
Decode input secrets used in template stringData #446

Closed
wants to merge 2 commits into from

Conversation

carpenterm

If an input resource is of kind Secret, and that is used in an expression in the stringData field of a SecretTemplate, then base64 decode it when evaluating the stringData field.

Fixes #445: Secrets used as input resources are double base64 encoded when used in stringData
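The mechanism behind #445, as an added example that is not the PR's or secretgen-controller's own code: the Kubernetes API returns a Secret's `.data` values base64-encoded, and when a template copies such a value into `stringData` the API server encodes it again on write, so the stored `.data` ends up base64 of base64. The example below models the fix the PR describes, decoding `.data` of every input of kind Secret before evaluating `stringData` and leaving other kinds alone. Assumptions: the `Object` map stands in for the controller's unstructured resource, the evaluator only understands the `$(.<input>.data.<key>)` form (the real controller uses full JSONPath), and `decodeSecrets`, `evaluate` and `renderStringData` are this example's own functions, named after the diff but not taken from it; the input Secret and ConfigMap are constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
)

// Object stands in for an unstructured Kubernetes resource (assumption: the
// controller uses unstructured.Unstructured; a plain map suffices here).
type Object map[string]interface{}

// exprRe matches the only expression this toy evaluator supports,
// $(.<inputName>.data.<key>); the real controller evaluates JSONPath.
var exprRe = regexp.MustCompile(`\$\(\.([A-Za-z0-9_-]+)\.data\.([A-Za-z0-9_.-]+)\)`)

// decodeSecrets returns a copy of values in which every input of kind Secret
// has its .data entries base64-decoded, so .data.<key> yields plaintext.
// Inputs of any other kind are passed through untouched. A .data value that
// is not valid base64 is reported as an error instead of being silently kept.
func decodeSecrets(values map[string]Object) (map[string]Object, error) {
	out := make(map[string]Object, len(values))
	for name, obj := range values {
		if kind, _ := obj["kind"].(string); kind != "Secret" {
			out[name] = obj // not a Secret: nothing to decode
			continue
		}
		data, _ := obj["data"].(map[string]interface{})
		decoded := make(map[string]interface{}, len(data))
		for key, raw := range data {
			enc, ok := raw.(string)
			if !ok {
				return nil, fmt.Errorf("secret %q: data key %q is not a string", name, key)
			}
			plain, err := base64.StdEncoding.DecodeString(enc)
			if err != nil {
				return nil, fmt.Errorf("secret %q: data key %q: %w", name, key, err)
			}
			decoded[key] = string(plain)
		}
		copied := Object{} // shallow copy so the caller's input is not mutated
		for k, v := range obj {
			copied[k] = v
		}
		copied["data"] = decoded
		out[name] = copied
	}
	return out, nil
}

// evaluate substitutes every $(.<input>.data.<key>) in each template value.
func evaluate(tmpl map[string]string, values map[string]Object) (map[string]string, error) {
	out := make(map[string]string, len(tmpl))
	for field, text := range tmpl {
		var evalErr error
		out[field] = exprRe.ReplaceAllStringFunc(text, func(m string) string {
			sub := exprRe.FindStringSubmatch(m)
			data, _ := values[sub[1]]["data"].(map[string]interface{})
			v, ok := data[sub[2]].(string)
			if !ok {
				evalErr = fmt.Errorf("%s: no input %q with data key %q", field, sub[1], sub[2])
			}
			return v
		})
		if evalErr != nil {
			return nil, evalErr
		}
	}
	return out, nil
}

// renderStringData evaluates a template's stringData and returns what the API
// server would persist under .data, i.e. each value base64-encoded once more.
// With decodeFirst=false the value handed to the server is already base64,
// which is the double encoding reported in #445.
func renderStringData(stringData map[string]string, values map[string]Object, decodeFirst bool) (map[string]string, error) {
	var err error
	if decodeFirst {
		if values, err = decodeSecrets(values); err != nil {
			return nil, err
		}
	}
	rendered, err := evaluate(stringData, values)
	if err != nil {
		return nil, err
	}
	stored := make(map[string]string, len(rendered))
	for k, v := range rendered {
		stored[k] = base64.StdEncoding.EncodeToString([]byte(v))
	}
	return stored, nil
}

// sampleValues is a constructed input set: a Secret as the API returns it
// (base64 data) and a ConfigMap whose data must not be touched.
func sampleValues() map[string]Object {
	return map[string]Object{
		"creds": {"kind": "Secret", "data": map[string]interface{}{
			"password": base64.StdEncoding.EncodeToString([]byte("s3cr3t"))}},
		"cfg": {"kind": "ConfigMap", "data": map[string]interface{}{"host": "db.internal"}},
	}
}

func main() {
	tmpl := map[string]string{"dsn": "postgres://app:$(.creds.data.password)@$(.cfg.data.host)/app"}
	for _, decodeFirst := range []bool{false, true} {
		stored, err := renderStringData(tmpl, sampleValues(), decodeFirst)
		if err != nil {
			panic(err)
		}
		plain, _ := base64.StdEncoding.DecodeString(stored["dsn"])
		fmt.Printf("decodeFirst=%-5v stored data.dsn decodes to: %s\n", decodeFirst, plain)
	}
}
```

Running it shows the stored `dsn` decoding to `postgres://app:czNjcjN0@db.internal/app` without the decode step (the password is still base64) and to `postgres://app:s3cr3t@db.internal/app` with it. The decode is applied only to inputs of kind Secret, and a decode failure aborts the render rather than producing a half-decoded map.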

secretTemplateOwnerRef("secretTemplate"),
},
},
Data: map[string][]byte{
Contributor

139-142 should be covered by the previous unit-test.

},
}},
JSONPathTemplate: &sg2v1alpha1.JSONPathTemplate{
Data: map[string]string{
Contributor

109-112 should be covered by the previous unit-test. This test is only for StringData

@@ -283,7 +284,12 @@ func evaluateTemplate(template *sg2v1alpha1.JSONPathTemplate, values map[string]
}

// Template Secret StringData
stringData, err := evaluate(template.StringData, values)
decodedValues, err := decodeSecrets(values)
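Review bot: decodeSecrets(values) at the head of the "Template Secret StringData" block runs, and base64-decodes every Secret input, even when template.StringData is empty, so templates that only use Data pay for a full pass over their inputs; guard it with `if len(template.StringData) > 0` or move the decode into the per-value lookup the evaluator already does. The hunk also shows err assigned from decodeSecrets but no check on it in the visible lines; a Secret whose .data is not valid base64 must return that error before evaluate runs on decodedValues, and the else branch (a non-Secret input, which must pass through undecoded) needs a unit test alongside the Secret case.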
Contributor
@neil-hickey neil-hickey Sep 5, 2023

This is a pre-processing step which ends up having to iterate all the values even if you never specify a SecretData field. We also don't have any test for the "else" case, i.e.

if obj.GetKind() == "Secret" { } else { // no tests }

Is there a way to fold this into our existing evaluate function or a new function evaluateStringData which could delegate to the existing evaluateBytes or similar for most of the work.

@devthejo
Contributor

I need this too, can I do something to help with this?
@carpenterm are you still on the case?

@carpenterm
Author

Sorry but I am not working on this anymore, by the time the review came in I'd found another way using Kyverno.

@carpenterm carpenterm closed this Dec 18, 2023
@github-actions github-actions bot added the carvel-triage This issue has not yet been reviewed for validity label Dec 18, 2023