chrisns / kubectl-passman

kubectl plugin that provides the missing link/glue between common password managers and kubectl

License: MIT License

Go 100.00%
kubectl-plugin kubectl-plugins password-manager 1password 1password-cli keychain osx-keychain golang go kubernetes

kubectl-passman's Introduction

kubectl user password manager glue

❗ An easy way to store your kubernetes credentials in a keychain or password manager

Does your ~/.kube/config look like this:

apiVersion: v1
kind: Config
users:
- name: my-prod-user
  user:
    token: <REAL TOKEN!>
- name: docker-desktop
  user:
    client-certificate-data: <REAL CERT!>
    client-key-data: <REAL PRIVATE KEY!>

😱 😱 😱 😱

Do you scold your parents 👨‍🏫/👩‍🏫 for maintaining a passwords.doc on their desktop?

Then you need kubectl-passman!

Works with (more coming)

Provider    Supports                                                     Example command
keychain    Mac OS Keychain, GNOME Keyring, Windows Credential Manager   kubectl passman keychain [item] [token]
1password   1password (requires 1password cli)                           kubectl passman 1password [item] [token]
gopass      gopass                                                       kubectl passman gopass [item] [token]

Installation

# with krew (recommended)
kubectl krew install passman

# get a binary from https://github.com/chrisns/kubectl-passman/releases/latest
# place it in PATH and make sure it's called kubectl-passman

# use go to get the most recent
go install github.com/chrisns/kubectl-passman@latest

Usage

You need to JSON encode the credentials, so they should look something like:

{"token":"00000000-0000-0000-0000-000000000000"}

or for a key pair:

{
  "clientCertificateData":"-----BEGIN REAL CERTIFICATE-----\nMIIC9DCCA.......-----END CERTIFICATE-----",
  "clientKeyData":"-----BEGIN REAL RSA PRIVATE KEY-----\nMIIE......-----END REAL RSA PRIVATE KEY-----"
}

or for a key pair from your kube config:

{
  "client-certificate-data":"LS0tLS1CRU...LS0tCg==",
  "client-key-data":"LS0tLS1CRU...LS0tLS0K"
}

If they are already in your kube config, you could retrieve them with something like:

kubectl config view --raw -o json | jq '.users[] | select(.name=="kubectl-prod-user") | .user' -c

Write it to the password manager

kubectl passman keychain kubectl-prod-user '[token]'
# or
kubectl passman 1password kubectl-prod-user '[token]'

# so it should look like:
kubectl passman 1password kubectl-prod-user '{"token":"00000000-0000-0000-0000-000000000000"}'
# or
kubectl passman 1password kubectl-prod-user '{"client-certificate-data":"...BASE64_ENCODE...","client-key-data":"...BASE64_ENCODE..."}'

Then add it to the ~/.kube/config:

# use --exec-arg=1password instead of keychain if that is where you stored the item;
# the last --exec-arg is the [item-name] you used when you wrote to the password manager
kubectl config set-credentials \
  kubectl-prod-user \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl-passman \
  --exec-arg=keychain \
  --exec-arg=kubectl-prod-user
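
When kubectl runs the exec command configured above, it expects an ExecCredential JSON object on stdout. The following added example (not kubectl-passman's own code) converts each of the stored JSON shapes shown earlier into that object and rejects items that are not valid JSON; the type and function names are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const apiVersion = "client.authentication.k8s.io/v1beta1" // as passed to --exec-api-version

// stored covers the three JSON shapes the README shows for an item.
type stored struct {
	Token   string `json:"token"`
	CertPEM string `json:"clientCertificateData"`
	KeyPEM  string `json:"clientKeyData"`
	CertB64 string `json:"client-certificate-data"` // base64, as in kubeconfig
	KeyB64  string `json:"client-key-data"`
}

// execStatus models the "status" object kubectl reads from the plugin's stdout.
type execStatus struct {
	Token                 string `json:"token,omitempty"`
	ClientCertificateData string `json:"clientCertificateData,omitempty"`
	ClientKeyData         string `json:"clientKeyData,omitempty"`
}

// BuildExecCredential (hypothetical name) validates an item and renders the reply.
func BuildExecCredential(secret string) (string, error) {
	var s stored
	if err := json.Unmarshal([]byte(secret), &s); err != nil {
		return "", fmt.Errorf("item is not valid JSON (check shell quoting): %w", err)
	}
	st := execStatus{s.Token, s.CertPEM, s.KeyPEM}
	if s.CertB64 != "" || s.KeyB64 != "" { // kubeconfig form: decode to PEM
		cert, errC := base64.StdEncoding.DecodeString(s.CertB64)
		key, errK := base64.StdEncoding.DecodeString(s.KeyB64)
		if errC != nil || errK != nil {
			return "", fmt.Errorf("client-*-data fields must be base64")
		}
		st.ClientCertificateData, st.ClientKeyData = string(cert), string(key)
	}
	if st.Token == "" && (st.ClientCertificateData == "" || st.ClientKeyData == "") {
		return "", fmt.Errorf("need a token or a certificate and key pair")
	}
	out, err := json.Marshal(map[string]interface{}{"apiVersion": apiVersion, "kind": "ExecCredential", "status": st})
	return string(out), err
}

func main() { fmt.Println(BuildExecCredential(`{"token":"00000000-0000-0000-0000-000000000000"}`)) }
```

Running a stored item through a check like this before writing it to the password manager catches quoting mistakes at write time rather than at the next kubectl call.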

Build

go build

Note: kubectl-passman will build slightly differently on Darwin (Mac OS) than on other operating systems, because it uses the go-keychain library, which needs libraries that only exist on a Mac so that it can talk natively to the keychain. When compiling for other operating systems you'll get go-keyring instead, but I've abstracted it to make the interactions the same.

Contributing

I ❤️ contributions. It'd be great if you could add support for your favourite password manager, or work on something from the TODO or any open issues as a priority. Anything else that takes your fancy is great too, though it's best to raise an issue to discuss it before investing time in it.

kubectl-passman's People

Contributors

chrisns, dependabot-preview[bot], dependabot[bot], dnrce, nekowinston, renovate-bot, renovate[bot], sergelogvinov, the-repository-manager[bot], volatus, vovapi, xphyr

kubectl-passman's Issues

Is there a way to support DEX OIDC

I took a quick look at the code, and I'm probably not grokking something, because I don't see why you need to parse anything at all ;)

Anyway the typical dex oidc looks like

    auth-provider:
      config:
        client-id: k8s-dex-app
        client-secret: (redacted)
        id-token: (redacted)
        idp-issuer-url: https://k8s-central-pp-sf.otenv.com/dex
        refresh-token: (redacted)
      name: oidc

cli interface for creating secrets

cli interface for abstracting creating new credentials in your password manager e.g. kubectl passman keychain create [item name] --token=[my token]

Your .dependabot/config.yml contained invalid details

Dependabot encountered the following error when parsing your .dependabot/config.yml:

Automerging is not enabled for this account. You can enable it from the [account settings](https://app.dependabot.com/accounts/chrisns/settings) screen in your Dependabot dashboard.

Please update the config file to conform with Dependabot's specification using our docs and online validator.

kubectl-passman doesn't work with latest release of 1password cli

Thanks for this awesome tool. I am a user of 1password and tried the 1password support and found that it does not appear to work with the latest release of 1password. I am working on a PR on my fork (github.com/xphyr/kubectl-passman) and hope to create a PR for this soon. I wanted to mention it here in case other people run into this same problem.

It appears that the 1password storage template has changed, so I am making updates to fit within this new structure.

[krew] Distribute with license

👋 Hello, maintainer of the kubectl plugin manager krew here.

Thank you for your commitment to open source by making this plugin available via krew!

Krew wants to give credit where credit is due by installing the proper license file for the plugins it distributes. However, your plugin was found to not contain any license file. We wanted to remind you that if you're using a license such as Apache 2.0, you should be bundling your LICENSE file with your plugin’s distributions.

What do you have to do?

  • Please ensure your GitHub repository has a license file.
  • Make sure your archive file (.tar.gz or .zip) contains the license file.
  • Please submit a pull-request to krew-index and update the files: section to copy the file to the installation directory. Have a look at this PR for an example: https://github.com/kubernetes-sigs/krew-index/pull/314/files

If you need further assistance, don't hesitate to ask for help.

Dependabot can't resolve your Go dependency files

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

go: github.com/urfave/[email protected]: go.mod has post-v1 module path "github.com/urfave/cli/v2" at revision v1.22.5

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

Invalid character when creating new secret

When creating a new secret like so: kubectl passman keychain nexus "test" or kubectl passman keychain nexus "{"token":"00000000-0000-0000-0000-000000000000"}"

I get back either
invalid character 't' looking for beginning of value
invalid character 't' looking for beginning of object key string

Am I doing something wrong or am I just stupid?
