Reputation: 189
I am wondering if it is possible to have a byte array as a Kubernetes secret. I created a byte array and a base64-encoded string as below:

    import java.security.SecureRandom;
    import java.util.Base64;

    // Generate 32 random bytes
    SecureRandom random = new SecureRandom();
    byte[] bytes = new byte[32];
    random.nextBytes(bytes);
    // Print the raw byte values
    for (int i = 0; i < bytes.length; i++) {
        System.out.print(bytes[i] + ",");
    }
    // Encode the bytes as base64 text without '=' padding
    String token = Base64.getEncoder().withoutPadding().encodeToString(bytes);

Then I used the resulting string in a Kubernetes secret. The secret gets created successfully. Now I would like my Spring Boot application, which is running in Kubernetes, to read and decode that value. However, I get an IllegalArgumentException (Illegal base64 character). When running the application locally, reading the same token from a properties file, it can be decoded.
So my question again: Is it possible to use a byte array as kubernetes secret?
Upvotes: 0
Views: 3087
Reputation: 5232
You don't need to encode it manually. Just supply plain text to secret and it will be base64 encoded by k8s. Otherwise it is encoded twice.

    kind: Secret
    apiVersion: v1
    stringData: # allows adding plain text (will be encoded by k8s and kept in Base64-encoded format under data)
      foo: plain text
    data:

Upvotes: 1
Reputation: 743
The plain value is expected when creating a secret with kubectl create secret generic, whether using --from-file or --from-literal (as @fg78nc alluded to).
A base64-encoded value is required when Creating a Secret Manually from a binary value.
If the secret's value is a binary value, I'd suggest mounting the secret as a volume and reading it from the file as a byte array - it will be base64-decoded in the file.
The secrets are base64-decoded automatically when getting the value from an environment variable created from the secret or from a file mounted as a volume, but not by kubectl get secret or when directly using the Kubernetes API (GET /api/v1/namespaces/{namespace}/secrets/{name}).
Upvotes: 1
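
The encoding layers described in the answers above, simulated in plain Java as an added example (not code from any of the posts). The helpers deliveredToPod and dataFromStringData are hypothetical stand-ins for what Kubernetes does with data and stringData, and the key is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class SecretLayers {

    // Stand-in for the platform (assumption, not a Kubernetes API): whatever is stored
    // under `data` reaches an env var or mounted file already base64-decoded.
    static byte[] deliveredToPod(String dataField) {
        return Base64.getDecoder().decode(dataField);
    }

    // Stand-in for `stringData`: the plain text is stored base64-encoded under `data`.
    static String dataFromStringData(String plainText) {
        return Base64.getEncoder().encodeToString(plainText.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample key (bytes 0..31) so the run is repeatable; a real key
        // would come from SecureRandom as in the question.
        byte[] key = new byte[32];
        for (int i = 0; i < key.length; i++) key[i] = (byte) i;

        // Case 1: binary secret. `data` holds base64(key); the app uses the bytes as delivered.
        byte[] raw = deliveredToPod(Base64.getEncoder().encodeToString(key));
        System.out.println("binary via data, no decode in app: " + Arrays.equals(key, raw));

        // Case 2: text token via stringData. The app receives the token text and decodes it once.
        String token = Base64.getEncoder().withoutPadding().encodeToString(key);
        byte[] text = deliveredToPod(dataFromStringData(token));
        byte[] decoded = Base64.getDecoder().decode(new String(text, StandardCharsets.UTF_8));
        System.out.println("token via stringData, one decode in app: " + Arrays.equals(key, decoded));

        // Case 3: mismatch. `data` holds base64(key), yet the app decodes the delivered value again.
        try {
            Base64.getDecoder().decode(new String(raw, StandardCharsets.ISO_8859_1));
            System.out.println("second decode unexpectedly succeeded");
        } catch (IllegalArgumentException e) {
            System.out.println("second decode in app fails: " + e.getMessage());
        }
    }
}
```

The third case raises the same exception type as in the question: the application applies a base64 decode to bytes that were already decoded before delivery.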