atomist / sdm-pack-k8s

Extension Pack for an Atomist SDM to integrate Kubernetes deployments
Apache License 2.0

EncryptSecret function ignores stringData #78

Closed timothysparg closed 5 years ago

timothysparg commented 5 years ago

The Kubernetes secrets page has the following line:

The Secret contains two maps: data and stringData. The data field is used to store arbitrary data, encoded using base64. The stringData field is provided for convenience, and allows you to provide secret data as unencoded strings.

but if I encrypt a secret then the stringData section remains unchanged.

see example below:

If I read the section properly, the following should be expected

ddgenome commented 5 years ago

Good catch.

When you say, "stringData should be encrypted and moved into the data section", do you mean "stringData should be encoded and moved into the data section"?

timothysparg commented 5 years ago

I think the answer is encoded and then encrypted. At least that's my reading of this section:

For certain scenarios, you may wish to use the stringData field instead. This field allows you to put a non-base64 encoded string directly into the Secret, and the string will be encoded for you when the Secret is created or updated.

I think my point was a little ambiguously written - I was making a general remark and not a procedural one.

So for clarity perhaps, I see it as follows: stringData should be encoded and moved into the data section, where it should be encrypted (along with the rest of the data section).

ddgenome commented 5 years ago

That makes sense to me. Basically, we should support stringData since we currently do not.
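
The behaviour agreed on in this thread, as an added example that is not code from sdm-pack-k8s: stringData values are base64-encoded into data, every data value is then encrypted, and stringData is dropped so no plain text remains in the output. The function names, the AES-256-GCM stand-in cipher and the sample secret are assumptions made for illustration; letting stringData win on duplicate keys mirrors what the Kubernetes API server does.

```typescript
import * as crypto from "crypto";

// Minimal shape of a Kubernetes Secret for this example.
interface Secret {
    apiVersion: string; kind: string; metadata: { name: string };
    data?: Record<string, string>;       // base64-encoded values
    stringData?: Record<string, string>; // plain-text values
}

// Stand-in cipher (assumption): AES-256-GCM, output is base64(iv | tag | ciphertext).
function encryptValue(value: string, key: Buffer): string {
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
    const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
    return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptValue(value: string, key: Buffer): string {
    const raw = Buffer.from(value, "base64");
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// Fold stringData into data (base64-encoded, overriding duplicate keys),
// encrypt every value, and remove stringData from the returned secret.
function encryptSecretWithStringData(secret: Secret, key: Buffer): Secret {
    const merged: Record<string, string> = { ...(secret.data || {}) };
    for (const [k, v] of Object.entries(secret.stringData || {})) {
        merged[k] = Buffer.from(v, "utf8").toString("base64");
    }
    const data: Record<string, string> = {};
    for (const [k, v] of Object.entries(merged)) {
        data[k] = encryptValue(v, key);
    }
    const out: Secret = { ...secret, data };
    delete out.stringData; // nothing unencrypted is left behind
    return out;
}

// Constructed sample input: "password" appears in both maps.
const sampleKey = crypto.scryptSync("constructed-passphrase", "constructed-salt", 32);
const sampleSecret: Secret = {
    apiVersion: "v1", kind: "Secret", metadata: { name: "example" },
    data: { username: "YWRtaW4=", password: "b2xk" },
    stringData: { password: "s3cr3t", token: "abc123" },
};
const encrypted = encryptSecretWithStringData(sampleSecret, sampleKey);
```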