kubekrypt 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 114a7edec9762b20e94f800e58ebdf5125bee18d04faca1d0559d9193e0e1252
+  data.tar.gz: c3a2d0f518f96d98d182374ee0f9dbd90fd129a24e4d243dac2817bf4d4b2239
+SHA512:
+  metadata.gz: c52d274ebc704a7df81b653f6325642671991d294619754977f0ee9caa8d0e448e48540a8399819147b150cfb5c2867b9bf49eb8186f10b14ad6b5ca5f073ac5
+  data.tar.gz: e911f8d383b62cf17cea7d9137aa080877e166d894fafd4b04a92d314097a9636dab1f4b99fe051344f4817a48b43d494e4c15307c7db38befbb6cfae01494a6

data/.github/workflows/ci.yml

@@ -0,0 +1,25 @@
+name: Ruby CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  ci_tests_ruby:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: [3.4]
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
+    - name: Run tests
+      run: bundle exec rake ci

data/.gitignore

@@ -0,0 +1,17 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.tmp
+
+# rspec failure tracking
+.rspec_status
+
+# Cached rubocop config files
+.rubocop-http*
+
+*.yaml

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/CHANGELOG.md

@@ -0,0 +1,22 @@
+# Changelog
+
+## [2.0.0] - 2025-03-18
+
+### Added
+- Core encryption functionality using KMS for securing Kubernetes Secret manifests
+- Command-line interface with encrypt and decrypt commands
+- Support for reading YAML Secret manifests from files
+- Automatic detection of already encrypted files
+- Metadata tagging to track encryption details within manifests
+- Version command to display current KubeKrypt version
+
+### Features
+- **Encrypt Command**: Securely encrypts Kubernetes Secret manifests using specified KMS key
+- **Decrypt Command**: Decrypts previously encrypted manifests using embedded metadata
+- **YAML Output**: All commands output properly formatted YAML to stdout for easy redirection
+
+### Implementation Details
+- Uses Thor for CLI command parsing
+- Preserves original manifest structure while securing sensitive data
+- Adds `kubekrypt` metadata section to encrypted manifests for tracking
+- Basic error handling for common failure scenarios

data/Gemfile

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'bundler'
+gem 'irb'
+gem 'pry'
+gem 'rake'
+gem 'rspec'
+gem 'rubocop'
+gem 'rubocop-rake'
+gem 'rubocop-rspec'

data/Gemfile.lock

@@ -0,0 +1,184 @@
+PATH
+  remote: .
+  specs:
+    kubekrypt (2.0.0)
+      google-cloud-kms
+      thor (~> 1.0)
+      yaml
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    ast (2.4.2)
+    base64 (0.2.0)
+    bigdecimal (3.1.9)
+    coderay (1.1.3)
+    date (3.4.1)
+    diff-lcs (1.6.0)
+    faraday (2.12.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
+    faraday-retry (2.2.1)
+      faraday (~> 2.0)
+    gapic-common (0.25.0)
+      faraday (>= 1.9, < 3.a)
+      faraday-retry (>= 1.0, < 3.a)
+      google-cloud-env (~> 2.2)
+      google-logging-utils (~> 0.1)
+      google-protobuf (>= 3.25, < 5.a)
+      googleapis-common-protos (~> 1.6)
+      googleapis-common-protos-types (~> 1.15)
+      googleauth (~> 1.12)
+      grpc (~> 1.66)
+    google-cloud-core (1.8.0)
+      google-cloud-env (>= 1.0, < 3.a)
+      google-cloud-errors (~> 1.0)
+    google-cloud-env (2.2.2)
+      base64 (~> 0.2)
+      faraday (>= 1.0, < 3.a)
+    google-cloud-errors (1.5.0)
+    google-cloud-kms (2.9.0)
+      google-cloud-core (~> 1.6)
+      google-cloud-kms-v1 (>= 0.26, < 2.a)
+    google-cloud-kms-v1 (1.5.0)
+      gapic-common (>= 0.25.0, < 2.a)
+      google-cloud-errors (~> 1.0)
+      google-cloud-location (>= 0.7, < 2.a)
+      google-iam-v1 (>= 0.7, < 2.a)
+    google-cloud-location (0.10.0)
+      gapic-common (>= 0.25.0, < 2.a)
+      google-cloud-errors (~> 1.0)
+    google-iam-v1 (1.3.0)
+      gapic-common (>= 0.25.0, < 2.a)
+      google-cloud-errors (~> 1.0)
+      grpc-google-iam-v1 (~> 1.1)
+    google-logging-utils (0.1.0)
+    google-protobuf (4.30.1)
+      bigdecimal
+      rake (>= 13)
+    googleapis-common-protos (1.6.0)
+      google-protobuf (>= 3.18, < 5.a)
+      googleapis-common-protos-types (~> 1.7)
+      grpc (~> 1.41)
+    googleapis-common-protos-types (1.18.0)
+      google-protobuf (>= 3.18, < 5.a)
+    googleauth (1.14.0)
+      faraday (>= 1.0, < 3.a)
+      google-cloud-env (~> 2.2)
+      google-logging-utils (~> 0.1)
+      jwt (>= 1.4, < 3.0)
+      multi_json (~> 1.11)
+      os (>= 0.9, < 2.0)
+      signet (>= 0.16, < 2.a)
+    grpc (1.71.0)
+      google-protobuf (>= 3.25, < 5.0)
+      googleapis-common-protos-types (~> 1.0)
+    grpc-google-iam-v1 (1.9.0)
+      google-protobuf (>= 3.18, < 5.a)
+      googleapis-common-protos (~> 1.4)
+      grpc (~> 1.41)
+    io-console (0.8.0)
+    irb (1.15.1)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.10.2)
+    jwt (2.10.1)
+      base64
+    language_server-protocol (3.17.0.4)
+    lint_roller (1.1.0)
+    logger (1.6.6)
+    method_source (1.1.0)
+    multi_json (1.15.0)
+    net-http (0.6.0)
+      uri
+    os (1.1.4)
+    parallel (1.26.3)
+    parser (3.3.7.1)
+      ast (~> 2.4.1)
+      racc
+    pp (0.6.2)
+      prettyprint
+    prettyprint (0.2.0)
+    pry (0.15.2)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    psych (5.2.3)
+      date
+      stringio
+    public_suffix (6.0.1)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.2.1)
+    rdoc (6.12.0)
+      psych (>= 4.0.0)
+    regexp_parser (2.10.0)
+    reline (0.6.0)
+      io-console (~> 0.5)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.3)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.2)
+    rubocop (1.74.0)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.39.0)
+      parser (>= 3.3.1.0)
+    rubocop-rake (0.7.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1)
+    rubocop-rspec (3.5.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    ruby-progressbar (1.13.0)
+    signet (0.19.0)
+      addressable (~> 2.8)
+      faraday (>= 0.17.5, < 3.a)
+      jwt (>= 1.5, < 3.0)
+      multi_json (~> 1.10)
+    stringio (3.1.5)
+    thor (1.3.2)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
+    uri (1.0.3)
+    yaml (0.4.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler
+  irb
+  kubekrypt!
+  pry
+  rake
+  rspec
+  rubocop
+  rubocop-rake
+  rubocop-rspec
+
+BUNDLED WITH
+   2.6.3

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Krzysztof Knapik
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,86 @@
+[![Gem Version](https://badge.fury.io/rb/kubekrypt.svg)](https://rubygems.org/gems/kubekrypt)
+
+# KubeKrypt
+
+A command-line tool for securely encrypting and decrypting Kubernetes Secret manifests using KMS encryption keys.
+
+## Overview
+
+KubeKrypt provides a simple and secure way to manage sensitive information in Kubernetes Secret manifests. It allows you to encrypt Secret manifests before they're stored in version control systems, and decrypt them when they need to be applied to a cluster.
+
+## Features
+
+- **Secure Encryption**: Uses KMS to encrypt sensitive data in Kubernetes Secret manifests
+- **Simple Interface**: Easy-to-use CLI commands for encryption and decryption
+- **Metadata Tracking**: Embeds metadata in encrypted files for tracking and verification
+- **Stdout Integration**: Outputs to standard out for easy piping and redirection
+- **Base64 Processing**: Automatically handles base64 encoding/decoding under the hood, maintaining compatibility with Kubernetes Secret format
+
+## Installation
+
+`kubecrypt` uses `google-cloud-kms` and it requires an [environment variable](https://cloud.google.com/ruby/docs/reference/google-cloud-kms/latest/AUTHENTICATION) to be set in order to authenticate and work properly.
+You need one of:
+
+- `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents
+- `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
+
+## Usage
+
+### Encrypting a Secret
+
+```bash
+kubekrypt encrypt secret.yaml -k projects/your-project/locations/global/keyRings/your-keyring/cryptoKeys/your-key > secret.enc.yaml
+```
+
+### Decrypting a Secret
+
+```bash
+kubekrypt decrypt secret.enc.yaml > secret.yaml
+```
+
+### Piping to kubectl
+
+```bash
+kubekrypt decrypt --base64 secret.enc.yaml | kubectl apply -f -
+```
+
+### Checking Version
+
+```bash
+kubekrypt version
+```
+
+## How It Works
+
+1. KubeKrypt reads your Kubernetes Secret YAML file
+2. For encryption, it:
+   - Validates that it's a proper Kubernetes Secret
+   - Ensures it's not already encrypted
+   - Decodes base64 values to get raw data
+   - Uses KMS to encrypt sensitive data
+   - Re-encodes with base64 as needed
+   - Adds metadata about the encryption
+   - Outputs the encrypted YAML
+
+3. For decryption, it:
+   - Verifies the file contains KubeKrypt encryption metadata
+   - Uses the embedded information to decrypt the data
+   - Handles all necessary base64 encoding/decoding
+   - Outputs the original Secret YAML
+
+## Security
+
+KubeKrypt never stores encryption keys locally. All encryption and decryption operations are performed using KMS, ensuring that key material is never exposed.
+
+## Requirements
+
+- Ruby 3.4+
+- Access to a KMS key with appropriate permissions
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+## License
+
+This project is licensed under the MIT License - see the LICENSE file for details.

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+task ci: %i[spec rubocop]
+task default: %i[spec rubocop:autocorrect_all]

data/exe/kubekrypt

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require 'kubekrypt'
+
+KubeKrypt::CLI.start

data/kubekrypt.gemspec

@@ -0,0 +1,32 @@
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'kubekrypt/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'kubekrypt'
+  spec.version = KubeKrypt::VERSION
+  spec.authors = ['Krzysztof Knapik']
+  spec.email = ['knapo@knapo.net']
+
+  spec.summary = 'KubeKrypt provides seamless encryption and decryption of secrets in YAML files using Google KMS'
+  spec.homepage = 'https://github.com/knapo/kubekrypt'
+  spec.license = 'MIT'
+
+  spec.metadata['homepage_uri'] = 'https://github.com/knapo/kubekrypt'
+  spec.metadata['source_code_uri'] = 'https://github.com/knapo/kubekrypt'
+  spec.metadata['changelog_uri'] = 'https://github.com/knapo/kubekrypt/blob/main/CHANGELOG.md'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.required_ruby_version = Gem::Requirement.new('>= 3.4.0')
+
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(bin/|spec/|\.rub)}) }
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'google-cloud-kms'
+  spec.add_dependency 'thor', '~> 1.0'
+  spec.add_dependency 'yaml'
+end

data/lib/kubekrypt/cli.rb

@@ -0,0 +1,35 @@
+module KubeKrypt
+  class CLI < Thor
+    include Thor::Shell
+    def self.exit_on_failure?
+      true
+    end
+
+    desc 'version', 'Displays the current version of KubeKrypt'
+    def version
+      puts KubeKrypt::VERSION
+    end
+
+    method_option KMS_KEY, aliases: '-k', desc: 'Google KMS encryption key id to use', required: true
+    desc 'encrypt FILE', 'Encrypts Kubernetes secrets manifest using the specified KMS key'
+    def encrypt(file_path)
+      yaml_content = File.read(file_path)
+      content = YAML.safe_load(yaml_content)
+      key_name = options.fetch(KMS_KEY)
+      raise AlreadyEncrytpedError, file_path if content['kubekrypt']
+
+      result = KubeKrypt::Encryptor.call(content:, key_name:)
+      puts result
+    end
+
+    method_option :base64, desc: 'Base64 encoded values', type: :boolean, required: false
+    desc 'decrypt FILE', 'Decrypts Kubernetes secrets manifest using embedded kubekrypt metadata'
+    def decrypt(file_path)
+      yaml_content = File.read(file_path)
+      content = YAML.safe_load(yaml_content)
+      base64 = options.fetch(:base64, false)
+      result = KubeKrypt::Decryptor.call(content:, base64:)
+      puts result
+    end
+  end
+end

data/lib/kubekrypt/decryptor.rb

@@ -0,0 +1,32 @@
+module KubeKrypt
+  class Decryptor
+    attr_reader :client, :key_name
+
+    def initialize(key_name)
+      @client = Google::Cloud::Kms.key_management_service
+      @key_name = key_name
+    end
+
+    def call(encodedtext, base64: false)
+      ciphertext = Base64.strict_decode64(encodedtext.sub("#{ENC_PREFIX}:", ''))
+
+      result = client.decrypt(name: key_name, ciphertext:).plaintext
+
+      if base64
+        Base64.strict_encode64(result)
+      else
+        result
+      end
+    end
+
+    def self.call(content:, base64:)
+      return content unless content['data']
+
+      key_name = content.fetch(METADATA_KEY).fetch(KMS_KEY.to_s)
+      decryptor = new(key_name)
+      content['data'].transform_values! { |encodedtext| decryptor.call(encodedtext, base64:) }
+      content.delete(METADATA_KEY)
+      content.to_yaml
+    end
+  end
+end

data/lib/kubekrypt/encryptor.rb

@@ -0,0 +1,32 @@
+module KubeKrypt
+  class Encryptor
+    attr_reader :client, :key_name
+
+    def initialize(key_name)
+      @client = Google::Cloud::Kms.key_management_service
+      @key_name = key_name
+    end
+
+    def call(plaintext)
+      ciphertext = client.encrypt(name: key_name, plaintext:).ciphertext
+
+      "#{ENC_PREFIX}:#{Base64.strict_encode64(ciphertext)}"
+    end
+
+    def self.call(content:, key_name:)
+      return content unless content['data']
+
+      encryptor = new(key_name)
+
+      content['data'].transform_values! { |plaintext| encryptor.call(plaintext) }
+
+      content[METADATA_KEY] = {
+        KMS_KEY.to_s => key_name,
+        'version' => VERSION,
+        'modified_at' => Time.now.utc.iso8601
+      }
+
+      content.to_yaml
+    end
+  end
+end

data/lib/kubekrypt/version.rb

@@ -0,0 +1,3 @@
+module KubeKrypt
+  VERSION = '2.0.0'.freeze
+end

data/lib/kubekrypt.rb

@@ -0,0 +1,18 @@
+require 'base64'
+require 'google/cloud/kms'
+require 'optparse'
+require 'thor'
+require 'yaml'
+
+module KubeKrypt
+  AlreadyEncrytpedError = Class.new(StandardError)
+  KMS_KEY = :kms_key
+  ENCRYPTION_METHOD = 'aes-256-gcm'.freeze
+  METADATA_KEY = 'kubekrypt'.freeze
+  ENC_PREFIX = 'enc'.freeze
+end
+
+require 'kubekrypt/version'
+require 'kubekrypt/cli'
+require 'kubekrypt/encryptor'
+require 'kubekrypt/decryptor'

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: kubekrypt
+version: !ruby/object:Gem::Version
+  version: 2.0.0
+platform: ruby
+authors:
+- Krzysztof Knapik
+bindir: exe
+cert_chain: []
+date: 2025-03-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: google-cloud-kms
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: yaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+email:
+- knapo@knapo.net
+executables:
+- kubekrypt
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- exe/kubekrypt
+- kubekrypt.gemspec
+- lib/kubekrypt.rb
+- lib/kubekrypt/cli.rb
+- lib/kubekrypt/decryptor.rb
+- lib/kubekrypt/encryptor.rb
+- lib/kubekrypt/version.rb
+homepage: https://github.com/knapo/kubekrypt
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/knapo/kubekrypt
+  source_code_uri: https://github.com/knapo/kubekrypt
+  changelog_uri: https://github.com/knapo/kubekrypt/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.5
+specification_version: 4
+summary: KubeKrypt provides seamless encryption and decryption of secrets in YAML
+  files using Google KMS
+test_files: []