kubectl-passman

kubectl plugin that provides the missing link/glue between common password managers and kubectl

MIT License

kubectl user password manager glue

❗ An easy way to store your kubernetes credentials in a keychain or password manager

Does your ~/.kube/config look like this:

apiVersion: v1
kind: Config
users:
- name: my-prod-user
  user:
    token: <REAL TOKEN!>
- name: docker-desktop
  user:
    client-certificate-data: <REAL CERT!>
    client-key-data: <REAL PRIVATE KEY!>

😱 😱 😱 😱

Do you scold your parents 👨‍🏫/👩‍🏫 for maintaining a passwords.doc on their desktop? Then you need kubectl-passman!

Works with (more coming)

| Provider | Supports | Example command |
| --- | --- | --- |
| keychain | Mac OS Keychain, GNOME Keyring, Windows Credential Manager | kubectl passman keychain [item] [token] |
| 1password | 1password (requires 1password cli) | kubectl passman 1password [item] [token] |
| gopass | gopass | kubectl passman gopass [item] [token] |

Installation

# with krew (recommended)
kubectl krew install passman

# get a binary from https://github.com/chrisns/kubectl-passman/releases/latest
# place it in PATH and make sure it's called kubectl-passman

# use go to get the most recent
go install github.com/chrisns/kubectl-passman@latest

Usage

The credentials need to be JSON encoded, so a token should look something like:

{"token":"00000000-0000-0000-0000-000000000000"}

or for a key pair:

{
  "clientCertificateData":"-----BEGIN REAL CERTIFICATE-----\nMIIC9DCCA.......-----END CERTIFICATE-----",
  "clientKeyData":"-----BEGIN REAL RSA PRIVATE KEY-----\nMIIE......-----END REAL RSA PRIVATE KEY-----"
}

or for a key pair from your kube config:

{
  "client-certificate-data":"LS0tLS1CRU...LS0tCg==",
  "client-key-data":"LS0tLS1CRU...LS0tLS0K"
}

If they are already in your kube config, you could retrieve them with something like:

kubectl config view --raw -o json | jq '.users[] | select(.name=="kubectl-prod-user") | .user' -c

Write it to the password manager

kubectl passman keychain kubectl-prod-user '[token]'
# or
kubectl passman 1password kubectl-prod-user '[token]'

# so it should look like:
kubectl passman 1password kubectl-prod-user '{"token":"00000000-0000-0000-0000-000000000000"}'
# or
kubectl passman 1password kubectl-prod-user '{"client-certificate-data":"...BASE64_ENCODE...","client-key-data":"...BASE64_ENCODE..."}'

Then add it to the ~/.kube/config:

# first --exec-arg: keychain (or 1password)
# second --exec-arg: name of [item-name] you used when you wrote to the password manager
kubectl config set-credentials \
  kubectl-prod-user \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl-passman \
  --exec-arg=keychain \
  --exec-arg=kubectl-prod-user
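
Once the credentials live in the password manager, it is worth checking that no user entry still carries a secret inline. The script below is an added example, not part of kubectl-passman: it audits the JSON printed by `kubectl config view --raw -o json`, and the sample users (including `half-migrated`) are constructed with placeholder values.

```python
import json

# Kubeconfig user fields that hold secret material inline (standard kubeconfig keys).
SECRET_FIELDS = ("token", "password", "client-key-data")

# Constructed sample of `kubectl config view --raw -o json`; values are placeholders.
SAMPLE = json.dumps({
    "users": [
        {"name": "my-prod-user", "user": {"token": "PLACEHOLDER"}},
        {"name": "docker-desktop", "user": {
            "client-certificate-data": "PLACEHOLDER",
            "client-key-data": "PLACEHOLDER"}},
        {"name": "kubectl-prod-user", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "kubectl-passman",
            "args": ["keychain", "kubectl-prod-user"]}}},
        {"name": "half-migrated", "user": {
            "token": "PLACEHOLDER",
            "exec": {"command": "kubectl-passman",
                     "args": ["1password", "half-migrated"]}}},
    ]
})


def audit_kubeconfig(raw_json):
    """Return {user name: finding} for every user entry in the kubeconfig JSON."""
    findings = {}
    for entry in json.loads(raw_json).get("users") or []:
        user = entry.get("user") or {}
        inline = sorted(f for f in SECRET_FIELDS if user.get(f))
        exec_cfg = user.get("exec") or {}
        uses_passman = exec_cfg.get("command") == "kubectl-passman"
        findings[entry.get("name", "<unnamed>")] = {
            "inline_secrets": inline,
            "uses_passman": uses_passman,
            # Migrated only when the plugin supplies the credential and nothing is left inline.
            "migrated": uses_passman and not inline,
        }
    return findings


if __name__ == "__main__":
    import sys
    # Read real output from stdin when piped, otherwise use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, f in audit_kubeconfig(data).items():
        status = "OK" if f["migrated"] else "REVIEW"
        # Only field names are printed, never the secret values themselves.
        print(f"{status:6} {name}: inline={f['inline_secrets']} passman={f['uses_passman']}")
```

Saved under a name of your choosing (for example `audit.py`), it can be fed real data with `kubectl config view --raw -o json | python3 audit.py`.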

Build

go build

Note: kubectl-passman builds slightly differently on Darwin (Mac OS) than on other operating systems, because it uses the go-keychain library, which needs libraries that only exist on a Mac so that it can talk to the keychain natively. When compiling for other operating systems you'll get go-keyring instead, but I've abstracted the two so that the interactions are the same.

Contributing

I ❤️ contributions. It'd be great if you could add support for your favourite password manager, or work on something from the TODO or any open issues as a priority. Anything else that takes your fancy is great too, though it's best to raise an issue to discuss before investing time in it.