- Bug
- Resolution: Unresolved
- Normal
- 4.14.z
- False
- Important
Description of problem:
The OpenShift Web Console (v4.14) corrupts binary data stored in Secrets when the "Edit Secret" form is used. If a Secret contains a binary file (e.g., a .jar or .jceks keystore) and a user edits any field in that Secret via the Console UI, the binary content is decoded as text, corrupted by UTF-8 replacement characters, and re-saved. This renders the binary file invalid and increases its file size.
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.14.42
How reproducible:
Always (100%)
Steps to Reproduce:
1. Generate a binary keystore file (JCEKS) and pack it into a JAR:
`keytool -genseckey -alias encryption-key-alias -keyalg AES -keysize 256 -keystore jgroups.jceks -storetype JCEKS -storepass abcd1234 -keypass abcd1234`
`jar cf jgroups-encryption.jar jgroups.jceks`
2. Create a Secret containing this JAR and a separate password field:
`oc create secret generic test-ocp-secret --from-file=JGROUPS_ENCRYPTION=jgroups-encryption.jar --from-literal=JGROUPS_KEYSTORE_PASSWORD=abcd1234`
3. Log in to the OpenShift Web Console, navigate to the Secret `test-ocp-secret`, and click **Edit Secret**.
4. Change the `JGROUPS_KEYSTORE_PASSWORD` field to a new value (e.g., `newpassword123`). Do not touch the binary file field.
5. Click **Save**.
6. Download the binary file from the secret and verify its integrity:
`oc get secret test-ocp-secret -o jsonpath='{.data.JGROUPS_ENCRYPTION}' | base64 -d > corrupted.jar`
`md5sum jgroups-encryption.jar corrupted.jar`
Actual results:
The downloaded JAR file is corrupted and unusable. The file size has increased significantly (e.g., from 912 bytes to 1174 bytes), and the MD5 checksum does not match the original file.
Expected results:
The binary file (JGROUPS_ENCRYPTION) should remain identical to the original file (unchanged) when only the password field (JGROUPS_KEYSTORE_PASSWORD) is modified.
Additional info:
Workaround: Users must use the CLI (`oc patch`) or edit the YAML file to update Secrets containing binary data.
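The following added example (not part of the original report, and not the console's source code) models the failure described under "Actual results": binary bytes decoded as UTF-8 text with replacement characters and then re-encoded. The function names and the sample bytes are constructed for illustration, and it assumes a Node.js runtime where `Buffer`, `TextDecoder` and `TextEncoder` are globals.

```javascript
// Constructed sample: ZIP magic "PK\x03\x04" followed by bytes that are not valid UTF-8.
const SAMPLE_B64 = Buffer.from(
  [0x50, 0x4b, 0x03, 0x04, 0xff, 0xfe, 0x80, 0x00, 0x41]).toString('base64');

// Models a text-based edit form: base64 -> bytes -> UTF-8 string -> bytes -> base64.
// The default (non-fatal) decoder replaces every invalid sequence with U+FFFD.
function lossyRoundTrip(b64) {
  const text = new TextDecoder('utf-8').decode(Buffer.from(b64, 'base64'));
  return Buffer.from(new TextEncoder().encode(text)).toString('base64');
}

// Guard: only treat a value as editable text if it decodes as strict UTF-8.
function isTextSafe(b64) {
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(Buffer.from(b64, 'base64'));
    return true;
  } catch (err) {
    return false;
  }
}

// Audit heuristic: count EF BF BD (encoded U+FFFD) sequences left by a lossy save.
// A legitimate binary can contain this sequence by chance, so confirm with a checksum.
function countReplacementChars(b64) {
  const bytes = Buffer.from(b64, 'base64');
  let count = 0;
  for (let i = 0; i + 2 < bytes.length; i++) {
    if (bytes[i] === 0xef && bytes[i + 1] === 0xbf && bytes[i + 2] === 0xbd) count++;
  }
  return count;
}

// Size in bytes of the decoded Secret value.
function byteLength(b64) {
  return Buffer.from(b64, 'base64').length;
}

const saved = lossyRoundTrip(SAMPLE_B64);
console.log('text-safe before edit:', isTextSafe(SAMPLE_B64));
console.log('size before/after:', byteLength(SAMPLE_B64), byteLength(saved));
console.log('U+FFFD sequences after save:', countReplacementChars(saved));
```

Each invalid byte is replaced by the three-byte encoding of U+FFFD, which is why the corrupted file is larger than the original. The corrupted value is itself valid UTF-8, so a strict-decoding check no longer flags it after the save.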