-
Notifications
You must be signed in to change notification settings - Fork 922
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add kubectl create secret --from-base64-literal and --random-value-for-key #1654
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/assign maybe it is festiable by using stdin device, here is my workaround.
EDIT:
|
WDYT about thie feature? @eddiezane Do you want to implement this @ash2k ? If I may, once this feature is accepted, I'm happy to raise a PR to make it happen. |
Not anytime soon. I need the feature but don't have capacity to build it right now. |
Hi @ash2k / @xuzhenglun , if this feature is accepted, |
Hi @xuzhenglun / @ash2k, I have worked on this feature: |
@Bhargav-manepalli / @ak20102763 Don't worry, I'm fine if you want to take over it. But I'm not sure that such change will be accepted, You would be better to ensure this with approver of sig-cli. IMHO, flag likes
|
/transfer kubectl |
@xuzhenglun I understand your concern, I am using And here is more information about this flag: |
@xuzhenglun , I've implemented the |
That’s really awesome, thanks for your contribution. Feel free to raise a PR and link with this issue when you are ready. @Bhargav-manepalli /assign @Bhargav-manepalli |
Thanks @ak20102763 , @xuzhenglun |
I think this should be triaged by sig-cli first to move forward. Because adding new flag requires strong justification. |
There is a workaround as stated in #1654 (comment)
and this workaround is also a reasonable and looks not hacky. We usually would consider adding more flags, if there is no other way around and in that case there is. |
Hi @xuzhenglun , I raised a PR. Any comments on this ? |
@Bhargav-manepalli |
It's a good workaround, but it only works if you need a secret with a single key/value. |
@ash2k , It supports for multiple key:value 's as well. i mean multiple keys with encoded values. |
I was talking about the workaround :) |
@ash2k / @xuzhenglun , how about this workaround , this way we can have multiple key/value pairs in single secret
|
@ak20102763 Sure. But why make the user do this vs have flags that do what's necessary? I think working with secrets is quite important and default kubectl experience should be fool-proof as much as possible (mostly to avoid leaking secret data). So in my mind it makes sense to provide a clean UX for this. I think it's not about "possible to do" vs "impossible to do without the flag(s)". It's about helping the user to avoid leaking the secret data. This is way more important and should be prioritized. Most people will not know all these shell tricks (I didn't!), and they probably don't work on Windows either. Users will just put their secret data into a file(s), which is strictly less secure as it exposes it on disk. Again, we have those specialized Hence, I think both Does this make sense? WDYT? |
@ash2k I agree, we have |
@ash2k , The test Either to change the flag-name or add numeric support to the flag ? |
@Bhargav-manepalli I'm not on sig-cli, cannot make any decisions. But in my personal opinion numbers should be allowed in flag names, I don't see why that would be bad in general. Alternatively, what are the good names for the flag if not |
Any suggestions on this ? @xuzhenglun |
In my personal opinion, I think this new flag could bring user better experience indeed. But I'm new and not on charge, cannot make decision too. Would you please help us to triage this? @ardaguclu |
As I tried to state in here #1654 (comment), we are hesitant to add new flags and it is considered only for the cases where there is no workaround. Because usability of a flag may seem reasonable from one point of view but it may also lead to a bad user experience from another point of view (for example, numerous flags in one command, just like In that case there are workarounds for every possible case and I'd not prefer adding a new flag for an imperative command (i.e. |
I vote for |
What would you like to be added?
kubectl create secret --from-literal=key=secret-value
is very handy. I have a use case where I'm creating a secret that needs to be binary (an encryption key), be of a certain size, and use all of those bits for entropy. I'm taking randomness from/dev/urandom
but cannot use it as a literal value since it's binary.I could put the secret material into a file and use
kubectl create secret --from-file=./file
but:Ideally I'd use something like
kubectl create secret --from-base64-literal="key=$(head -c 64 /dev/urandom | base64)"
to generate a value of 64 bytes, base64 encode it, pass to kubectl. It would decode it, persist into the cluster.Yet another idea (can open a separate issue) is to have
--random-value-for-key=key=64
. It would generate a random value of length 64 and persist it into thekey
key. Even nicer and more secure (secret is not exposed on disk and via command line flags, where it can be seen by other processes) for bootstrapping a secret (from a script or console)./sig cli
Why is this needed?
Better scripting experience, more secure secret data handling.
The text was updated successfully, but these errors were encountered: