Connected issue #14

I use the latest version of kubesec but see this message when decrypting a secret that I encrypted previously on another machine:

kubesec decrypt secret-oxidixed-id-rsa.pub.yml
It appears that Secret was encrypted with newer version of kubesec.
Visit https://github.com/shyiko/kubesec for upgrade instructions.

I'm using the latest version though:

kubesec --version
0.9.2

I'm using AWS KMS. Any idea how to troubleshoot this?

Hi,

I'm trying kubesec on my Macbook, and I got this error :

`gpg` wasn't found (make sure it's available on the PATH)

But, it's strange, because gpg command work fine :

15:05:18 › which gpg
/usr/local/bin/gpg

15:05:20 › gpg
gpg: Go ahead and type your message ...
^C
gpg: Interrupt caught ... exiting

Thanks a lot, this tool look awesome.

I'd be nice if to support a .kubesec.yaml settings file where you can specify default keys that are to be used for new secret file just like https://github.com/mozilla/sops.

This is a question for better understanding:

When adding multiple PGP keys to a secret, it seems as if you can only decrypt the secret when also having the pubkey of the person who added your key:

I added a colleague key, however he wasnt able to decrypt until he imported my pubkey to his keyring.

This is the debug output

 kubesec patch foobar.yaml --debug
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint" 
Attempting to decrypt DEK with PGP key _HIS_KEY_ID_ 
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 -d --status-fd 3 -o /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590E /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590" 
gpg: encrypted with 4096-Bit RSA key, ID  _HIS_KEY_ID_ ,..
gpg: Signature made Thu Nov ..
gpg: using RSA key _MY_KEY_ID
gpg: signature verification failed: No public key
Unable to decrypt DEK with PGP key _HIS_KEY_ID_  (Signature is invalid or missing) 
Unable to decrypt Data Encryption Key (DEK) 

This behavior is rather unfavorable as every decrypter needs to retrieve and import all other pubkeys.

Hi,

I'm trying to create a secret on my Mac but i always get this error even though i've created my GPG key:

Primary PGP key wasn't found

Thanks.

@shyiko
how can I resolve it ?

$  kubesec
fatal error: runtime: bsdthread_register error
runtime stack:
runtime.throw(0x156bf2a, 0x21)
        /home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/panic.go:605 +0x95 fp=0x7ff7bfeff110 sp=0x7ff7bfeff0f0 pc=0x1029ad5
runtime.goenvs()
        /home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/os_darwin.go:108 +0x83 fp=0x7ff7bfeff140 sp=0x7ff7bfeff110 pc=0x1027373
runtime.schedinit()
        /home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/proc.go:482 +0xa1 fp=0x7ff7bfeff180 sp=0x7ff7bfeff140 pc=0x102c481
runtime.rt0_go(0x7ff7bfeff1b0, 0x1, 0x7ff7bfeff1b0, 0x1000000, 0x1, 0x7ff7bfeff3c8, 0x0, 0x7ff7bfeff3d0, 0x7ff7bfeff3e2, 0x7ff7bfeff3f6, ...)
        /home/shyiko/Development/golang/go1.9.1.linux-amd64/src/runtime/asm_amd64.s:175 +0x1eb fp=0x7ff7bfeff188 sp=0x7ff7bfeff180 pc=0x1053d4b

Sometime around 1.6, I believe, the .stringData field was added to the Secret spec, allowing non-b64-encoded data to be supplied to the apiserver. This is quite handy for managing updates with secrets without having to go through the whole decoding/encoding cycle.

Kubeseal already supports decoding base64 secrets, but outputs the raw strings to .data, which makes for invalid secrets; outputting that to .stringData would retain validity.

The README suggests that it would create a new file and encrypt it on save. However the command fails with

kubesec edit -if new-secret.yaml
Failed to base64-decode _

It would be great to have support for Azure Key Vault. Thx

If there is/are space(s) just before a line feed in file, encrypted data will be messed.
When you open the encrypted file with kubesec edit, you will see encoded line feeds like \n.
I'm using 0.9.2 with Google Cloud KMS.

Passing --batch --no-pinentry --passphrase="something" (or prompt without) to gpg is useful when you are doing testing and validation locally and don't want to mess with your default keyring.

I'd like a --no-pinentry flag that or a --gpg-flags flag to pass things on to gpg under the hood

Hi,

I'm working to use this great tools from within GItlab CI with GPG Key. I follow the documentation link in the readme about GitHub Help - Generating a new GPG key.

But, if I follow it correctly, I have the following results:

gpg --list-secret-key
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096 2019-08-13 [SC]
      ABE7E706C03B05B9E65AB3C9BCFF30F7C2D1589E
uid           [ultimate] gitlab-ci <[email protected]>
ssb   rsa4096 2019-08-13 [E]

If I try to use kubesec, I have the following result:

kubesec encrypt secret.yml --debug
Executing sh -c "/usr/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint"
Unable to decrypt Data Encryption Key (DEK)

Following your comment in the issue #20 (link), I think the Github documentation isn't enough.

Could you provide a simple example to generate both keys, please?

Like kubectl, helm etc

I'm trying to use kubesec on windows (version 0.9.2), and getting the following error:

`gpg` wasn't found (make sure it's available on the PATH)

However the gpg is already on path and gpg command works fine.

Hi,

It could be simpler to use to be able to run kubesec commands on multi "stream" yaml, even if doesn't contain only secrets.

For example, the file all.yaml:

apiVersion: v1
data:
  application.yaml: |2

    podcastserver:
      rootfolder: /podcasts
      concurrent-download: 40
      max-update-parallels: 256
      number-of-day-to-download: 30
      number-of-day-to-save-cover: 30

    spring:
      datasource.url: jdbc:h2:tcp://database:1521/podcast-server
      jpa.hibernate.ddl-auto: none
kind: ConfigMap
metadata:
  name: podcast-server-d989t5tgb4
  namespace: podcast-server
---
apiVersion: v1
data:
  api.youtube: ofajoeaijeoijeaoaeijeofiajaef
kind: Secret
metadata:
  name: podcast-server-b5cddm29mt
  namespace: podcast-server
type: Opaque

I would like to be able to run something like this :

$ cat all.yaml | kubesec -d - | kubectl apply -f -

But, right now, I have the following result:

I use kubesec to encrypt kubernetes secrets. I update the secrets using
kubesec encrypt --in-place --key=... --key... --key....
I expect kubesec to encrypt to the specified keys only. Otherwise I would use the + option.
What really happens is that kubesec does not remove the keys that are not specified.

It would be great to have support for GCP Service Account.

After some (laborious) investigation, I conclude I can't use this very good plugin with a tool like kustomize because the standard generator doesn't allow to add some extra "comments" required by kubesec.

I can choose to not use the secret-generator from kustomize, but I lose auto rolling of deployment attached to a secret and the capacity to have immutable secrets in K8S.

Do you think an integration inside kustomize with an extension of the current secretGenerator (https://github.com/kubernetes-sigs/kustomize/tree/master/plugin/builtin/secretgenerator) or something else is possible? Would be great to have access to this 👍.

Thanks

/cc @Neonox31

Problem

Trying to run kubesec in alpine linux results in:

bash-4.4# ./kubesec
bash: ./kubesec: No such file or directory

How to reproduce

$ docker build -t kubesec_bug https://gist.githubusercontent.com/neerfri/08b3f87a6ad9f5bdb9bf771616175407/raw/e8b8d578122f499bfbb63a8c49811d25b159e64b/Dockerfile
$ docker run --rm -it kubesec_bug /bin/sh -c '/root/kubesec'
$ docker run --rm -it kubesec_bug /bin/sh -c 'ldd /root/kubesec'

Notes

I believe the reason is that it's dynamically linked against libraries (glibc) that don't exist in alpine (by default).
You can see a similar example and suggestions for solutions in:
gliderlabs/docker-alpine#78
and https://github.com/blang/golang-alpine-docker

Minor bug, ksec --version doesnt display any version for me.

0.9.2 is installed

While I know that this is debatable, I have some scenarios where I would not like the file to physically change every time I encrypt it.

As example, if I run kubesec encrypt myfile, twice the output is not the same and I would like to have it to be the same.

The use case for this is something similar as git-crypt, where the encryption is deterministic (which is required so git can distinguish when a file has and hasn't changed).

Thanks

There is another program with different purpose but same name. Very unfortunate for me who want to use both. :(
Check this. kubesec.io

It would be great to have support for IBM Cloud Key Protect. Thx

Key Protect - IBM Cloud : https://cloud.ibm.com/catalog/services/key-protect

Hello. I have several gcloud instances for different purposes and I would like to avoid application-default login and use a local gcloud instance (which is supposed to be logged in) with kubesec. Is is possible somehow?

e.g. gcloud auth application-default login or GOOGLE_APPLICATION_CREDENTIALS=/path/to/credentials.json might be needed in case of Google Cloud KMS backend.

Could you please include a copy of the MIT license along with the source code for this project? It would make the lives of people packaging and distributing it much easier.