I am wondering if it is possible to have a byte array as a Kubernetes secret. I created a byte array and a base64-encoded string as below:
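    import java.security.SecureRandom;
    import java.util.Base64;

    // Generate 32 random bytes from a cryptographically secure source
    SecureRandom random = new SecureRandom();
    byte[] bytes = new byte[32];
    random.nextBytes(bytes);
    for (int i = 0; i < bytes.length; i++) {
        System.out.print(bytes[i] + ",");
    }
    // Encode the raw bytes as base64 text without trailing '=' padding
    String token = Base64.getEncoder().withoutPadding().encodeToString(bytes);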
Then I used the resulting string in a Kubernetes secret. The secret gets created successfully. Now I would like my Spring Boot application, which is running in Kubernetes, to read and decode that value. However, I get an IllegalArgumentException (Illegal base64 character). When running the application locally and reading the same token from a properties file, it can be decoded.
So my question again: Is it possible to use a byte array as a Kubernetes secret?
You don't need to encode it manually. Just supply plain text to the secret and it will be base64-encoded by k8s. Otherwise it is encoded twice.
    kind: Secret
    apiVersion: v1
    stringData: # allows adding plain text (will be encoded by k8s and kept in base64-encoded format under data)
      foo: plain text
    data:
The plain value is expected when creating a secret with kubectl create secret generic, whether using --from-file or --from-literal (as @fg78nc alluded to).
A base64-encoded value is required when Creating a Secret Manually from a binary value.
If the secret's value is a binary value, I'd suggest mounting the secret as a volume and reading it from the file as a byte array - it will be base64-decoded in the file.
The secrets are base64-decoded automatically when getting the value from an environment variable created from the secret or from a file mounted as a volume, but not by kubectl get secret or when directly using the Kubernetes API (GET /api/v1/namespaces/{namespace}/secrets/{name}).
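The encode and decode steps described in the answers above, as an added Java example that is not part of the original posts: it models what the application receives for each way of supplying the value. The helpers `toDataField` and `deliveredToPod` are hypothetical stand-ins for Kubernetes behaviour, the key is a constructed sample, the token is padded base64, and a temp file stands in for the volume mount path.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Base64;

public class SecretEncodingDemo {
    // Hypothetical model: a plain value (stringData, --from-literal, --from-file)
    // is stored base64-encoded under the secret's data field.
    static String toDataField(byte[] plainValue) {
        return Base64.getEncoder().encodeToString(plainValue);
    }

    // Hypothetical model: the data field is decoded once before the value
    // reaches the pod as an environment variable or a mounted file.
    static byte[] deliveredToPod(String dataField) {
        return Base64.getDecoder().decode(dataField);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];              // constructed sample key: 0x00..0x1f
        for (int i = 0; i < key.length; i++) key[i] = (byte) i;
        String token = Base64.getEncoder().encodeToString(key);

        // 1. Token given as plain text: the pod sees the token text,
        //    so the application decodes exactly once.
        byte[] seen = deliveredToPod(toDataField(token.getBytes(StandardCharsets.US_ASCII)));
        byte[] viaText = Base64.getDecoder().decode(seen);
        System.out.println("plain token, one decode: " + Arrays.equals(key, viaText));

        // 2. Raw key supplied as the value and mounted as a volume: the file
        //    already holds the 32 bytes, no decoding in the application.
        Path mounted = Files.createTempFile("secret-token", ".bin");
        Files.write(mounted, deliveredToPod(toDataField(key)));
        System.out.println("volume file, no decode:  " + Arrays.equals(key, Files.readAllBytes(mounted)));
        Files.delete(mounted);

        // 3. Token placed in data as if it were the encoded form: the pod
        //    receives raw bytes, and decoding them again as base64 fails.
        byte[] raw = deliveredToPod(token);
        try {
            Base64.getDecoder().decode(raw);
            System.out.println("second decode unexpectedly succeeded");
        } catch (IllegalArgumentException e) {
            System.out.println("second decode failed: " + e.getMessage());
        }
    }
}
```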