feat: support stringData in secretGenerator

stealthybox · stealthybox · commit a2b1d739458c · 2025-04-21T23:57:43.000-06:00
diff --git a/api/internal/generators/secret.go b/api/internal/generators/secret.go
@@ -11,21 +11,27 @@ import (
 
 // MakeSecret makes a kubernetes Secret.
 //
-// Secret: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#secret-v1-core
+// Secret: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/
 //
 // ConfigMaps and Secrets are similar.
 //
 // Like a ConfigMap, a Secret has a `data` field, but unlike a ConfigMap it has
-// no `binaryData` field.
+// no `binaryData` field. Secret also provides a `stringData` field.
 //
-// All of a Secret's data is assumed to be opaque in nature, and assumed to be
+// A Secret's `data` is assumed to be opaque in nature, and assumed to be
 // base64 encoded from its original representation, regardless of whether the
 // original data was UTF-8 text or binary.
 //
 // This encoding provides no secrecy. It's just a neutral, common means to
 // represent opaque text and binary data.  Beneath the base64 encoding
 // is presumably further encoding under control of the Secret's consumer.
 //
+// A Secret's `stringData` field is similar to ConfigMap's `data` field.
+// `stringData` allows specifying non-binary, UTF-8 secret data in string form.
+// It is provided as a write-only input field for convenience.
+// All keys and values are merged into the data field on write, overwriting any
+// existing values. The stringData field is never output when reading from the API.
+//
 // A Secret has string field `type` which holds an identifier, used by the
 // client, to choose the algorithm to interpret the `data` field.  Kubernetes
 // cannot make use of this data; it's up to a controller or some pod's service
@@ -50,8 +56,14 @@ func MakeSecret(
 	if err != nil {
 		return nil, err
 	}
-	if err = rn.LoadMapIntoSecretData(m); err != nil {
-		return nil, err
+	if args.StringData {
+		if err = rn.LoadMapIntoSecretStringData(m); err != nil {
+			return nil, err
+		}
+	} else {
+		if err = rn.LoadMapIntoSecretData(m); err != nil {
+			return nil, err
+		}
 	}
 	copyLabelsAndAnnotations(rn, args.Options)
 	setImmutable(rn, args.Options)
diff --git a/api/resmap/reswrangler.go b/api/resmap/reswrangler.go
@@ -591,6 +591,7 @@ func (m *resWrangler) appendReplaceOrMerge(res *resource.Resource) error {
 			res.CopyMergeMetaDataFieldsFrom(old)
 			res.MergeDataMapFrom(old)
 			res.MergeBinaryDataMapFrom(old)
+			res.MergeStringDataMapFrom(old)
 			if orig != nil {
 				res.SetOrigin(orig)
 			}
diff --git a/api/resource/resource.go b/api/resource/resource.go
@@ -157,7 +157,7 @@ func (r *Resource) DeepCopy() *Resource {
 // the resource.
 // TODO: move to RNode, use GetMeta to improve performance.
 // TODO: make a version of mergeStringMaps that is build-annotation aware
-//   to avoid repeatedly setting refby and genargs annotations
+// to avoid repeatedly setting refby and genargs annotations
 // Must remove the kustomize bit at the end.
 func (r *Resource) CopyMergeMetaDataFieldsFrom(other *Resource) error {
 	if err := r.SetLabels(
@@ -197,6 +197,10 @@ func (r *Resource) MergeBinaryDataMapFrom(o *Resource) {
 	r.SetBinaryDataMap(mergeStringMaps(o.GetBinaryDataMap(), r.GetBinaryDataMap()))
 }
 
+func (r *Resource) MergeStringDataMapFrom(o *Resource) {
+	r.SetStringDataMap(mergeStringMaps(o.GetStringDataMap(), r.GetStringDataMap()))
+}
+
 func (r *Resource) ErrIfNotEquals(o *Resource) error {
 	meYaml, err := r.AsYAML()
 	if err != nil {
diff --git a/api/types/secretargs.go b/api/types/secretargs.go
@@ -16,4 +16,10 @@ type SecretArgs struct {
 	// If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two
 	// keys: "tls.key" and "tls.crt"
 	Type string `json:"type,omitempty" yaml:"type,omitempty"`
+
+	// StringData if true generates a v1/Secret with plain-text stringData fields
+	// instead of base64-encoded data fields. If any fields are not UTF-8, they
+	// are still base64-encoded and stored as data as a fallback behavior. This
+	// is similar to the default behavior of a ConfigMap.
+	StringData bool `json:"stringData,omitempty" yaml:"stringData,omitempty"`
 }
diff --git a/kyaml/yaml/const.go b/kyaml/yaml/const.go
@@ -24,6 +24,7 @@ const (
 	MetadataField    = "metadata"
 	DataField        = "data"
 	BinaryDataField  = "binaryData"
+	StringDataField  = "stringData"
 	NameField        = "name"
 	NamespaceField   = "namespace"
 	LabelsField      = "labels"
diff --git a/kyaml/yaml/datamap.go b/kyaml/yaml/datamap.go
@@ -95,6 +95,35 @@ func makeSecretValueRNode(s string) *RNode {
 	return NewRNode(yN)
 }
 
+func (rn *RNode) LoadMapIntoSecretStringData(m map[string]string) error {
+	for _, k := range SortedMapKeys(m) {
+		fldName, vrN := makeSecretStringValueRNode(m[k])
+		if _, err := rn.Pipe(
+			LookupCreate(MappingNode, fldName),
+			SetField(k, vrN)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// valid UTF-8 strings can be stringData, but fallback to Base64 for non UTF-8
+func makeSecretStringValueRNode(s string) (field string, rN *RNode) {
+	yN := &Node{Kind: ScalarNode}
+	yN.Tag = NodeTagString
+	if utf8.ValidString(s) {
+		field = StringDataField
+		yN.Value = s
+	} else {
+		field = DataField
+		yN.Value = encodeBase64(s)
+	}
+	if strings.Contains(yN.Value, "\n") {
+		yN.Style = LiteralStyle
+	}
+	return field, NewRNode(yN)
+}
+
 // encodeBase64 encodes s as base64 that is broken up into multiple lines
 // as appropriate for the resulting length.
 func encodeBase64(s string) string {
diff --git a/kyaml/yaml/rnode.go b/kyaml/yaml/rnode.go
@@ -632,6 +632,19 @@ func (rn *RNode) GetBinaryDataMap() map[string]string {
 	return result
 }
 
+func (rn *RNode) GetStringDataMap() map[string]string {
+	n, err := rn.Pipe(Lookup(StringDataField))
+	if err != nil {
+		return nil
+	}
+	result := map[string]string{}
+	_ = n.VisitFields(func(node *MapNode) error {
+		result[GetValue(node.Key)] = GetValue(node.Value)
+		return nil
+	})
+	return result
+}
+
 // GetValidatedDataMap retrieves the data map and returns an error if the data
 // map contains entries which are not included in the expectedKeys set.
 func (rn *RNode) GetValidatedDataMap(expectedKeys []string) (map[string]string, error) {
@@ -688,6 +701,21 @@ func (rn *RNode) SetBinaryDataMap(m map[string]string) {
 	}
 }
 
+func (rn *RNode) SetStringDataMap(m map[string]string) {
+	if rn == nil {
+		log.Fatal("cannot set stringData map on nil Rnode")
+	}
+	if err := rn.PipeE(Clear(StringDataField)); err != nil {
+		log.Fatal(err)
+	}
+	if len(m) == 0 {
+		return
+	}
+	if err := rn.LoadMapIntoSecretStringData(m); err != nil {
+		log.Fatal(err)
+	}
+}
+
 // AppendToFieldPath appends a field name to the FieldPath.
 func (rn *RNode) AppendToFieldPath(parts ...string) {
 	rn.fieldPath = append(rn.fieldPath, parts...)

Original file line number	Diff line number	Diff line change
`@@ -591,6 +591,7 @@ func (m resWrangler) appendReplaceOrMerge(res resource.Resource) error {`
`591`	`591`	`res.CopyMergeMetaDataFieldsFrom(old)`
`592`	`592`	`res.MergeDataMapFrom(old)`
`593`	`593`	`res.MergeBinaryDataMapFrom(old)`
	`594`	`+ res.MergeStringDataMapFrom(old)`
`594`	`595`	`if orig != nil {`
`595`	`596`	`res.SetOrigin(orig)`
`596`	`597`	`}`