Secret stringData Encoding #424
Assignees
Labels
3-Container
Relates to plugin related issues
enhancement
New feature or request
priority/medium
Default priority for items
size m
Milestone
Comments
lb4368
added
enhancement
jezogwza
added
priority/medium
|
I'll take this one |
|
This has been a limitation of the stringData, which is intended for non-encoded data, per their website: "The values for all keys in the data field have to be base64-encoded strings. If the conversion to base64 string is not desirable, you can choose to specify the stringData field instead" https://kubernetes.io/docs/concepts/configuration/secret/ So, the solution should be to start using data rather than stringData |
|
@gtsteffaniak Patchset here: https://review.opendev.org/c/airship/airshipctl/+/780317. Did you see comments in patchset? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem description
We are using stringData as a human-friendly way to author Secret data, with the understanding that Kubernetes will change it into a b64-enc data (which it does).
However the kubectl library also adds a kubectl.kubernetes.io/last-applied-configuration annotation, which unfortunately includes the clear text secretData, which kind of defeats the point.
Is there some trick we can employ to change this behavior, or do we need to switch from stringData to data? The ReplacementTransformer has b64-enc capabilities that should make this easier to deal with than it was.
Some discussion here : kubernetes/kubernetes#23564 (comment)
Design Discussion here: https://hackmd.io/QiEksO4fRk-MnBjwBFaAkQ#Secret-stringData-amp-last-applied-configuration
Proposed change
Update/enhance/use the replacement transformer or another encoding transformer plugin to encode the data from stringData to data field prior to applying against kubernetes.
Potential impacts
Potential security or performance related impacts.
The text was updated successfully, but these errors were encountered: