Special characters like & not handled correctly in --docker-password when creating secrets using kubectl create secret

[kaec-santos]

I’m facing an issue when trying to create a Secret in Kubernetes with a password that contains the special character & using the kubectl create secret command. The password is either being encoded incorrectly or not handled properly when the special character is included.
Here’s the command I’m trying to execute:
kubectl create secret docker-registry docker-login-secret10
--docker-server=
registry.example.com
--docker-username=mke_prod
--docker-password="5a6g(07hl9gsv&QzF9Fgcrz@6rnHA4h7"
--docker-email=[email protected]
--namespace=default
The secret creation seems to work correctly, but when I decode the .dockerconfigjson field, the password appears in the format
"password": "5a6g(07hl9gsv\u0026QzF9Fgcrz@6rnHA4h7"
Expected result:
"password": "5a6g(07hl9gsv&QzF9Fgcrz@6rnHA4h7"
Actual result:
"password": "5a6g(07hl9gsv&QzF9Fgcrz@6rnHA4h7"

"&" character is being encoded as \u0026 or another incorrect value, which is not the expected behavior.

What I’ve tried:
Escaped the & using & in the command, but it didn't work.
Tried using single and double quotes around the password, but the issue persists.
Checked the base64 encoding, but the special character seems to be handled incorrectly.

[k8s-ci-robot]

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Ruchi1499]

I investigated the issue related to Docker registry passwords containing special characters (like &) being incorrectly encoded when creating a Kubernetes secret using the kubectl create secret docker-registry command.
As stated, the password value was being encoded incorrectly, with special characters like & being converted to \u0026. This encoding issue persisted even when retrieving the secret using kubectl get.

[Ruchi1499]

To resolve this, I manually created the .dockerconfigjson file and base64 encoded it to create the secret:
Step1 : Create config.json

Step2: Base64 encode the content
cat config.json | base64 | tr -d '\n'
Step3: Create and apply secret.yaml
( Note: add .dockerconfigjson: <base64-encoded-value in step 2> in secret.yaml

Step4: Apply the secret
kubectl apply -f secret.yaml

[Ruchi1499]

After applying the secret, verifying with kubectl get secret docker-login-secret10 -o jsonpath="{.data.\.dockerconfigjson}" | base64 --decode now shows the correct password without encoding issues.

[Ruchi1499]

Hope this help as it seems that kubectl create secret docker-registry improperly encodes special characters in passwords. So for now we can manually create the .dockerconfigjson file, base64 encode it, and apply it with kubectl apply in this case.

We need to address this behavior in future updates to kubectl create secret docker-registry.

[mpuckett159]

/close
General recommendation is to use kubectl apply instead of kubectl create also it seems like there is a reasonable work around using base64 encoding.

[k8s-ci-robot]

@mpuckett159: Closing this issue.

In response to this:

/close
General recommendation is to use kubectl apply instead of kubectl create also it seems like there is a reasonable work around using base64 encoding.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.