*: bazelify
diff --git a/tools/BUILD b/tools/BUILD
new file mode 100644
index 0000000..9a1df68
--- /dev/null
+++ b/tools/BUILD
@@ -0,0 +1,25 @@
+load("//bzl:rules.bzl", "copy_go_binary")
+
+py_binary(
+ name = "secretstore",
+ srcs = ["secretstore.py"],
+)
+
+copy_go_binary(
+ name = "kubectl",
+ src = "@io_k8s_kubernetes//cmd/kubectl:kubectl",
+)
+
+copy_go_binary(
+ name = "kubecfg",
+ src = "@com_github_ksonnet_kubecfg//:kubecfg",
+)
+
+filegroup(
+ name = "tools",
+ srcs = [
+ ":secretstore",
+ ":kubectl",
+ ":kubecfg",
+ ],
+)
diff --git a/tools/secretstore.py b/tools/secretstore.py
new file mode 100644
index 0000000..6b88d28
--- /dev/null
+++ b/tools/secretstore.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+
+# A little tool to encrypt/decrypt git secrets. Kinda like password-store, but more purpose specific and portable.
+
+import sys
+import subprocess
+
+keys = [
+ "63DFE737F078657CC8A51C00C29ADD73B3563D82", # q3k
+ "482FF104C29294AD1CAF827BA43890A3DE74ECC7", # inf
+]
+
+def main():
+ if len(sys.argv) < 3 or sys.argv[1] not in ('encrypt', 'decrypt'):
+ sys.stderr.write("Usage: {} encrypt/decrypt file\n".format(sys.argv[0]))
+ sys.stderr.flush()
+ return 1
+
+ action = sys.argv[1]
+ src = sys.argv[2]
+
+ if action == 'encrypt':
+ cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', '-']
+ for k in keys:
+ cmd.append('--recipient')
+ cmd.append(k)
+ cmd.append(src)
+ subprocess.check_call(cmd)
+ else:
+ cmd = ['gpg', '--decrypt', '--output', '-', src]
+ subprocess.check_call(cmd)
+
+if __name__ == '__main__':
+ sys.exit(main() or 0)