Option to disable auto base64 encoding for templateFrom.target = Data

[towasz]

Is your feature request related to a problem? Please describe.

When using externalsecret.spec.target.template.templateFrom.literal with templateFrom.target set to Annotations, values are not automatically base64 encoded.

But when templateFrom.target is set to Data, values are automatically base64 encoded.

I’d like to have an option to disable automatic base64 encoding for Data targets on demand, so users can choose whether to encode values or not.

The rationale is that when extracting values from JSON containing binary data, automatic base64 encoding makes it impossible to use the original binary content as intended. In particular, the binary data in the JSON is already base64 encoded, so encoding it again is unnecessary and causes errors.

Example:

templateFrom:
- literal: |-
    {{- range $key, $val := . }}
      {{ $jsoncontent := $val | fromJson }}
      {{- if hasKey $jsoncontent "binaryFile" }}
      {{ $key }}: {{ $jsoncontent.binaryFile }}
      {{- end }}
    {{- end }}
  target: Data

Describe the solution you'd like
Add a boolean flag autoB64Enc on the templateFrom level to enable or disable automatic base64 encoding. Default behavior stays the same (true), but users can set autoB64Enc: false to prevent encoding.

templateFrom:
  target: Data
  autoB64Enc: false

[gusfcarvalho]

hi @towasz!

If what you want to do is to be able to store a Kubernetes Secret where the data field is not encoded, this is literally impossible to do 😄.

Now, if you just want your kubernetes Secret to not be double base64 encoded, you can simply:

templateFrom:
- literal: |-
    {{- range $key, $val := . }}
      {{ $jsoncontent := $val | fromJson }}
      {{- if hasKey $jsoncontent "binaryFile" }}
      {{ $key }}: {{ $jsoncontent.binaryFile | b64dec }}  #templating magic  =D
      {{- end }}
    {{- end }}
  target: Data

Adding such a flag like you proposed wouldn't help at all, as effectively what is double encoding those values is kubernetes itself, not external-secrets (you can even check our codebase 😄). So, in order to have only one encoding layer, you will need to pass the binary file already decoded (so kubernetes can re-encode it, I know 🤷) - which is what the snippet above will do for you.

[towasz]

Thanks @gusfcarvalho , I actually tried that approach first. Unfortunately, it doesn’t work for binary files - only for ASCII text. In fact, it causes this error:

could not apply template: error fetching templateFrom data: could not unmarshal template to 'map[string][]byte': error converting YAML to JSON: yaml: invalid leading UTF-8 octet

I suspect this happens because in YAML you can’t really store binary files in any format other than base64 encoded data, and attempting to decode them this way causes errors.

Even if I append quote as shown below, the error is gone, but the resulting data no longer matches the original binary content:

templateFrom:
- literal: |-
    {{- range $key, $val := . }}
      {{ $jsoncontent := $val | fromJson }}
      {{- if hasKey $jsoncontent "binaryFile" }}
      {{ $key }}: {{ $jsoncontent.binaryFile | b64dec | quote }} 
      {{- end }}
    {{- end }}
  target: Data

[gusfcarvalho]

hmm 🤔 if this is indeed a yaml parsing issue, I guess there is nothing we can really do on the templating side (at least with templateFrom.literal. We cannot generate a []byte if we cannot produce a valid yaml from literal.

Is this the same behavior with other templating techniques like templateFrom.Configmap or template.data approach?

[gusfcarvalho]

Also, can you try this?

templateFrom:
- literal: |-
    {{- range $key, $val := . }}
      {{ $jsoncontent := $val | fromJson }}
      {{- if hasKey $jsoncontent "binaryFile" }}
      {{ $key }}: | 
             {{ $jsoncontent.binaryFile | b64dec }} 
      {{- end }}
    {{- end }}
  target: Data

This should tell yaml to stay out of the way 🤔

PS you might need to nindent as well 🤔

[towasz]

Thanks for the suggestion @gusfcarvalho . I also tried before using the YAML block scalar (|) notation, but it didn’t help. It seems that binary content can’t be passed into YAML in principle.

The working solution is to extract the individual property and mark it explicitly as Base64, for example:

spec:
  data:
    - secretKey: binaryfile
      remoteRef:
        key: 'services-foo'
        property: binaryfile
        decodingStrategy: Base64

However, in this case it’s only possible to use externalsecret.spec.data, but not externalsecret.spec.dataFrom. That’s why I raised another feature request to support this.