K
Q

Decoding Kubernetes secret

7/5/2019

I inherited a Kubernetes/Docker setup, and I accidentally crashed the pod by changing something relating to the DB password.

I am trying to troubleshoot this.

I don't have much Kubernetes or Docker experience, so I'm still learning how to do things.

The value is contained inside the db-user-pass credential I believe, which is an Opaque type secret.

I'm describing it:

kubectl describe secrets/db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  16 bytes
username:  13 bytes

but I have no clue how to get any data from this secret. The example on the Kubernetes site seems to assume I'll have a base64 encoded string, but I can't even seem to get that. How do I get the value for this?

-- Cecil Rodriguez
docker
kubernetes

Similar Questions

Security Group for EKS master nodes - using worker IP range instead of SG
k8s securityContext.runAsUser vs Dockerfile USER instruction
AKS External Load Balancer is not Communicating with PODS
How to troubleshoot a deployment that keeps crashing
kubernetes LoadBalancer service target port set as random in GCP instead of as configured
ArgoCD with Terraform to delete all applications when deleting the namespace argocd
kubectl - How to restart a deployment (or all deployment)

6 Answers

7/5/2019

You can use kubectl get secrets/db-user-pass -o yaml or -o json where you'll see the base64-encoded username and password. You can then copy the value and decode it with something like echo <ENCODED_VALUE> | base64 -D.

A more compact one-liner for this:

$ kubectl get secrets/db-user-pass --template={{.data.password}} | base64 -D

and likewise for the username:

$ kubectl get secrets/db-user-pass --template={{.data.username}} | base64 -D
-- Amit Kumar Gupta
Source: StackOverflow
9/26/2019

I would suggest using this handy command. It utilizes a power of go-templates. It iterates over all values, decodes them, and prints them along with the key. It also handles not set values.

kubectl get secret name-of-secret -o go-template='
{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'

## In your case it would output
# password: decoded_password
# username: doceded_username

If you don't like go-templates you can use different output formats e.g. yaml or json, but that will output secrets encoded by base64.

-- Břetislav Hájek
Source: StackOverflow
2/11/2020

If you have jq (json query) this works:

kubectl get secret db-user-pass -o json | jq '.data | map_values(@base64d)'
-- Charles Thayer
Source: StackOverflow
7/5/2019

This is the link you might be looking for.

Kubernetes secrets need the secrets to be given in base64 encoded format, which can be created using base64 binary in case of linux distributions.

Example:

echo "hello" | base64
aGVsbG8K

Kubernetes decodes the base64 encoding when we pass the secret key as environment variable or mounted as volume.

-- Malathi
Source: StackOverflow
7/6/2019

First, get the secret from the etcd by querying the api server using kubectl.

kubectl get secret db-user-pass -o yaml

This will give you the base64 encoded secret in yaml format.

Once you have the yaml file decode them using

"base64 --decode"

Final command will look like this: Don't forget the -n flag in echo command

echo -n "jdddjdkkdkdmdl" | base64 --decode

-- Vaibhav Jain
Source: StackOverflow
11/20/2019

For easier decoding you can use a tool like ksd that will do the base64 decoding for you

kubectl get secrets/db-user-pass -o yaml | ksd
-- csanchez
Source: StackOverflow