-
Notifications
You must be signed in to change notification settings - Fork 4
/
k8_encrypt_secret.sh
34 lines (27 loc) · 1.31 KB
/
k8_encrypt_secret.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#!/bin/bash
# Script that encodes k8s secrets with base64.
# Might have many bugs!!!
# Unencoded file to read secrets from
IN_FILE=${1:-k8_secret.yaml}
if [ ! -f $IN_FILE ]; then
echo "File $IN_FILE not found"
fi
# File to write output to
OUT_FILE=${2:-k8_secret_encrypted.yaml}
if [ ! -f $OUT_FILE ]; then
echo "File $OUT_FILE not found"
fi
# Do not split with spaces in for loop
IFS=$'\n'
# Copy input file to output, so that we can start replacing it in-place.
cp "$IN_FILE" "$OUT_FILE"
# Use awk to get the secrets out of k8_secret, found under the "data" section in the yaml.
for i in $(awk '/^[^ ]/{ f=/^data:/; next } f{ if (match($0, /^\s+[a-zA-Z0-9_]+\s*:.+/)) { print $0 }}' $OUT_FILE); do
# For each line containing a secret, encode its value in the OUT_FILE in place.
# Set base64's wrap to zero to have it all in one line.
# Use commas in the sed regexp, as we may have '/' in the values (e.g. CMSWEB_FRONTEND_PROXY_URL).
# Leading spaces are not preserved in the replacement string, so we're adding them manually.
i_escaped=$(echo $i | awk '{ gsub(/\\/, "\\\\"); gsub(/\^/, "\\^"); gsub(/\(/, "\\("); gsub(/\//, "\\/"); printf $0 }')
sed_expr="s,^$i_escaped$, $(echo $i | awk '{print $1}') $(echo $i | awk '{printf $2}' | base64 --wrap 0),g"
sed -E "$sed_expr" -i "$OUT_FILE"
done