#!/bin/python3
# takes the listed secrets from a namespace, pushes them into Vault, then generates External Secrets Operator objects
# requirements
# hvac
# kubernetes
# usage
# make sure your kubectl configuration is set
# python secret2valueseso.py namespace secret1,secret2,secret3,... /secret/path/in/vault/prefix name-of-eso-backend /path/to/store/generated/yaml
import base64
import json
import os
import sys
from pathlib import Path

import hvac
import yaml
from kubernetes import client, config
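# Namespace written into the generated ExternalSecret objects.
# NOTE(review): this is hard-coded and is NOT the source namespace given on the
# command line; the original script behaved the same way, so it is kept as a
# constant rather than changed.
ESO_NAMESPACE = "openunison"

USAGE = (
    "usage: secret2valueseso.py namespace secret1,secret2,... "
    "/secret/path/in/vault/prefix name-of-eso-backend /path/to/store/generated/yaml"
)


def decode_secret_data(name, data):
    """Return the base64-decoded, UTF-8 text values of a Secret's ``data`` map.

    Args:
        name: Secret name, used only for error messages.
        data: The ``data`` map of a Kubernetes Secret (``None`` for an empty
            Secret is treated as an empty map).

    Returns:
        ``{key: decoded_text}`` in the map's iteration order.

    Raises:
        ValueError: if a value is not valid UTF-8. Vault KV v2 stores strings,
            so a binary value (e.g. a DER-encoded key) cannot be pushed as-is;
            the error names the offending key so the operator can handle it.
    """
    decoded = {}
    for key, b64_value in (data or {}).items():
        try:
            decoded[key] = base64.b64decode(b64_value).decode("utf-8")
        except UnicodeDecodeError as err:
            raise ValueError(
                f"secret {name!r} key {key!r} is not UTF-8 text; "
                "binary values cannot be stored as KV v2 strings"
            ) from err
    return decoded


def build_external_secret(name, secret_type, keys, prefix, vaultname, target_namespace=ESO_NAMESPACE):
    """Build the ExternalSecret object that syncs one Vault KV entry back into a Secret.

    Args:
        name: Source Secret name; also used as the Vault path suffix.
        secret_type: The source Secret's ``type`` (e.g. ``kubernetes.io/tls``).
        keys: Data keys of the source Secret, one ``remoteRef`` each.
        prefix: Vault KV v2 path prefix; the entry lives at ``prefix/name``.
        vaultname: Name of the ESO ``SecretStore`` backed by Vault.
        target_namespace: Namespace for the generated object.

    Returns:
        A plain dict ready for ``yaml.dump``.
    """
    vault_path = f"{prefix}/{name}"
    ext_secret = {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ExternalSecret",
        "metadata": {
            "name": name,
            "namespace": target_namespace,
        },
        "spec": {
            "refreshInterval": "1m",
            "secretStoreRef": {
                "kind": "SecretStore",
                "name": vaultname,
            },
            "target": {
                "name": name + "-sync",
            },
            "data": [
                {
                    "secretKey": key,
                    "remoteRef": {
                        "key": vault_path,
                        "property": key,
                    },
                }
                for key in keys
            ],
        },
    }
    # Without a template ESO creates an Opaque Secret, which would silently
    # change the type of TLS / dockerconfigjson / service-account-token
    # secrets on the way back; carry the source type through when it is set.
    if secret_type and secret_type != "Opaque":
        ext_secret["spec"]["target"]["template"] = {"type": secret_type}
    return ext_secret


def main(argv=None):
    """Copy the listed Secrets into Vault and write one ExternalSecret YAML per Secret.

    Args:
        argv: Command-line arguments without the program name; defaults to
            ``sys.argv[1:]``. Expects namespace, comma-separated secret names,
            Vault path prefix, SecretStore name and output directory.

    Raises:
        SystemExit: on bad usage, missing ``VAULT_ADDR``/``VAULT_TOKEN``, or a
            Vault token that does not authenticate.
    """
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) < 5:
        sys.exit(USAGE)
    namespace, secret_list, prefix, vaultname, pathtooutput = argv[:5]
    secret_names = set(secret_list.split(","))

    try:
        vault = hvac.Client(
            url=os.environ["VAULT_ADDR"],
            token=os.environ["VAULT_TOKEN"],
        )
    except KeyError as err:
        sys.exit(f"missing environment variable {err}")
    authenticated = vault.is_authenticated()
    print("connected to Vault: " + str(authenticated))
    # Fail fast: otherwise every write below fails with a less obvious error.
    if not authenticated:
        sys.exit("Vault token did not authenticate; check VAULT_ADDR and VAULT_TOKEN")

    print("searching namespace " + namespace)
    config.load_kube_config()
    v1 = client.CoreV1Api()
    out_dir = Path(pathtooutput)
    out_dir.mkdir(parents=True, exist_ok=True)

    found = set()
    for secret in v1.list_namespaced_secret(namespace=namespace).items:
        name = secret.metadata.name
        if name not in secret_names:
            continue
        found.add(name)
        print(name)
        print(secret.type)

        vault_secret_data = decode_secret_data(name, secret.data)
        # Only key names are echoed; the decoded values deliberately never go
        # to stdout, since terminal scrollback and CI logs are not a secret store.
        for key in vault_secret_data:
            print(key)

        ext_secret = build_external_secret(
            name, secret.type, vault_secret_data, prefix, vaultname
        )
        create_response = vault.secrets.kv.v2.create_or_update_secret(
            path=f"{prefix}/{name}",
            secret=vault_secret_data,
        )
        (out_dir / f"{name}.yaml").write_text(yaml.dump(ext_secret), encoding="utf-8")
        # The KV v2 response carries version metadata only, not the data.
        print(create_response)

    missing = secret_names - found
    if missing:
        print(
            "WARNING: not found in namespace " + namespace + ": " + ",".join(sorted(missing)),
            file=sys.stderr,
        )


if __name__ == "__main__":
    main()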