
Support Binary/Base64-encoded Secret Values #159

@kevarr

Description

Describe the solution you'd like

I have binary secret data, which I am storing in an external secret provider in Base64-encoded form. I want to be able to inject this Base64 data directly as a Secret value.

This currently isn't possible as SecretSync values, resolved via sourcePath, are expected to be strings, which are then Base64-encoded into the K8s Secret values.

This is how the secret is represented in the provider backend as JSON:

{
  "foo": "YmFyCg==",
  "bar": "Zm9vCg=="
}

Assume that each of these values are returned from the provider as their own "files" whose names are the keys shown in the json above, and I want to create a secret with the following SecretSync object:

apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: my-secret
spec:
  serviceAccountName: my-service-account
  secretProviderClassName: my-secret-provider-class
  secretObject:
    type: Opaque
    data:
      - targetKey: foo
        sourcePath: foo
      - targetKey: bar
        sourcePath: bar

This will yield the secret

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  foo: WW1GeUNnPT0K
  bar: Wm05dkNnPT0K

where the keys foo and bar are now doubly base64-encoded.

One thought would be to expose a stringData field that follows the same model as the existing data property.

stringData allows specifying non-binary secret data in string form.
It is provided as a write-only input field for convenience.
All keys and values are merged into the data field on write, overwriting any existing values.
The stringData field is never output when reading from the API.
https://pkg.go.dev/k8s.io/api/core/v1#Secret

A hypothetical implementation could look like

apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: my-secret
spec:
  serviceAccountName: my-service-account
  secretProviderClassName: my-secret-provider-class
  secretObject:
    type: Opaque
    data:
    stringData:
      - targetKey: foo
        sourcePath: foo
      - targetKey: bar
        sourcePath: bar

Resulting in the Secret

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  foo: Zm9vCg==
  bar: YmFyCg==

Anything else you would like to add:

I'm using the AWS Secrets Manager and Config Provider for Secret Store CSI Driver and the secret is stored in AWS Secrets Manager.

A similar problem is described here: external-secrets/external-secrets#712

Environment:

  • Secrets Store Sync Controller version: (use the image tag): v0.0.2
  • Kubernetes version: (use kubectl version): N/A
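To make the two behaviours concrete, here is a small added Go example (not code from the secrets-store-sync-controller project) that models today's `data` handling beside the proposed binary-aware handling, using the values from the issue; the `providerFiles` map and the function names are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// Constructed provider values, keyed by sourcePath, matching the issue's JSON.
var providerFiles = map[string]string{"foo": "YmFyCg==", "bar": "Zm9vCg=="}

// encodeAsData models today's `data` behaviour: the resolved value is treated
// as a string and base64-encoded verbatim, so an encoded value is encoded twice.
func encodeAsData(value string) string {
	return base64.StdEncoding.EncodeToString([]byte(value))
}

// decodeAsBinary models the proposed behaviour: the provider value is base64
// text carrying binary bytes. Strict decoding rejects malformed input.
func decodeAsBinary(value string) ([]byte, error) {
	raw, err := base64.StdEncoding.Strict().DecodeString(value)
	if err != nil {
		return nil, fmt.Errorf("value is not valid base64: %w", err)
	}
	return raw, nil
}

// buildSecretData returns the Secret `data` map a client reads back. With
// binary=false it reproduces the double encoding from the issue; with
// binary=true the bytes are decoded once, so the API server's own base64
// encoding of Secret.Data yields the original provider value again.
func buildSecretData(binary bool) (map[string]string, error) {
	out := make(map[string]string, len(providerFiles))
	for key, value := range providerFiles {
		if !binary {
			out[key] = encodeAsData(value)
			continue
		}
		raw, err := decodeAsBinary(value)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		out[key] = base64.StdEncoding.EncodeToString(raw)
	}
	return out, nil
}

func main() {
	fmt.Println(buildSecretData(false)) // today: double-encoded values
	fmt.Println(buildSecretData(true))  // proposed: original base64 preserved
}
```

The issue's `WW1GeUNnPT0K` corresponds to the provider value with a trailing newline; without one the double-encoded value is `WW1GeUNnPT0=`, which is what the example produces.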

Metadata

Labels: kind/feature (categorizes issue or PR as related to a new feature), needs-triage (indicates an issue or PR lacks a `triage/foo` label and requires one)
Status: Subprojects - Needs Triage
Assignees: none. Milestone: none. Development: no branches or pull requests.