From c37d0d9b9eaaad85853049be4b931769fbc9f7fd Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 9 Feb 2025 20:24:13 -0500
Subject: [PATCH] Add decrypt k8s secret script.
---
 nix/configuration/roles/kubernetes/default.nix | 16 ++++++++++++++++
 .../kubernetes/files/decrypt_k8s_secret.bash | 7 +++++++
 2 files changed, 23 insertions(+)
 create mode 100644 nix/configuration/roles/kubernetes/files/decrypt_k8s_secret.bash
diff --git a/nix/configuration/roles/kubernetes/default.nix b/nix/configuration/roles/kubernetes/default.nix
index 711f41e..e19b660 100644
--- a/nix/configuration/roles/kubernetes/default.nix
+++ b/nix/configuration/roles/kubernetes/default.nix
@@ -28,6 +28,21 @@ let
 alias_klog = pkgs.writeShellScriptBin "klog" ''
 exec ${pkgs.kubectl}/bin/kubectl logs --all-containers "$@"
 '';
+ decrypt_k8s_secret =
+ (pkgs.writeScriptBin "decrypt_k8s_secret" (builtins.readFile ./files/decrypt_k8s_secret.bash))
+ .overrideAttrs
+ (old: {
+ buildCommand = "${old.buildCommand}\n patchShebangs $out";
+ buildInputs = [ pkgs.makeWrapper ];
+ postBuild = ''
+ wrapProgram $out/bin/decrypt_k8s_secret --prefix PATH : ${
+ lib.makeBinPath [
+ pkgs.kubectl
+ pkgs.jq
+ ]
+ }
+ '';
+ });
 in
 {
 imports = [ ];
@@ -55,6 +70,7 @@ in
 alias_kdel
 alias_kd
 alias_klog
+ decrypt_k8s_secret
 ];
 environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
diff --git a/nix/configuration/roles/kubernetes/files/decrypt_k8s_secret.bash b/nix/configuration/roles/kubernetes/files/decrypt_k8s_secret.bash
new file mode 100644
index 0000000..6f4ee87
--- /dev/null
+++ b/nix/configuration/roles/kubernetes/files/decrypt_k8s_secret.bash
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+kubectl get secret -o json "${@}" | jq '.data[] |= @base64d | .data'
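Review bot: The `postBuild` attribute added inside the `overrideAttrs` call may never execute: `writeScriptBin` builds through `buildCommand`, and as far as I know a derivation with `buildCommand` set skips the normal phases and their hooks, so `wrapProgram` would not run and the script would pick up `kubectl` and `jq` from the caller's ambient `PATH`. For a tool that handles Secret contents it is worth pinning those binaries; appending the call to the command that does run, e.g. `buildCommand = "${old.buildCommand}\n patchShebangs $out\n wrapProgram $out/bin/decrypt_k8s_secret --prefix PATH : ${lib.makeBinPath [ pkgs.kubectl pkgs.jq ]}";`, would do it, and `makeWrapper` conventionally goes in `nativeBuildInputs` rather than `buildInputs`. Checking whether `$out/bin/.decrypt_k8s_secret-wrapped` exists after a build would confirm either way.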
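Review bot: The jq filter `.data[] |= @base64d` on the last line looks like it errors out whenever `.data` is missing, which is the case for a Secret with no `data` field and also when `kubectl get secret` is given zero or several names and returns a `List` whose payload sits under `.items`. Something like `jq '(.items[]? // .) | (.data // {}) | map_values(@base64d)'` would handle both shapes. The bare `#` line is a natural place for a header comment stating that the script base64-decodes (Kubernetes Secret data is encoded, not encrypted) and prints plaintext secret values to stdout, so its output should be kept out of logs and shared terminals. `DIR` is assigned but never used and can be dropped.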