From 836e6f09f2d0a84c942055954c64a37c0da9f558 Mon Sep 17 00:00:00 2001
From: Glen Johnson <glen.johnson@cyberark.com>
Date: Fri, 24 Mar 2023 15:57:58 -0600
Subject: [PATCH 1/3] Add base64 decoding e2e test for K8s and rotation

---
 deploy/config/k8s/k8s-secret.yml              |  2 +-
 .../config/k8s/test-env-k8s-rotation.sh.yml   |  5 +++++
 deploy/config/k8s/test-env.sh.yml             |  5 +++++
 deploy/config/openshift/k8s-secret.yml        |  2 +-
 .../openshift/test-env-k8s-rotation.sh.yml    |  5 +++++
 deploy/config/openshift/test-env.sh.yml       |  5 +++++
 .../secrets-provider-init-container.sh.yml    |  4 ++--
 .../k8s/secrets-provider-k8s-rotation.sh.yml  |  4 ++--
 ...ables_with_base64_decoding_successfully.sh | 20 +++++++++++++++++++
 .../TEST_ID_29_k8s_secrets_rotation.sh        |  6 ++++++
 ..._2_multiple_pods_changing_pwd_inbetween.sh |  6 ++----
 11 files changed, 54 insertions(+), 10 deletions(-)
 create mode 100755 deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh

diff --git a/deploy/config/k8s/k8s-secret.yml b/deploy/config/k8s/k8s-secret.yml
index 680e2b90..7f1a49ac 100644
--- a/deploy/config/k8s/k8s-secret.yml
+++ b/deploy/config/k8s/k8s-secret.yml
@@ -9,7 +9,7 @@ stringData:
     var_with_spaces: secrets/var with spaces
     var_with_pluses: secrets/var+with+pluses
     var_with_umlaut: secrets/umlaut
-    var_with_encoded:
+    var_with_base64:
       id: secrets/encoded
       content-type: base64
   non-conjur-key: some-value
diff --git a/deploy/config/k8s/test-env-k8s-rotation.sh.yml b/deploy/config/k8s/test-env-k8s-rotation.sh.yml
index 2f66ead1..cf889948 100755
--- a/deploy/config/k8s/test-env-k8s-rotation.sh.yml
+++ b/deploy/config/k8s/test-env-k8s-rotation.sh.yml
@@ -69,6 +69,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:
diff --git a/deploy/config/k8s/test-env.sh.yml b/deploy/config/k8s/test-env.sh.yml
index 4855d526..a97fc2ca 100755
--- a/deploy/config/k8s/test-env.sh.yml
+++ b/deploy/config/k8s/test-env.sh.yml
@@ -56,6 +56,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:
diff --git a/deploy/config/openshift/k8s-secret.yml b/deploy/config/openshift/k8s-secret.yml
index 680e2b90..7f1a49ac 100644
--- a/deploy/config/openshift/k8s-secret.yml
+++ b/deploy/config/openshift/k8s-secret.yml
@@ -9,7 +9,7 @@ stringData:
     var_with_spaces: secrets/var with spaces
     var_with_pluses: secrets/var+with+pluses
     var_with_umlaut: secrets/umlaut
-    var_with_encoded:
+    var_with_base64:
       id: secrets/encoded
       content-type: base64
   non-conjur-key: some-value
diff --git a/deploy/config/openshift/test-env-k8s-rotation.sh.yml b/deploy/config/openshift/test-env-k8s-rotation.sh.yml
index 18648daa..a446faf1 100755
--- a/deploy/config/openshift/test-env-k8s-rotation.sh.yml
+++ b/deploy/config/openshift/test-env-k8s-rotation.sh.yml
@@ -63,6 +63,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_pluses
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:
diff --git a/deploy/config/openshift/test-env.sh.yml b/deploy/config/openshift/test-env.sh.yml
index 2f177792..0805b854 100755
--- a/deploy/config/openshift/test-env.sh.yml
+++ b/deploy/config/openshift/test-env.sh.yml
@@ -55,6 +55,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:
diff --git a/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml b/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
index 7c5fb79c..7f359877 100755
--- a/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
+++ b/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
@@ -46,11 +46,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
-          - name: VARIABLE_WITH_ENCODED_SECRET
+          - name: VARIABLE_WITH_BASE64_SECRET
             valueFrom:
               secretKeyRef:
                 name: test-k8s-secret
-                key: var_with_encoded
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:
diff --git a/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml b/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml
index 026e077f..7eb6abdf 100755
--- a/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml
+++ b/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml
@@ -69,11 +69,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
-          - name: VARIABLE_WITH_ENCODED_SECRET
+          - name: VARIABLE_WITH_BASE64_SECRET
             valueFrom:
               secretKeyRef:
                 name: test-k8s-secret
-                key: var_with_encoded
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:
diff --git a/deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh b/deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh
new file mode 100755
index 00000000..4f5013d2
--- /dev/null
+++ b/deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+secret_value="secret-value"
+encoded_secret_value="$(echo -n "$secret_value" | base64)"
+environment_variable_name="VARIABLE_WITH_BASE64_SECRET"
+
+# Set the encoded secret value in Conjur
+set_conjur_secret "secrets/encoded" "$encoded_secret_value"
+
+set_namespace "$APP_NAMESPACE_NAME"
+deploy_env
+
+echo "Verifying pod test_env has environment variable '$environment_variable_name' with value '$secret_value'"
+pod_name="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-env')"
+verify_secret_value_in_pod "$pod_name" "$environment_variable_name" "$secret_value"
diff --git a/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh b/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh
index 2a80a4bc..a2d8544a 100755
--- a/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh
+++ b/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh
@@ -13,11 +13,17 @@ pod_name1="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-env')"
 echo "Verify pod $pod_name1 has environment variable 'TEST_SECRET' with value 'supersecret'"
 verify_secret_value_in_pod $pod_name1 TEST_SECRET supersecret
 
+echo "Verify pod $pod_name1 has environment variable 'VARIABLE_WITH_BASE64_SECRET' with value 'secret-value'"
+verify_secret_value_in_pod $pod_name1 VARIABLE_WITH_BASE64_SECRET secret-value
+
 set_conjur_secret secrets/test_secret secret2
+set_conjur_secret secrets/encoded "$(echo "secret-value2" | base64)"
 sleep 10
 
 echo "Verify pod $pod_name1 has environment variable 'TEST_SECRET' with value 'secret2'"
 verify_secret_value_in_pod $pod_name1 TEST_SECRET secret2
+echo "Verify pod $pod_name1 has environment variable 'VARIABLE_WITH_BASE64_SECRET' with value 'secret-value2'"
+verify_secret_value_in_pod $pod_name1 VARIABLE_WITH_BASE64_SECRET secret-value2
 
 # Note: We're not testing secrets deletion here like we do in TEST_ID_28_push_to_file_secrets_rotation. This is because removing the
 # secret values from K8s will cause the pod to fail on startup due to the missing secretKeyRefs. We would need another way to test this
diff --git a/deploy/test/test_cases/TEST_ID_2_multiple_pods_changing_pwd_inbetween.sh b/deploy/test/test_cases/TEST_ID_2_multiple_pods_changing_pwd_inbetween.sh
index 5a0e573d..b20e8a76 100755
--- a/deploy/test/test_cases/TEST_ID_2_multiple_pods_changing_pwd_inbetween.sh
+++ b/deploy/test/test_cases/TEST_ID_2_multiple_pods_changing_pwd_inbetween.sh
@@ -1,11 +1,9 @@
 #!/bin/bash
 set -euxo pipefail
 
-echo "Creating secrets access role"
-wait_for_it 600  "$CONFIG_DIR/secrets-access-role.sh.yml | $cli_without_timeout apply -f -"
+create_secret_access_role
 
-echo "Creating secrets access role binding"
-wait_for_it 600 "$CONFIG_DIR/secrets-access-role-binding.sh.yml | $cli_without_timeout apply -f -"
+create_secret_access_role_binding
 
 deploy_env
 

From 909449f18594beacffcafbd14594ea985a763314 Mon Sep 17 00:00:00 2001
From: Glen Johnson <glen.johnson@cyberark.com>
Date: Wed, 29 Mar 2023 11:52:01 -0600
Subject: [PATCH 2/3] Add p2f e2e tests and large secret e2e test

---
 .../config/k8s/test-env-p2f-rotation.sh.yml   |  4 +++
 .../config/k8s/test-env-push-to-file.sh.yml   |  4 +++
 .../openshift/test-env-p2f-rotation.sh.yml    |  4 +++
 .../openshift/test-env-push-to-file.sh.yml    |  4 +++
 .../secrets-provider-init-push-to-file.sh.yml |  4 +++
 .../k8s/secrets-provider-p2f-rotation.sh.yml  |  4 +++
 deploy/policy/load_policies.sh                |  2 +-
 ...ables_with_base64_decoding_successfully.sh |  4 ---
 ...ing_large_decoded_variable_successfully.sh | 30 +++++++++++++++++++
 .../test_cases/TEST_ID_27_push_to_file.sh     |  5 ++--
 ...EST_ID_28_push_to_file_secrets_rotation.sh |  6 ++--
 .../TEST_ID_29_k8s_secrets_rotation.sh        |  3 ++
 deploy/utils.sh                               |  2 +-
 13 files changed, 66 insertions(+), 10 deletions(-)
 create mode 100755 deploy/test/test_cases/TEST_ID_1.7_providing_large_decoded_variable_successfully.sh

diff --git a/deploy/config/k8s/test-env-p2f-rotation.sh.yml b/deploy/config/k8s/test-env-p2f-rotation.sh.yml
index f0f4c400..b1318f9e 100755
--- a/deploy/config/k8s/test-env-p2f-rotation.sh.yml
+++ b/deploy/config/k8s/test-env-p2f-rotation.sh.yml
@@ -34,12 +34,16 @@ spec:
           - username: secrets/username
           - password: secrets/password
           - test: secrets/test_secret
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
           - test: test_secret
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env
diff --git a/deploy/config/k8s/test-env-push-to-file.sh.yml b/deploy/config/k8s/test-env-push-to-file.sh.yml
index 8a990738..4f623613 100755
--- a/deploy/config/k8s/test-env-push-to-file.sh.yml
+++ b/deploy/config/k8s/test-env-push-to-file.sh.yml
@@ -31,11 +31,15 @@ spec:
           - url: secrets/url
           - username: secrets/username
           - password: secrets/password
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env
diff --git a/deploy/config/openshift/test-env-p2f-rotation.sh.yml b/deploy/config/openshift/test-env-p2f-rotation.sh.yml
index 94de8f1b..5d9edcc4 100755
--- a/deploy/config/openshift/test-env-p2f-rotation.sh.yml
+++ b/deploy/config/openshift/test-env-p2f-rotation.sh.yml
@@ -33,12 +33,16 @@ spec:
           - username: secrets/username
           - password: secrets/password
           - test: secrets/test_secret
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
           - test: test_secret
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env
diff --git a/deploy/config/openshift/test-env-push-to-file.sh.yml b/deploy/config/openshift/test-env-push-to-file.sh.yml
index df392129..32fb64db 100755
--- a/deploy/config/openshift/test-env-push-to-file.sh.yml
+++ b/deploy/config/openshift/test-env-push-to-file.sh.yml
@@ -30,11 +30,15 @@ spec:
           - url: secrets/url
           - username: secrets/username
           - password: secrets/password
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env
diff --git a/deploy/dev/config/k8s/secrets-provider-init-push-to-file.sh.yml b/deploy/dev/config/k8s/secrets-provider-init-push-to-file.sh.yml
index 280c202d..1d312df5 100755
--- a/deploy/dev/config/k8s/secrets-provider-init-push-to-file.sh.yml
+++ b/deploy/dev/config/k8s/secrets-provider-init-push-to-file.sh.yml
@@ -31,11 +31,15 @@ spec:
           - url: secrets/url
           - username: secrets/username
           - password: secrets/password
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env
diff --git a/deploy/dev/config/k8s/secrets-provider-p2f-rotation.sh.yml b/deploy/dev/config/k8s/secrets-provider-p2f-rotation.sh.yml
index 98f63033..833314eb 100755
--- a/deploy/dev/config/k8s/secrets-provider-p2f-rotation.sh.yml
+++ b/deploy/dev/config/k8s/secrets-provider-p2f-rotation.sh.yml
@@ -34,12 +34,16 @@ spec:
           - username: secrets/username
           - password: secrets/password
           - test: secrets/test_secret
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
           - test: test_secret
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env
diff --git a/deploy/policy/load_policies.sh b/deploy/policy/load_policies.sh
index c49c3e57..e69d08d3 100755
--- a/deploy/policy/load_policies.sh
+++ b/deploy/policy/load_policies.sh
@@ -34,7 +34,7 @@ conjur variable set -i secrets/test_secret -v "some-secret"
 conjur variable set -i "secrets/var with spaces" -v "some-secret"
 conjur variable set -i "secrets/var+with+pluses" -v "some-secret"
 conjur variable set -i "secrets/umlaut" -v "some-secret"
-conjur variable set -i "secrets/encoded" -v "c2VjcmV0LXZhbHVl" # == secret-value
+conjur variable set -i "secrets/encoded" -v "$(echo "secret-value" | tr -d '\n' | base64)" # == "c2VjcmV0LXZhbHVl"
 conjur variable set -i secrets/url -v "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 conjur variable set -i secrets/username -v "some-user"
 conjur variable set -i secrets/password -v "7H1SiSmYp@5Sw0rd"
diff --git a/deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh b/deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh
index 4f5013d2..7c60a474 100755
--- a/deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh
+++ b/deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh
@@ -6,12 +6,8 @@ create_secret_access_role
 create_secret_access_role_binding
 
 secret_value="secret-value"
-encoded_secret_value="$(echo -n "$secret_value" | base64)"
 environment_variable_name="VARIABLE_WITH_BASE64_SECRET"
 
-# Set the encoded secret value in Conjur
-set_conjur_secret "secrets/encoded" "$encoded_secret_value"
-
 set_namespace "$APP_NAMESPACE_NAME"
 deploy_env
 
diff --git a/deploy/test/test_cases/TEST_ID_1.7_providing_large_decoded_variable_successfully.sh b/deploy/test/test_cases/TEST_ID_1.7_providing_large_decoded_variable_successfully.sh
new file mode 100755
index 00000000..74440358
--- /dev/null
+++ b/deploy/test/test_cases/TEST_ID_1.7_providing_large_decoded_variable_successfully.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+# Generate a large base64 encoded string (> 65k characters)
+secret_value=$(openssl rand -base64 $((66 * 2**10)) | tr -d '\n')
+encoded_secret_value=$(echo "$secret_value" | base64)
+environment_variable_name="VARIABLE_WITH_BASE64_SECRET"
+
+# Set the encoded secret value in Conjur
+set_conjur_secret "secrets/encoded" "$encoded_secret_value"
+
+set_namespace "$APP_NAMESPACE_NAME"
+deploy_env
+
+echo "Verifying pod test_env has environment variable '$environment_variable_name' with expected value"
+test_pod="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-env')"
+actual_value=$($cli_with_timeout "exec $test_pod -- printenv | grep VARIABLE_WITH_BASE64_SECRET | cut -d= -f2")
+
+if [[ "$actual_value" == "$secret_value" ]]; then
+    echo "$environment_variable_name is set correctly"
+    # Reset the secret value to the original value for subsequent tests
+    set_conjur_secret secrets/encoded "$(echo "secret-value" | tr -d '\n' | base64)" # == "c2VjcmV0LXZhbHVl"
+else
+    echo "$environment_variable_name is not set correctly"
+    exit 1
+fi
diff --git a/deploy/test/test_cases/TEST_ID_27_push_to_file.sh b/deploy/test/test_cases/TEST_ID_27_push_to_file.sh
index 0295ff73..8f8af343 100755
--- a/deploy/test/test_cases/TEST_ID_27_push_to_file.sh
+++ b/deploy/test/test_cases/TEST_ID_27_push_to_file.sh
@@ -21,8 +21,9 @@ FILES="group1.yaml group2.json some-dotenv.env group4.bash group5.template"
 declare -A expected_content
 expected_content[group1.yaml]='"url": "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 "username": "some-user"
-"password": "7H1SiSmYp@5Sw0rd"'
-expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd"}'
+"password": "7H1SiSmYp@5Sw0rd"
+"encoded": "secret-value"'
+expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd","still_encoded":"c2VjcmV0LXZhbHVl"}'
 expected_content[some-dotenv.env]='url="postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 username="some-user"
 password="7H1SiSmYp@5Sw0rd"'
diff --git a/deploy/test/test_cases/TEST_ID_28_push_to_file_secrets_rotation.sh b/deploy/test/test_cases/TEST_ID_28_push_to_file_secrets_rotation.sh
index 66d97110..c92599f1 100755
--- a/deploy/test/test_cases/TEST_ID_28_push_to_file_secrets_rotation.sh
+++ b/deploy/test/test_cases/TEST_ID_28_push_to_file_secrets_rotation.sh
@@ -20,6 +20,7 @@ $cli_with_timeout "get pod $pod_name --namespace=$APP_NAMESPACE_NAME | grep -c 2
 
 # Change a conjur variable
 set_conjur_secret secrets/test_secret secret2
+set_conjur_secret secrets/encoded "$(echo "secret-value2" | tr -d '\n' | base64)" # == c2VjcmV0LXZhbHVlMg==
 
 # Check if the new value is picked up by secrets provider
 sleep 10
@@ -30,8 +31,9 @@ declare -A expected_content
 expected_content[group1.yaml]='"url": "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 "username": "some-user"
 "password": "7H1SiSmYp@5Sw0rd"
-"test": "secret2"'
-expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd","test":"secret2"}'
+"test": "secret2"
+"encoded": "secret-value2"'
+expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd","test":"secret2","still_encoded":"c2VjcmV0LXZhbHVlMg=="}'
 expected_content[some-dotenv.env]='url="postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 username="some-user"
 password="7H1SiSmYp@5Sw0rd"
diff --git a/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh b/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh
index a2d8544a..7e80e2b1 100755
--- a/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh
+++ b/deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh
@@ -5,6 +5,9 @@ create_secret_access_role
 
 create_secret_access_role_binding
 
+set_conjur_secret secrets/test_secret supersecret
+set_conjur_secret secrets/encoded "$(echo "secret-value" | base64)"
+
 export SECRETS_MODE="k8s-rotation"
 deploy_env
 
diff --git a/deploy/utils.sh b/deploy/utils.sh
index 159e4acd..e02b730e 100644
--- a/deploy/utils.sh
+++ b/deploy/utils.sh
@@ -391,7 +391,7 @@ set_conjur_secret() {
   echo "Set secret '$SECRET_NAME' to '$SECRET_VALUE'"
   set_namespace "$CONJUR_NAMESPACE_NAME"
   configure_cli_pod
-  $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable set -i $SECRET_NAME -v $SECRET_VALUE"
+  $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable set -i $SECRET_NAME -v \"$SECRET_VALUE\""
   set_namespace $APP_NAMESPACE_NAME
 }
 

From 47d8fd10ec9e72b8ff5f5c86744486be4e41aa4d Mon Sep 17 00:00:00 2001
From: Glen Johnson <glen.johnson@cyberark.com>
Date: Wed, 29 Mar 2023 12:02:47 -0600
Subject: [PATCH 3/3] Update changelog

---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0331f535..559a9f0d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - Adds support for binary secret values and values with special characters.
   [cyberark/secrets-provider-for-k8s#500](https://github.com/cyberark/secrets-provider-for-k8s/pull/500)
-- Adds support for content-type annotation.
+- Adds support for content-type annotation (K8s secrets) and base64 secrets decoding.
+  [cyberark/secrets-provider-for-k8s#508](https://github.com/cyberark/secrets-provider-for-k8s/pull/508)
+- Adds support for content-type annotation (P2F) and base64 secrets decoding.
   [cyberark/secrets-provider-for-k8s#511](https://github.com/cyberark/secrets-provider-for-k8s/pull/511)
 - Updating documentation for base64 decoding.
   [cyberark/secrets-provider-for-k8s#513](https://github.com/cyberark/secrets-provider-for-k8s/pull/513)