Something we have to do aLL the time when manipulating Secrets objects in Kubernetes is to display in plain text the “secrets” contained in our Secret (or to encode them).
For those who don't know, Secrets in Kubernetes are unfortunately not very secret, since they are nothing more or less than base64 encoded strings (which is therefore anthing but secure). To tell the truth, I even wonder why bother encoding them at all. The only security we add compared to ConfigMaps is simply that the string is not readable by a human who would stick his head over your shoulder.
Anyways, you are probably going to have to encode or decode strings in base64 and it's sometimes a bit of a pain. The commonly accepted method is to simply use the linux echo and base64 binaries.
echo "ma string" | base64
bWEgc3RyaW5nCg==
echo bWEgc3RyaW5nCg== | base64 -d
my string
It's a pain to type, but it's relatively trivial.
It's a trap!
Except there are traps!
The first one you will get when encoding. In my first example, the string is very short. And sometimes, size matters.
echo "my long string" | base64
bWEgc3RyaW5nIHRyw6hzIGxvbmd1ZSBzdHJpbmcgcG91ciBtb250cmVyIHF1ZSDDp2EgdmEgcGFz
IGxlIGZhaXJlCg==
Here we end up with a line break in our output string. But, if you copy and paste this into your Kubernetes YAML, you're going to get a big syntax error.
The YAML will only be valid if you put the entire string, on a single line.
echo "my long string" | base64 -w0
bWEgc3RyaW5nIHRyw6hzIGxvbmd1ZSBzdHJpbmcgcG91ciBtb250cmVyIHF1ZSDDp2EgdmEgcGFzIGxlIGZhaXJlCg==
And it's not over!
The 2nd trap is again a line break issue, but in the base64 string this time.
In fact, it's super treacherous because you won't see it on the screen at first, but you should know that echo adds a line break at the end of your string. The return you got in base64 therefore contains a line break, which will almost systematically be unwanted when managing Secrets.
So the correct command is not echo but echo -n !
echo "my string" | base64
bWEgc3RyaW5nCg==
echo -n "my string" | base64 -w0
bWEgc3RyaW5n
Okay this is starting to get really annoying...
To decode fortunately, it is simpler. The command given at the beginning is enough, even if it will be safer to add the “-n” to the echo:
echo -n bWEgc3RyaW5n | base64 -d
my string
Gain some characters
Since I'm lazy, I looked for a trick to save a few characters to type. There is a solution, but unfortunately it only works for decode, since in the case of encoding we risk adding an unwanted line break:
echo bWEgc3RyaW5n | base64 -d
base64 -d <<< bWEgc3RyaW5n
my string
We just saved 3 characters but especially a “|”, much more difficult to do on a standard qwerty keyboard than 3 “<”.
A little simpler
Here's a ittle script to make our lives easier:
~$ cat > b64 <<EOF
> #!/bin/bash
> echo -e "Base64 encoding.. \n"
> for arg in "\$@"; do
> echo "\$arg :"
> echo -n "\$arg" | base64
> echo
> done
> EOF
~$ cat > b64d <<EOF
> #!/bin/bash
> echo -e "Base64 decoding.. \n"
> for arg in "\$@"; do
> echo "\$arg :"
> echo -n "\$arg" | base64 -d
> echo
> done
> EOF
~$ sudo cp b64* /usr/local/bin/
You can now directly invoke b64 followed by any number of strings to have their value encoded, or b64d followed by any number of strings to decode them.
Top comments (0)