patch-secret-known-hosts.sh
#!/usr/bin/env bash
# Ref https://github.com/fluxcd/source-controller/issues/490
# Ref https://github.blog/2021-09-01-improving-git-protocol-security-github/
# Print the one-line command synopsis to stdout.
# Arguments: none ($0 is the script name as invoked)
# Returns:   0
usage() {
  printf 'Usage: %s context [list|diff|apply]\n' "$0"
}
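# Abort on a failed command, an unset variable or a failed pipeline stage;
# without pipefail a failing kubectl/jq stage in the pipeline below would be
# silently ignored and the loop would simply see no input.
set -euo pipefail

if [ -z "${1:-}" ]; then
  usage
  # Quoted substitution: context names are printed as returned, one per line,
  # instead of being word-split and glob-expanded by echo.
  printf 'Specify a context:\n%s\n' "$(kubectl config get-contexts -o name)"
  exit 1
fi
context="$1"

# $mode is later passed to kubectl as its subcommand ("diff"/"apply"), so it
# must be restricted to these literals and never taken verbatim from argv.
case "${2:-}" in
  list|diff|apply) mode="$2" ;;
  *)
    usage
    echo "Mode must be one of:"
    echo " * list - show secrets to be patched"
    echo " * diff - show proposed patch"
    echo " * apply - apply the patch"
    exit 1
    ;;
esac

# Every tool is required; a missing one is fatal rather than just reported.
echo "Dependencies:"
for tool in jq kubectl ssh-keyscan; do
  command -v "$tool" || { printf 'Missing dependency: %s\n' "$tool" >&2; exit 1; }
done

# NOTE: ssh-keyscan trusts whatever the network answers (trust-on-first-use).
# The keys written into the secrets are only as trustworthy as this scan, so
# compare them against the fingerprints the providers publish before "apply".
# An empty or ecdsa-less result must not be written: it would blank the
# secrets' known_hosts, or leave them still matching the selection below.
known_hosts=$(ssh-keyscan github.com bitbucket.org)
if [ -z "$known_hosts" ]; then
  echo "ssh-keyscan returned no host keys; refusing to continue" >&2
  exit 1
fi
case "$known_hosts" in
  *ecdsa*) ;;
  *)
    echo "ssh-keyscan output contains no ecdsa key; refusing to continue" >&2
    exit 1
    ;;
esac

echo "Fetching secrets from $context..."
# Select secrets that carry a known_hosts entry whose decoded value has no
# "ecdsa" key; emit "name<TAB>namespace" per secret.  The loop runs in a
# subshell (last pipeline stage), which is fine: nothing is read from it later.
kubectl "--context=$context" get secret -o json --all-namespaces \
  | jq -r '.items[] | select(.data.known_hosts) | select (.data.known_hosts | @base64d | contains("ecdsa") | not) | [.metadata.name, .metadata.namespace] | @tsv' \
  | while IFS=$'\t' read -r name namespace; do
      echo "$mode patch for context=$context namespace=$namespace name=$name"
      if [ "$mode" != "list" ]; then
        # Re-fetch the single secret, overwrite known_hosts via stringData and
        # hand the result to "kubectl diff" or "kubectl apply".
        kubectl "--context=$context" "--namespace=$namespace" get secret "$name" -o json \
          | jq --arg known_hosts "$known_hosts" '.stringData["known_hosts"]=$known_hosts' \
          | kubectl "--context=$context" "$mode" -f -
      fi
    done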