Kubit logoKubit

Kubit CLI

Setup

You can download and install kubit-cli with this link.

$ kubit

 
$ kubit --help
Usage: kubit [OPTIONS] COMMAND [ARGS]...

  kubit cli to interact with Pack and other resources

Options:
  -n, --namespace TEXT  The namespace scope for this CLI request
  -x, --context TEXT    The name of the kubeconfig context to use
  --version             Show the version and exit.
  -h, --help            Show this message and exit.

Commands:
  beta           Beta features not released yet
  clear-cache    Clear pack-operator cache
  completion     Usage: source <(kubit completion bash)
  helm-diff      Run a helm diff command againest a pack remotely
  helm-template  Run a helm template command againest a pack remotely
  vault          Vault encrypt/decrypt related commands

$ kubit vault

Important information, such as passwords, must be stored inside the k8s Secrets, but sometimes it is necessary to store the values inside the Pack securely. Therefore, they need to be encrypted. To do this, AES256 encryption is used with the password and the password itself is stored in a Secret called vault-id. The following commands show how to create a vault-id and how to encrypt / decrypt with it.

...:
  values:
    password: |
      $KUBIT_VAULT;1.2;AES256;webvp
      33363334363436353336363636333334363633393631363533333636363533350a38643634346430
      34616436343434313037623964326565334265623639613137613930653664633032383861333662
      37623937303039633366383331313561360a34636136303833626638313739616565616464383162
      66616331643488363533

$ kubit vault --help
Usage: kubit vault [OPTIONS] COMMAND [ARGS]...

  Vault encrypt/decrypt related commands

Options:
  -n, --namespace TEXT  The namespace scope for this CLI request
  -x, --context TEXT    The name of the kubeconfig context to use
  -h, --help            Show this message and exit.

Commands:
  create   Create new vault-id to use for encrypting
  decrypt  Decrypt an already encrypted vaulttext
  encrypt  Encrypt a plaintext
  list     List existing vault-ids

$ kubit vault list

 
$ kubit vault list --help
Usage: kubit vault list [OPTIONS]

  List existing vault-ids

Options:
  -n, --namespace TEXT  The namespace scope for this CLI request
  -A, --all-namespaces  Run in scope of all namespaces.
  -x, --context TEXT    The name of the kubeconfig context to use
  -h, --help            Show this message and exit.

$ kubit vault create

 
$ kubit vault create --help
Usage: kubit vault create [OPTIONS]

  Create new vault-id to use for encrypting

Options:
  -i, --vault-id TEXT        Vault-id for created vault.  [required]
  -s, --vault-salt TEXT      If present, used as vault salt. Otherwide a random 16chart will generated and used.
  -p, --vault-password TEXT  If present, used as vault password. Otherwise a random 16chart will generated and used.
  --vault-password-stdin     If present, password will read from stdin.
  --dry-run                  Do not create vault secret and return its yaml only.
  -n, --namespace TEXT       The namespace scope for this CLI request
  -x, --context TEXT         The name of the kubeconfig context to use
  -h, --help                 Show this message and exit.

Samples

  • Create a vault-id with name webvp in prod-web namespace with autogenerated password and salt

      kubit vault create -n prod-web -i webvp

  • Create a vault-id with name webvp in prod-web namespace with given password

      kubit vault create -n prod-web -i webvp --vault-password 'dummy-vau!t-p@ssword'

  • Create a vault-id with name webvp in prod-web namespace and get its manifest but not apply

      kubit vault create -n prod-web -i webvp --dry-run

$ kubit vault encrypt

 
$ kubit vault encrypt --help
Usage: kubit vault encrypt [OPTIONS] [PLAINTEXT]

  Encrypt a plaintext

Options:
  -i, --vault-id TEXT        Vault-id in same namespace to encrypt with.  [required]
  -s, --vault-salt TEXT      If namespace is not present, used as vault salt together with vault-id.
  -p, --vault-password TEXT  If namespace is not present, used as vault password together with vault-id.
  -n, --namespace TEXT       The namespace scope for this CLI request
  -x, --context TEXT         The name of the kubeconfig context to use
  -h, --help                 Show this message and exit.

Samples

  • Encrypt "secret-string" with vault-id/testvp in namespace/prod-web

      kubit vault encrypt -i webvp -n prod-web 'secret-string'

  • Encrypt piped stdin with vault-id/testvp in namespace/prod-web

      echo $ENV | kubit vault encrypt -i webvp -n prod-web

  • Interactively encrypt with vault-id/testvp in namespace/prod-web

      kubit vault encrypt -i webvp -n prod-web

  Enter plaintext and then press Ctrl+D (text will dedented and whitespace stripped):
  secret-string
  <Ctrl+D>
  $KUBIT_VAULT;1.2;AES256;webvp
  33363334363436353336363636333334363633393631363533333636363533350a38643634346430
  34616436343434313037623964326565334265623639613137613930653664633032383861333662
  37623937303039633366383331313561360a34636136303833626638313739616565616464383162
  66616331643488363533

$ kubit vault decrypt

 
$ kubit vault decrypt --help
Usage: kubit vault decrypt [OPTIONS] [VAULTTEXT]

  Decrypt an already encrypted vaulttext

Options:
  -p, --vault-password TEXT  If namespace is not present, used as vault password to decrypt
  -n, --namespace TEXT       The namespace scope for this CLI request
  -x, --context TEXT         The name of the kubeconfig context to use
  -h, --help                 Show this message and exit.

Samples

  • Decrypt piped stdin with vault-id from namespace/prod-web

      echo $ENV | kubit vault decrypt -n prod-web

  • Decrypt piped stdin with given vault-password

      echo $ENV | kubit vault decrypt --vault-password $PASSWORD_ENV

  • Interactively decrypt with vault-id from namespace/prod-web

      kubit vault decrypt -n prod-web

  Enter vaulttext and then press Ctrl+D (text will dedented and whitespace stripped):
  $KUBIT_VAULT;1.2;AES256;webvp
  33363334363436353336363636333334363633393631363533333636363533350a38643634346430
  34616436343434313037623964326565334265623639613137613930653664633032383861333662
  37623937303039633366383331313561360a34636136303833626638313739616565616464383162
  66616331643488363533
  <Ctrl+D>
  secret-string

$ kubit clear-cache

 
$ kubit clear-cache --help
Usage: kubit clear-cache [OPTIONS]

  Clear pack-operator cache

Options:
  -x, --context TEXT  The name of the kubeconfig context to use
  -h, --help          Show this message and exit.

$ kubit helm-diff

 
$ kubit helm-diff --help
Usage: kubit helm-diff [OPTIONS] [PACKNAME]

  Run a helm diff command againest a pack remotely

Options:
  -f, --packfile PATH   Path to local pack manifest file
  -o, --outfile PATH    Path to output file instead of stdout
  -n, --namespace TEXT  The namespace scope for this CLI request
  -x, --context TEXT    The name of the kubeconfig context to use
  -h, --help            Show this message and exit.

$ kubit helm-template

 
$ kubit helm-template --help
Usage: kubit helm-template [OPTIONS] [PACKNAME]

  Run a helm template command againest a pack remotely

Options:
  -f, --packfile PATH   Path to local pack manifest file
  -o, --outfile PATH    Path to output file instead of stdout
  -n, --namespace TEXT  The namespace scope for this CLI request
  -x, --context TEXT    The name of the kubeconfig context to use
  -h, --help            Show this message and exit.

last update: 2022-01-22