K
Q

Can't create Secret in Kubernetes: illegal base64 data at input

11/20/2018

I want to create a secret for my kubernetes cluster. So I composed following dummy-secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: bWVnYV9zZWNyZXRfa2V5
  API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=

When I run kubectl create -f dummy-secret.yaml I receive back following message:

Error from server (BadRequest): error when creating "dummy-secret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret: Data: decode base64: illegal base64 data at input byte 8, error found in #10 byte of ...|Q89_Hj1Aq","API_SECR|..., bigger context ...|sion":"v1","data":{"API_KEY":"af76fsdK_cQ89_Hj1Aq","API_SECRET":"bsdfmkwegwegwe"},"kind":"Secret","m|...

Not sure why it happens.

As I understood, I need to encode all values under the data key in the yaml file. So I did base64 encoding, but kubernetes still doesn't handle the yaml secret file as I expect.

UPDATE:

I used this command to encode data values on my mac:

echo -n 'mega_secret_key' | openssl base64
-- Alex Fruzenshtein
base64
kubernetes
kubernetes-secrets

Similar Questions

In Cluster Config is unable to get pods when deployed in a non-default namespace
Kubernetes context is not set
Gitlab CI Pipeline: Cannot create pods in the namespace
Kubernetes + Spring admin UI + Eureka not working
Kubebuilder: resource deletion not having expected side effects

5 Answers

10/17/2019

This may also happen when trying to remove the new line characters in a wrong way (the correct way is to remove the suffix "Cg==").

I used base64 from cli although there are workarounds to avoid the NL, like

https://superuser.com/questions/1225134/why-does-the-base64-of-a-string-contain-n/1225334

they don't work in MacOS, I found it simpler to use python like this

import base64

data = "abc123!?$*&()'-=@~"

# Standard Base64 Encoding
encodedBytes = base64.b64encode(data.encode("utf-8"))
encodedStr = str(encodedBytes, "utf-8")

Or still using a pure bash-based solution:

echo 'secret_to_encode' | tr -d \\n | base64
-- Fernando Gonzalez Sanchez
Source: StackOverflow
11/20/2018

I got the decoded values "mega_secret_key" and "really_secret_value1" from from your encoded data. Seems they are not encoded in right way. So, encode your data in right way:

$ echo "mega_secret_key" | base64
bWVnYV9zZWNyZXRfa2V5Cg==

$ echo "really_secret_value1" | base64
cmVhbGx5X3NlY3JldF92YWx1ZTEK

Then check whether they are encoded properly:

$ echo "bWVnYV9zZWNyZXRfa2V5Cg==" | base64 -d
mega_secret_key

$ echo "cmVhbGx5X3NlY3JldF92YWx1ZTEK" | base64 -d
really_secret_value1

So they are ok. Now use them in your dummy-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: bWVnYV9zZWNyZXRfa2V5Cg==
  API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTEK

And run $ kubectl create -f dummy-secret.yaml.

-- Shudipta Sharma
Source: StackOverflow
12/12/2019

After a while I want to return back to this question and leave an answer with a reference to official kubernetes docs:

echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

Pay extra attention to -n, because it guaranties that after decoding your secret key will not contain 'new line symbol'.

-- Alex Fruzenshtein
Source: StackOverflow
3/20/2020

This was already answered but for future reference, there is no need to encode the strings by using stringData instead of data field as shown below:

#secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  API_KEY: "STRING_IN_CLEAR_TEXT"
  API_SECRET: "STRING_IN_CLEAR_TEXT"
-- Tomas Fornara
Source: StackOverflow
11/20/2018

Looks like your error message happens with a different dummy-secret.yaml.

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: af76fsdK_cQ89_Hj1Aq
  API_SECRET: bsdfmkwegwegwe

Then:

$ kubectl create -f s.yaml
Error from server (BadRequest): error when creating "dummy-secret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret.Data: decode base64: illegal base64 data at input byte 8, error found in #10 byte of ...|Q89_Hj1Aq","API_SECR|..., bigger context ...|sion":"v1","data":{"API_KEY":"af76fsdK_cQ89_Hj1Aq","API_SECRET":"bsdfmkwegwegwe"},"kind":"Secret","m|...

If I use your original it works fine:

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: bWVnYV9zZWNyZXRfa2V5
  API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=

Then:

$ kubectl create -f dummy-secret.yaml
secret/dummy-secret created

I'm using the following version:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-30T21:39:38Z", GoVersion:"go1.11.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.1", GitCommit:"4ed3216f3ec431b140b1d899130a69fc671678f4", GitTreeState:"clean", BuildDate:"2018-10-05T16:36:14Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
-- Rico
Source: StackOverflow