Double encoded JKS files by vault-csi-provider

Hello Folks!

I have a situation where I need to store JKS keys in vault, but you know the key format is not accepted to be stored as is in vault kv … Currently I’m using vault-csi-provider with secretclassptovider , I base64 the key then store it in vault but when it get fitched by the csi-provider is get encoded again , so the key is double encoded

  1. Do you have any idea if I can ignore the base64 encoding and let the secretclassprovider fetch the values as is without any encoding?
  2. Do you recommend any approach to manage the JKS keys ?

Looking for your support,
Regards looks relevant

Hi @maxb , thanks for your response

it’s not really that relevant , I wanted the CSI to not encode the already encoded values iin vault

cause as you know the jks format is not accepted to be saved in vault as a plain it has to be base64, and when I did the csi feteched the value and encode it again so when it gets decoded the key is invalid cause it’s still need double decoding

Did you try it? The source code sure looked like it was decoding the specified encoding method, not applying an extra layer, to me.

yes I did, I stored a plane values and they get encoded , and same happened with the encoded values they get double encoded

I don’t have a test environment, but I don’t see how what you describe is possible given:

I see … This is really wired! I will update u with a full example and how it’s been fethced by the csi-provider

Hi again @maxb

here is an example of what I did and how it’s been fetched

the secret as plain in vault:

and here is the secret defenition from SecretClassStore

and finally, this is the data in K8s secret


So in my case and bacause of JKS format, I put the kv in vault as base64 encoded and found that when the secret created the value was double encoded

This is expected. The data key within a Kubernetes secret always renders the contents as base64-encoded. This appears to be working correctly.

yep it is expected to be rendered in the secret as encoded, but do u have any advise for the JKS keys with vault ? if it’s stored as base64 it will get encoded in secret = twice encodeing

I have already given all the relevant advice I have above.

1 Like