Cover image for Editing Kubernetes Secrets Inline
Focused Labs

Editing Kubernetes Secrets Inline

austinbv profile image Austin Vance Updated on ・2 min read

We work a lot with Kubernetes and when you're working with Secrets it can be a total pain to edit them. A standard workflow can be something like.

# Grab the existing secret
kubectl get secret some-secret -o yaml > some-secret.yaml

# Grab the existing secret
kubectl get secret some-secret \
  -o jsonpath='{ .data.secret }' \
  | base64 -D > thesecert.txt

# Edit the secret
vim thesecret.txt

# Grab the new secret and put it into the secret file
# and apply it to the cluster
cat thesecret.txt | base64 | pbcopy
vim some-secret.yaml # paste in your b64 encoded secret
kubectl apply -f some-secret.yaml

That's not a great user experience and what if you wanted to use kubectl edit?

There's a bit of vim foo you can use to edit the secret in line.

kubectl edit secret some-secret

# navigate to the base64 encoded secret
# place your cursor on the space between the ":"
# and the first character of the secret
# hit `r <enter>` this replaces the space
# with a new line

# move your cursor down one line to the secret
# in the command prompt `:. ! base64 -D`

# Edit your secret

# in the command prompt `:. ! base64`
# if your secret is multiline you can 
# use `:<startline>,<endline> ! base64`
# or you can highlight the lines in visual
# mode and use `:! base64`

# Join the lines by moving back up the secret key
# and hitting `J`

# Then write quit `:wq`
# you should see this as output
# `secret/some-secret edited`

Editing a secret inline

And if you want to edit a multiline secret say one that was created from a file. Rather than base64 encoding the current line using :. you can use a range of line numbers :13,84 ! base64 and you will encode all those lines together inclusive of line 84.

edit: added info about multiline secrets


I wanted to add one more tip here - pesky new lines.

If you're editing a secret and you use . ! base64 you will end up with a newline character at the end of your secret. If that's ok... cool if not you can use tr to clean it out

. ! tr -d '\n' | base64

Focused Labs

Engineering teams are at their best when they trust one another and collaborate to solve tough problems. Our values are grounded in first-hand experience, working on a multitude of projects, across various industries, with diverse people.


Editor guide

Great tip. Didn't know about this 👍🏼


Thanks! Helpful in the CKA(D) too


Yeah totally. I am just on my journey preparing for CKAD

Good luck we are studying for it as a team right now

I am also preparing for CKAD. Please add me in :)


Tip: I have a base64 Vim plugin installed that makes this even easier! Just kubectl edit... and then encode/decode from within Vim. No other commands needed.


The plugin does this under the hood if you checkout the auto load file.

Personally like to avoid plugins if it’s easy enough to learn so I can edit in any environment or on a server without feeling hamstrung


Nice tip.

For a bit more convenience (so you don't have to edit or move the text to a new line):

: ! echo <cWORD> | base64 | tr -d '\n' | pbcopy

:help <cword> and :help <cWORD> for more information

demo 1

For even more convenience, this can be converted into a reusable function:

function! B64ify() abort
  silent ! clear
  silent ! echo <cWORD> | base64 | tr -d '\n' | pbcopy
  execute "normal! ciW\<ESC>\"*p"

Now, you can call it with :call B64ify()

demo 2

Lastly, you can map this function to a command and/or keybinding for maximum convenience:

command! B64ify :call B64ify()
nnoremap <silent> <Leader>B :B64ify<CR>

This can also be reversed very easily by copying the function and replacing base64 with base64 -d.

Here is a final demo:

demo 3

The final config:

function! B64ify() abort
  silent ! clear
  silent ! echo <cWORD> | base64 | tr -d '\n' | pbcopy
  execute "normal! ciW\<ESC>\"*p"
command! B64ify :call B64ify()
nnoremap <silent><Leader>B :B64ify<CR>

function! B64decodify() abort
  silent ! clear
  silent ! echo <cWORD> | base64 -d | tr -d '\n' | pbcopy
  execute "normal! ciW\<ESC>\"*p"
command! B64decodify :call B64decodify()
nnoremap <silent><Leader>b :B64decodify<CR>

Nice tip - I love the <cWORD> approach to a lot of things. One limitation is <cWORD> uses vi's word selection. If my secret is a multiline certificate, the contents of a yaml file, or has special characters this won't work.


That's true.

If you want to visually select the text to pass to an external program, by default vim passes whole lines (e.g. :'<,'> ! base64) , but vis.vim plugin might help (e.g. :'<,'>B ! base64).


Can you please tell me about this interactive presentation display you used for showing commands?


Hey, I have been using Terminalizer github.com/faressoft/terminalizer. I also have used asciinema.org/ which does web players rather than gifs.


Thats very useful! Thanks for sharing ♥️


Of course thanks for reading