How to Base64 Encode Kubernetes Secrets

Published: August 12, 2020 by Author's Photo Shane Rainville | Reading time: 3 minutes
Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

Kubernetes secrets allow us to segregate our secret and sensitive information from our resources. Instead of storing the data as clear text inside of, for example, a Pod manifest we can add a place holder that is replaced by Kubernetes when the Pod is created.

Kubernetes stores secrets as base64 encoded strings and encrypts the data on disk. In order to save a secret in Kubernetes it must be converted to a base64 string.

As an example, if the following string were the password for our database

super-secret-password

It would look like the following when base64 encoded:

c3VwZXItc2VjcmV0LXBhc3N3b3Jk

Secrets Manifest

Secrets are populated in Kubernetes using Secrets resources. The following is an example of a Secrets manifest.

apiVersion: v1
kind: Secrets
metadata:
  name: example-secrets
data:
  DB_PASSWORD: c3VwZXItc2VjcmV0LXBhc3N3b3Jk
  DB_USER: ZGVtby1hcHAx

Notice the values for DB_PASSWORD and DB_USER. The values are actually base64 encoded strings, which is how Kubernetes stores secrets in its database. When creating a Secrets manifest you must base64 encode your string values.

Base64 Encode Secrets

Base64 encoding a string in OSX and Linux can be done from the shell. Both operating systems typically come bundled with the base64 command-line tool.

In order to convert a string into a valid base64 encoded string using the base64 command, we echo the string and pipe the output to the base64 command. The -n flag set for echo ensures only the characters within the commas will be encoded.

echo -n 'super-secret-password' | base64
| Output
c3VwZXItc2VjcmV0LXBhc3N3b3Jk
Always remember to set the -n flag for echo when encoding secrets. The flag prevents trailing newline characters from being encoded. Hidden characters in base64 encoded secrets will result in improperly formed strings, which will cause you grief with Kubernetes.

Using stringData

For those who wish not to encode values as base64 encoded string first, an alternative is to use the stringData key instead of the data key in your manifest. The stringData key allows us to store our secrets as plain text in the file.

apiVersion: v1
kind: Secrets
metadata:
  name: example-secrets
stringData:
  DB_PASSWORD: "super-secret-password"
  DB_USER: "demo-app1"

Base64 Encoding Files

The base64 command on OSX and Linux is capable of more than just encoding strings. We can also encode the contents of an entire file, which is useful when we need to encode a configuration file or a certificate for a Kubernetes service.

Files are encoded using the --input flag with base64.

base64 --input cert.pem

Decode Base64 Encodings

So far we’ve discussed base64 encoding your strings, but there are times when we need to do the reverse. You may need to decode a base64 string just to verify it was encoded correctly.

The base64 command has a --decode flag that will decode a given string.

echo -n 'c3VwZXItc2VjcmV0LXBhc3N3b3Jk' | base64 --decode

If you are decoding a file you can set the -o <output-file> flag. This is more useful when we are decoding a value that is known to be a file, such as a PEM file.

echo -n 'yBQYWdlIENvbnRlbnQgVHlwZXMKQ2xvdWR5VHV0cyBwb3N0cyBmb2xsb3dzIHNldmVyYWwgdHlwZXMgb2YgcGFnZSBjb250ZW50LgoqIFR1dG9yaWFscwoqIEd1aWRlcwoqIE5ld3MKKiBBdXRob3JzCgpUaGUgaW50ZW50aW9uIG9mIHRoaXMgZ3VpZGUgaXMgdG8gaGVscCBuZXcgY29udHJpYnV0b3JzIHN1Ym1pdCBuZXcgY29udGVudCB0aGF0IG1hdGNoZXMgQ2xvdWR5VHV0cyBleHBlY3RhdGlvbnMuCgojIyBUdXRvcmlhbHMKQSB0dXRvcmlhbCBpcyBhIHBvc3Qgd2l0aCBhIGxpbWl0ZWQgc2NvcGUgdGh' | base64 --decode -o test.md
Author Photo
Blogger, Developer, pipeline builder, cloud engineer, and DevSecOps specialist. I have been working in the cloud for over a decade and running containized workloads since 2012, with gigs at small startups to large financial enterprises.

How to Effectively use Kubernetes Quality of Service

Publised October 6, 2021 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

How to Deploy Jekyll on Kubernetes

Publised September 15, 2020 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

How to Update Kubernetes Deployments

Publised September 11, 2020 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

How to Configure Node-based apps in Kubernetes

Publised September 9, 2020 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

How to Backup and Restore MongoDB Deployment on Kubernetes

Publised September 3, 2020 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

How to Immediately Start Kubernetes CronJobs Manually

Publised September 2, 2020 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

How to Copy Files to a Pod Container in Kubernetes

Publised August 27, 2020 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.

How to Set PHP Options for Wordpress in Docker

Publised August 27, 2020 by Shane Rainville

Learn how to encode and decode Kubernetes secrets using the base64 command in Linux and OSX.