Skip to content

davidschrooten/secret-wrapper-k8s

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.github/workflows
.github/workflows
 
 
cmd/swk
cmd/swk
 
 
internal
internal
 
 
.envrc
.envrc
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
flake.lock
flake.lock
 
 
flake.nix
flake.nix
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

secret-wrapper-k8s (swk)

Go Version Go Report Card Tests Coverage

A CLI tool that makes editing Kubernetes Secrets easier by automatically decoding and encoding base64 values.

The Problem

When editing Kubernetes Secrets with kubectl edit secret, all values in the data section are base64-encoded, making them difficult to read and edit. You typically have to:

  1. Decode base64 values manually
  2. Edit the plaintext
  3. Re-encode to base64
  4. Paste back into the YAML

This is tedious and error-prone.

The Solution

swk (secret-wrapper-k8s) acts as an editor wrapper that:

  1. Receives the Secret YAML from kubectl
  2. Automatically decodes all base64 values in the data section
  3. Opens your preferred editor with the decoded values
  4. After you save and exit, re-encodes the values to base64
  5. Returns the encoded YAML to kubectl

Installation

From Source

# Clone the repository
git clone https://github.com/davidschrooten/secret-wrapper-k8s.git
cd secret-wrapper-k8s

# Enable nix flake (or install go)
direnv allow

# Build and install
sudo make install

# Or specify a custom installation path
make install INSTALL_PATH=$HOME/.local/bin

Manual Build

go build -o swk ./cmd/swk

Usage

With kubectl edit

Set swk as your editor when using kubectl edit:

# Use swk with your preferred editor (vim in this example)
EDITOR="swk --editor vim" kubectl edit secret my-secret

# Or using the short flag
EDITOR="swk -e nano" kubectl edit secret my-secret

Editor Selection

swk determines which editor to use with the following priority:

  1. --editor or -e flag (highest priority)
  2. $EDITOR environment variable
  3. $VISUAL environment variable
  4. vi (default fallback)

Examples

# Use vim
EDITOR="swk -e vim" kubectl edit secret database-credentials

# Use nano
EDITOR="swk -e nano" kubectl edit secret api-keys

# Use emacs
EDITOR="swk --editor emacs" kubectl edit secret tls-cert

# Use your default $EDITOR
EDITOR=swk kubectl edit secret my-secret

Setting a Default

You can set swk as your default Kubernetes editor:

# In your ~/.bashrc or ~/.zshrc
export KUBE_EDITOR="swk -e vim"

# Now you can edit ANY resource type:
kubectl edit secret my-secret         # Decodes base64 automatically
kubectl edit deployment my-app        # Pass-through (no transformation)
kubectl edit ingress my-ingress       # Pass-through (no transformation)
kubectl edit configmap my-config      # Pass-through (no transformation)

How It Works

swk intelligently detects whether you're editing a Secret or any other Kubernetes resource:

For Secrets:

  1. kubectl calls swk with a temporary YAML file path
  2. swk reads the file and detects it's a Kubernetes Secret
  3. All values in the data section are decoded from base64 to plaintext
  4. The decoded YAML is written to a new temporary file
  5. Your chosen editor opens the temporary file
  6. You edit the plaintext values and save
  7. swk reads the edited file and encodes all data values back to base64
  8. The encoded YAML is written back to kubectl's original temp file
  9. kubectl applies the changes

For Other Resources (Deployments, Ingress, ConfigMaps, etc.):

  1. swk detects it's not a Secret
  2. It passes the file directly to your editor without any transformation
  3. You edit normally and save
  4. kubectl applies the changes

Note:

  • swk only processes the data section of Secrets. The stringData section (if present) is left as-is, since it's already plaintext.
  • You can safely set export KUBE_EDITOR="swk -e vim" and use it for editing any Kubernetes resource, not just Secrets!

Development

Requirements

  • Go 1.25.5 or later
  • make (optional, but recommended)

Building

make build

Testing

# Run all tests
make test

# Generate coverage report
make coverage

Linting

# Run linter (requires golangci-lint)
make lint

# Or just run go vet
make vet

Project Structure

.
├── cmd/swk/              # Main application entry point
│   ├── main.go          # CLI orchestration
│   └── main_test.go     # Integration tests
├── internal/
│   ├── editor/          # Editor selection and launching
│   │   ├── editor.go
│   │   └── editor_test.go
│   └── secret/          # YAML transformation (base64 encode/decode)
│       ├── transformer.go
│       └── transformer_test.go
├── Makefile             # Build automation
└── README.md            # This file

Examples

Before (manual process)

$ kubectl get secret my-secret -o yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: cGFzc3dvcmQxMjM=    # What does this mean?
  username: YWRtaW4=            # Have to decode manually

After (with swk)

$ EDITOR="swk -e vim" kubectl edit secret my-secret

# Your editor opens with:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: password123          # Easy to read!
  username: admin                # Easy to edit!

# Edit the values directly, save, and exit
# swk automatically encodes them back to base64

License

MIT

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Author

David Schrooten

About

A CLI tool that makes editing Kubernetes Secrets easier by automatically decoding and encoding base64 values.

Topics

kubernetes cli devops sre kubectl

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 2

v1.0.1 Latest
Feb 3, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages