RubyGems - kubekrypt - Versions diffs - 2.1.0 → 2.2.0 - Mend

kubekrypt 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aafcb114c98241aef71fcd5bb8cc2da885720fe50ef89d6986595a86108e6066
-  data.tar.gz: 5b4acdd48ddbf46aad74fa089c7c5de1a1d219c924836a9edf4ab528d38c389d
+  metadata.gz: 0fc12e50c4083f740004c80424c20d28abbdf9254be9e2c81752fa53c5b2ee9d
+  data.tar.gz: 1c72fef635ece42c16605893d8580234ff0efb63e147bd99ab6e9d08ee6b52a7
 SHA512:
-  metadata.gz: 5b093a42bfaae3bf5dc63956c38c4ad454c87a5c91d56be298550a7c8bfc11ce9ff6403da1c8a6eddafcc415e1791a0889f8cb3c02c60faa7a76cf4dfdf936cd
-  data.tar.gz: 145e1b546e18b9540273025e809f70fac4051c0b21a2d7d7e9739dbec7fed9bfa434812e6cfc340e33f1aff7ce972f41796c8c8aceff5575817a376102b5364e
+  metadata.gz: a4cf83f02bda125ed63c86ef872b023aac37393b1523bda8c583e60eef46e48c0e9e85fecfc0b4625158746a5cc9e643544e2d1f8a176fa6adad28e4f122c9ec
+  data.tar.gz: 46ec255f4439a16e280f2cc666d16be278e463ea108cd8cfd3d8dedc7b1e73b0bc2917ba9f816d3d6ae64ab1dcf6e306fad6ca8686e7390a466293db424c0ffe

data/.github/dependabot.yml ADDED Viewed

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: "/"
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,21 @@
 # Changelog
+## [2.2.0] - 2026-03-24
+### Added
+- `--in-place` / `-i` flag for `encrypt` and `decrypt` to write output back to the source file
+- Directory support — pass a directory path to process all `*.yaml`/`*.yml` files recursively
+- `kind: Secret` validation — non-Secret manifests are rejected with a clear error
+- YAML parse error handling — invalid YAML prints a clean error instead of a backtrace
+- Dependabot configuration for automated dependency updates
+## [2.1.1] - 2026-03-24
+### Fixed
+- Typos in error class names (`AlreadyEncryptedError`, `NotEncryptedError`)
+- CLI now prints clean error messages instead of backtraces on failure
+- Use `METADATA_KEY` constant consistently in CLI
 ## [2.1.0] - 2026-03-24
 ### Changed

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    kubekrypt (2.1.0)
+    kubekrypt (2.2.0)
       google-cloud-kms
       grpc (< 1.74.0)
       thor (>= 1.0)

data/README.md CHANGED Viewed

@@ -1,86 +1,136 @@
 [![Gem Version](https://badge.fury.io/rb/kubekrypt.svg)](https://rubygems.org/gems/kubekrypt)
+[![Ruby CI](https://github.com/knapo/kubekrypt/actions/workflows/ci.yml/badge.svg)](https://github.com/knapo/kubekrypt/actions/workflows/ci.yml)
 # KubeKrypt
-A command-line tool for securely encrypting and decrypting Kubernetes Secret manifests using Google Cloud KMS encryption keys.
+A command-line tool for encrypting and decrypting Kubernetes Secret manifests using Google Cloud KMS.
-## Overview
+Secret manifests can be safely committed to version control in their encrypted form and decrypted on demand — either to inspect values or to pipe directly into `kubectl`.
-KubeKrypt provides a simple and secure way to manage sensitive information in Kubernetes Secret manifests. It allows you to encrypt Secret manifests before they're stored in version control systems, and decrypt them when they need to be applied to a cluster.
+## Installation
-## Features
+```bash
+gem install kubekrypt
+```
-- **Secure Encryption**: Uses Google Cloud KMS to encrypt sensitive data in Kubernetes Secret manifests
-- **Simple Interface**: Easy-to-use CLI commands for encryption and decryption
-- **Metadata Tracking**: Embeds metadata in encrypted files for tracking and verification
-- **Stdout Integration**: Outputs to standard out for easy piping and redirection
-- **Base64 Processing**: Automatically handles base64 encoding/decoding under the hood, maintaining compatibility with Kubernetes Secret format
+Or add it to your `Gemfile`:
-## Installation
+```ruby
+gem "kubekrypt"
+```
+## Requirements
+- Ruby >= 3.4
+- A Google Cloud KMS key with `cloudkms.cryptoKeyVersions.useToEncrypt` / `useToDecrypt` permissions
+## Authentication
-`kubecrypt` uses `google-cloud-kms` and it requires an [environment variable](https://cloud.google.com/ruby/docs/reference/google-cloud-kms/latest/AUTHENTICATION) to be set in order to authenticate and work properly.
-You need one of:
+KubeKrypt delegates authentication to the `google-cloud-kms` gem. Set one of the following environment variables:
-- `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents
-- `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
+| Variable | Description |
+|---|---|
+| `GOOGLE_APPLICATION_CREDENTIALS` | Path to a service account JSON key file |
+| `GOOGLE_CLOUD_CREDENTIALS` | Path to JSON file, or JSON contents inline |
+Application Default Credentials (e.g. `gcloud auth application-default login`) are also supported.
 ## Usage
-### Encrypting a Secret
+### Encrypt a Secret
+```bash
+kubekrypt encrypt secret.yaml \
+  -k projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key \
+  > secret.enc.yaml
+```
+Overwrite the file in place with `--in-place` / `-i`:
 ```bash
-kubekrypt encrypt secret.yaml -k projects/your-project/locations/global/keyRings/your-keyring/cryptoKeys/your-key > secret.enc.yaml
+kubekrypt encrypt -i secret.yaml -k projects/my-project/...
 ```
-### Decrypting a Secret
+Encrypt every Secret in a directory:
+```bash
+kubekrypt encrypt secrets/ -k projects/my-project/...
+```
+Each value under `data` is encrypted individually using KMS and prefixed with `enc:`. A `kubekrypt` metadata block is embedded in the output to record the KMS key used and the version:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret
+data:
+  token: enc:CiQAjMDkZ3...
+kubekrypt:
+  kms_key: projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key
+  version: 2.1.1
+  modified_at: "2026-03-24T10:00:00Z"
+```
+### Decrypt a Secret
 ```bash
 kubekrypt decrypt secret.enc.yaml > secret.yaml
 ```
-### Piping to kubectl
+Or in place:
+```bash
+kubekrypt decrypt -i secret.enc.yaml
+```
+Decrypt every Secret in a directory:
+```bash
+kubekrypt decrypt -i secrets/
+```
+The KMS key is read from the embedded `kubekrypt` metadata — no need to specify it again.
+### Decrypt and apply directly with kubectl
+Kubernetes Secret `data` values must be base64-encoded. Use `--base64` to have KubeKrypt re-encode the decrypted values before output:
 ```bash
 kubekrypt decrypt --base64 secret.enc.yaml | kubectl apply -f -
 ```
-### Checking Version
+### Check version
 ```bash
 kubekrypt version
 ```
-## How It Works
+## How it works
-1. KubeKrypt reads your Kubernetes Secret YAML file
-2. For encryption, it:
-   - Validates that it's a proper Kubernetes Secret
-   - Ensures it's not already encrypted
-   - Decodes base64 values to get raw data
-   - Uses Google Cloud KMS to encrypt sensitive data
-   - Re-encodes with base64 as needed
-   - Adds metadata about the encryption
-   - Outputs the encrypted YAML
+**Encryption:**
-3. For decryption, it:
-   - Verifies the file contains KubeKrypt encryption metadata
-   - Uses the embedded information to decrypt the data
-   - Handles all necessary base64 encoding/decoding
-   - Outputs the original Secret YAML
+1. Reads the YAML file and validates it is not already encrypted.
+2. Calls Google Cloud KMS to encrypt each value in the `data` map.
+3. Stores ciphertext as `enc:<base64>` in place of the original value.
+4. Appends a `kubekrypt` metadata block with the KMS key name, gem version, and timestamp.
+5. Prints the resulting YAML to stdout.
-## Security
+**Decryption:**
-KubeKrypt never stores encryption keys locally. All encryption and decryption operations are performed using Google Cloud KMS, ensuring that key material is never exposed.
+1. Reads the `kubekrypt` metadata block to determine which KMS key to use.
+2. Calls Google Cloud KMS to decrypt each `enc:<base64>` value.
+3. Strips the `kubekrypt` metadata block from the output.
+4. Prints the resulting YAML to stdout (optionally with base64-encoded values via `--base64`).
-## Requirements
+## Security
-- Ruby 3.4+
-- Access to a KMS key with appropriate permissions
+KubeKrypt never stores or logs key material. All cryptographic operations are performed by Google Cloud KMS — plaintext values exist only transiently in memory during a command invocation.
 ## Contributing
-Contributions are welcome! Please feel free to submit a Pull Request.
+Pull requests are welcome. Please make sure `bundle exec rake ci` passes before submitting.
 ## License
-This project is licensed under the MIT License - see the LICENSE file for details.
+MIT — see [LICENSE](LICENSE) for details.

data/lib/kubekrypt/cli.rb CHANGED Viewed

@@ -12,29 +12,85 @@ module KubeKrypt
     end
     method_option KMS_KEY, aliases: "-k", desc: "Google KMS encryption key id to use", required: true
-    desc "encrypt FILE", "Encrypts Kubernetes secrets manifest using the specified KMS key"
-    def encrypt(file_path)
-      yaml_content = File.read(file_path)
-      content = YAML.safe_load(yaml_content)
+    method_option :in_place, aliases: "-i", desc: "Write output back to the source file", type: :boolean, default: false
+    desc "encrypt FILE [FILE ...]", "Encrypts Kubernetes Secret manifests using the specified KMS key"
+    def encrypt(*paths)
       key_name = options.fetch(KMS_KEY)
+      in_place = options[:in_place]
-      raise AlreadyEncrytpedError, "#{file_path} is already encrypted" if content["kubekrypt"]
-      result = KubeKrypt::Encryptor.call(content:, key_name:)
-      puts result
+      expand(paths).each { |file_path| process_encrypt(file_path, key_name:, in_place:) }
     end
     method_option :base64, desc: "Base64 encoded values", type: :boolean, required: false
-    desc "decrypt FILE", "Decrypts Kubernetes secrets manifest using embedded kubekrypt metadata"
-    def decrypt(file_path)
-      yaml_content = File.read(file_path)
-      content = YAML.safe_load(yaml_content)
+    method_option :in_place, aliases: "-i", desc: "Write output back to the source file", type: :boolean, default: false
+    desc "decrypt FILE [FILE ...]", "Decrypts Kubernetes Secret manifests using embedded kubekrypt metadata"
+    def decrypt(*paths)
       base64 = options.fetch(:base64, false)
+      in_place = options[:in_place]
+      expand(paths).each { |file_path| process_decrypt(file_path, base64:, in_place:) }
+    end
+    private
+    def expand(paths)
+      paths.flat_map do |path|
+        if File.directory?(path)
+          Dir.glob(File.join(path, "**", "*.{yaml,yml}")).sort
+        else
+          [path]
+        end
+      end
+    end
+    def load_secret(file_path)
+      content = YAML.safe_load_file(file_path)
+      raise InvalidSecretError, "#{file_path} is not a Kubernetes Secret" unless content["kind"] == "Secret"
+      content
+    rescue Psych::Exception => e
+      raise InvalidSecretError, "#{file_path} is not valid YAML: #{e.message}"
+    end
+    def write_output(result, file_path:, in_place:)
+      if in_place
+        File.write(file_path, result)
+      else
+        puts result
+      end
+    end
+    def process_encrypt(file_path, key_name:, in_place:)
+      content = load_secret(file_path)
+      raise AlreadyEncryptedError, "#{file_path} is already encrypted" if content[METADATA_KEY]
+      result = KubeKrypt::Encryptor.call(content:, key_name:)
+      write_output(result, file_path:, in_place:)
+    rescue AlreadyEncryptedError, NotEncryptedError, InvalidSecretError => e
+      warn "Error: #{e.message}"
+      exit 1
+    rescue Errno::ENOENT
+      warn "Error: file not found: #{file_path}"
+      exit 1
+    rescue => e
+      warn "Error: #{e.message}"
+      exit 1
+    end
-      raise NotEncrytpedError, "#{file_path} is not encrypted" unless content["kubekrypt"]
+    def process_decrypt(file_path, base64:, in_place:)
+      content = load_secret(file_path)
+      raise NotEncryptedError, "#{file_path} is not encrypted" unless content[METADATA_KEY]
       result = KubeKrypt::Decryptor.call(content:, base64:)
-      puts result
+      write_output(result, file_path:, in_place:)
+    rescue AlreadyEncryptedError, NotEncryptedError, InvalidSecretError => e
+      warn "Error: #{e.message}"
+      exit 1
+    rescue Errno::ENOENT
+      warn "Error: file not found: #{file_path}"
+      exit 1
+    rescue => e
+      warn "Error: #{e.message}"
+      exit 1
     end
   end
 end

data/lib/kubekrypt/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module KubeKrypt
-  VERSION = "2.1.0".freeze
+  VERSION = "2.2.0".freeze
 end

data/lib/kubekrypt.rb CHANGED Viewed

@@ -5,8 +5,9 @@ require "thor"
 require "yaml"
 module KubeKrypt
-  AlreadyEncrytpedError = Class.new(StandardError)
-  NotEncrytpedError = Class.new(StandardError)
+  AlreadyEncryptedError = Class.new(StandardError)
+  NotEncryptedError = Class.new(StandardError)
+  InvalidSecretError = Class.new(StandardError)
   KMS_KEY = :kms_key
   ENCRYPTION_METHOD = "aes-256-gcm".freeze
   METADATA_KEY = "kubekrypt".freeze

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kubekrypt
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Krzysztof Knapik
@@ -72,6 +72,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"