Contributing

This project is hosted on sourcehut, and will accept patches via the ~btrepp/public-inbox@lists.sr.ht mailing list. If reporting a bug or adding extra functionality, they must come with an associated cli test (see tests).

The CLI tests will generate gpg keys and password store configurations. So they should be self-contained.

Configuration file

The kubepassgen.toml file is where all the configuration happens this can store multiple secrets, and will ultimately lead to multiple secrets being generated.

This is in toml as it is very easy to read and parse. It also helps visually seperate that this tool isn't part of k8s.

Opaque

[opaque.namespace.secret]
KEY="pass/path"

This will generate

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: name
  namespace: namespace
data:
  KEY: ...

Note: if the namespace is omitted such as [opaque.secret] it won't be written out. This is useful if you don't care for the namespace

Dockerconfigjson

Intent is to write this, though it isn't done yet.

Kustomize

The below shell is an example of using with kustomize It creates a new kustomization directory, and adds in the secret.

This then patches the base with your password store secrets, and prints to std out

#!/bin/sh
WORK=$(mktemp -d)
trap 'rm -rf -- "$WORK"' EXIT
BASE=$(realpath --relative-to=$WORK $PWD)

cat << EOF > $WORK/kustomization.yaml
resources:
- $BASE

patchesStrategicMerge:
- secret.yaml
EOF

kubepassgen > $WORK/secret.yaml
kustomize build $WORK

This is also implemented as kubepassgen kustomize. Which behaves like the above shell script for convenience

Dependencies

~6–15MB
~222K SLoC