search

argoproj-labs / argocd-vault-plugin

An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
https://argocd-vault-plugin.readthedocs.io
Apache License 2.0
784 stars 185 forks source link

The indent function strips empty lines that might be required #650

Open PascalVA opened 1 week ago

PascalVA commented 1 week ago

Describe the bug

The indent function strips empty lines that might be required. In our example the issue occurs while trying to print a PGP public key block. The empty line is required for the PGP PUBLIC KEY BLOCK to be considered valid.

To Reproduce

  1. Create a secret on HashiCorp Vault with the following content

    -----BEGIN PGP PUBLIC KEY BLOCK-----

TmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAKTmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duCk5ldmVyIGdv
bm5hIHJ1biBhcm91bmQgYW5kIGRlc2VydCB5b3UKTmV2ZXIgZ29ubmEgbWFrZSB5b3UgY3J5Ck5l
dmVyIGdvbm5hIHNheSBnb29kYnllCk5ldmVyIGdvbm5hIHRlbGwgYSBsaWUgYW5kIGh1cnQgeW91
Cg==
-----END PGP PUBLIC KEY BLOCK-----

  2. Create a ConfigMap file with the following content and replace the HashiCorp Vault path. (NOTE: the config key here is a multiline-string. Indentation in a yaml structure is not necessary since is already handled corretly by the plugin)

    ---
apiVersion: v1
kind: ConfigMap
data:
  config: |
    pgp_key: |
      <path:/mount_point/data/path/to/secret#key | indent 2>

  3. Run the argocd-vault-plugin to template the file

    # Version we have deployed
argocd-vault-plugin_1.17.0_linux_amd64 generate configmap.yaml

# Latest version
argocd-vault-plugin_1.18.1_linux_amd64 generate configmap.yaml

Expected behavior

We expect to have all content returned with proper indentation as below:

apiVersion: v1
data:
  config: |
    pgp_key: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----

      TmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAKTmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duCk5ldmVyIGdv
      bm5hIHJ1biBhcm91bmQgYW5kIGRlc2VydCB5b3UKTmV2ZXIgZ29ubmEgbWFrZSB5b3UgY3J5Ck5l
      dmVyIGdvbm5hIHNheSBnb29kYnllCk5ldmVyIGdvbm5hIHRlbGwgYSBsaWUgYW5kIGh1cnQgeW91
      Cg==
      -----END PGP PUBLIC KEY BLOCK-----
kind: ConfigMap

Screenshots/Verbose output

We receive the output with the empty line removed by the indent plugin.

apiVersion: v1
data:
  config: |
    pgp_key: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      TmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAKTmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duCk5ldmVyIGdv
      bm5hIHJ1biBhcm91bmQgYW5kIGRlc2VydCB5b3UKTmV2ZXIgZ29ubmEgbWFrZSB5b3UgY3J5Ck5l
      dmVyIGdvbm5hIHNheSBnb29kYnllCk5ldmVyIGdvbm5hIHRlbGwgYSBsaWUgYW5kIGh1cnQgeW91
      Cg==
      -----END PGP PUBLIC KEY BLOCK-----
kind: ConfigMap

Additional Infromation

I assume the problem comes from here: https://github.com/argoproj-labs/argocd-vault-plugin/blob/810f1fe9b4a064b145621ac42113860487551bd7/pkg/kube/modifiers.go#L49-L57

I think the function should always write the trailing newline and not only if the length of the line is greater than 0.