Unable to add binary file to KamusSecret

[Ant59]

In trying to add a DER-encoded certificate to a KamusSecret, it's proven to not be possible. With standard Kubernetes secrets, it would be a case of base64-encoding the file and applying that Secret manifest. With KamusSecret, the encryptor-api expects plaintext (non-base64-encoded) input.

I tried to just pass the DER file raw to the kamus-cli, but I was getting a different output each time it ran. I feel like this should be the correct workflow, but the inconsistent response that it was giving me was not leaving Kubernetes happy.

[shaikatz]

Hi,

When providing the CLI with long string with many special characters as certificate, it gets confused.
In order to encrypt certificates with kamus-cli, you better use the --secret-file option.
Just dump the certificate into a file, and let the kamus-cli read that file.

Please let me know if it helps.

[Ant59]

As explained, when passing a file to kamus-cli, we get inconsistent responses. Seems to be random.

[shaikatz]

Sorry I've probably misunderstood your issue.
The encrypted value will never be the same, Kamus is using random IV for each encryption operation resulting in different encrypted strings.

After the decryption, you supposed to get the same value, isn't that the case?

[Ant59]

Oh, my bad. Yeah, we're not seeming to get the correct value upon decryption.

[shaikatz]

Can you supply me with an example of the DER certificate file you trying to encrypt?
I would like to try and reproduce that.
You can find me at shai@soluto.com

[Ant59]

Yes. I'll try and send it over in the next hour or so. Thanks for your quick replies.

[omerlh]

I was able to reproduce it - it is because we assume the data is always string, so we create it as string - and Kubernetes SDK wraps it in base64 encoding. Fixing it now - please take a look at the proposed solution!