I want to create a secret for my kubernetes cluster. So I composed following dummy-secret.yaml
file:
apiVersion: v1
kind: Secret
metadata:
name: dummy-secret
type: Opaque
data:
API_KEY: bWVnYV9zZWNyZXRfa2V5
API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=
When I run kubectl create -f dummy-secret.yaml
I receive back following message:
Error from server (BadRequest): error when creating "dummy-secret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret: Data: decode base64: illegal base64 data at input byte 8, error found in #10 byte of ...|Q89_Hj1Aq","API_SECR|..., bigger context ...|sion":"v1","data":{"API_KEY":"af76fsdK_cQ89_Hj1Aq","API_SECRET":"bsdfmkwegwegwe"},"kind":"Secret","m|...
Not sure why it happens.
As I understood, I need to encode all values under the data
key in the yaml file. So I did base64 encoding, but kubernetes still doesn't handle the yaml secret file as I expect.
UPDATE:
I used this command to encode data
values on my mac:
echo -n 'mega_secret_key' | openssl base64
The data and the stringData fields are optional. The values for all keys in the data field have to be base64-encoded strings.
For a little background history, base64-encoding is a way of taking binary data and turning it into text so that it's more easily transmitted in things like e-mail and HTML form data. By base64 encoding the output of {{ . Files.
I got the decoded values "mega_secret_key" and "really_secret_value1" from from your encoded data. Seems they are not encoded in right way. So, encode your data in right way:
$ echo "mega_secret_key" | base64
bWVnYV9zZWNyZXRfa2V5Cg==
$ echo "really_secret_value1" | base64
cmVhbGx5X3NlY3JldF92YWx1ZTEK
Then check whether they are encoded properly:
$ echo "bWVnYV9zZWNyZXRfa2V5Cg==" | base64 -d
mega_secret_key
$ echo "cmVhbGx5X3NlY3JldF92YWx1ZTEK" | base64 -d
really_secret_value1
So they are ok. Now use them in your dummy-secret.yaml
:
apiVersion: v1
kind: Secret
metadata:
name: dummy-secret
type: Opaque
data:
API_KEY: bWVnYV9zZWNyZXRfa2V5Cg==
API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTEK
And run $ kubectl create -f dummy-secret.yaml
.
UPDATE on 11-02-2022:
The newer versions of Kubernetes support the optional stringData
property where one can provide the value against any key without decoding.
All key-value pairs in the
stringData
field are internally merged into thedata
field. If a key appears in both thedata
and thestringData
field, the value specified in thestringData
field takes precedence.
apiVersion: v1
kind: Secret
metadata:
name: dummy-secret
type: Opaque
stringData:
API_KEY: mega_secret_key
API_SECRET: really_secret_value1
UPDATE:
If you use -n
flag while running $ echo "some_text"
, it will trim the trailing \n
(newline) from the string you are printing.
$ echo "some_text"
some_text
$ echo -n "some_text"
some_text⏎
Just try it,
# first encode
$ echo -n "mega_secret_key" | base64
bWVnYV9zZWNyZXRfa2V5
$ echo -n "really_secret_value1" | base64
cmVhbGx5X3NlY3JldF92YWx1ZTE=
# then decode and check whether newline is stripped
$ echo "bWVnYV9zZWNyZXRfa2V5" | base64 -d
mega_secret_key⏎
$ echo "cmVhbGx5X3NlY3JldF92YWx1ZTE=" | base64 -d
really_secret_value1⏎
You can use these newly (without newline) decoded data in your secret instead. That also should fine.
$ cat - <<-EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: dummy-secret
type: Opaque
data:
API_KEY: bWVnYV9zZWNyZXRfa2V5
API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=
EOF
secret/dummy-secret created
At the time of update, my kubernetes version is,
Minor:"17", GitVersion:"v1.17.3", GitCommit:"06ad960bfd03b39c8310aaf92d1e7c1 2ce618213", GitTreeState:"clean", BuildDate:"2020-02-11T18:14:22Z", GoVersion:"go1.13.6", Compiler:"gc", Platform:"l inux/amd64"} Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.3", GitCommit:"06ad960bfd03b39c8310aaf92d1e7c1 2ce618213", GitTreeState:"clean", BuildDate:"2020-02-11T18:07:13Z", GoVersion:"go1.13.6", Compiler:"gc", Platform:"l inux/amd64"} ```
This was already answered but for future reference, there is no need to encode the strings by using stringData
instead of data
field as shown below:
#secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
stringData:
API_KEY: "STRING_IN_CLEAR_TEXT"
API_SECRET: "STRING_IN_CLEAR_TEXT"
After a while I want to return back to this question and leave an answer with a reference to official kubernetes docs:
echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
Pay extra attention to -n
, because it guaranties that after decoding your secret key will not contain 'new line symbol'.
Looks like your error message happens with a different dummy-secret.yaml
.
apiVersion: v1
kind: Secret
metadata:
name: dummy-secret
type: Opaque
data:
API_KEY: af76fsdK_cQ89_Hj1Aq
API_SECRET: bsdfmkwegwegwe
Then:
$ kubectl create -f s.yaml
Error from server (BadRequest): error when creating "dummy-secret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret.Data: decode base64: illegal base64 data at input byte 8, error found in #10 byte of ...|Q89_Hj1Aq","API_SECR|..., bigger context ...|sion":"v1","data":{"API_KEY":"af76fsdK_cQ89_Hj1Aq","API_SECRET":"bsdfmkwegwegwe"},"kind":"Secret","m|...
If I use your original it works fine:
apiVersion: v1
kind: Secret
metadata:
name: dummy-secret
type: Opaque
data:
API_KEY: bWVnYV9zZWNyZXRfa2V5
API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=
Then:
$ kubectl create -f dummy-secret.yaml
secret/dummy-secret created
I'm using the following version:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-30T21:39:38Z", GoVersion:"go1.11.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.1", GitCommit:"4ed3216f3ec431b140b1d899130a69fc671678f4", GitTreeState:"clean", BuildDate:"2018-10-05T16:36:14Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With