shyiko / kubesec
Secure Secret management for Kubernetes (with gpg, Google Cloud KMS and AWS KMS backends)
License: Apache License 2.0
I use kubesec to encrypt Kubernetes secrets. I update the secrets using `kubesec encrypt --in-place --key=... --key... --key...`.
I expect kubesec to encrypt to the specified keys only. Otherwise I would use the `+` option.
What really happens is that kubesec does not remove the keys that are not specified.
I'm trying to use kubesec on Windows (version 0.9.2), and getting the following error:
`gpg` wasn't found (make sure it's available on the PATH)
However, gpg is already on the PATH and the `gpg` command works fine.
After some (laborious) investigation, I conclude I can't use this very good plugin with a tool like kustomize, because the standard generator doesn't allow adding the extra "comments" required by kubesec.
I can choose not to use the secret-generator from kustomize, but then I lose auto-rolling of deployments attached to a secret and the capacity to have immutable secrets in K8S.
Do you think an integration inside kustomize with an extension of the current secretGenerator (https://github.com/kubernetes-sigs/kustomize/tree/master/plugin/builtin/secretgenerator) or something else is possible? It would be great to have access to this.
Thanks
/cc @Neonox31
Like kubectl, helm etc
Hello. I have several gcloud instances for different purposes and I would like to avoid application-default login and use a local gcloud instance (which is supposed to be logged in) with kubesec. Is it possible somehow?
It would be great to have support for IBM Cloud Key Protect. Thx
Key Protect - IBM Cloud : https://cloud.ibm.com/catalog/services/key-protect
Hi,
I'm trying to create a secret on my Mac but I always get this error even though I've created my GPG key:
Primary PGP key wasn't found
Thanks.
This is a question for better understanding:
When adding multiple PGP keys to a secret, it seems as if you can only decrypt the secret when you also have the pubkey of the person who added your key:
I added a colleague's key; however, he wasn't able to decrypt until he imported my pubkey into his keyring.
This is the debug output:
kubesec patch foobar.yaml --debug
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint"
Attempting to decrypt DEK with PGP key _HIS_KEY_ID_
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 -d --status-fd 3 -o /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590E /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590"
gpg: encrypted with 4096-Bit RSA key, ID _HIS_KEY_ID_ ,..
gpg: Signature made Thu Nov ..
gpg: using RSA key _MY_KEY_ID
gpg: signature verification failed: No public key
Unable to decrypt DEK with PGP key _HIS_KEY_ID_ (Signature is invalid or missing)
Unable to decrypt Data Encryption Key (DEK)
This behavior is rather unfavorable as every decrypter needs to retrieve and import all other pubkeys.
While I know that this is debatable, I have some scenarios where I would not like the file to physically change every time I encrypt it.
As an example, if I run `kubesec encrypt myfile` twice, the output is not the same, and I would like it to be the same.
The use case for this is something similar to git-crypt, where the encryption is deterministic (which is required so git can distinguish when a file has and hasn't changed).
Thanks
Hi,
I'm trying kubesec on my MacBook, and I got this error:
`gpg` wasn't found (make sure it's available on the PATH)
But it's strange, because the `gpg` command works fine:
15:05:18 › which gpg
/usr/local/bin/gpg
15:05:20 › gpg
gpg: Go ahead and type your message ...
^C
gpg: Interrupt caught ... exiting
Thanks a lot, this tool looks awesome.
Hi,
It would be simpler to be able to run `kubesec` commands on a multi-"stream" YAML file, even if it doesn't contain only secrets.
For example, the file `all.yaml`:
apiVersion: v1
data:
  application.yaml: |2
    podcastserver:
      rootfolder: /podcasts
      concurrent-download: 40
      max-update-parallels: 256
      number-of-day-to-download: 30
      number-of-day-to-save-cover: 30
    spring:
      datasource.url: jdbc:h2:tcp://database:1521/podcast-server
      jpa.hibernate.ddl-auto: none
kind: ConfigMap
metadata:
  name: podcast-server-d989t5tgb4
  namespace: podcast-server
---
apiVersion: v1
data:
  api.youtube: ofajoeaijeoijeaoaeijeofiajaef
kind: Secret
metadata:
  name: podcast-server-b5cddm29mt
  namespace: podcast-server
type: Opaque
I would like to be able to run something like this:
$ cat all.yaml | kubesec -d - | kubectl apply -f -
But, right now, I have the following result:
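A workaround for the pipeline requested above, added here as an example (not code from the issue or from the kubesec project): split the multi-document stream, send only `kind: Secret` documents through kubesec, and pass every other document through untouched. It assumes `kubesec decrypt -` reads a document from stdin, as the `-` in the command line above suggests; the sample stream is constructed.

```python
import re
import subprocess
import sys
from typing import Callable, List

# Constructed sample stream modelled on the all.yaml above (metadata trimmed):
# a ConfigMap followed by a Secret in one multi-document YAML file.
SAMPLE_STREAM = """\
apiVersion: v1
kind: ConfigMap
data:
  application.yaml: |
    spring:
      jpa.hibernate.ddl-auto: none
---
apiVersion: v1
kind: Secret
data:
  api.youtube: c2FtcGxlLXRva2Vu
"""

# A document separator is a line that is exactly "---" at column 0; a "---"
# inside a block scalar is indented, so it is never split on.
_SEPARATOR = re.compile(r"^---[ \t]*$", re.MULTILINE)
# Only a top-level (column 0) "kind:" key identifies the document's kind.
_KIND = re.compile(r"^kind:[ \t]*(\S+)[ \t]*$", re.MULTILINE)

def split_documents(stream: str) -> List[str]:
    """Split a multi-document YAML stream into documents, dropping empty ones."""
    return [d.strip("\n") for d in _SEPARATOR.split(stream) if d.strip()]

def is_secret(doc: str) -> bool:
    m = _KIND.search(doc)
    return m is not None and m.group(1).strip("\"'") == "Secret"

def kubesec_decrypt(doc: str) -> str:
    """Pipe one Secret through `kubesec decrypt -` (assumes "-" means stdin, as in
    the issue's own command line; needs kubesec and its key backend on PATH)."""
    proc = subprocess.run(["kubesec", "decrypt", "-"], input=doc,
                          capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")

def route_stream(stream: str, decrypt: Callable[[str], str] = kubesec_decrypt) -> str:
    """Decrypt only Secret documents, pass the rest through unchanged, and
    reassemble a stream that `kubectl apply -f -` can consume."""
    docs = [decrypt(d) if is_secret(d) else d for d in split_documents(stream)]
    return "\n---\n".join(docs) + "\n"

if __name__ == "__main__":  # cat all.yaml | python3 route.py | kubectl apply -f -
    sys.stdout.write(route_stream(sys.stdin.read()))
```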
It'd be nice to support a `.kubesec.yaml` settings file where you can specify default keys to be used for new secret files, just like https://github.com/mozilla/sops.
If there are space(s) just before a line feed in the file, the encrypted data will be messed up.
When you open the encrypted file with `kubesec edit`, you will see encoded line feeds like `\n`.
I'm using 0.9.2 with Google Cloud KMS.
e.g. `gcloud auth application-default login` or `GOOGLE_APPLICATION_CREDENTIALS=/path/to/credentials.json` might be needed in case of the Google Cloud KMS backend.
Hi,
I'm working to use this great tool from within GitLab CI with a GPG key. I followed the documentation link in the readme about GitHub Help - Generating a new GPG key.
But, if I follow it correctly, I have the following results:
gpg --list-secret-key
/root/.gnupg/pubring.kbx
------------------------
sec rsa4096 2019-08-13 [SC]
ABE7E706C03B05B9E65AB3C9BCFF30F7C2D1589E
uid [ultimate] gitlab-ci <[email protected]>
ssb rsa4096 2019-08-13 [E]
If I try to use `kubesec`, I have the following result:
kubesec encrypt secret.yml --debug
Executing sh -c "/usr/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint"
Unable to decrypt Data Encryption Key (DEK)
Following your comment in issue #20 (link), I think the GitHub documentation isn't enough.
Could you provide a simple example to generate both keys, please?
I use the latest version of kubesec but see this message when decrypting a secret that I encrypted previously on another machine:
kubesec decrypt secret-oxidixed-id-rsa.pub.yml
It appears that Secret was encrypted with newer version of kubesec.
Visit https://github.com/shyiko/kubesec for upgrade instructions.
I'm using the latest version though:
kubesec --version
0.9.2
I'm using AWS KMS. Any idea how to troubleshoot this?
Minor bug: `ksec --version` doesn't display any version for me. 0.9.2 is installed.
Trying to run kubesec in Alpine Linux results in:
bash-4.4# ./kubesec
bash: ./kubesec: No such file or directory
$ docker build -t kubesec_bug https://gist.githubusercontent.com/neerfri/08b3f87a6ad9f5bdb9bf771616175407/raw/e8b8d578122f499bfbb63a8c49811d25b159e64b/Dockerfile
$ docker run --rm -it kubesec_bug /bin/sh -c '/root/kubesec'
$ docker run --rm -it kubesec_bug /bin/sh -c 'ldd /root/kubesec'
I believe the reason is that it's dynamically linked against libraries (glibc) that don't exist in alpine (by default).
You can see a similar example and suggestions for solutions in gliderlabs/docker-alpine#78 and https://github.com/blang/golang-alpine-docker
Sometime around 1.6, I believe, the `.stringData` field was added to the Secret spec, allowing non-base64-encoded data to be supplied to the apiserver. This is quite handy for managing updates to secrets without having to go through the whole decoding/encoding cycle.
Kubeseal already supports decoding base64 secrets, but outputs the raw strings to `.data`, which makes for invalid secrets; outputting that to `.stringData` would retain validity.
The README suggests that it would create a new file and encrypt it on save. However, the command fails with:
kubesec edit -if new-secret.yaml
Failed to base64-decode _
It would be great to have support for Azure Key Vault. Thx
@shyiko how can I resolve it?
$ kubesec
fatal error: runtime: bsdthread_register error
runtime stack:
runtime.throw(0x156bf2a, 0x21)
/home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/panic.go:605 +0x95 fp=0x7ff7bfeff110 sp=0x7ff7bfeff0f0 pc=0x1029ad5
runtime.goenvs()
/home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/os_darwin.go:108 +0x83 fp=0x7ff7bfeff140 sp=0x7ff7bfeff110 pc=0x1027373
runtime.schedinit()
/home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/proc.go:482 +0xa1 fp=0x7ff7bfeff180 sp=0x7ff7bfeff140 pc=0x102c481
runtime.rt0_go(0x7ff7bfeff1b0, 0x1, 0x7ff7bfeff1b0, 0x1000000, 0x1, 0x7ff7bfeff3c8, 0x0, 0x7ff7bfeff3d0, 0x7ff7bfeff3e2, 0x7ff7bfeff3f6, ...)
/home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/asm_amd64.s:175 +0x1eb fp=0x7ff7bfeff188 sp=0x7ff7bfeff180 pc=0x1053d4b
Connected issue #14
Passing `--batch --no-pinentry --passphrase="something"` (or prompting without) to gpg is useful when you are doing testing and validation locally and don't want to mess with your default keyring.
I'd like a --no-pinentry flag, or a --gpg-flags flag to pass things on to gpg under the hood.
Could you please include a copy of the MIT license along with the source code for this project? It would make the lives of people packaging and distributing it much easier.
It would be great to have support for GCP Service Account.
There is another program with a different purpose but the same name. Very unfortunate for me, who wants to use both. :(
Check this. kubesec.io