blob: 204920a7f62e8c805f3a52726d276ccaa5417431 [file] [log] [blame]
#/bin/bash
# Backup all the kubernetes secrets to Google Cloud Storage after encrypting
# them with KMS. The secrets never touch disk and are only passed through
# pipes until they are encrypted and written to GCS.
# Note that this script requires that 'jq' be installed.
KEYRING=kubernetes-keyring
KEY=kubernetes-secrets
BUCKET=skia-public-backup
for secret in $(kubectl get secrets -o json | jq -r '.items[].metadata.name'); do
echo "Backing up" ${secret}
kubectl get secret ${secret} -o json | gcloud kms encrypt \
--keyring=${KEYRING} \
--key=${KEY} \
--location=global \
--plaintext-file=- \
--ciphertext-file=- | gsutil cp - gs://${BUCKET}/secrets/$(date +%Y-%m-%d)/${secret}.enc
done