Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can't create Secret in Kubernetes: illegal base64 data at input

I want to create a secret for my kubernetes cluster. So I composed following dummy-secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: bWVnYV9zZWNyZXRfa2V5
  API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=

When I run kubectl create -f dummy-secret.yaml I receive back following message:

Error from server (BadRequest): error when creating "dummy-secret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret: Data: decode base64: illegal base64 data at input byte 8, error found in #10 byte of ...|Q89_Hj1Aq","API_SECR|..., bigger context ...|sion":"v1","data":{"API_KEY":"af76fsdK_cQ89_Hj1Aq","API_SECRET":"bsdfmkwegwegwe"},"kind":"Secret","m|...

Not sure why it happens.

As I understood, I need to encode all values under the data key in the yaml file. So I did base64 encoding, but kubernetes still doesn't handle the yaml secret file as I expect.

UPDATE:

I used this command to encode data values on my mac:

echo -n 'mega_secret_key' | openssl base64
like image 647
Alex Fruzenshtein Avatar asked Nov 20 '18 14:11

Alex Fruzenshtein


People also ask

Do Kubernetes secrets have to be base64 encoded?

The data and the stringData fields are optional. The values for all keys in the data field have to be base64-encoded strings.

What is b64enc?

For a little background history, base64-encoding is a way of taking binary data and turning it into text so that it's more easily transmitted in things like e-mail and HTML form data. By base64 encoding the output of {{ . Files.


4 Answers

I got the decoded values "mega_secret_key" and "really_secret_value1" from from your encoded data. Seems they are not encoded in right way. So, encode your data in right way:

$ echo "mega_secret_key" | base64
bWVnYV9zZWNyZXRfa2V5Cg==

$ echo "really_secret_value1" | base64
cmVhbGx5X3NlY3JldF92YWx1ZTEK

Then check whether they are encoded properly:

$ echo "bWVnYV9zZWNyZXRfa2V5Cg==" | base64 -d
mega_secret_key

$ echo "cmVhbGx5X3NlY3JldF92YWx1ZTEK" | base64 -d
really_secret_value1

So they are ok. Now use them in your dummy-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: bWVnYV9zZWNyZXRfa2V5Cg==
  API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTEK

And run $ kubectl create -f dummy-secret.yaml.


UPDATE on 11-02-2022:

The newer versions of Kubernetes support the optional stringData property where one can provide the value against any key without decoding.

All key-value pairs in the stringData field are internally merged into the data field. If a key appears in both the data and the stringData field, the value specified in the stringData field takes precedence.

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
stringData:
  API_KEY: mega_secret_key
  API_SECRET: really_secret_value1

UPDATE:

If you use -n flag while running $ echo "some_text", it will trim the trailing \n (newline) from the string you are printing.

$ echo "some_text"
some_text
$ echo -n "some_text"
some_text⏎

Just try it,

# first encode
$ echo -n "mega_secret_key" | base64
bWVnYV9zZWNyZXRfa2V5
$ echo -n "really_secret_value1" | base64
cmVhbGx5X3NlY3JldF92YWx1ZTE=
# then decode and check whether newline is stripped
$ echo "bWVnYV9zZWNyZXRfa2V5" | base64 -d
mega_secret_key⏎
$ echo "cmVhbGx5X3NlY3JldF92YWx1ZTE=" | base64 -d
really_secret_value1⏎

You can use these newly (without newline) decoded data in your secret instead. That also should fine.

$ cat - <<-EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: bWVnYV9zZWNyZXRfa2V5
  API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=
EOF
secret/dummy-secret created

At the time of update, my kubernetes version is,

Minor:"17", GitVersion:"v1.17.3",
GitCommit:"06ad960bfd03b39c8310aaf92d1e7c1 2ce618213",
GitTreeState:"clean", BuildDate:"2020-02-11T18:14:22Z",
GoVersion:"go1.13.6", Compiler:"gc", Platform:"l inux/amd64"} Server
Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.3",
GitCommit:"06ad960bfd03b39c8310aaf92d1e7c1 2ce618213",
GitTreeState:"clean", BuildDate:"2020-02-11T18:07:13Z",
GoVersion:"go1.13.6", Compiler:"gc", Platform:"l inux/amd64"} ```
like image 200
Shudipta Sharma Avatar answered Oct 18 '22 20:10

Shudipta Sharma


This was already answered but for future reference, there is no need to encode the strings by using stringData instead of data field as shown below:

#secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  API_KEY: "STRING_IN_CLEAR_TEXT"
  API_SECRET: "STRING_IN_CLEAR_TEXT"
like image 42
Tomas Fornara Avatar answered Oct 18 '22 20:10

Tomas Fornara


After a while I want to return back to this question and leave an answer with a reference to official kubernetes docs:

echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

Pay extra attention to -n, because it guaranties that after decoding your secret key will not contain 'new line symbol'.

like image 14
Alex Fruzenshtein Avatar answered Oct 18 '22 20:10

Alex Fruzenshtein


Looks like your error message happens with a different dummy-secret.yaml.

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: af76fsdK_cQ89_Hj1Aq
  API_SECRET: bsdfmkwegwegwe

Then:

$ kubectl create -f s.yaml
Error from server (BadRequest): error when creating "dummy-secret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret.Data: decode base64: illegal base64 data at input byte 8, error found in #10 byte of ...|Q89_Hj1Aq","API_SECR|..., bigger context ...|sion":"v1","data":{"API_KEY":"af76fsdK_cQ89_Hj1Aq","API_SECRET":"bsdfmkwegwegwe"},"kind":"Secret","m|...

If I use your original it works fine:

apiVersion: v1
kind: Secret
metadata:
  name: dummy-secret
type: Opaque
data:
  API_KEY: bWVnYV9zZWNyZXRfa2V5
  API_SECRET: cmVhbGx5X3NlY3JldF92YWx1ZTE=

Then:

$ kubectl create -f dummy-secret.yaml
secret/dummy-secret created

I'm using the following version:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-30T21:39:38Z", GoVersion:"go1.11.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.1", GitCommit:"4ed3216f3ec431b140b1d899130a69fc671678f4", GitTreeState:"clean", BuildDate:"2018-10-05T16:36:14Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
like image 2
Rico Avatar answered Oct 18 '22 21:10

Rico