Decode input secrets used in template stringData #446
Signed-off-by: Matthew Carpenter <[email protected]>
617ff2e to 1876909
secretTemplateOwnerRef("secretTemplate"), | ||
}, | ||
}, | ||
Data: map[string][]byte{ |
139-142 should be covered by the previous unit-test.
}, | ||
}}, | ||
JSONPathTemplate: &sg2v1alpha1.JSONPathTemplate{ | ||
Data: map[string]string{ |
109-112 should be covered by the previous unit-test. This test is only for StringData
@@ -283,7 +284,12 @@ func evaluateTemplate(template *sg2v1alpha1.JSONPathTemplate, values map[string] | |||
} | |||
|
|||
// Template Secret StringData | |||
stringData, err := evaluate(template.StringData, values) | |||
decodedValues, err := decodeSecrets(values) |
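Review bot: The err returned at the new "decodedValues, err := decodeSecrets(values)" line should be checked on the next line, with an early return before evaluate is called, so a failed decode never reaches the StringData evaluation. Since decodedValues holds decoded Secret contents, keep that error text free of the input values. The "// Template Secret StringData" comment above now also covers the decode step; a short comment saying that only inputs of kind Secret are base64-decoded would make the intent clear.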
This is a pre-processing step which ends up having to iterate all the values even if you never specify a SecretData field. We also don't have any test for the "else" case, i.e.
if obj.GetKind() == "Secret" { } else { // no tests }
Is there a way to fold this into our existing evaluate function or a new function evaluateStringData which could delegate to the existing evaluateBytes or similar for most of the work?
I need this too, can I do something to help with this?
Sorry but I am not working on this anymore, by the time the review came in I'd found another way using Kyverno.
If an input resource is of kind Secret, and that is used in an expression in the stringData field of a SecretTemplate, then base64 decode it when evaluating the stringData field.
Fixes #445: Secrets used as input resources are double base64 encoded when used in stringData
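
The double encoding from #445 and the decode-before-stringData fix described above, as an added example that is not code from this PR. `valueForStringData` and `storedData` are hypothetical names, the sample value is constructed, and `storedData` stands in for the API server encoding stringData into data on write.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// valueForStringData returns the text a template should place in stringData
// for one field read from an input resource (hypothetical helper).
// Secret .data fields arrive base64-encoded; every other kind is plain text.
func valueForStringData(kind, raw string) (string, error) {
	if kind != "Secret" {
		return raw, nil // the "else" case: ConfigMaps etc. pass through
	}
	plain, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		// Report the failure without echoing the secret material.
		return "", errors.New("input Secret field is not valid base64")
	}
	return string(plain), nil
}

// storedData mimics what the API server does with stringData on write:
// each value is base64-encoded into .data.
func storedData(stringData string) string {
	return base64.StdEncoding.EncodeToString([]byte(stringData))
}

func main() {
	// Constructed sample: the .data.password field of an input Secret.
	input := base64.StdEncoding.EncodeToString([]byte("s3cr3t"))

	// Before the fix: the encoded text is copied into stringData as-is.
	before := storedData(input)
	// After the fix: decode first, then let the API server encode once.
	decoded, err := valueForStringData("Secret", input)
	if err != nil {
		panic(err)
	}
	after := storedData(decoded)

	fmt.Println("input .data:      ", input)
	fmt.Println("output, no decode:", before) // base64 of base64
	fmt.Println("output, decoded:  ", after)  // equals the input
}
```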