Decoding Kubernetes secret

I inherited a Kubernetes/Docker setup, and I accidentally crashed the pod by changing something relating to the DB password.

I am trying to troubleshoot this.

I don't have much Kubernetes or Docker experience, so I'm still learning how to do things.

The value is contained inside the db-user-pass credential I believe, which is an Opaque type secret.

I'm describing it:

kubectl describe secrets/db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  16 bytes
username:  13 bytes

but I have no clue how to get any data from this secret. The example on the Kubernetes site seems to assume I'll have a base64 encoded string, but I can't even seem to get that. How do I get the value for this?


Solution 1:

You can use kubectl get secrets/db-user-pass -o yaml or -o json where you'll see the base64-encoded username and password. You can then copy the value and decode it with something like echo <ENCODED_VALUE> | base64 -D (Mac OS X).

A more compact one-liner for this:

kubectl get secrets/db-user-pass --template={{.data.password}} | base64 -D

and likewise for the username:

kubectl get secrets/db-user-pass --template={{.data.username}} | base64 -D

Note: on GNU/Linux, the base64 flag is -d, not -D.

Solution 2:

I would suggest using this handy command. It utilizes the power of go-templates. It iterates over all values, decodes them, and prints them along with the key. It also handles values that are not set.

kubectl get secret name-of-secret -o go-template='
{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'

## In your case it would output
# password: decoded_password
# username: decoded_username

If you don't like go-templates you can use different output formats e.g. yaml or json, but that will output secrets encoded by base64.

Solution 3:

If you have jq (json query) this works:

kubectl get secret db-user-pass -o json | jq '.data | map_values(@base64d)'

NOTE:

  • db-user-pass is the name of the k8s secret
  • .data is the variable within that contains the secret value

Solution 4:

If your secret keys contain a dash (-) or a dot (.):

kubectl get secret db-user-pass -o=go-template='{{index .data "password"}}' | base64 -d

Solution 5:

First, get the secret from the etcd by querying the api server using kubectl.

kubectl get secret db-user-pass -o yaml 

This will give you the base64 encoded secret in yaml format.

Once you have the YAML file, decode the values using

"base64 --decode"

The final command will look like this (don't forget the -n flag in the echo command):

echo -n "jdddjdkkdkdmdl" | base64 --decode
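
The following is an added example, not code from any of the answers above: a small Python script that decodes every key of a secret from `kubectl get secret db-user-pass -o json` and prints the byte count next to each value, so it can be compared with the `kubectl describe` output in the question. The sample manifest, its values and the extra `db-host` key are constructed for illustration.

```python
import base64
import json
import sys


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample shaped like `kubectl get secret db-user-pass -o json`.
# Values are made up; lengths match the describe output (16 and 13 bytes).
# "db-host" is an extra, empty key added to exercise the unset-value case.
SAMPLE = {
    "kind": "Secret",
    "type": "Opaque",
    "data": {
        "password": _b64(b"correct-horse-1\n"),
        "username": _b64(b"app_db_user01"),
        "db-host": "",
    },
}


def decode_secret(manifest: dict) -> dict:
    """Return {key: raw bytes} for every entry under .data."""
    data = manifest.get("data") or {}
    return {k: base64.b64decode(v or "", validate=True) for k, v in data.items()}


def report(key: str, raw: bytes) -> str:
    """Key, byte count (comparable to `kubectl describe`), value, warnings."""
    try:
        text = raw.decode("utf-8")
        shown = repr(text)
        warn = "  <-- leading/trailing whitespace" if text != text.strip() else ""
    except UnicodeDecodeError:
        shown, warn = "0x" + raw.hex(), "  <-- binary, not UTF-8"
    return f"{key}: {len(raw)} bytes  {shown}{warn}"


if __name__ == "__main__":
    # Pipe `kubectl get secret <name> -o json` in, or run with no input for the sample.
    manifest = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for key, raw in sorted(decode_secret(manifest).items()):
        print(report(key, raw))
```

Because values are shown with `repr`, a trailing newline stored in the secret is visible as `\n` instead of disappearing in the terminal. The output contains the plaintext credentials, so keep it out of shared logs and terminal recordings.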