kubectl-passman

kubectl plugin that provides the missing link/glue between common password managers and kubectl

Primary language: Go. License: MIT.

kubectl user password manager glue

An easy way to store your kubernetes credentials in a keychain or password manager

Does your ~/.kube/config look like this:

apiVersion: v1
kind: Config
users:
- name: my-prod-user
  user:
    token: <REAL TOKEN!>
- name: docker-desktop
  user:
    client-certificate-data: <REAL CERT!>
    client-key-data: <REAL PRIVATE KEY!>

😱 😱 😱 😱

Do you scold your parents 👨‍🏫/👩‍🏫 for maintaining a passwords.doc on their desktop?

Then you need kubectl-passman!

Works with (more coming)

| Provider | Supports | Example command |
|---|---|---|
| keychain | Mac OS Keychain, GNOME Keyring, Windows Credential Manager | kubectl passman keychain [item] [token] |
| 1password | 1password (requires 1password cli) | kubectl passman 1password [item] [token] |
| gopass | gopass | kubectl passman gopass [item] [token] |

Installation

# with krew (recommended)
kubectl krew install passman

# get a binary from https://github.com/chrisns/kubectl-passman/releases/latest
# place it in PATH and make sure it's called kubectl-passman

# use go to get the most recent
go install github.com/chrisns/kubectl-passman@latest

Usage

You need to JSON-encode the credentials, so they should look something like:

{"token":"00000000-0000-0000-0000-000000000000"}

or for a key pair:

{
  "clientCertificateData":"-----BEGIN REAL CERTIFICATE-----\nMIIC9DCCA.......-----END CERTIFICATE-----",
  "clientKeyData":"-----BEGIN REAL RSA PRIVATE KEY-----\nMIIE......-----END REAL RSA PRIVATE KEY-----"
}

or for a key pair from your kube config:

{
  "client-certificate-data":"LS0tLS1CRU...LS0tCg==",
  "client-key-data":"LS0tLS1CRU...LS0tLS0K"
}

If they are already in your kube config, you could retrieve them with something like:

kubectl config view --raw -o json | jq '.users[] | select(.name=="kubectl-prod-user") | .user' -c

Write it to the password manager

kubectl passman keychain kubectl-prod-user '[token]'
# or
kubectl passman 1password kubectl-prod-user '[token]'

# so it should look like:
kubectl passman 1password kubectl-prod-user '{"token":"00000000-0000-0000-0000-000000000000"}'
# or
kubectl passman 1password kubectl-prod-user '{"client-certificate-data":"...BASE64_ENCODE...","client-key-data":"...BASE64_ENCODE..."}'

Then add it to the ~/.kube/config:

# --exec-arg values: the provider (keychain or 1password), then the name of the
# [item-name] you used when you wrote to the password manager
kubectl config set-credentials \
  kubectl-prod-user \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl-passman \
  --exec-arg=keychain \
  --exec-arg=kubectl-prod-user
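
A check to run once the exec plugin is wired up, added here as an example and not part of kubectl-passman: it reads the output of `kubectl config view --raw -o json` and reports which users still keep a secret inline in the file. The `Finding` type, the `Audit` function and the sample entries (including the user name `half-migrated`) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Secret-bearing fields of a kubeconfig user entry (the certificate itself is public).
var secretFields = []string{"token", "client-key-data", "password"}

type Finding struct {
	User     string
	Inline   []string // secret fields still stored in the file
	UsesExec bool     // an exec credential plugin is configured
}

// Audit parses the JSON printed by `kubectl config view --raw -o json`.
func Audit(raw []byte) ([]Finding, error) {
	var cfg struct {
		Users []struct {
			Name string                     `json:"name"`
			User map[string]json.RawMessage `json:"user"`
		} `json:"users"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse kubeconfig: %w", err)
	}
	var out []Finding
	for _, u := range cfg.Users {
		f := Finding{User: u.Name}
		for _, k := range secretFields {
			if v, ok := u.User[k]; ok && string(v) != `""` && string(v) != "null" {
				f.Inline = append(f.Inline, k)
			}
		}
		_, f.UsesExec = u.User["exec"]
		out = append(out, f)
	}
	return out, nil
}

// Sample is constructed for this example; every value is a placeholder.
const Sample = `{"users":[
 {"name":"my-prod-user","user":{"token":"placeholder"}},
 {"name":"half-migrated","user":{"token":"placeholder","exec":{"command":"kubectl-passman","args":["keychain","half-migrated"]}}},
 {"name":"kubectl-prod-user","user":{"exec":{"command":"kubectl-passman","args":["keychain","kubectl-prod-user"]}}}
]}`

func main() {
	fmt.Println(Audit([]byte(Sample)))
}
```

Any user reported with a non-empty `Inline` list still has a credential on disk, even when `UsesExec` is true.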

Build

go build

Note: kubectl-passman builds slightly differently on Darwin (Mac OS) than on other operating systems. On a Mac it uses the go-keychain library, which needs libraries that only exist there, so that it can talk to the keychain natively. When compiling for other operating systems you'll get go-keyring instead, but I've abstracted the two so the interactions are the same.

Contributing

I ❤️ contributions. It'd be great if you could add support for your favourite password manager, or work on something from the TODO or any open issues as a priority. Anything else that takes your fancy is great too, though it's best to raise an issue to discuss it before investing time in it.