Kubernetes Secrets encoding gotcha
Kubernetes provides a neat concept for managing sensitive pieces of data, the Secret:
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don’t need to include confidential data in your application code.
Secret values are by default only base64 encoded, which is an encoding rather than encryption. For this reason it's recommended that secret definitions are not published to git.
A sample configuration:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secrets
  namespace: bencode
type: Opaque
data:
  username: cG9zdGdyZXMK # "postgres" encoded with a trailing newline (see the gotcha below)
  password: cGFzc3dvcmQK # "password" encoded with a trailing newline (see the gotcha below)
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
    - name: awesome-db
      image: postgres:latest
      env:
        - name: POSTGRES_USER
          valueFrom:
            secretKeyRef:
              name: postgres-secrets
              key: username
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-secrets
              key: password
  restartPolicy: Never
```
I recently wasted several hours troubleshooting Pods that had environment variables bound to opaque passwords. Here's how I base64 encoded things:

```sh
echo password | base64
```
Turns out this is WRONG, as echo by default appends a line ending, so the value that gets encoded is "password\n" rather than "password". This issue is rather tough to troubleshoot: echoing the environment variables from within the running Pod makes everything appear to be in order, because echo adds a newline of its own and the stray one stored in the Secret is invisible in the output.

The correct way to encode:

```sh
echo -n password | base64
```
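Two things a practitioner wants after reading this: an encoding helper that cannot accidentally add the newline, and a check that finds the stray newline in manifests already written. The POSIX shell script below is an added example, not code from the original post; it assumes a GNU-style `base64 -d` (older macOS builds use `base64 -D`) and audits a constructed Secret manifest whose values were encoded with plain `echo`, exactly as in the gotcha. Function names (`encode_secret`, `check_value`, `audit_manifest`) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: encode Secret values without the
# trailing newline and audit a manifest for values that already carry one.
# Assumes a POSIX sh with GNU-style `base64 -d`.

# Encode exactly the bytes of $1. printf '%s' never appends a newline, unlike
# plain echo, so it is a portable replacement for `echo -n value | base64`.
encode_secret() {
  printf '%s' "$1" | base64
}

# Decoded byte count of a base64 value: "postgres" is 8, "postgres\n" is 9.
decoded_length() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Print "trailing-newline" when the decoded value ends in byte 0x0a, else "clean".
check_value() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' ')
  if [ "$last" = "0a" ]; then
    echo trailing-newline
  else
    echo clean
  fi
}

# Write a constructed Secret manifest (values encoded with plain echo, as in the
# gotcha) to the file named in $1, so the audit below has something to read.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secrets
type: Opaque
data:
  username: cG9zdGdyZXMK # echo postgres | base64
  password: cGFzc3dvcmQK # echo password | base64
---
apiVersion: v1
kind: Pod
EOF
}

# Print the name of every key under `data:` whose decoded value ends in a newline.
# Handles only the flat `  key: value` layout shown above (no stringData, no
# multi-line values); a YAML comment after the value is ignored.
audit_manifest() {
  sed -n '/^data:/,/^[^ ]/{ /^  [A-Za-z0-9_.-]*: /p; }' "$1" \
    | sed 's/ *#.*$//' \
    | while IFS=': ' read -r key value; do
        if [ "$(check_value "$value")" = trailing-newline ]; then
          echo "$key"
        fi
      done
}

# Demonstration when run directly: audit the sample, then show the correct encoding.
manifest=$(mktemp)
write_sample_manifest "$manifest"
echo "keys with a stray newline: $(audit_manifest "$manifest" | tr '\n' ' ')"
echo "correct username value: $(encode_secret postgres)"
rm -f "$manifest"
```

Run it as `sh encode-check.sh`; it reports both `username` and `password` from the sample, and `encode_secret postgres` prints `cG9zdGdyZXM=` (note the `=` padding, which the newline-carrying `cG9zdGdyZXMK` lacks). The same `check_value` can be pointed at a live cluster's output, e.g. the value of a key from `kubectl get secret postgres-secrets -o jsonpath='{.data.username}'`.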