feat: support stringData in secretGenerator

Author: stealthybox

api/internal/generators/secret.go

@@ -4,28 +4,36 @@
 package generators
 
 import (
+	"fmt"
+
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 // MakeSecret makes a kubernetes Secret.
 //
-// Secret: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#secret-v1-core
+// Secret: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/
 //
 // ConfigMaps and Secrets are similar.
 //
 // Like a ConfigMap, a Secret has a `data` field, but unlike a ConfigMap it has
-// no `binaryData` field.
+// no `binaryData` field. Secret also provides a `stringData` field.
 //
-// All of a Secret's data is assumed to be opaque in nature, and assumed to be
+// A Secret's `data` is assumed to be opaque in nature, and assumed to be
 // base64 encoded from its original representation, regardless of whether the
 // original data was UTF-8 text or binary.
 //
 // This encoding provides no secrecy. It's just a neutral, common means to
 // represent opaque text and binary data.  Beneath the base64 encoding
 // is presumably further encoding under control of the Secret's consumer.
 //
+// A Secret's `stringData` field is similar to ConfigMap's `data` field.
+// `stringData` allows specifying non-binary, UTF-8 secret data in string form.
+// It is provided as a write-only input field for convenience.
+// All keys and values are merged into the data field on write, overwriting any
+// existing values. The stringData field is never output when reading from the API.
+//
 // A Secret has string field `type` which holds an identifier, used by the
 // client, to choose the algorithm to interpret the `data` field.  Kubernetes
 // cannot make use of this data; it's up to a controller or some pod's service
@@ -50,8 +58,14 @@ func MakeSecret(
 	if err != nil {
 		return nil, err
 	}
-	if err = rn.LoadMapIntoSecretData(m); err != nil {
-		return nil, err
+	if args.StringData {
+		if err = rn.LoadMapIntoSecretStringData(m); err != nil {
+			return nil, fmt.Errorf("Failed to load map into Secret stringData: %w", err)
+		}
+	} else {
+		if err = rn.LoadMapIntoSecretData(m); err != nil {
+			return nil, fmt.Errorf("Failed to load map into Secret data: %w", err)
+		}
 	}
 	copyLabelsAndAnnotations(rn, args.Options)
 	setImmutable(rn, args.Options)

api/krusty/secrets_test.go

@@ -236,18 +236,18 @@ type: Opaque
 `)
 }
 
-var binaryHunter2 = []byte{
-	0xff, // non-utf8
-	0x68, // h
-	0x75, // u
-	0x6e, // n
-	0x74, // t
-	0x65, // e
-	0x72, // r
-	0x32, // 2
-}
-
 func manyHunter2s(count int) (result []byte) {
+	binaryHunter2 := []byte{
+		0xff, // non-utf8
+		0x68, // h
+		0x75, // u
+		0x6e, // n
+		0x74, // t
+		0x65, // e
+		0x72, // r
+		0x32, // 2
+	}
+
 	for i := 0; i < count; i++ {
 		result = append(result, binaryHunter2...)
 	}
@@ -358,100 +358,6 @@ type: Opaque
 `)
 }
 
-func secretGeneratorMergeNamePrefix(t *testing.T) {
-	th := kusttest_test.MakeHarness(t)
-	th.WriteK("base", `
-secretGenerator:
-- name: cm
-  behavior: create
-  literals:
-  - foo=bar
-`)
-	th.WriteK("o1", `
-resources:
-- ../base
-namePrefix: o1-
-`)
-	th.WriteK("o2", `
-resources:
-- ../base
-nameSuffix: -o2
-`)
-	th.WriteK(".", `
-resources:
-- o1
-- o2
-secretGenerator:
-- name: o1-cm
-  behavior: merge
-  literals:
-  - big=bang
-- name: cm-o2
-  behavior: merge
-  literals:
-  - big=crunch
-`)
-	m := th.Run(".", th.MakeDefaultOptions())
-	th.AssertActualEqualsExpected(m, `
-apiVersion: v1
-data:
-  big: bang
-  foo: bar
-kind: Secret
-metadata:
-  name: o1-cm-ft9mmdc8c6
-type: Opaque
----
-apiVersion: v1
-data:
-  big: crunch
-  foo: bar
-kind: Secret
-metadata:
-  name: cm-o2-5k95kd76ft
-type: Opaque
-`)
-}
-
-func secretGeneratorLiteralNewline(t *testing.T) {
-	th := kusttest_test.MakeHarness(t)
-	th.WriteK(".", `
-generators:
-- secrets.yaml
-`)
-	th.WriteF("secrets.yaml", `
-apiVersion: builtin
-kind: SecretGenerator
-metadata:
-  name: testing
-type: Opaque
-literals:
-  - |
-    initial.txt=greetings
-    everyone
-  - |
-    final.txt=different
-    behavior
----
-`)
-	m := th.Run(".", th.MakeDefaultOptions())
-	th.AssertActualEqualsExpected(
-		m, `
-apiVersion: v1
-data:
-  final.txt: |
-    different
-    behavior
-  initial.txt: |
-    greetings
-    everyone
-kind: Secret
-metadata:
-  name: testing-tt4769fb52
-type: Opaque
-`)
-}
-
 // regression test for https://github.com/kubernetes-sigs/kustomize/issues/4233
 func TestSecretDataEndsWithQuotes(t *testing.T) {
 	th := kusttest_test.MakeHarness(t)

api/resmap/reswrangler.go

@@ -591,6 +591,7 @@ func (m *resWrangler) appendReplaceOrMerge(res *resource.Resource) error {
 			res.CopyMergeMetaDataFieldsFrom(old)
 			res.MergeDataMapFrom(old)
 			res.MergeBinaryDataMapFrom(old)
+			res.MergeStringDataMapFrom(old)
 			if orig != nil {
 				res.SetOrigin(orig)
 			}

api/resource/resource.go

@@ -157,7 +157,7 @@ func (r *Resource) DeepCopy() *Resource {
 // the resource.
 // TODO: move to RNode, use GetMeta to improve performance.
 // TODO: make a version of mergeStringMaps that is build-annotation aware
-//   to avoid repeatedly setting refby and genargs annotations
+// to avoid repeatedly setting refby and genargs annotations
 // Must remove the kustomize bit at the end.
 func (r *Resource) CopyMergeMetaDataFieldsFrom(other *Resource) error {
 	if err := r.SetLabels(
@@ -197,6 +197,10 @@ func (r *Resource) MergeBinaryDataMapFrom(o *Resource) {
 	r.SetBinaryDataMap(mergeStringMaps(o.GetBinaryDataMap(), r.GetBinaryDataMap()))
 }
 
+func (r *Resource) MergeStringDataMapFrom(o *Resource) {
+	r.SetStringDataMap(mergeStringMaps(o.GetStringDataMap(), r.GetStringDataMap()))
+}
+
 func (r *Resource) ErrIfNotEquals(o *Resource) error {
 	meYaml, err := r.AsYAML()
 	if err != nil {

api/types/secretargs.go

@@ -16,4 +16,10 @@ type SecretArgs struct {
 	// If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two
 	// keys: "tls.key" and "tls.crt"
 	Type string `json:"type,omitempty" yaml:"type,omitempty"`
+
+	// StringData if true generates a v1/Secret with plain-text stringData fields
+	// instead of base64-encoded data fields. If a generating field does not have a
+	// UTF-8 value, it falls back to being stored as base64-encoded data field. This
+	// is similar to the default binaryData fallback of a ConfigMapGenerator.
+	StringData bool `json:"stringData,omitempty" yaml:"stringData,omitempty"`
 }

kyaml/yaml/const.go

@@ -24,6 +24,7 @@ const (
 	MetadataField    = "metadata"
 	DataField        = "data"
 	BinaryDataField  = "binaryData"
+	StringDataField  = "stringData"
 	NameField        = "name"
 	NamespaceField   = "namespace"
 	LabelsField      = "labels"

kyaml/yaml/datamap.go

@@ -95,6 +95,35 @@ func makeSecretValueRNode(s string) *RNode {
 	return NewRNode(yN)
 }
 
+func (rn *RNode) LoadMapIntoSecretStringData(m map[string]string) error {
+	for _, k := range SortedMapKeys(m) {
+		fldName, vrN := makeSecretStringValueRNode(m[k])
+		if _, err := rn.Pipe(
+			LookupCreate(MappingNode, fldName),
+			SetField(k, vrN)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// valid UTF-8 strings can be stringData, but fallback to Base64 for non UTF-8
+func makeSecretStringValueRNode(s string) (field string, rN *RNode) {
+	yN := &Node{Kind: ScalarNode}
+	yN.Tag = NodeTagString
+	if utf8.ValidString(s) {
+		field = StringDataField
+		yN.Value = s
+	} else {
+		field = DataField
+		yN.Value = encodeBase64(s)
+	}
+	if strings.Contains(yN.Value, "\n") {
+		yN.Style = LiteralStyle
+	}
+	return field, NewRNode(yN)
+}
+
 // encodeBase64 encodes s as base64 that is broken up into multiple lines
 // as appropriate for the resulting length.
 func encodeBase64(s string) string {

kyaml/yaml/rnode.go

@@ -632,6 +632,19 @@ func (rn *RNode) GetBinaryDataMap() map[string]string {
 	return result
 }
 
+func (rn *RNode) GetStringDataMap() map[string]string {
+	n, err := rn.Pipe(Lookup(StringDataField))
+	if err != nil {
+		return nil
+	}
+	result := map[string]string{}
+	_ = n.VisitFields(func(node *MapNode) error {
+		result[GetValue(node.Key)] = GetValue(node.Value)
+		return nil
+	})
+	return result
+}
+
 // GetValidatedDataMap retrieves the data map and returns an error if the data
 // map contains entries which are not included in the expectedKeys set.
 func (rn *RNode) GetValidatedDataMap(expectedKeys []string) (map[string]string, error) {
@@ -688,6 +701,21 @@ func (rn *RNode) SetBinaryDataMap(m map[string]string) {
 	}
 }
 
+func (rn *RNode) SetStringDataMap(m map[string]string) {
+	if rn == nil {
+		log.Fatal("cannot set stringData map on nil Rnode")
+	}
+	if err := rn.PipeE(Clear(StringDataField)); err != nil {
+		log.Fatal(err)
+	}
+	if len(m) == 0 {
+		return
+	}
+	if err := rn.LoadMapIntoSecretStringData(m); err != nil {
+		log.Fatal(err)
+	}
+}
+
 // AppendToFieldPath appends a field name to the FieldPath.
 func (rn *RNode) AppendToFieldPath(parts ...string) {
 	rn.fieldPath = append(rn.fieldPath, parts...)

site/content/en/docs/Reference/API/included/secretargs.md

@@ -16,3 +16,10 @@ _build:
 * **type** (string), optional
 
     Type of the secret. Must be `Opaque` or `kubernetes.io/tls`. Defaults to `Opaque`.
+
+* **stringData** (bool), optional
+
+	  stringData if true generates a v1/Secret with plain-text stringData fields
+	  instead of base64-encoded data fields. If a generating field does not have a
+	  UTF-8 value, it falls back to being stored as base64-encoded data field. This
+	  is similar to the default binaryData fallback of a configMapGenerator.