mittwald / kubernetes-secret-generator

Kubernetes controller for automatically generating and updating secrets
Apache License 2.0

Secrets generated from custom resources don't use the default controller's encoding #63

Closed akolosov-a closed 2 years ago

akolosov-a commented 2 years ago

Describe the bug

When the kubernetes-secret-generator controller is explicitly configured to use an encoding other than base64, secrets generated from custom resources with no encoding field specified are still created with base64 encoding.

To Reproduce

  1. Deploy kubernetes-secret-generator controller with the parameter to use e.g. hex encoding by default.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-secret-generator
  namespace: kube-system
  labels:
    app: kubernetes-secret-generator
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: kubernetes-secret-generator
  template:
    metadata:
      labels:
        app: kubernetes-secret-generator
    spec:
      serviceAccountName: kubernetes-secret-generator
      containers:
      - name: kubernetes-secret-generator
        image: quay.io/mittwald/kubernetes-secret-generator:v3.3.4
        command:
        - kubernetes-secret-generator
        ports:
        - containerPort: 8080
          name: http
        env:
        - name: WATCH_NAMESPACE
          value: ''
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: OPERATOR_NAME
          value: kubernetes-secret-generator
        - name: SECRET_ENCODING
          value: hex
```
  2. Create a custom resource for a string secret with no encoding specified.

```yaml
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
  name: the-secret-crd
spec:
  fields:
  - fieldName: password
```
  3. Check the encoding of the generated secret (it is not the hex encoding which is configured for the controller):

```
$ kubectl get secret the-secret-crd -o jsonpath='{.data.password}' | base64 --decode
wjjH7N8AJqOSL4UXIo46sYJHuy9pPYYd+j4evnoe
```

Expected behavior

The expected behaviour is similar to that of secrets whose items are generated with annotations: the default encoding is used if no secret-generator.v1.mittwald.de/encoding annotation is specified. E.g. this is the password generated in the secret generated with annotations:

```
$ kubectl describe secret the-secret
Name:         the-secret
Namespace:    default
Labels:       <none>
Annotations:  secret-generator.v1.mittwald.de/autogenerate: password
              secret-generator.v1.mittwald.de/autogenerate-generated-at: 2021-11-23T13:25:22Z
              secret-generator.v1.mittwald.de/secure: yes
              secret-generator.v1.mittwald.de/type: string

Type:  Opaque

Data
====
password:  40 bytes

$ kubectl get secret the-secret -o jsonpath='{.data.password}' | base64 --decode
a9838164a615daa23a2731aedc36ece46021e6da
```

Environment:
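
The fallback this report expects, sketched as an added example that is not part of the original issue or the project's own code: a per-field encoding wins, and an empty one falls back to the controller default instead of base64. The names `effectiveEncoding`, `generate` and `isLowerHex` are hypothetical, and truncating the encoded string to the requested length is an assumption inferred from the 40-character values shown above.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// effectiveEncoding: a per-field encoding wins; an empty one falls back to the
// controller default (SECRET_ENCODING in the report). Hypothetical helper.
func effectiveEncoding(fieldEncoding, controllerDefault string) string {
	if fieldEncoding != "" {
		return fieldEncoding
	}
	return controllerDefault
}

// generate encodes random bytes and cuts to length characters (assumed behaviour).
func generate(length int, encoding string) (string, error) {
	if length <= 0 {
		return "", fmt.Errorf("invalid length %d", length)
	}
	raw := make([]byte, length)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	switch encoding {
	case "hex":
		return hex.EncodeToString(raw)[:length], nil
	case "base64":
		return base64.StdEncoding.EncodeToString(raw)[:length], nil
	}
	return "", fmt.Errorf("unsupported encoding %q", encoding)
}

// isLowerHex reports whether a decoded secret value contains only [0-9a-f].
func isLowerHex(value string) bool {
	return value != "" && strings.Trim(value, "0123456789abcdef") == ""
}

func main() {
	enc := effectiveEncoding("", "hex") // CR field without encoding, controller set to hex
	fmt.Println(generate(40, enc))
	// The two values shown in the report: custom-resource secret, then annotated secret.
	fmt.Println(isLowerHex("wjjH7N8AJqOSL4UXIo46sYJHuy9pPYYd+j4evnoe"))
	fmt.Println(isLowerHex("a9838164a615daa23a2731aedc36ece46021e6da"))
}
```

Running `isLowerHex` over the decoded values of existing secrets is a quick way to find ones that were generated with base64 while the controller was set to hex.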