Base64 decode the K8 secrets on volume mount

My k8.yaml looks like this.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: <...>
  namespace: <...>
spec:
  template:
    spec:
      containers:
      - name: <...>
        image: <...>
        volumeMounts:
          - name: decoded
            mountPath: /usr/src/app/decoded
      volumes:
        - name: decoded
          secret:
            secretName: base64-secret
            defaultMode: 0755

Variables in base64-secret k8 secrets are base64 encoded. Is there any way to decode the content when they are mounted to a path using the k8 yaml configuration?

So far, the only way I could think of is using a script to decode when the container starts.

FYI: the secret type is Generic



Solution 1:[1]

It can be done using the base64 -d command (-d: decode).

Example:

#secret name samplesecret 
kubectl get secret samplesecret
NAME           TYPE     DATA   AGE
samplesecret   Opaque   3      4m20s

#get all the keys in the secret (keys won't be encoded but values will be encoded):
kubectl get secret samplesecret -o jsonpath='{.data}'
{"key1":"dmFsdWU=","key2":"dmFsdWUy","key3":"dmFsdWUz"}

#now decode the desired key's value by piping it to base64 -d:
kubectl get secret samplesecret -o jsonpath='{.data.key1}' | base64 -d
value

kubectl get secret samplesecret -o jsonpath='{.data.key2}' | base64 -d
value2

kubectl get secret samplesecret -o jsonpath='{.data.key3}' | base64 -d
value3

# if you want to iterate through all the keys and display their values decoded:
kubectl get secret <secretname> -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'

kubectl get secret samplesecret -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'
### key1
value

### key2
value2

### key3
value3
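
The start-up script mentioned in the question, as an added example that is not part of the original post or answer. It applies only where the mounted files themselves still hold base64 text, because the kubelet already writes the decoded `.data` values into a secret volume. `decode_mounted_secrets` and the paths in the usage comment are hypothetical, and GNU coreutils `base64` is assumed.

```shell
#!/bin/sh
# Added example: decode every base64-encoded file found in a mounted secret
# directory into a separate output directory that only the owner can read.
# Assumption: base64 is GNU coreutils (exits non-zero on invalid input).

decode_mounted_secrets() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }

    # Create the output directory and files with owner-only permissions.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dst" || { umask "$old_umask"; return 2; }

    rc=0
    # The glob skips dot entries such as the ..data symlink that the kubelet
    # keeps inside a secret volume.
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        key=$(basename "$f")
        tmp="$dst/.$key.tmp"
        # Decode into a temporary file and publish it only on success, so a
        # corrupt value never leaves a partially decoded secret behind.
        if base64 -d < "$f" > "$tmp" 2>/dev/null; then
            mv -f "$tmp" "$dst/$key"
        else
            rm -f "$tmp"
            echo "skipping $key: not valid base64" >&2
            rc=1
        fi
    done

    umask "$old_umask"
    return "$rc"
}

# Usage from a container entrypoint (hypothetical output path):
#   decode_mounted_secrets /usr/src/app/decoded /run/app-secrets || exit 1
```

The function returns 1 if any file failed to decode, so the entrypoint can refuse to start with an incomplete set of secrets.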


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1