
Commit 81f828d

authored
fix: tls type convert double encode (#18)
Signed-off-by: Sn0rt <wangguohao.2009@gmail.com>
1 parent 4365f62 commit 81f828d

6 files changed

+76
-54
lines changed


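--- a/e2e/e2e.sh
+++ b/e2e/e2e.sh
@@ -23,7 +23,7 @@ function apply_external_secret_template() {
 }
 
 function wait_external_secret_template_ready() {
-for i in $(seq 1 7);
+for i in $(seq 1 9);
 do
 kubectl wait --for=condition=Ready=True es/input"$i" --timeout=60s || (kubectl describe es/input"$i" && return 1)
 done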

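--- a/e2e/templated.yaml
+++ b/e2e/templated.yaml
@@ -137,6 +137,17 @@ stringData:
 ---
 apiVersion: v1
 kind: Secret
+metadata:
+name: input9
+annotations:
+avp.kubernetes.io/path: "secret/data/test-foo"
+type: kubernetes.io/tls
+data:
+tls.crt: "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"
+tls.key: <TLS_KEY>
+---
+apiVersion: v1
+kind: Secret
 metadata:
 name: approle1-secret
 annotations: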

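--- a/pkg/converter/secret_opaque.go
+++ b/pkg/converter/secret_opaque.go
@@ -1,6 +1,7 @@
 package converter
 
 import (
+"encoding/base64"
 "fmt"
 esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 corev1 "k8s.io/api/core/v1"
@@ -50,6 +51,11 @@ func generateEsByOpaqueSecret(inputSecret *internalSecret, storeType, storeName
 } else {
 propertyFromSecretData := captureFromFile.FindStringSubmatch(value)
 if len(propertyFromSecretData) == 0 {
+if IsBase64(value) {
+templateData[key] = fmt.Sprintf(`{{ "%s" | b64dec }}`, value)
+} else {
+templateData[key] = value
+}
 continue
 }
 externalSecretData = append(externalSecretData, esv1beta1.ExternalSecretData{
@@ -147,6 +153,11 @@ func generateEsByOpaqueSecret(inputSecret *internalSecret, storeType, storeName
 }, nil
 }
 
+func IsBase64(s string) bool {
+_, err := base64.StdEncoding.DecodeString(s)
+return err == nil
+}
+
 func contains(data []esv1beta1.ExternalSecretData, output string) bool {
 for _, d := range data {
 if d.SecretKey == output {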
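Review bot: `IsBase64` is a lenient heuristic, and the new branch in `generateEsByOpaqueSecret` treats its answer as a fact: `base64.StdEncoding.DecodeString` accepts any string whose length is a multiple of four and whose characters are in the base64 alphabet (newlines ignored), so a plaintext value such as `test` or `pass` would be wrapped in `{{ "…" | b64dec }}` and rendered as bytes the user never wrote, and the companion test only adds the non-matching `"data1"`, which does not pin that case. The classification cannot be made reliable from the string alone; if the loader knows whether a value came from `data` or `stringData`, that origin should drive the wrapping, and at minimum the heuristic deserves a test with a base64-shaped plaintext so the limitation is visible. The `fmt.Sprintf` interpolation into the template is safe only because a value that passed the decode check cannot contain `"`, `{{` or `%`; a comment recording that invariant next to it would stop a later relaxation of the check from becoming a template-injection path. The exported `IsBase64` also lacks a doc comment: `// IsBase64 reports whether s decodes under the standard padded base64 alphabet; this is a heuristic, and the empty string qualifies.`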

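--- a/pkg/converter/secret_opaque_test.go
+++ b/pkg/converter/secret_opaque_test.go
@@ -599,6 +599,7 @@ port = 4000`,
 },
 MergePolicy: esv1beta1.MergePolicyReplace,
 Data: map[string]string{
+"data1": "data1",
 "data2": "ubuntu",
 "data3": `"{{ .FROM_VAULT_DATA3 }}"`,
 },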

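--- a/pkg/converter/secret_tls.go
+++ b/pkg/converter/secret_tls.go
@@ -3,61 +3,20 @@ package converter
 import (
 "fmt"
 esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+corev1 "k8s.io/api/core/v1"
 )
 
 func generateEsByTLS(inputSecret *internalSecret, storeType, storeName string, creationPolicy esv1beta1.ExternalSecretCreationPolicy) (*esv1beta1.ExternalSecret, error) {
 if len(inputSecret.StringData) != 0 {
 return nil, fmt.Errorf(ErrTLSNotAllowDataField, inputSecret.Name)
 }
 
-// get the vault secret key
-var vaultSecretKey, err = getVaultSecretKey(inputSecret.Annotations["avp.kubernetes.io/path"])
+// prepare the ref of sensitive data
+output, err := generateEsByOpaqueSecret(inputSecret, storeType, storeName, creationPolicy)
 if err != nil {
-return nil, fmt.Errorf(illegalVaultPath, resolvedValueFromEnv)
+return nil, err
 }
+output.Spec.Target.Template.Type = corev1.SecretTypeTLS
 
-// for specific secret opaque sub-type
-var externalSecretData []esv1beta1.ExternalSecretData
-for fileName, pemContent := range inputSecret.Data {
-propertyFromSecretData := captureFromFile.FindStringSubmatch(pemContent)
-if len(propertyFromSecretData) == 0 {
-continue
-}
-externalSecretData = append(externalSecretData, esv1beta1.ExternalSecretData{
-SecretKey: fileName,
-RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
-ConversionStrategy: esv1beta1.ExternalSecretConversionDefault,
-DecodingStrategy: esv1beta1.ExternalSecretDecodeNone,
-MetadataPolicy: esv1beta1.ExternalSecretMetadataPolicyNone,
-Key: vaultSecretKey,
-Property: propertyFromSecretData[1],
-},
-})
-}
-
-return &esv1beta1.ExternalSecret{
-TypeMeta: metav1.TypeMeta{
-APIVersion: "external-secrets.io/v1beta1",
-Kind: "ExternalSecret",
-},
-ObjectMeta: metav1.ObjectMeta{
-Name: inputSecret.Name,
-Namespace: inputSecret.Namespace,
-Labels: inputSecret.Labels,
-},
-Spec: esv1beta1.ExternalSecretSpec{
-RefreshInterval: stopRefreshInterval,
-SecretStoreRef: esv1beta1.SecretStoreRef{
-Name: storeName,
-Kind: storeType,
-},
-Target: esv1beta1.ExternalSecretTarget{
-Name: inputSecret.Name,
-CreationPolicy: creationPolicy,
-DeletionPolicy: esv1beta1.DeletionPolicyRetain,
-},
-Data: externalSecretData,
-},
-}, nil
+return output, nil
 }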
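Review bot: `output.Spec.Target.Template.Type = corev1.SecretTypeTLS` dereferences `Template` without a nil check; `generateEsByOpaqueSecret` presumably always populates it (the opaque hunk fills `templateData` and the updated tests expect a template), but if any path of that function returns an ExternalSecret with a nil `Template` this line panics instead of honouring the function's error contract. A guard such as `if output.Spec.Target.Template == nil { return nil, fmt.Errorf("tls secret %s: opaque converter produced no template", inputSecret.Name) }` keeps the failure reportable. The delegation also changes what is emitted for the Vault-backed entry, as the test updates show: its SecretKey moves from `tls.key` to the property name and `DecodingStrategy` moves from `None` to `Auto`, which is a behaviour change the commit message does not mention and which a consumer relying on the previous decoding setting would notice. The comment `// prepare the ref of sensitive data` would be clearer as `// delegate to the opaque converter; a TLS secret differs only in the template's secret type`.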

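--- a/pkg/converter/secret_tls_test.go
+++ b/pkg/converter/secret_tls_test.go
@@ -3,6 +3,7 @@ package converter
 import (
 esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 "github.com/google/go-cmp/cmp"
+corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "testing"
 )
@@ -52,20 +53,33 @@ data:
 Name: "tls_secret_case1",
 CreationPolicy: esv1beta1.CreatePolicyOrphan,
 DeletionPolicy: esv1beta1.DeletionPolicyRetain,
+Template: &esv1beta1.ExternalSecretTemplate{
+Type: corev1.SecretTypeTLS,
+Metadata: esv1beta1.ExternalSecretTemplateMetadata{
+Labels: map[string]string{
+"app": "test",
+},
+},
+MergePolicy: esv1beta1.MergePolicyReplace,
+Data: map[string]string{
+"tls.crt": `{{ "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" | b64dec }}`,
+"tls.key": `"{{ .TLS_KEY_VAULT }}"`,
+},
+},
 },
 SecretStoreRef: esv1beta1.SecretStoreRef{
 Name: "tenant-b",
 Kind: "ClusterSecretStore",
 },
 Data: []esv1beta1.ExternalSecretData{
 {
-SecretKey: "tls.key",
+SecretKey: "TLS_KEY_VAULT",
 RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
 Key: "test-foo",
 MetadataPolicy: "None",
 Property: "TLS_KEY_VAULT",
 ConversionStrategy: "Default",
-DecodingStrategy: "None",
+DecodingStrategy: "Auto",
 },
 },
 },
@@ -110,20 +124,33 @@ data:
 Name: "open-source-secret-with-github-action-test-sn0rt-dev",
 CreationPolicy: esv1beta1.CreatePolicyOrphan,
 DeletionPolicy: esv1beta1.DeletionPolicyRetain,
+Template: &esv1beta1.ExternalSecretTemplate{
+Type: corev1.SecretTypeTLS,
+Metadata: esv1beta1.ExternalSecretTemplateMetadata{
+Labels: map[string]string{
+"app": "test",
+},
+},
+MergePolicy: esv1beta1.MergePolicyReplace,
+Data: map[string]string{
+"tls.crt": `{{ "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" | b64dec }}`,
+"tls.key": `"{{ .TLS_KEY_VAULT }}"`,
+},
+},
 },
 SecretStoreRef: esv1beta1.SecretStoreRef{
 Name: "tenant-b",
 Kind: "ClusterSecretStore",
 },
 Data: []esv1beta1.ExternalSecretData{
 {
-SecretKey: "tls.key",
+SecretKey: "TLS_KEY_VAULT",
 RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
 Key: "test-foo",
 MetadataPolicy: "None",
 Property: "TLS_KEY_VAULT",
 ConversionStrategy: "Default",
-DecodingStrategy: "None",
+DecodingStrategy: "Auto",
 },
 },
 },
@@ -181,20 +208,33 @@ data:
 Name: "open-source-secret-with-github-action-test-sn0rt-dev",
 CreationPolicy: esv1beta1.CreatePolicyOrphan,
 DeletionPolicy: esv1beta1.DeletionPolicyRetain,
+Template: &esv1beta1.ExternalSecretTemplate{
+Type: corev1.SecretTypeTLS,
+Metadata: esv1beta1.ExternalSecretTemplateMetadata{
+Labels: map[string]string{
+"app": "test",
+},
+},
+MergePolicy: esv1beta1.MergePolicyReplace,
+Data: map[string]string{
+"tls.crt": `{{ "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNyakNDQVpZQ0NRQ1N4TjdEbUl3OVRqQU5CZ2txaGtpRzl3MEJBUXNGQURBWk1SY3dGUVlEVlFRRERBNTUKYjNWeVpHOXRZV2x1TG1OdmJUQWVGdzB5TkRBNE1qWXdOakV4TlRKYUZ3MHlOVEE0TWpZd05qRXhOVEphTUJreApGekFWQmdOVkJBTU1Ebmx2ZFhKa2IyMWhhVzR1WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQXpJZDZDMU12ZkN3V0xDanNnejEwa29Ga3M2RklIbHlVNElwUDVtcitERVRGTnFKT1p6dnoKZStreGFFNjBsYkNhVDV6U2YxZDllQWM0M0t2b0w1eXBieUxWVGJjdCtlNnNYMm9rbWlzdGtxUmRxcjNtMm9hSAoyY3pKeUhEVVpyT3Z6SkRHTDJoNGdUdE03QXpsb3VaN3ViOGZNQUJDR3B5bUppNjlzMEZRQ21DakltWUdxcm02CnlpOU83VXp4bTlabmgzUWhXZ2xzbFJuS05oVUhzdHIxbnQ0K1NsMWU2TEhBbHJtTzF5eVJHUmphdHh1d1NKYTMKTUZKeFJnTHRWbnlMNzJmTWY3c1R3RzcrbDVXMmhsM2x5QW1yeGpORnIvMGJ6WHBVZHFnc0dObW84Ny80NmdSego1UFMrZVc5UzNwVDZPN2NkUlQzcTB3NVk2VUhidGdIQ3d3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCCkFRQU1HS3paS2ZsTllwRkpDczNMMEt6TFgrWmEzdG9jQUlBODFjQXU0NzNEem9uc1B3cEZaUnRPeVAzV0Foc0EKalpNcitnaVhkY3lvWjVEQTdEUkkxN0UxSDduZTFiaDR6RmtYRE1HdGQxdnZXM0xQNVlhb2NxUjlzdGMyL3A0dgpxVE03bjZ0alRqY2RYNEQ2eG5KSHRzbmF1dVBwTUdiTzUwK04yK3JobU1NbjZPVmpFRkgrRWlQYmYzNWtSbkhXCi83ZnowWnVtYkxwNUlqdWFjSFM2YXJwR25KNGZON1I2NVNHa0FpNEtvMFZ6VTNNM1laclFneFdpK29aTHpTUHUKUUZveWpYRlgvQlhBRG9vaEFuTlpkN2FmVmFaMlU3MjJqaEpKaEkxM0tobHRXb2RUT2hQVytabWxYeHZmRy9acwprdU1SVmZraHowaGlQWGtMWUVvQTZlN3MKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" | b64dec }}`,
+"tls.key": `"{{ .TLS_KEY_VAULT }}"`,
+},
+},
 },
 SecretStoreRef: esv1beta1.SecretStoreRef{
 Name: "tenant-b",
 Kind: "ClusterSecretStore",
 },
 Data: []esv1beta1.ExternalSecretData{
 {
-SecretKey: "tls.key",
+SecretKey: "TLS_KEY_VAULT",
 RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
 Key: "test-foo",
 MetadataPolicy: "None",
 Property: "TLS_KEY_VAULT",
 ConversionStrategy: "Default",
-DecodingStrategy: "None",
+DecodingStrategy: "Auto",
 },
 },
 },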
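Review bot: The same 13-line `Template: &esv1beta1.ExternalSecretTemplate{…}` literal is pasted into all three expected values in this file, differing only in the `tls.crt` string, which makes the next change to the TLS template shape a three-place edit that is easy to get out of sync. A small fixture helper in the test file, for example `func expectedTLSTemplate(crt string) *esv1beta1.ExternalSecretTemplate`, returning the shared Type, Metadata, MergePolicy and the `tls.key` template entry, would let each case state only its certificate. None of the three cases exercises a TLS input whose `tls.crt` is not base64-shaped, so the `IsBase64` branch that passes a value through unwrapped is untested from the TLS side; a case with a placeholder-style `tls.crt` would pin that path. The enclosing test functions start and end outside these hunks.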
