RFE: warn users when secret data is not base64 encoded

[dustymabe]

It might be nice to add a feature to warn a user when secret data that is being passed in is obviously not base64 encoded. For example, if I have a secret:

secrets:
  - name: foo-token
    data:
      FOO_TOKEN: [[ FOO_TOKEN ]]

and I accidentally populated $FOO_TOKEN in my environment with the original token and not the base64 encoded token then a warning to help me understand that would be nice.

[dustymabe]

another check could be to make sure the secret data doesn't have any newlines in it since those aren't allowed: see https://kubernetes.io/docs/concepts/configuration/secret/

[surajnarwade]

@dustymabe , How can we recognize whether string is base64 encoded or not?

What I read about it, I found we can check following parameters to verify:

• length of given string
• some regex trick

But here's the problem:

• if given string is abcd which is not encoded, it will pass both criterias mentioned above.

[dustymabe]

yeah mainly all we can do is do checks that guarantee it isn't a valid base64 secret string:

• no newlines
• does it have any non base64 characters?
• is there a length limit?

it is possible that a user did not base64 encode the data and it still passes all the checks, but in that case we can't really do anything.

[surajnarwade]

it is possible that a user did not base64 encode the data and it still passes all the checks, but in that case we can't really do anything.

for examples, abcd1234, it's not encoded and it will pass all checks

[dustymabe]

for examples, abcd1234, it's not encoded and it will pass all checks

right. in other words, we can't warn the user in all cases, but we certainly can warn the user in some cases.

[surajnarwade]

Yeah, we can do that.
@kadel @cdrage any suggestions here

[dustymabe]

so one thing I noticed today when I was playing around:

$ cat secrets.yaml                                          
name: foo-secret                                    

secrets:                                            
  - name: foo                                       
    data:                                           
      PAGURE_TOKEN: 'bogus'
$
$ kedge generate -f secrets.yaml 
unable to perform controller operations: App could not be loaded into internal struct: App could not be unmarshaled into internal struct: error unmarshaling JSON: illegal base64 data at input byte 4

so maybe some of this is already done for us?

[dustymabe]

adding a note here to anyone who may hit a similar problem.. here is how I put the token into my env before running kedge to replace [[ TOKEN ]] in the yaml

# export TOKEN=$(echo -n <token> | base64 -w 0)