A Regional Engineer's Study Diary

A blog of rough notes on technologies I'm interested in. Occasionally a diary entry or a gadget introduction.

[k8s] Encrypting Secrets with kubesec

An article in which I try out kubesec, a tool that can be used for managing Secrets.


Overview / Installation


brew install shyiko/kubesec/kubesec
brew install shyiko/kubesec/kubesec --with-short-name # install as "ksec"

Trying it out

Generate the source data. Base64-encode hello and password and prepare a Secret manifest from them.

echo -n "hello" | base64
aGVsbG8=

echo -n "password" | base64
cGFzc3dvcmQ=

LANG=C gpg --gen-key
gpg (GnuPG) 2.2.26; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: wat
Name must be at least 5 characters long
Real name: watanabe
Email address: ryucrosskey@gmail.com
You selected this USER-ID:
    "watanabe <ryucrosskey@gmail.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /Users/ryuichi/.gnupg/trustdb.gpg: trustdb created
gpg: key 03C1DC1D02CE3215 marked as ultimately trusted
gpg: directory '/Users/ryuichi/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/Users/ryuichi/.gnupg/openpgp-revocs.d/A438A25678C3CD138A95E82A03C1DC1D02CE3215.rev'
public and secret key created and signed.

pub   rsa3072 2021-01-02 [SC] [expires: 2023-01-02]
      A438A25678C3CD138A95E82A03C1DC1D02CE3215
uid                      watanabe <ryucrosskey@gmail.com>
sub   rsa3072 2021-01-02 [E] [expires: 2023-01-02]

Encryption

apiVersion: v1
data:
  password: il/3cLrKjpIlvorFLoDFGoVea+qZDf2qt/baerrAwCNDF7gX7vEtbbMShGPOj4ED.xGeuyVHG0jCBZYP/.EeFQnNb4HZYC3c9OXlizuA==
  username: kVuw9IOqqDIg/mOQJyCJG2zkvfu9GI6YfgSQirBOA10M+273km7dL1Hxd5dztgEq.R7mn4AGup5onLW6U.cwKeSC7llCbgRHz7+Y9BVg==
kind: Secret
metadata:
  name: mysecret
type: Opaque
# kubesec:v:3
# kubesec:pgp:A438A25678C3CD138A95E82A03C1DC1D02CE3215:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tCgpoUUdNQTdwWDJEd2FGWmc3QVF2K0wvRDJrL2QzdDAzW(omitted)=
# kubesec:mac:3mQIkIUj3aXVrPRn.StJvMN8WO0TPo/nD+n5Rdw==
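The post shows the encrypted result but not the steps around it, so here is an added example that is not code from the post or from the kubesec project. It builds the plaintext Secret manifest the same way as the echo/base64 commands above, parses the kubesec trailer (the `kubesec:v`, `kubesec:pgp` and `kubesec:mac` comment lines, which carry the format version, the data encryption key wrapped to the PGP key named by its fingerprint, and a MAC over the file), and runs a pre-commit style check that a manifest is encrypted for the expected key and no longer contains the base64 of a known value. The helper functions `b64`, `make_secret_manifest`, `kubesec_trailer`, `assert_encrypted`, `write_sample_encrypted` and `kubesec_roundtrip` are my names; the sample encrypted file is the post's output with the PGP blob truncated; the round-trip step assumes `kubesec` and `gpg` are on PATH, that `kubesec encrypt --key=pgp:<fingerprint>` and `kubesec decrypt` behave as in the project's README, and that a hypothetical `KUBESEC_PGP_FPR` environment variable holds the recipient fingerprint (the post's is A438A25678C3CD138A95E82A03C1DC1D02CE3215).

```shell
#!/bin/sh
# Added example: build, check and round-trip a kubesec-encrypted Secret.
# Assumes kubesec/gpg on PATH only for kubesec_roundtrip; the other functions
# need just sed, grep and base64. KUBESEC_PGP_FPR is a hypothetical variable.
set -eu

# Base64-encode one value exactly as `echo -n "$v" | base64` does; strip the
# line wrapping GNU base64 adds for long inputs.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit a plaintext Secret manifest. Usage: make_secret_manifest NAME key=value ...
make_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# Print "<version> <pgp fingerprint(s)>" from a manifest's kubesec trailer;
# return 1 when the trailer is absent, i.e. the file is not kubesec-encrypted.
kubesec_trailer() {
  file=$1
  v=$(sed -n 's/^# kubesec:v:\([0-9]*\)$/\1/p' "$file")
  fpr=$(sed -n 's/^# kubesec:pgp:\([0-9A-Fa-f]*\):.*$/\1/p' "$file")
  mac=$(sed -n 's/^# kubesec:mac:\(.*\)$/\1/p' "$file")
  [ -n "$v" ] && [ -n "$fpr" ] && [ -n "$mac" ] || return 1
  printf '%s %s\n' "$v" "$fpr"
}

# Pre-commit style check: the file must carry a kubesec trailer for the expected
# key and must not contain the base64 of any value given as an argument.
# Usage: assert_encrypted FILE FINGERPRINT value...
assert_encrypted() {
  file=$1; expected=$2; shift 2
  grep -q '^# kubesec:mac:' "$file" || { echo "$file: no kubesec trailer, Secret is not encrypted" >&2; return 1; }
  grep -q "^# kubesec:pgp:$expected:" "$file" || { echo "$file: not encrypted for key $expected" >&2; return 1; }
  for val in "$@"; do
    grep -qF "$(b64 "$val")" "$file" && { echo "$file: base64 of a plaintext value is still present" >&2; return 1; }
  done
  return 0
}

# Constructed sample: the post's encrypted output with the PGP blob truncated.
write_sample_encrypted() {
  cat > "$1" <<'EOF'
apiVersion: v1
data:
  password: il/3cLrKjpIlvorFLoDFGoVea+qZDf2qt/baerrAwCNDF7gX7vEtbbMShGPOj4ED.xGeuyVHG0jCBZYP/.EeFQnNb4HZYC3c9OXlizuA==
  username: kVuw9IOqqDIg/mOQJyCJG2zkvfu9GI6YfgSQirBOA10M+273km7dL1Hxd5dztgEq.R7mn4AGup5onLW6U.cwKeSC7llCbgRHz7+Y9BVg==
kind: Secret
metadata:
  name: mysecret
type: Opaque
# kubesec:v:3
# kubesec:pgp:A438A25678C3CD138A95E82A03C1DC1D02CE3215:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0t
# kubesec:mac:3mQIkIUj3aXVrPRn.StJvMN8WO0TPo/nD+n5Rdw==
EOF
}

# Encrypt with the real tool, verify, then decrypt and confirm the values return.
kubesec_roundtrip() {
  fpr=$1
  dir=$(mktemp -d)
  make_secret_manifest mysecret username=hello password=password > "$dir/secret.yml"
  kubesec encrypt --key="pgp:$fpr" "$dir/secret.yml" > "$dir/secret.enc.yml"
  assert_encrypted "$dir/secret.enc.yml" "$fpr" hello password
  kubesec decrypt "$dir/secret.enc.yml" | grep -qF "username: $(b64 hello)"
  echo "round trip OK: commit $dir/secret.enc.yml, never $dir/secret.yml"
}

# Only run the round trip when the tool and a key fingerprint are available.
if command -v kubesec >/dev/null 2>&1 && [ -n "${KUBESEC_PGP_FPR:-}" ]; then
  kubesec_roundtrip "$KUBESEC_PGP_FPR"
fi
```

Note what the check does and does not cover: the key names (`username`, `password`) and the Secret's name stay in cleartext in the encrypted file, only the `data` values are replaced by ciphertext, so the file still reveals which secrets exist. Passing the fingerprint explicitly with `--key=pgp:...` rather than relying on whichever gpg key is the default makes it unambiguous which key can decrypt the file later.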