mittwald / kubernetes-secret-generator

Kubernetes controller for automatically generating and updating secrets
Apache License 2.0

Invalid characters when using base64url #43

Closed lstoppa closed 3 years ago

lstoppa commented 3 years ago

I was under the impression that base64url shouldn't include URL-specific characters like + and /. However, sometimes I still get those characters. Not sure if I am using it the wrong way?

I use this file:

```
root@ip-10-202-13-165:~$ cat test.yaml
apiVersion: v1
kind: Secret
metadata:
  name: celery-rabbitmq8
  annotations:
    secret-generator.v1.mittwald.de/autogenerate: rabbitmq-password
    secret-generator.v1.mittwald.de/encoding: base64url
```

I wrote a script that every second recreates the secret and checks the value:

```
splunker@ip-10-202-13-165:~$ while true ; do sudo microk8s kubectl delete -f test.yaml ; sudo microk8s kubectl apply -f test.yaml ; sudo microk8s kubectl get secret celery-rabbitmq8 -o yaml | sed -e 's/[ ]+//g' | grep "^rabbitmq-password" | cut -d: -f2 | base64 -d | cut -d: -f2 ; sleep 1; done
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
KX5uhl/J1ItmsKPvTQ08a6TBkA3D6eCLSqI1UgO6
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
iLUvzFWSQhDW4MfDv2WD3bnsiPX0sRN7ZvJ7N07e
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
JK+kDWEW6MO8eo3/VugU2zX++k3jG1YW1V9zYjfE
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
fMVnFYj5BQtbnbfGTYo6500ecxiLHgL5kMgI2Bm2
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
tDxKy2Vkd3iC5w8lDJOWSFSKzJNp3qDfYLs2mTBm
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
1LkQBFUz74IR5UqxDbQ/nrvumnYumnHpNpR+xVV8
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
0apehqCOxmJx2IS6I5oHjG0f+PdAA1xG6PdK+fhr
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
puDlNmtK5t2/j8A/sMOOV9qJTVS9y7rB5pb38qZu
secret "celery-rabbitmq8" deleted
secret/celery-rabbitmq8 created
UrwYUWDOpvv6P8xKZyQUm/feDUnb1U/AoiBrAlWK
```

As you can see, sometimes "/" and "+" are still used. Am I doing something wrong?

martin-helmich commented 3 years ago

No, the secret-generator.v1.mittwald.de/encoding: base64url annotation should already do the trick. Which version of the generator are you using?

lstoppa commented 3 years ago

Sorry for my late answer:

```yaml
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: secret-gen
spec:
  chart:
    name: kubernetes-secret-generator
    repository: https://helm.mittwald.de
    version: 3.1.0
```

I just noticed there's version 3.2.0. Maybe I should try that?

martin-helmich commented 3 years ago

Yes, please upgrade to 3.2.0 -- #29 is included since that version.
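An added example, not part of the issue thread and not the project's code: a Go check for whether a generated value stays inside the base64url alphabet of RFC 4648, alongside the same bytes encoded with both alphabets. The names `Alphabet` and `EncodeBoth` are hypothetical, and the example makes no assumption about how the generator itself builds or truncates its output.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Alphabet reports which RFC 4648 alphabet a value fits: "both" (only
// A-Z, a-z, 0-9), "standard" (uses + or /), "url" (uses - or _), or
// "invalid" (mixes the two alphabets or contains any other character).
func Alphabet(s string) string {
	body := strings.TrimRight(s, "=") // padding is the same in both alphabets
	std := strings.ContainsAny(body, "+/")
	url := strings.ContainsAny(body, "-_")
	for _, r := range body {
		alnum := (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9')
		if !alnum && !strings.ContainsRune("+/-_", r) {
			return "invalid"
		}
	}
	switch {
	case std && url:
		return "invalid"
	case std:
		return "standard"
	case url:
		return "url"
	}
	return "both"
}

// EncodeBoth encodes the same bytes with the standard and URL-safe alphabets.
func EncodeBoth(raw []byte) (std, url string) {
	return base64.StdEncoding.EncodeToString(raw), base64.URLEncoding.EncodeToString(raw)
}

func main() {
	// Constructed bytes whose 6-bit groups land on indexes 62 and 63.
	std, url := EncodeBoth([]byte{0xfb, 0xff, 0xbe})
	fmt.Println(std, url)
	// Two values copied from the terminal output in the issue above.
	for _, v := range []string{
		"KX5uhl/J1ItmsKPvTQ08a6TBkA3D6eCLSqI1UgO6",
		"iLUvzFWSQhDW4MfDv2WD3bnsiPX0sRN7ZvJ7N07e",
	} {
		fmt.Println(Alphabet(v), v)
	}
}
```

A value classified as "both" does not show which encoding produced it, so a single clean sample is not evidence that the `base64url` annotation took effect; only a "standard" result is conclusive.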