Decoding Kubernetes secret
DockerKubernetesDocker Problem Overview
I inherited a Kubernetes/Docker setup, and I accidentally crashed the pod by changing something relating to the DB password.
I am trying to troubleshoot this.
I don't have much Kubernetes or Docker experience, so I'm still learning how to do things.
The value is contained inside the db-user-pass credential I believe, which is an Opaque type secret.
I'm describing it:
kubectl describe secrets/db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 16 bytes
username: 13 bytes
but I have no clue how to get any data from this secret. The example on the Kubernetes site seems to assume I'll have a base64 encoded string, but I can't even seem to get that. How do I get the value for this?
Docker Solutions
Solution 1 - Docker
You can use kubectl get secrets/db-user-pass -o yaml
or -o json
where you'll see the base64-encoded username
and password
. You can then copy the value and decode it with something like echo <ENCODED_VALUE> | base64 -D
(Mac OS X).
A more compact one-liner for this:
kubectl get secrets/db-user-pass --template={{.data.password}} | base64 -D
and likewise for the username:
kubectl get secrets/db-user-pass --template={{.data.username}} | base64 -D
Note: on GNU/Linux, the base64 flag is -d
, not -D
.
Solution 2 - Docker
I would suggest using this handy command. It utilizes a power of go-templates. It iterates over all values, decodes them, and prints them along with the key. It also handles not set values.
kubectl get secret name-of-secret -o go-template='
{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
## In your case it would output
# password: decoded_password
# username: decoded_username
If you don't like go-templates you can use different output formats e.g. yaml
or json
, but that will output secrets encoded by base64.
Solution 3 - Docker
If you have jq (json query) this works:
kubectl get secret db-user-pass -o json | jq '.data | map_values(@base64d)'
NOTE:
db-user-pass
is the name of the k8s secret.data
is the variable within that contains the secret value
Solution 4 - Docker
If your secret keys contain dash (-
) or dot (.
):
kubectl get secret db-user-pass -o=go-template='{{index .data "password"}}' | base64 -d
Solution 5 - Docker
This should work on all platforms, with kubectl 1.11+
kubectl get secrets/db-user-pass --template='{{.data.password | base64decode}}'
And if you want to get all keys, values
kubectl get secrets/db-user-pass --template='{{ range $key, $value := .data }}{{ printf "%s: %s\n" $key ($value | base64decode) }}{{ end }}'
Solution 6 - Docker
First, get the secret from the etcd by querying the api server using kubectl.
kubectl get secret db-user-pass -o yaml
This will give you the base64 encoded secret in yaml format.
Once you have the yaml file decode them using
> "base64 --decode"
Final command will look like this:
Don't forget the -n
flag in echo command
echo -n "jdddjdkkdkdmdl" | base64 --decode
Solution 7 - Docker
This is the link you might be looking for.
Kubernetes secrets need the secrets to be given in base64 encoded format, which can be created using base64 binary in case of linux distributions.
Example:
echo "hello" | base64
aGVsbG8K
Kubernetes decodes the base64 encoding when we pass the secret key as environment variable or mounted as volume.
Solution 8 - Docker
This jsonpath variation works for me on OSX.
kubectl get secrets/db-user-pass -o jsonpath="{.data.username}" | base64 -d
To get secret with dot in the name.
kubectl get secrets/tls -o jsonpath="{.data['tls\.crt']}" | base64 -d
Solution 9 - Docker
For easier decoding you can use a tool like ksd that will do the base64 decoding for you
kubectl get secrets/db-user-pass -o yaml | ksd
or using https://github.com/elsesiy/kubectl-view-secret
kubectl view-secret secrets/db-user-pass
Solution 10 - Docker
on ubuntu 18+
kubectl get secrets/db-user-pass --template={{.data.password}} | base64 -d
Solution 11 - Docker
Kubernetes 1.11+
kubectl get secrets/db-user-pass --template='{{.data.password | base64decode }}'
Solution 12 - Docker
This one liner is used to get an encoded kubeconfig file from a secret, and generate a file from it to be used dynamically on a ci job for example:
kubectl get secret YOUR_SECRET -o json | grep -oP '(?<=\"YOUR_SECRET_KEY\": \")[^\"]*' | base64 --decode > ./YOUR_KUBECONFIG_FILE_NAME
Solution 13 - Docker
Extending @Břetislav Hájek solution (thank you very much for that).
If you need to get it by a label, then you'll need to add an extra range
command to iterate over the returned items.
$ LABEL_FILTER="app.kubernetes.io/name=mysql-chart"
$ kubectl get secret -l "$LABEL_FILTER" -o go-template='
{{range $i := .items}}{{range $k,$v := $i.data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}{{end}}'
mysql_password: ...
mysql_root_password: ...
mysql_user: ...
Solution 14 - Docker
With bash. This is running ubuntu 18.04, and Kubernetes 1.18.5
kubectl -n metallb-system get secrets memberlist -o json | grep secretkey | grep -v f:s | awk -F '"' '{print$4}' |base64 --decode; echo
Solution 15 - Docker
Minimal nodejs CLI tool (github)
npm i -g kusd
kubectl get secret your-secret -o yaml | kusd
Solution 16 - Docker
This would help if you have yaml file for k8s secrets. You can use this intellij plugin to decode all base64 encoded values in a yaml file. https://plugins.jetbrains.com/plugin/19099-yaml-base64-decoder