Polycrate CLI: Helpful Tools for Developers and Platform Engineers
ayedo Redaktion 10 Minuten Lesezeit

Polycrate CLI: Helpful Tools for Developers and Platform Engineers

polycrate tools includes 11 built-in CLI helpers for developers and platform engineers: Base64, Cert, Check, CIDR, Diff, DNS, Hash, JWT, Pwgen, Timestamp, and Wait – no external tools required, built right into the CLI.
polycrate kubernetes devops platform-engineering developer-tools infrastructure-as-code cli

Anyone working with Polycrate daily inevitably runs into recurring tasks: checking TLS certificates, verifying DNS records, calculating subnets, debugging tokens. Until now, that meant installing tool after tool and switching context constantly. With polycrate tools, that’s a thing of the past.

polycrate tools is an integrated toolkit with 11 specialized helpers – no separate install, no context switching, no external dependency management. Just launch, select a tool, or call it directly as a subcommand.

polycrate tools

The interactive selector opens a TUI listing all available tools. Alternatively, call any tool directly:

polycrate tools <tool> [args] [flags]

base64 – Encode and Decode for Pipelines

Base64 encoding is ubiquitous in infrastructure work: Kubernetes Secrets, API tokens, TLS certificates. polycrate tools base64 supports standard and URL-safe encoding including padding control, and reads input from arguments, files, or stdin.

# Encode a string
polycrate tools base64 "Hello World"
# SGVsbG8gV29ybGQ=

# Encode from a file (e.g. a certificate)
polycrate tools base64 --file certificate.pem

# Decode
polycrate tools base64 -d "SGVsbG8gV29ybGQ="

# URL-safe encoding (for URLs, cookies, filenames)
polycrate tools base64 -u "data with special chars"

# In a pipeline
kubectl get secret my-secret -o jsonpath='{.data.token}' | polycrate tools base64 -d

Flags: -d decode, -u URL-safe, -p no padding, --file file as input.

cert – Inspect TLS Certificates

polycrate tools cert inspects TLS certificates directly from remote hosts or local PEM files. It shows Subject, Issuer, SANs, expiration date, key type, and validates the full certificate chain. Perfect for daily checks of Let’s Encrypt certificates or self-signed Kubernetes Ingress certs.

# Inspect a remote certificate
polycrate tools cert google.com
polycrate tools cert api.example.com:8443

# URL as input (host is extracted automatically)
polycrate tools cert https://api.example.com/health

# Analyze a local PEM file
polycrate tools cert /etc/ssl/certs/server.pem

# Verify private key matches certificate
polycrate tools cert cert.pem -k private-key.pem

# Expired or self-signed certificates
polycrate tools cert --insecure self-signed.example.com

# Full details including PEM output
polycrate tools cert -d google.com

For certificate chains, each certificate is numbered (1/N = Leaf, N/N = Root CA) with days remaining until expiry, showing a warning when fewer than 30 days remain.

Flags: -d details, -k key file, --insecure skip TLS verification.

check – Connectivity Testing for TCP and HTTP

polycrate tools check is the universal connectivity tester for TCP ports and HTTP/HTTPS endpoints. Unlike ping, it operates at the application layer and measures DNS lookup, TCP connect, TLS handshake, and time-to-first-byte separately. Watch mode provides a live TUI for continuous monitoring.

# Check TCP port
polycrate tools check google.com:443
polycrate tools check tcp://db.example.com:5432

# HTTP/HTTPS endpoint
polycrate tools check https://api.example.com/health
polycrate tools check -X POST https://api.example.com/health

# 10 checks with 500ms interval
polycrate tools check -n 10 -i 500 example.com:80

# Watch mode: live monitoring TUI (quit with q)
polycrate tools check -w google.com:443
polycrate tools check -w -i 2000 https://api.example.com

The summary shows min/avg/max latency and packet loss rate – similar to ping, but for HTTP and TCP.

Flags: -n count, -i interval (ms), -t timeout (ms), -w watch mode, -X HTTP method, --insecure.

cidr – Network Planning Right in the CLI

polycrate tools cidr calculates all relevant network information from CIDR notation: network and broadcast addresses, netmask, wildcard, first and last usable host addresses, and total IP count. Supports both IPv4 and IPv6. Particularly useful for VPC planning, Kubernetes cluster subnets, and firewall rules.

# Network information
polycrate tools cidr 192.168.1.0/24
polycrate tools cidr 10.0.0.0/8

# IPv6
polycrate tools cidr 2001:db8::/32
polycrate tools cidr fd00::/8

# Check if an IP is within a network (exit code 0/1)
polycrate tools cidr contains 192.168.1.0/24 192.168.1.50
# YES: 192.168.1.50 is within 192.168.1.0/24

# Split a network into subnets
polycrate tools cidr split 10.0.0.0/16 24
# Splits /16 into 256 /24 subnets
# (output shows max 20 subnets, then "... and 236 more subnets")

polycrate tools cidr split 192.168.0.0/24 26
# Splits /24 into 4 /26 subnets (all 4 are displayed)

The contains command returns exit code 0 on match and 1 on no-match – ideal for shell scripts and CI/CD pipelines to validate IP assignments. For large networks, split shows a maximum of 20 subnets and summarizes the rest.

diff – Semantic Comparison for YAML and JSON

polycrate tools diff understands the data structure of YAML and JSON, not just the text. Key order doesn’t matter – only real content differences are displayed. Each change is output with its full path (spec.containers[0].image). Output is color-coded: green for added, red for removed, yellow for changed values.

# Compare Kubernetes manifests
polycrate tools diff deployment-v1.yaml deployment-v2.yaml

# JSON configurations
polycrate tools diff config.json config.new.json

# From stdin (in pipelines)
kubectl get deployment nginx -o yaml | polycrate tools diff - local.yaml

# Compare Helm values
polycrate tools diff values.yaml values-production.yaml

# Without colors (for logs or non-interactive output)
polycrate tools diff --no-color old.yaml new.yaml

Example output:

Found 3 difference(s):

~ spec.replicas:
  - 1
  + 3
~ spec.containers[0].image:
  - "nginx:1.24"
  + "nginx:1.25"
+ spec.containers[0].resources: {"limits":{"memory":"512Mi"}}

Flags: --color/--no-color color output, -f format (text/json).

dns – DNS Debugging with Timing

polycrate tools dns performs DNS queries with detailed diagnostics: response time, resolver used, and all common record types in a single run. Supports A, AAAA, CNAME, MX, TXT, NS, PTR, and SRV. A specific DNS server can optionally be specified – ideal for comparing different resolvers during DNS propagation issues.

# Query all common record types
polycrate tools dns google.com

# Query a specific record type
polycrate tools dns -t MX gmail.com
polycrate tools dns -t TXT _dmarc.google.com
polycrate tools dns -t AAAA google.com

# Reverse DNS (IP → hostname)
polycrate tools dns 8.8.8.8

# Use a specific DNS server (e.g. for propagation check)
polycrate tools dns -s 8.8.8.8 example.com
polycrate tools dns -s 1.1.1.1 example.com

# All record types including SOA, CAA, SRV
polycrate tools dns -t ALL example.com

The output shows response time per record type in milliseconds. The summary lists total duration and resolver used.

Flags: -t record type, -s DNS server, --protocol udp/tcp, --timeout timeout (ms).

hash – Checksums and File Integrity

polycrate tools hash calculates cryptographic checksums for files or strings using MD5, SHA1, SHA256 (default), or SHA512. Verify mode checks whether a file matches an expected checksum and returns exit code 0 or 1 – directly usable in CI/CD pipelines for verifying downloaded artifacts.

# Hash a file (default: SHA256)
polycrate tools hash myfile.tar.gz
# a1b2c3d4...  myfile.tar.gz

# Use a specific algorithm
polycrate tools hash -a sha512 important.bin
polycrate tools hash -a md5 legacy-file.iso

# Calculate all algorithms at once
polycrate tools hash --all downloaded-file.zip

# Hash a string directly
polycrate tools hash "my secret string"

# From stdin (in pipelines)
curl -sL https://example.com/release.tar.gz | polycrate tools hash

# Verify checksum (exit code 0 = OK, 1 = mismatch)
polycrate tools hash -v "a1b2c3d4e5f6..." downloaded.tar.gz

Flags: -a algorithm, -v verify hash, --all all algorithms.

jwt – Debug JSON Web Tokens

polycrate tools jwt decodes JWT tokens without signature verification and displays header, payload, and token status clearly. Unix timestamps in iat, exp, and nbf are automatically converted to readable date strings. The --raw flag outputs pure JSON that can be piped directly to jq.

Important note: This tool does NOT verify the signature. It is solely for debugging – never use it for security-relevant decisions.

# Decode a JWT
polycrate tools jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

# From environment variable
polycrate tools jwt "$ACCESS_TOKEN"

# From stdin
echo "$TOKEN" | polycrate tools jwt
cat token.txt | polycrate tools jwt

# Bearer prefix is stripped automatically
polycrate tools jwt "Bearer eyJhbGciOi..."

# Raw JSON for jq
polycrate tools jwt --raw "$TOKEN" | jq '.payload.email'
polycrate tools jwt --raw "$TOKEN" | jq '.payload.exp'

Example output:

=== JWT Header ===
  alg:            RS256
  typ:            JWT
  kid:            abc123

=== JWT Payload ===
  sub:            user@example.com
  email:          user@example.com
  exp:            1735689600 (2026-01-01T00:00:00Z)
  iat:            1735603200 (2025-12-31T00:00:00Z)

=== Token Info ===
  Status:         VALID
  Expires in:     23 hours
  Issued:         1 hours ago
  Subject:        user@example.com

Flags: -r/--raw JSON output.

pwgen – Secure Passwords and Encryption Keys

polycrate tools pwgen generates cryptographically secure passwords with configurable character sets and optional output as a hash or encryption key. By default it produces 16-character alphanumeric passwords without repetition. Supports bcrypt for password hashing, htpasswd for Apache-compatible hashes, and age for encryption keypairs.

# Default: 16-character alphanumeric password
polycrate tools pwgen

# 32-character password
polycrate tools pwgen 32

# With special characters (-s adds specials on top of the default alphanumeric set)
polycrate tools pwgen -s
polycrate tools pwgen 24 -s

# Generate multiple passwords at once
polycrate tools pwgen -n 5
polycrate tools pwgen 20 -n 10

# As bcrypt hash (for config files)
polycrate tools pwgen -a bcrypt

# As htpasswd-compatible bcrypt hash (outputs the hash string only, not "user:hash" Apache format)
polycrate tools pwgen -a htpasswd

# Generate age encryption keypair
polycrate tools pwgen -a age
# Output:
# # Age Encryption Keypair
# # Public key (share this):
# #   age1...
# # Private key (keep secret):
# AGE-SECRET-KEY-1...

# Digits only (for PINs)
polycrate tools pwgen 6 -d

# Lowercase only (for readable tokens)
polycrate tools pwgen 12 -L

Flags: -s special characters, -d digits only, -U uppercase only, -L lowercase only, -r allow repeats, -a algorithm, -n count.

timestamp – Convert Unix Timestamps

polycrate tools timestamp converts between Unix timestamps and human-readable date formats in both directions. It automatically detects whether numeric input is in seconds or milliseconds. Supports a wide range of input formats from RFC3339 and ISO 8601 to European date format.

# Current timestamp
polycrate tools timestamp
polycrate tools timestamp --utc

# Unix timestamp → date
polycrate tools timestamp 1702234567
# Unix:        1702234567
# Unix Milli:  1702234567000
# RFC3339:     2023-12-10T15:36:07+01:00
# Human:       Sunday, December 10, 2023 at 3:36:07 PM CET
# Ago:         441 days

# Milliseconds timestamp
polycrate tools timestamp 1702234567890

# Date string → Unix timestamp
polycrate tools timestamp "2024-12-10 15:30"
polycrate tools timestamp "2024-12-10T15:30:00Z"
polycrate tools timestamp "10.12.2024 15:30:00"

# Custom format
polycrate tools timestamp -f "2006-01-02" 1702234567
polycrate tools timestamp -f "15:04:05"

Flags: -f format (Go time format), -u/--utc UTC timezone, -m/--millis milliseconds.

wait – Wait for Services

polycrate tools wait waits until one or more network services become available – designed for CI/CD pipelines, container orchestration, and startup scripts. Supports TCP, HTTP/HTTPS, and DNS resolution. Multiple targets are checked in parallel. Exit code 0 on success, 1 on timeout.

# Wait for database and cache
polycrate tools wait tcp://db:5432 tcp://redis:6379

# Wait for API health endpoint
polycrate tools wait http://api:8080/health

# With custom timeout (60 seconds)
polycrate tools wait -t 60 tcp://slow-service:80

# Strict mode: require HTTP 2xx response
polycrate tools wait --strict https://api.example.com/health

# Wait for DNS resolution
polycrate tools wait dns://new-service.example.com

# Quiet mode for scripts (exit code only)
polycrate tools wait -q tcp://db:5432

# Custom interval (500ms)
polycrate tools wait -i 500 tcp://db:5432

# In a Kubernetes init container
polycrate tools wait tcp://postgres:5432 tcp://redis:6379 && ./start-app.sh

Flags: -t timeout (seconds), -i interval (ms), -q quiet mode, --strict require 2xx for HTTP.

All Tools at a Glance

Tool Description Typical Use Case
base64 Base64 encode/decode Kubernetes Secrets, API tokens
cert TLS certificate inspection Expiry checks, chain validation
check TCP/HTTP connectivity Service monitoring, latency measurement
cidr CIDR network calculator VPC planning, subnet design
diff YAML/JSON semantic diff Manifest reviews, config comparison
dns DNS lookup with diagnostics DNS propagation, MX/SPF checks
hash Checksum calculation Artifact verification, integrity
jwt JWT token inspection Auth debugging, token expiry
pwgen Password and key generator Service secrets, bcrypt, age keys
timestamp Unix timestamp conversion Log analysis, token expiry
wait Service readiness check CI/CD, init containers

Interactive Selector

Without a subcommand, polycrate tools opens an interactive selector where the desired tool can be navigated and selected using the keyboard. Useful for occasional use or when exploring the available tools.

polycrate tools
# → Opens TUI selection of all 11 tools

Polycrate is ayedo’s Infrastructure-as-Code tool for declarative multi-cluster management. Learn more →

Vorheriger Post Alle Posts Nächster Post

Ähnliche Artikel