keys.gpg is an encrypted file with key-value pairs like this:
# TEST_KEY is "foobar" (base64-encoded)
TEST_KEY="Zm9vYmFy"
values are base64-encoded
Usage in kustomization.yaml:
secretGenerator:
- name: foobar
commands:
somekey: '${GETPW} TEST_KEY'
Running kustomize:
GETPW="${PWD}/scripts/getpw.sh" kustomize build
| #!/bin/bash | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| set -o errtrace | |
| if [ $(uname) = Darwin ]; then | |
| readlinkf(){ perl -MCwd -e 'print Cwd::abs_path shift' "$1";} | |
| else | |
| readlinkf(){ readlink -f "$1"; } | |
| fi | |
| CONFIG_ROOT="$(cd $(dirname "$(readlinkf "${BASH_SOURCE}")")/..; pwd)" | |
| VAR="${1:-}" | |
| if [[ ! ${VAR} ]]; then | |
| echo >&2 "Must specify the var" | |
| exit 1 | |
| fi | |
| # obtained 'gpg --with-keygrip -K' | |
| KEY_ID=........................................ | |
| if [[ ! -S "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent" ]]; then | |
| if [[ ! ${GPG_PASSPHRASE:-} ]]; then | |
| echo >&2 "Must provide GPG_PASSPHRASE" | |
| exit 1 | |
| fi | |
| if [[ ! ${GPG_KEY_FILE:-} ]]; then | |
| echo >&2 "Must provide GPG_KEY_FILE" | |
| exit 1 | |
| fi | |
| gpg-agent -q --daemon --allow-preset-passphrase --max-cache-ttl 3153600000 | |
| /usr/libexec/gpg-preset-passphrase \ | |
| --preset --passphrase "${GPG_PASSPHRASE}" "${KEY_ID}" | |
| gpg -q --batch --import "${GPG_KEY_FILE}" | |
| fi | |
| ( | |
| # breaks with bash 3 on Mac: | |
| # source <(gpg --batch --decrypt "${CONFIG_ROOT}/keys.gpg") | |
| # eval "echo \$${VAR}" | |
| (gpg -q --batch --decrypt "${CONFIG_ROOT}/keys.gpg"; echo; echo "echo \"\${${VAR}}\" | base64 --decode") | bash | |
| ) |