Skip to content

Version 1.4.1 / 2019-11-28

Compare
Choose a tag to compare
@ricoberger ricoberger released this 28 Nov 19:29

Add new spec.isBinary field to the CRD, to indicate that the Vault secret contains binary data which is already in base64 encoded format. The binary data stored in vault requires base64 encoding. The
spec.isBinary can be used to prevent such data get base64 encoded again when store as secret in Kubernetes. Thanks to @SiweiWang for the PR #24.

Example:

 vault kv put kvv1/example-vaultsecret foo=YmFyCg==

You can specify spec.isBinary to indicate this is a binary data which is already in base64 encoded format:

apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: kvv1-example-vaultsecret
spec:
  keys:
    - foo
  isBinary: true
  path: kvv1/example-vaultsecret
  type: Opaque

The resulting Kubernetes secret will be:

apiVersion: v1
data:
  foo: YmFyCg==
kind: Secret
metadata:
  labels:
    created-by: vault-secrets-operator
  name: kvv2-example-vaultsecret
type: Opaque

The value for foo stays as YmFyCg== which does not get base64 encoded again.