terraform-provider-kubernetes

`kubernetes_secret` data source returns hex style data if secret is not base64 encoded

Open nitrocode opened this issue 1 year ago • 2 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.3.0
Kubernetes provider version: 1.13.1

Affected Resource(s)

  • kubernetes_secret

Terraform Configuration Files

data "kubernetes_secret" "example" {
  metadata {
    name = "service"
  }
}

output "value" {
  value = data.kubernetes_secret.example.data["key"]
}

Debug Output

Panic Output

Steps to Reproduce

  1. terraform apply

Expected Behavior

Correct output

Actual Behavior

Shows hex data when retrieving secret

Important Factoids

Secret value is in plain text, not base64 encoded

References

N/A


nitrocode avatar Sep 21 '22 16:09 nitrocode

The values in the Kubernetes Secret data field are always base64-encoded. This is by design, and you can read more about it in the Kubernetes documentation. When you use the Secret, e.g. in envFrom or by mounting it as a Volume, the base64-encoded value is decoded. If you read the Secret from your own software or using kubectl, you need to decode it yourself.

jbg avatar Sep 22 '22 03:09 jbg
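
Decoding the `data` field yourself, as the comment above describes, shown as an added example (not code from this thread or from the provider). The Secret document is constructed to mimic the JSON the API returns; the `username` and `password` values reuse the sample values from the reproduction later in this thread, and the `blob` key and the function name are assumptions made for illustration.

```python
import base64
import binascii
import json

# Constructed sample: the shape of a Secret as returned by the API in JSON.
# Every value under "data" is base64; "blob" holds non-text bytes.
SECRET_JSON = """
{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {"name": "service"},
  "type": "Opaque",
  "data": {
    "username": "YWRtaW4=",
    "password": "UDRzc3cwcmQ=",
    "blob": "3q2+7w=="
  }
}
"""


def decode_secret_data(secret: dict) -> dict:
    """Decode every value in a Secret's `data` map.

    Returns str for values that are valid UTF-8 and bytes for binary ones.
    Raises ValueError if a value is not valid base64.
    """
    decoded = {}
    for key, value in secret.get("data", {}).items():
        try:
            # validate=True rejects stray characters instead of skipping them
            raw = base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"data[{key!r}] is not valid base64") from exc
        try:
            decoded[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            decoded[key] = raw  # binary payload: keep the bytes, do not guess
    return decoded


if __name__ == "__main__":
    for k, v in decode_secret_data(json.loads(SECRET_JSON)).items():
        kind = "text" if isinstance(v, str) else "binary"
        # Print only key, kind and length so secret values stay out of logs.
        print(f"{k}: {kind}, length {len(v)}")
```

Values that decode to non-text bytes come back as `bytes`, so a caller can decide how to render them instead of printing an escaped representation by accident.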

Hi @nitrocode,

I wasn't able to reproduce this issue. To test, I created a secret with kubernetes_secret and then output: data.kubernetes_secret.this.data["password"].

The output was in plain text. Just to confirm, are you expecting plain-text output, and instead, getting base64?

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

this = "P4ssw0rd"

Here's the code:

terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.13.1"
    }
  }
}

locals {
  name = "test"
}

resource "kubernetes_secret" "this" {
  metadata {
    name = local.name
  }

  data = {
    username = "admin"
    password = "P4ssw0rd"
  }

  type = "kubernetes.io/basic-auth"
}

data "kubernetes_secret" "this" {
  metadata {
    name = local.name
  }

  depends_on = [
    kubernetes_secret.this
  ]
}

output "this" {
  value = nonsensitive(data.kubernetes_secret.this.data["password"])
  sensitive = false
}

flynnhandley avatar Sep 22 '22 05:09 flynnhandley

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

github-actions[bot] avatar Sep 29 '23 00:09 github-actions[bot]

Apologies, I should have included an anonymized secret with a full reproduction. I forget the exact secret that caused this. Please feel free to close and if I or someone else runs into it again we can always open it back up or create a new issue.

Thank you for investigating this issue for me

nitrocode avatar Sep 29 '23 05:09 nitrocode