external-secrets · silasbw · Mar 27, 2020 · Mar 26, 2020 · Mar 26, 2020 · Mar 26, 2020
diff --git a/README.md b/README.md
@@ -410,6 +410,24 @@ spec:
       property: value
 ```
 
+Due to the way Azure handles binary files, you need to explicitly let the ExternalSecret know that the secret is binary.
+You can do that with the `isBinary` field on the key. This is necessary for certificates and other secret binary files.
+
+```yml
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: hello-keyvault-service
+spec:
+  backendType: azureKeyVault
+  keyVaultName: hello-world
+  data:
+    - key: hello-service/credentials
+      name: password
+      isBinary: true
+```
+
+
 ## Metrics
 
 kubernetes-external-secrets exposes the following metrics over a prometheus endpoint:

diff --git a/crd.yaml b/crd.yaml
@@ -69,6 +69,12 @@ spec:
                     type: string
                   property:
                     description: Property to extract if secret in backend is a JSON object
+                  isBinary:
+                    description: >-
+                      You must set this to true if configuring an item for a binary file stored in Azure KeyVault.
+                      Azure automatically base64 encodes binary files and setting this to true ensures External Secrets
+                      does not base64 encode the base64 encoded binary files.
+                    type: boolean
                 required:
                   - name
                   - key

diff --git a/lib/backends/azure-keyvault-backend.js b/lib/backends/azure-keyvault-backend.js
@@ -26,13 +26,18 @@ class AzureKeyVaultBackend extends KVBackend {
    * Get secret property value from Azure Key Vault.
    * @param {string} key - Key used to store secret property value in Azure Key Vault.
    * @param {string} specOptions.keyVaultName - Name of the azure key vault
+   * @param {string} keyOptions.isBinary - Does the secret contain a binary? Set to "true" to handle as binary. Does not work with "property"
    * @returns {Promise} Promise object representing secret property value.
    */
 
-  async _get ({ key, specOptions: { keyVaultName } }) {
+  async _get ({ key, keyOptions, specOptions: { keyVaultName } }) {
     const client = this._keyvaultClient({ keyVaultName })
     this._logger.info(`fetching secret ${key} from Azure KeyVault ${keyVaultName}`)
     const secret = await client.getSecret(key)
+    // Handle binary files, since the Azure client does not
+    if (keyOptions && keyOptions.isBinary) {
+      return Buffer.from(secret.value, 'base64')
+    }
     return JSON.stringify(secret)
   }
 }