devinmaking

Reputation: 11

kubernetes: Values from secret yaml are broken in node js container after gpg decryption

I am new to Kubernetes. I have a Kubernetes secret yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  API_KEY: 123409uhttt
  SECRET_KEY: yu676jfjehfuehfu02

that I have encoded using gpg encryption:

 gpg -a --symmetric --cipher-algo AES256 -o "secrets.yaml.gpg" "secrets.yaml"

and I am decrypting it in a GitHub Actions workflow like this:

gpg -q --batch --yes --decrypt --passphrase=$GPG_SECRET my/location/to/secrets.yaml.gpg | kubectl apply -n $NAMESPACE -f -

When I run:

kubectl get secret my-secret -n my-namespace -o yaml

I get yaml showing correct values set for API_KEY and SECRET_KEY, like this:

apiVersion: v1
data:
  API_KEY: 123409uhttt
  SECRET_KEY: yu676jfjehfuehfu02
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"API_KEY":"123409uhttt","SECRET_KEY":"yu676jfjehfuehfu02"},"kind":"Secret","metadata":{"annotations":{},"name":"my-secret","namespace":"my-namespace"},"type":"Opaque"}
  creationTimestamp: "2021-07-12T23:28:56Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:API_KEY: {}
        f:SECRET_KEY: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:type: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-07-10T23:28:56Z"
  name: my-secret
  namespace: my-namespace
  resourceVersion: "29813715"
  uid: 89a34b6d-914eded509
type: Opaque

But when the application makes requests using SECRET_KEY and API_KEY, it shows these values in a broken encoding. I get these values printed when I log them:

Api_Key -  ᶹ��4yַӭ�ӯu�ï¿8
Secret_Key - �V�s��Û[ï¶×¿zoï½9s��{ï¿½ï¿ 

When I don't use Api_Key and Secret_Key from secrets.yaml (and use a hardcoded value in the application instead), it works as expected.

I need help accessing the secret data (Api_Key and Secret_Key) with correct values in the container running the Node.js application.

Upvotes: 1

Views: 286

Answers (1)

meaningqo

Reputation: 1938

It appears as though the values of your secrets are not base64 encoded. Either change the type of data to "stringData", which does not need to be base64 encoded, or encode the values of your secrets first.

E.g. echo "$SECRET_KEY" | base64 and use this value in your secrets. The problem you describe happens because the values of the secret get injected base64 decoded into your pods.

However, when you try to decode the values you supplied with

echo "123409uhttt" | base64 -d

you get the following output:

�m��ۡ��base64: invalid input

Upvotes: 1
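
The decoding behaviour described in the answer, as an added Node.js example that is not part of the original question or answer: it shows what a pod receives for a `data:` value and lints a Secret's `data` map before `kubectl apply`. The function names, the `TOKEN` key and all sample values are constructed for illustration.

```javascript
// Added example, not from the original post. All values are constructed placeholders.
const CANONICAL_B64 =
  /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Encode a plaintext value for the `data:` field of a Secret.
function encodeForData(plain) {
  return Buffer.from(plain, 'utf8').toString('base64');
}

// What the container receives: each `data:` value is base64-decoded
// before it is exposed as an environment variable or mounted file.
function asSeenInPod(dataValue) {
  return Buffer.from(dataValue, 'base64').toString('utf8');
}

// Classify one `data:` value before the manifest is applied.
function checkDataValue(dataValue) {
  if (!CANONICAL_B64.test(dataValue)) return 'invalid-base64';
  const bytes = Buffer.from(dataValue, 'base64');
  let text;
  try {
    text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch {
    return 'not-utf8'; // typical of plaintext pasted under data:
  }
  if (/[\r\n]$/.test(text)) return 'trailing-newline'; // e.g. echo without -n
  return 'ok';
}

// Lint a parsed Secret's data map; returns { key: status } for non-ok entries.
function lintSecretData(data) {
  const findings = {};
  for (const [key, value] of Object.entries(data)) {
    const status = checkDataValue(value);
    if (status !== 'ok') findings[key] = status;
  }
  return findings;
}

// Constructed sample manifest data (TOKEN is a hypothetical extra key).
const sample = {
  API_KEY: 'abcd1234efgh5678',                    // plaintext placed under data:
  SECRET_KEY: encodeForData('abcd1234efgh5678'),  // correctly encoded
  TOKEN: encodeForData('abcd1234efgh5678\n'),     // encoded with a stray newline
};
console.log(lintSecretData(sample));
console.log(JSON.stringify(asSeenInPod(sample.API_KEY)));
```

A `not-utf8` finding is only a warning for Secrets that intentionally hold binary material; for text credentials it usually means the value was never encoded.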
