0

I am wondering if it is possible to have a byte array as a Kubernetes secret. I created a byte array and a base64-encoded string as below:

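    import java.security.SecureRandom;
    import java.util.Base64;

    // Generate 32 random bytes
    SecureRandom random = new SecureRandom();
    byte[] bytes = new byte[32];

    random.nextBytes(bytes);
    // Print the raw byte values
    for (int i = 0; i < bytes.length; i++) {
        System.out.print(bytes[i] + ",");
    }

    // Base64-encode the bytes without '=' padding
    String token = Base64.getEncoder().withoutPadding().encodeToString(bytes);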

Then I used the resulting string in a Kubernetes secret. The secret gets created successfully. Now I would like my Spring Boot application, which is running in Kubernetes, to read and decode that value. However, I get an `IllegalArgumentException` (Illegal base64 character). When running the application locally, reading the same token from a properties file, it can be decoded.

So my question again: Is it possible to use a byte array as a Kubernetes secret?

Martin Baeumer

2 Answers

1

You don't need to encode it manually. Just supply plain text to the secret and it will be base64-encoded by k8s. Otherwise it is encoded twice.

    kind: Secret
    apiVersion: v1
    stringData: # allows adding plain text (will be encoded by k8s and kept in base64-encoded format under data)
      foo: plain text
    data:

fg78nc
  • Hm, if I create the secret using `kubectl apply -f ...` the value needs to be base64-encoded – Martin Baeumer Dec 11 '19 at 17:07
  • It will be encoded automatically - you can just provide plain string. See updated answer above. – fg78nc Dec 11 '19 at 17:59
  • If you need to read a base64 to be passed to your app, use a configmap instead. The Secret, as "fg78nc" said, is already encoded in base64, or take the advice of "gears" – Armando Cuevas Dec 11 '19 at 22:19
  • If I properly understood the question, it is about storing in Secret a byte array that represents a SecureRandom number. My understanding is that using `stringData` field, which allows secret data to be provided as unencoded *strings*, would work for plain *text* data, yes, but not for binary values. – gears Dec 11 '19 at 23:24
  • What makes you think so? Did you try? – fg78nc Dec 12 '19 at 13:25
1

The plain value is expected when creating a secret with `kubectl create secret generic`, whether using `--from-file` or `--from-literal` (as @fg78nc alluded to).

A base64-encoded value is required when Creating a Secret Manually from a binary value.

If the secret's value is a binary value, I'd suggest mounting the secret as a volume and reading it from the file as a byte array - it will be base64-decoded in the file.

The secrets are base64-decoded automatically when getting the value from an environment variable created from the secret or from a file mounted as a volume, but not by `kubectl get secret` or when directly using the Kubernetes API (`GET /api/v1/namespaces/{namespace}/secrets/{name}`).

gears
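
The volume-mount approach from the second answer, as an added example that is not code from the question or either answer: it reads a 32-byte key from a mounted secret file in both forms discussed above (raw bytes, or base64 text that was stored as the secret's value) and rejects a key of the wrong length. The class name, the file names `key.bin` and `key.b64`, and the temp directory standing in for the mount path are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SecretBytesDemo {
    static final int KEY_LEN = 32;

    // Secret created from the binary value (base64 applied once, under `data`):
    // the mounted file holds the raw bytes, so nothing is decoded here.
    static byte[] readRawKey(Path file) throws IOException {
        return requireLength(Files.readAllBytes(file));
    }

    // Secret whose value is itself the base64 text (supplied as a plain string):
    // the mounted file holds that text, so decode it exactly once.
    static byte[] readBase64Key(Path file) throws IOException {
        String text = new String(Files.readAllBytes(file), StandardCharsets.US_ASCII).trim();
        return requireLength(Base64.getDecoder().decode(text));
    }

    static byte[] requireLength(byte[] key) {
        if (key.length != KEY_LEN) {
            throw new IllegalStateException("expected " + KEY_LEN + " bytes, got " + key.length);
        }
        return key;
    }

    public static void main(String[] args) throws IOException {
        byte[] key = new byte[KEY_LEN];
        new SecureRandom().nextBytes(key);
        String token = Base64.getEncoder().encodeToString(key); // value for `data:` in a manifest

        // Constructed stand-ins for the two possible contents of a mounted secret file.
        Path dir = Files.createTempDirectory("secret-mount");
        Path raw = Files.write(dir.resolve("key.bin"), key);
        Path text = Files.write(dir.resolve("key.b64"), (token + "\n").getBytes(StandardCharsets.US_ASCII));
        System.out.println("raw file matches:    " + Arrays.equals(key, readRawKey(raw)));
        System.out.println("base64 file matches: " + Arrays.equals(key, readBase64Key(text)));
        try {
            readRawKey(text); // wrong reader: the file holds base64 text, not 32 key bytes
        } catch (IllegalStateException e) {
            System.out.println("mismatch detected:   " + e.getMessage());
        }
    }
}
```

The `trim()` matters because `Base64.getDecoder()` rejects line separators with an `IllegalArgumentException`, and the length check surfaces a double-encoded or still-encoded value at startup instead of letting it be used as key material.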