0

I'm trying to deploy a Java application which requires a couple of environmental variables to connect to other systems. I'm using Kubernetes to deploy the application to a namespace. I manage to do this successfully. What I cannot seem to get correct is how to inject secret values from the pipeline environmental variables into the secrets.yaml file. Obviously I don't want the secrets to be visible in the pipeline. Basically I'm trying to avoid doing this:

apiVersion: v1
kind: Secret
metadata:
  name: access-keys
type: Opaque
data:
  ACCESS_KEY: uio8093210980khdsk

and I want to do something like this (ACCESS_KEY is set as a variable in the pipeline):

apiVersion: v1
kind: Secret
metadata:
  name: access-keys
type: Opaque
data:
  ACCESS_KEY: $(ACCESS_KEY)

When running the pipeline with the value converted to base64 it works fine. As soon as I change the value in secrets.yaml to $(ACCESS_KEY) I get the below error:

[error]Error: 1 error occurred:
    * Secret in version "v1" cannot be handled as a Secret: illegal base64 data at input byte 0

How should I approach this? Or maybe there is a better way of hiding secrets in Azure DevOps?

davidb

1 Answer

0

I have tried reproducing the issue in my own environment and encountered the same problem. I followed the suggestion given by @Shiva to use variables, which made the pipeline succeed. However, when I checked the secret value in Kubernetes, I noticed that nothing was created.

To address this, I added a PowerShell task before the Kubernetes secret task to convert normal values to base64-encoded values. After implementing this solution, I observed positive results.

Here are the steps I followed to reproduce the issue and resolve it successfully:

  1. In the Azure Pipeline variables, I created a secret variable.

  2. Next, I added a PowerShell task to convert the normal value to its base64-encoded equivalent. I placed this task before the Kubernetes task.

Below is the complete pipeline code that I tested in my environment, and it worked as expected:

trigger: none

pool:
  vmImage: Windows-latest

steps:

- task: PowerShell@2
  inputs:
    targetType: 'inline'
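    script: |
      # $(ACCESS_KEY_VALUE) is the secret pipeline variable; it is substituted before the script runs.
      $ACCESS_KEY = "$(ACCESS_KEY_VALUE)"
      # Values under data: in a Secret manifest must be base64-encoded.
      $ACCESS_KEY = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($ACCESS_KEY))
      # issecret=true keeps the encoded value masked in the logs of later steps.
      Write-Host "##vso[task.setvariable variable=ACCESS_KEY;issecret=true]$ACCESS_KEY"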

- task: Kubernetes@1
  inputs:
    connectionType: 'Kubernetes Service Connection'
    kubernetesServiceEndpoint: 'aks-k8s-sc'
    command: 'apply'
    useConfigurationFile: true
    configurationType: 'inline'
    inline: |
      apiVersion: v1
      kind: Secret
      metadata:
        name: access-keys
      type: Opaque
      data:
        ACCESS_KEY: $(ACCESS_KEY)
    secretType: 'generic'

Output: https://i.imgur.com/ir07QYD.png

HowAreYou
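A pre-apply check for the failure in the question, as an added example that is not part of the original question or answer: the API server base64-decodes every value under `data:`, and the `$` of a literal `$(ACCESS_KEY)` is not a base64 character, hence "illegal base64 data at input byte 0". The sketch assumes a shell step with the secret piped in from a mapped environment variable; the function names `render_secret` and `check_secret_data` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# values used to exercise them are constructed.

# Render a Secret manifest. The plain value arrives on stdin so it never
# shows up in a command line; base64 output is joined onto one line.
render_secret() {   # usage: printf '%s' "$VALUE" | render_secret NAME KEY
  encoded=$(base64 | tr -d '\n')
  if [ -z "$encoded" ]; then
    echo "render_secret: empty value on stdin" >&2
    return 1
  fi
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$1" "$2" "$encoded"
}

# Lint a manifest on stdin before `kubectl apply`: every value under `data:`
# must be padded base64, and a leftover $(NAME) macro is reported by key.
# Assumes simple unquoted `KEY: value` lines, as in the manifests above.
check_secret_data() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }
    /^[^ \t#]/      { in_data = 0 }
    in_data && NF >= 2 && $1 !~ /^#/ {
      key = $1; sub(/:$/, "", key); val = $2
      if (index(val, "$(") > 0) {
        print key ": unexpanded pipeline macro " val; bad = 1
      } else if (val !~ "^[A-Za-z0-9+/]+=?=?$" || length(val) % 4 != 0) {
        print key ": not valid base64"; bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}
```

Piping with `printf '%s'` rather than `echo` keeps a trailing newline out of the encoded secret.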