envwarden and Kubernetes secrets

envwarden is a simple open-source script that lets you manage your server secrets with Bitwarden.

Read more about envwarden here

Here’s a simple way to update your Kubernetes secrets directly from envwarden, so they are always in sync.

In this example, we create a Bitwarden entry called production-secrets and define our secrets inside it as custom fields. Each custom field holds one secret, e.g. MY_SECRET=shush, PASSWORD=I'm not telling.

We want to create a matching secret in Kubernetes with the same name (production-secrets) and import our secrets into it. Note: what Kubernetes calls a “secret” is a collection of individual secrets, much like the collection of secrets we keep in one Bitwarden entry.

After our Bitwarden secrets are created, we save them into a .env file, using envwarden:

envwarden --search production-secrets --dotenv-docker > /path/to/.env

Then, we create a matching Kubernetes secret, and import our .env into it.

kubectl create secret generic production-secrets --from-env-file=/path/to/.env --dry-run=client -o yaml | kubectl apply -f -

Once the Kubernetes secret is created, whenever we want to update it, we can run the same commands to push any updates to Kubernetes:

# get our secrets into the .env file
envwarden --search production-secrets --dotenv-docker > /path/to/.env

# update our Kubernetes secrets
kubectl create secret generic production-secrets --from-env-file=/path/to/.env --dry-run=client -o yaml | kubectl apply -f -

# optional, but probably recommended, we remove the .env from our system
rm /path/to/.env

And that’s it! :)
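
The same update sequence wrapped in one function, as an added example (not code from the original post or from the envwarden project): the .env is created owner-only, removed on every exit path, and nothing is applied when envwarden fails or returns no fields. The name sync_secret and the assumption that envwarden exits non-zero on failure belong to this example.

```shell
# Added example: sync one Bitwarden entry into a Kubernetes secret of the same name.
# sync_secret is a hypothetical helper name, not part of envwarden or kubectl.
# Usage: sync_secret production-secrets
sync_secret() (
    # The body runs in a subshell, so umask and the trap stay local to it.
    name=$1
    umask 077                          # anything we create is owner-only
    envfile=$(mktemp) || exit 1        # unpredictable path, mode 0600
    trap 'rm -f "$envfile"' EXIT       # remove the plaintext copy on every exit path

    # Assumption: envwarden exits non-zero when the vault is locked or the
    # search fails. Stop here rather than push a partial file.
    envwarden --search "$name" --dotenv-docker > "$envfile" || exit 2

    # Guard for the case where envwarden "succeeds" with no fields: an empty
    # file would render a secret with no keys and apply it over the live one.
    grep -q '=' "$envfile" || exit 3

    kubectl create secret generic "$name" --from-env-file="$envfile" \
        --dry-run=client -o yaml | kubectl apply -f - || exit 4
)
```

Exit codes 1 to 4 tell a cron job or CI step which stage failed: temp file, envwarden, empty result, or kubectl.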
