Decoding Strategies
The External Secrets Operator has the feature to allow multiple decoding strategies during an object generation.
The decodingStrategy
field allows the user to set the following Decoding Strategies based on their needs. decodingStrategy
can be placed under spec.data.remoteRef
, spec.dataFrom.extract
or spec.dataFrom.find
. It will configure the decoding strategy for that specific operation, leaving others with the default behavior if not set.
None (default)
ESO will not try to decode the secret value.
Base64
ESO will try to decode the secret value using base64 method. If the decoding fails, an error is produced.
Base64URL
ESO will try to decode the secret value using base64url method. If the decoding fails, an error is produced.
Auto
ESO will try to decode using Base64/Base64URL strategies. If the decoding fails, ESO will apply decoding strategy None. No error is produced to the user.
Examples
Setting Decoding strategy Auto in a DataFrom.Extract
Given that we have the given secret information:
{
"name": "Gustavo",
"surname": "Fring",
"address":"aGFwcHkgc3RyZWV0",
}
spec:
dataFrom:
- extract:
key: my-secret
decodingStrategy: Auto
data:
name: R3VzdGF2bw== #Gustavo
surname: RnJpbmc= #Fring
address: aGFwcHkgc3RyZWV0 #happy street
Limitations
At this time, decoding Strategy Auto is only trying to check if the original input is valid to perform Base64 operations. This means that some non-encoded secret values might end up being decoded, producing gibberish. This is the case for numbered values like 123456
or some specially crafted string values such as happy/street
.
Note
If you are using decodeStrategy: Auto
and start to see ESO pulling completely wrong secret values into your kubernetes secret, consider changing it to None
to investigate it.