.local/bin/kubectl-secret


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

#!/usr/bin/env python3

# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.

import argparse
import base64
import sys

import ruamel.yaml
import ruamel.yaml.scalarstring

def main():
    argparser = argparse.ArgumentParser(description="Encode or decode Kubernetes Secrets.")
    argparser.add_argument("mode", help="Mode of operation, either encode or decode.", choices=["encode", "decode"])
    argparser.add_argument("path", help="Path to the file to operate on. If set to -, STDIN will be used instead.", default="-", nargs="?")

    args = argparser.parse_args()
    yaml = ruamel.yaml.YAML()

    # Deduce whether to read from STDIN or open a file handle to a given path
    if args.path == "-":
        buffer = sys.stdin
    else:
        buffer = open(args.path)

    # Load the manifest
    manifest = yaml.load(buffer.read())

    # Handle any known potential issues
    if not "kind" in manifest:
        print("No kind in manifest", file=sys.stderr)
        return 3

    if manifest["kind"] != "Secret":
        print("Not a secret", file=sys.stderr)
        return 4

    if not "data" in manifest:
        manifest["data"] = {}

    # Call appropriate function with the manifest
    manifest = globals()["secret_" + args.mode](manifest)

    # Write the processed manifest back as yaml
    yaml.dump(manifest, sys.stdout)

    return 0

def secret_decode(manifest):
    for key in manifest["data"].keys():
        # Decode the data
        manifest["data"][key] = base64.b64decode(manifest["data"][key]).decode("utf-8")

        # Turn this element into a block quoted string if there are newlines
        if "\n" in manifest["data"][key]:
            manifest["data"][key] = ruamel.yaml.scalarstring.LiteralScalarString(manifest["data"][key])

    return manifest

def secret_encode(manifest):
    for key in manifest["data"].keys():
        # Encode the data
        manifest["data"][key] = base64.b64encode(str(manifest["data"][key]).encode("utf-8")).decode("utf-8")

    return manifest

if __name__ == '__main__':
    sys.exit(main())