If you use
external-secrets to sync secrets from some a key management system like AWS KMS or Vault into your cluster, you have become familiar with the
ExternalSecret object introduced by it.
In case you want to sync a secret that has multiple lines, you need to encode the secret inside your KMS, and decode it inside the
ExternalSecret using a
decodingStrategy. The values will be base64-encoded again by k8s when the
Secret gets created.
An example would be as follows (taken from here):
KMS secret value: aGFwcHkgc3RyZWV0 ExternalSecret decodes it: happy street k8s Secret data: aGFwcHkgc3RyZWV0 Application reads: happy street
Please see the following object definition for a complete definition:
apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: your-access-credentials spec: refreshInterval: 1m secretStoreRef: name: cluster-secrets-store kind: ClusterSecretStore target: name: your-access-credentials dataFrom: - extract: key: svc/app/secret decodingStrategy: Base64