Kubernetes Secrets Without the Pain: Meet kcpwd

kcpwd is a cross-platform password manager that syncs to Kubernetes secrets with zero infrastructure. No Vault servers, no operators, no complexity—just kcpwd k8s sync.

---

The Problem: Secret Management is Too Complicated

You know the drill. You're deploying to Kubernetes and need to manage secrets. Your options?

Option 1: Hardcode them ❌

# deployment.yaml (please don't do this)
env:
  - name: DB_PASSWORD
    value: "super_secret_123"  # 😱 In git!

Option 2: Setup Vault ⚠️

• Install Consul or etcd
• Deploy 3+ Vault servers
• Configure unsealing
• Setup RBAC
• Write policies
• Time spent: 2-4 hours minimum

Option 3: Use External Secrets Operator ⚠️

• Deploy operator
• Configure cloud provider
• Manage IAM roles
• Time spent: 1-2 hours

There has to be a better way for the 90% of teams who just need secure secret management without enterprise complexity.

---

Enter kcpwd: The Simple Solution

kcpwd is a cross-platform password manager that works as both a CLI and Python library—with native Kubernetes integration. It's designed for developers who want security without complexity.

Installation (30 seconds)

pip install kcpwd

That's it. No servers, no operators, no configuration files.

Basic Usage (5 minutes to production)

Step 1: Store your secrets locally

# Store passwords (uses your OS keyring)
kcpwd set prod_db_password "my_secure_password"
kcpwd set api_key "sk-1234567890"
kcpwd set redis_password "redis_secret"

Step 2: Sync to Kubernetes

# Sync single secret
kcpwd k8s sync prod_db_password --namespace production

# Or sync all at once
kcpwd k8s sync-all --namespace production

Step 3: Use in your deployments

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: production
spec:
  template:
    spec:
      containers:
      - name: app
        image: myapp:latest
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: prod-db-password  # Created by kcpwd
              key: password
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: api-key
              key: password

That's it. You're now managing Kubernetes secrets securely.

---

Why kcpwd?

✅ Zero Infrastructure

No servers to maintain. No databases to backup. kcpwd uses your native OS keyring:

• macOS: Keychain
• Linux: Secret Service (gnome-keyring, KWallet)
• Windows: Credential Locker
• CI/CD: Encrypted file storage (AES-256-GCM)

✅ Works Everywhere

# On your Mac
kcpwd set db_password "secret123"

# In GitHub Actions
pip install kcpwd
kcpwd set db_password "${{ secrets.DB_PASSWORD }}"
kcpwd k8s sync-all --namespace production

# In Docker/CI/CD
# No keyring? No problem! Auto-fallback to encrypted storage

✅ Developer Experience

Python Integration:

from kcpwd import require_password

@require_password('database_password')
def connect_to_db(password=None):
    return psycopg2.connect(
        host="postgres.example.com",
        password=password
    )

# Password auto-injected from keyring
connect_to_db()  

CLI Power:

# Generate strong passwords
kcpwd generate -l 32 -s api_key

# List all secrets
kcpwd list

# Check what's in Kubernetes
kcpwd k8s list --namespace production

---

Real-World Use Cases

1. CI/CD Pipeline (GitHub Actions)

name: Deploy to Kubernetes
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup and sync secrets
        run: |
          pip install kcpwd

          # Import from GitHub Secrets
          kcpwd set db_password "${{ secrets.DB_PASSWORD }}"
          kcpwd set api_key "${{ secrets.API_KEY }}"

          # Sync to Kubernetes
          kcpwd k8s sync-all --namespace production

      - name: Deploy
        run: kubectl apply -f k8s/

Time to setup: ~5 minutes

2. Multi-Environment Management

#!/bin/bash
# deploy.sh

ENVIRONMENT=$1  # dev, staging, production

# Sync environment-specific secrets
kcpwd k8s sync-all \
  --namespace $ENVIRONMENT \
  --prefix ${ENVIRONMENT}_ \
  --label environment=$ENVIRONMENT \
  --label managed-by=kcpwd

echo "✓ Secrets synced to $ENVIRONMENT"

# Deploy to staging
./deploy.sh staging

# Deploy to production
./deploy.sh production

3. Helm Integration

kcpwd works seamlessly with Helm charts:

# values.yaml
database:
  host: postgres.example.com
  password: "{{ kcpwd('db_password') }}"

api:
  endpoint: https://api.example.com
  key: "{{ kcpwd('api_key') }}"

# Master-protected for production secrets
production:
  secret: "{{ kcpwd('prod_secret', master=true) }}"

# Process and deploy
kcpwd helm template values.yaml -o values-processed.yaml
helm install myapp ./chart -f values-processed.yaml

4. GitOps with ArgoCD

# argocd-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/myorg/myapp
    targetRevision: HEAD
    path: k8s
  destination:
    namespace: production
  hooks:
  - name: sync-secrets
    hookType: PreSync
    script: |
      pip install kcpwd
      kcpwd k8s sync-all --namespace production

No secrets in Git. kcpwd syncs them before ArgoCD deploys.

5. Watch Mode (Auto-Sync)

# Keep Kubernetes secrets in sync automatically
kcpwd k8s watch \
  --namespace production \
  --interval 60 \
  --prefix prod_

# Updates K8s secrets every 60 seconds
# Perfect for long-running deployments

---

Advanced Features

🔐 Master Password Protection

For production secrets, add an extra layer:

# Store with master password
kcpwd set-master prod_db_password "super_secret"
# Enter master password: ********

# Sync to K8s (will prompt for master password)
kcpwd k8s sync prod_db_password --namespace production

🔄 Bi-directional Sync

Import existing Kubernetes secrets into kcpwd:

# Import existing secret
kcpwd k8s import database-credentials \
  --namespace production \
  --key imported_db_password

# Now it's in kcpwd too!
kcpwd get imported_db_password

🏷️ Label Management

Organize secrets with Kubernetes labels:

kcpwd k8s sync api_key \
  --namespace production \
  --label app=myapp \
  --label team=backend \
  --label managed-by=kcpwd

🔁 Secret Rotation

Automate password rotation:

# rotate_secrets.py
from kcpwd import set_password, generate_password
from kcpwd.k8s import sync_to_k8s
import subprocess

def rotate_secret(key, namespace):
    # Generate new password
    new_password = generate_password(length=32)

    # Update in kcpwd
    set_password(key, new_password)

    # Sync to K8s
    sync_to_k8s(key, namespace=namespace)

    # Restart deployment
    subprocess.run([
        "kubectl", "rollout", "restart",
        f"deployment/{key}-app", "-n", namespace
    ])

# Use with cron or K8s CronJob
rotate_secret("api_key", "production")

---

Comparison: kcpwd vs. Alternatives

Feature	kcpwd	Vault	Sealed Secrets	External Secrets
Setup Time	0 minutes	2-4 hours	30+ minutes	1+ hour
Infrastructure	None	3+ servers	Controller	Operator + Cloud
Learning Curve	Minimal	Steep	Moderate	Moderate
Local Dev	✅ Perfect	⚠️ Complex	❌ No	⚠️ Limited
CI/CD	✅ Simple	✅ Yes	✅ Yes	✅ Yes
GitOps	✅ Yes	✅ Yes	✅ Yes	✅ Yes
Master Password	✅ Yes	❌ No	❌ No	❌ No
Python Library	✅ Yes	⚠️ Complex	❌ No	❌ No
Cost	Free	Free/$$$	Free	Free

---

Security Features

• ✅ AES-256-GCM encryption (NIST-approved)
• ✅ PBKDF2-SHA256 key derivation (600,000 iterations)
• ✅ Native OS keyrings (hardware-backed on supported devices)
• ✅ Optional master password (extra protection layer)
• ✅ No network communication (except kubectl)
• ✅ Kubernetes RBAC integration
• ✅ Open source (MIT license)

---

Platform Support

macOS ✅

Native Keychain integration, full feature support

Linux ✅

Auto-detects system keyring, fallback to encrypted storage

Windows ✅

Native Credential Locker integration

CI/CD ✅

Encrypted file storage, zero dependencies

Docker/Containers ✅

Works in any environment

---

Getting Started

Installation

# Basic installation
pip install kcpwd

# With Web UI (bonus feature!)
pip install 'kcpwd[ui]'

Quick Start

# 1. Check platform support
kcpwd info

# 2. Store a secret
kcpwd set my_password "secret123"

# 3. Sync to Kubernetes
kcpwd k8s sync my_password --namespace default

# 4. Verify
kubectl get secret my-password -o yaml

Documentation

• 📖 GitHub Repository
• 📚 Complete K8s Guide
• 💬 Discussions

---

Web UI Bonus 🎨

kcpwd also includes a beautiful web interface:

kcpwd ui
# Open http://localhost:8765

Features:

• Modern dark theme
• Password generator
• Strength checker
• Temporary password sharing
• Session management

---

What's Next?

We're actively developing kcpwd and would love your feedback! Upcoming features:

• [ ] Password history tracking
• [ ] Terraform provider
• [ ] Browser extensions
• [ ] 2FA/OTP support
• [ ] Kubernetes operator
• [ ] Cloud sync options

---

Try It Today

# Install
pip install kcpwd

# Your first secret in K8s
kcpwd set test_secret "hello_kubernetes"
kcpwd k8s sync test_secret --namespace default

# That's it!
kubectl get secret test-secret

Star us on GitHub ⭐ if you find kcpwd useful!

---

Why I Built kcpwd

As a data engineer, I was tired of:

• Fighting with Vault setup in dev environments
• Committing .env files by accident
• Managing secrets across local, CI/CD, and K8s
• Complex workflows that slow down development

kcpwd is my answer: developer-first secret management that just works.

---

Community

• 🐛 Found a bug? Open an issue
• 💡 Feature request? Start a discussion
• 🤝 Want to contribute? Check our contributing guide
• ⭐ Star the repo to show support!

---

kcpwd - Because secret management shouldn't require a PhD in DevOps.

pip install kcpwd

---

Made with ❤️ by osmanuygar