feat: add binary secret value support via ValueEncoding enum #375

Merged: jhrv merged 5 commits into main from binary-secret-values on Mar 20, 2026

@jhrv jhrv commented Mar 19, 2026

Summary

Adds support for binary secret values (keystores, certificates, .p12 files) in the GraphQL API.

  • Adds ValueEncoding enum (PLAIN_TEXT / BASE64) to the GraphQL schema
  • SecretValue type now includes an encoding field
  • SecretValueInput accepts an optional encoding field (defaults to PLAIN_TEXT)
  • Binary values are base64-encoded before Kubernetes storage and decoded on read
  • Read path uses utf8.Valid() on raw Kubernetes data to detect binary values — no annotations needed
  • Both direct (GetSecretValues) and elevated (ViewSecretValues) read paths updated
  • Write path (AddSecretValue, UpdateSecretValue) handles encoding/decoding

Related

Notes

The ValueEncoding enum is intentionally named generically (not SecretValueEncoding) as it will be reused for config values.
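
An added example, not code from this PR: the write and read conversions the summary describes, assuming the API decodes BASE64 input to raw bytes for storage and base64-encodes non-UTF-8 bytes in the response. `toStored`, `fromStored` and the sample inputs are hypothetical.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"unicode/utf8"
)

// ValueEncoding mirrors the enum named in the PR description.
type ValueEncoding string

const (
	PlainText ValueEncoding = "PLAIN_TEXT"
	Base64    ValueEncoding = "BASE64"
)

// toStored (hypothetical) converts an API input into the raw bytes kept in the Secret.
func toStored(value string, enc ValueEncoding) ([]byte, error) {
	switch enc {
	case "", PlainText: // encoding is optional and defaults to PLAIN_TEXT
		return []byte(value), nil
	case Base64:
		return base64.StdEncoding.DecodeString(value)
	}
	return nil, fmt.Errorf("%q is not a valid ValueEncoding", enc)
}

// fromStored (hypothetical) derives the response encoding from the raw bytes alone,
// with no annotation recording what the writer originally sent.
func fromStored(raw []byte) (string, ValueEncoding) {
	if utf8.Valid(raw) {
		return string(raw), PlainText
	}
	return base64.StdEncoding.EncodeToString(raw), Base64
}

func main() {
	// Constructed samples: DER-like bytes (30 82 01 ff), then binary bytes
	// (00 01 02 03) that happen to be valid UTF-8.
	for _, in := range []string{"MIIB/w==", "AAECAw=="} {
		raw, _ := toStored(in, Base64)
		out, enc := fromStored(raw)
		fmt.Printf("%s -> %q (%s)\n", in, out, enc)
	}
}
```

The second sample was written as BASE64 but is reported as PLAIN_TEXT, because content-based detection cannot distinguish binary data that is also valid UTF-8. A client should therefore decode according to the encoding returned on read, not the one it sent on write.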

Add ValueEncoding enum (PLAIN_TEXT/BASE64) to GraphQL schema for
secret values. Binary values are base64-encoded before storage and
decoded on read. Detection uses utf8.Valid() on raw Kubernetes data
to determine encoding on the read path.

Updates both read paths (GetSecretValues, ViewSecretValues) and
write paths (AddSecretValue, UpdateSecretValue) to handle encoding.
@jhrv jhrv force-pushed the binary-secret-values branch from 576e4c8 to ab166a3 on March 19, 2026 12:36
"""
Encoding of a secret or config value.
"""
enum ValueEncoding {
Contributor


We have quite a lot of SomethingValue... types. Do we think a generic name is perfectly fine, or should we have been a tiny bit more specific?

Contributor Author


Good point! The name ValueEncoding is deliberately generic because it will be reused for config values too (the next step after secrets). But you're right that it didn't belong in secret.graphqls; I have now moved it to workloads.graphqls, where it lives as a shared type.

return fmt.Errorf("enums must be strings")
}

*e = ValueEncoding(str)
Contributor


Perhaps this shouldn't be set if it fails?

	// Validate first; assign to the receiver only on success.
	tmp := ValueEncoding(str)
	if !tmp.IsValid() {
		return fmt.Errorf("%s is not a valid ValueEncoding", str)
	}

	*e = tmp
	return nil

or something like that

Contributor Author


Good catch! Fixed: it now uses a tmp variable and only sets *e if validation is OK.

@jhrv jhrv merged commit e3c8cf1 into main Mar 20, 2026
11 checks passed
@jhrv jhrv deleted the binary-secret-values branch March 20, 2026 09:52