feat(vault,openbao): support base64 decode via decode=base64 #1156
Open
digiserg wants to merge 4 commits into
7716562 to dcc0b82
Pull request overview
Adds an encode query option to the Vault and OpenBao providers so returned secret string values can be base64-decoded before substitution, and documents the new parameter in the README.
Changes:
- Add `encode` configuration parsing (default `raw`) to Vault and OpenBao providers.
- Apply base64 decoding to string values returned by `GetStringMap` when `encode=base64`.
- Document the new `encode` option for both Vault and OpenBao in `README.md`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| README.md | Documents the new encode option for Vault and OpenBao URIs. |
| pkg/providers/vault/vault.go | Adds encode handling and base64 decoding logic for Vault secret maps. |
| pkg/providers/openbao/openbao.go | Adds encode handling and base64 decoding logic for OpenBao secret maps. |
digiserg added a commit to digitalis-io/vals that referenced this pull request May 7, 2026
Address review feedback on PR helmfile#1156. The file provider already exposes encode=base64 to *encode* its output to base64; using the same name with the opposite meaning (decode) on Vault and OpenBao would confuse users. Rename the new query parameter to decode=base64 so each option's verb matches its behaviour. Also wrap the decode error with %w so callers can unwrap the underlying base64 error.
b17b610 to 5f940d9
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (3)
pkg/providers/vault/vault.go:189
- There are existing integration tests for Vault expansion (`vals_vault_test.go`), but no coverage for the new `decode=base64` behavior (success + invalid base64 error). Please add tests that write a base64 value to Vault and verify it is decoded when the query parameter is set.
if err := p.applyDecode(res); err != nil {
return nil, err
}
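Review bot: `p.applyDecode(res)` is handed the whole result, so a single sibling field that is not valid base64 makes the entire lookup fail, including a `#/field` read of a key that is valid. Decode only the value that is actually requested, and leave the map returned to other callers untouched.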
pkg/providers/openbao/openbao.go:189
- There are existing integration tests for OpenBao expansion (`vals_openbao_test.go`), but no coverage for the new `decode=base64` behavior (success + invalid base64 error). Please add tests that write a base64 value and verify it is decoded when the query parameter is set.
if err := p.applyDecode(res); err != nil {
return nil, err
}
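Review bot: this block at `openbao.go:189` is line-for-line the same as the one at `vault.go:189`. Consider moving the decode helper into a shared package so the two providers cannot drift apart in how they treat invalid base64.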
README.md:371
- PR metadata says the query parameter is `encode=base64`, but the documentation here introduces `decode=base64`. Please align the public interface (PR title/description, README, and provider config key) to use a single parameter name to avoid breaking/confusing users.
* `role_id` defaults to the value of the `BAO_ROLE_ID` envvar.
* `secret_id` defaults to the value of the `BAO_SECRET_ID` envvar.
* `version` is the specific version of the secret to be obtained. Used when you want to get a previous content of the secret.
* `decode` controls how the retrieved value is transformed before being returned. Defaults to `raw` (no transformation). Set to `base64` to base64-decode the stored value (useful when binary data such as certificates is stored as a base64 string).
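Review bot: the `decode` bullet documents `raw` and `base64` but none of the failure cases. State that a stored value that is not valid base64 makes the lookup return an error, and say what happens when `decode` is set to any other value.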
digiserg added a commit to digitalis-io/vals that referenced this pull request May 13, 2026
Move base64 decoding from GetStringMap (which decoded every string field and failed on mixed secrets, especially with #/field usage) into GetString where only the requested key is decoded. Addresses Copilot review feedback on PR helmfile#1156.
Mirror the file provider's encode option for the Vault and OpenBao providers. When encode=base64 is set in the URI query, string values returned from the secret are base64-decoded before being substituted. Useful when storing binary payloads (certificates, keystores) as base64 strings in the secret backend. Signed-off-by: Sergio Rua <sergio.rua@digitalis.io>
Address review feedback on PR helmfile#1156. The file provider already exposes encode=base64 to *encode* its output to base64; using the same name with the opposite meaning (decode) on Vault and OpenBao would confuse users. Rename the new query parameter to decode=base64 so each option's verb matches its behaviour. Also wrap the decode error with %w so callers can unwrap the underlying base64 error. Signed-off-by: Sergio Rua <sergio.rua@digitalis.io>
Move base64 decoding from GetStringMap (which decoded every string field and failed on mixed secrets, especially with #/field usage) into GetString where only the requested key is decoded. Addresses Copilot review feedback on PR helmfile#1156. Signed-off-by: Sergio Rua <sergio.rua@digitalis.io>
Add integration coverage for the new decode=base64 query option:
- success: decodes the targeted #/field value
- error: invalid base64 value surfaces a wrapped decode error
- mixed: sibling non-base64 keys in the same secret do not break the targeted GetString call
- raw: omitting decode returns the stored value unchanged
Signed-off-by: Sergio Rua <sergio.rua@digitalis.io>
8f35be0 to c555acf
Adds a `decode` option to the Vault and OpenBao providers. When `decode=base64` is set in the URI query, string values returned via `GetString` are base64-decoded before being substituted. Useful when storing binary payloads (certificates, keystores) as base64 strings in the secret backend.

Decoding is applied only to the specific key returned by `GetString` (e.g. with `#/field` usage); `GetStringMap` is left untouched so secrets containing mixed (non-base64) string fields are not broken.
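The behaviour described above, as an added Go example that is not code from this PR or from vals: decoding every field of a mixed secret fails, decoding only the requested key succeeds, and the `%w`-wrapped error still exposes the underlying base64 error. `decodeValue`, `decodeAll`, `isCorruptInput` and the sample secret are hypothetical, and rejecting unknown `decode` values is an assumption.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// decodeValue is a hypothetical helper (not the vals API); "" and "raw" mean no change.
func decodeValue(mode, key, val string) (string, error) {
	if mode == "" || mode == "raw" {
		return val, nil
	}
	if mode != "base64" { // assumption: unknown modes are rejected
		return "", fmt.Errorf("unsupported decode mode %q", mode)
	}
	b, err := base64.StdEncoding.DecodeString(val)
	if err != nil {
		// %w keeps the base64 error reachable through errors.As.
		return "", fmt.Errorf("decode %q as base64: %w", key, err)
	}
	return string(b), nil
}

// decodeAll models the first approach: decode every field of the secret.
func decodeAll(mode string, secret map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(secret))
	for k, v := range secret {
		d, err := decodeValue(mode, k, v)
		if err != nil {
			return nil, err
		}
		out[k] = d
	}
	return out, nil
}

// isCorruptInput reports whether err wraps a base64.CorruptInputError.
func isCorruptInput(err error) bool {
	var cie base64.CorruptInputError
	return errors.As(err, &cie)
}

// Constructed sample secret: a base64 field beside a plain-text field.
var sample = map[string]string{"tls_crt": "LS0tQ0VSVC0tLQ==", "owner": "platform-team"}

func main() {
	_, err := decodeAll("base64", sample)
	v, _ := decodeValue("base64", "tls_crt", sample["tls_crt"])
	fmt.Println(err, isCorruptInput(err), v)
}
```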