helmfile · seuf · Mar 16, 2026 · Copilot · Mar 23, 2026 · Copilot
@@ -24,6 +24,7 @@ import (
 type provider struct {
 	log *log.Logger
 
+	Encode string
 	// KeyType is either "filepath"(default) or "base64".
 	KeyType string
 	// Format is --input-type of sops
@@ -39,6 +40,10 @@ func New(l *log.Logger, cfg api.StaticConfig, awsLogLevel string) *provider {
 	p := &provider{
 		log: l,
 	}
+	p.Encode = cfg.String("encode")
+	if p.Encode == "" {
+		p.Encode = "raw"
+	}
 	p.Format = cfg.String("format")
 	p.KeyType = cfg.String("key_type")
 	if p.KeyType == "" {
@@ -60,7 +65,14 @@ func (p *provider) GetString(key string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	return string(cleartext), nil
+	switch p.Encode {
+	case "raw":
+		return string(cleartext), nil
+	case "base64":
+		return base64.StdEncoding.EncodeToString(cleartext), nil
+	default:
+		return "", fmt.Errorf("Unsupported encode parameter: '%s'.", p.Encode)
+	}
 }
 
 func (p *provider) GetStringMap(key string) (map[string]interface{}, error) {

@@ -238,6 +238,30 @@ func TestNewProviderDefaultKeyType(t *testing.T) {
 	}
 }
 
+func TestNewProviderDefaultEncode(t *testing.T) {
+	cfg := config.MapConfig{M: map[string]interface{}{}}
+
+	p := New(log.New(log.Config{}), cfg, "")
+
+	if p.Encode != "raw" {
+		t.Errorf("Encode = %q, want %q (default)", p.Encode, "raw")
+	}
+}
+
+func TestNewProviderReadsEncodeBase64(t *testing.T) {
+	cfg := config.MapConfig{
+		M: map[string]interface{}{
+			"encode": "base64",
+		},
+	}
+
+	p := New(log.New(log.Config{}), cfg, "")
+
+	if p.Encode != "base64" {
+		t.Errorf("Encode = %q, want %q", p.Encode, "base64")
+	}
+}
+
 // staticCredProvider is a no-op aws.CredentialsProvider used in tests.
 type staticCredProvider struct{}