Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Decoding Kubernetes secret

I inherited a Kubernetes/Docker setup, and I accidentally crashed the pod by changing something relating to the DB password.

I am trying to troubleshoot this.

I don't have much Kubernetes or Docker experience, so I'm still learning how to do things.

The value is contained inside the db-user-pass credential I believe, which is an Opaque type secret.

I'm describing it:

kubectl describe secrets/db-user-pass Name:         db-user-pass Namespace:    default Labels:       <none> Annotations:  <none>  Type:  Opaque  Data ==== password:  16 bytes username:  13 bytes 

but I have no clue how to get any data from this secret. The example on the Kubernetes site seems to assume I'll have a base64 encoded string, but I can't even seem to get that. How do I get the value for this?

like image 291
Steven Matthews Avatar asked Jul 05 '19 20:07

Steven Matthews


People also ask

How do I get Kubernetes secret value?

If you want to access data from a Secret in a Pod, one way to do that is to have Kubernetes make the value of that Secret be available as a file inside the filesystem of one or more of the Pod's containers. To configure that, you: Create a secret or use an existing one. Multiple Pods can reference the same secret.

Are Kubernetes secrets encoded?

Kubernetes encodes the Secret data in base64 format. When you need to reveal a Secret text, you must base64-decode it. To enable containers to access Secrets, you have the option to mount the Secret as a volume.

Are Kubernetes secrets base64 encoded?

Kubernetes stores secrets as base64 encoded strings and encrypts the data on disk. In order to save a secret in Kubernetes it must be converted to a base64 string.


1 Answers

You can use kubectl get secrets/db-user-pass -o yaml or -o json where you'll see the base64-encoded username and password. You can then copy the value and decode it with something like echo <ENCODED_VALUE> | base64 -D (Mac OS X).

A more compact one-liner for this:

kubectl get secrets/db-user-pass --template={{.data.password}} | base64 -D 

and likewise for the username:

kubectl get secrets/db-user-pass --template={{.data.username}} | base64 -D 

Note: on GNU/Linux, the base64 flag is -d, not -D.

like image 58
Amit Kumar Gupta Avatar answered Oct 02 '22 17:10

Amit Kumar Gupta