fix: implicitly base64 encode base64 secret values #138
Are we sure about this assumption?
Recap of how the plugin works now:
This PR addresses the last one so that I think it's a good feature to have but it will be inconsistent with how the plugin works in the 3rd and 4th scenarios
So if we're going down this route then to make 3rd and 4th scenarios consistent, we'd have to change the rules so that AVP will re-encode into base64 the result of any replacements of strings in
Codecov Report
@@ Coverage Diff @@
## main #138 +/- ##
==========================================
+ Coverage 57.88% 58.11% +0.23%
==========================================
Files 16 16
Lines 539 542 +3
==========================================
+ Hits 312 315 +3
Misses 187 187
Partials 40 40
Continue to review full report at Codecov.
Talked to Jake some more about it and Jake pointed out that the 3rd and 4th scenarios I brought up would only happen if a YAML outside of someone's control (so from an upstream chart) did something like:
data:
  credentials: |
    [block]
    password: {{ .values.password }}
and just expected that to work, no base64'ing done anywhere. That's unreasonable.
If the user did have control over the YAML, this is easily solved by swapping data for stringData. So there is nothing "inconsistent" about what this PR does and I approve!
Sorry about the delay :)
@teejaded Can you add documentation to the readme about how the encoding/decoding will work?
Description
If a secret is successfully decoded from base64, assume it needs to be re-encoded. This allows for secret values with multiple placeholders or concatenation with other strings.
Fixes: #124
Checklist
Please make sure that your PR fulfills the following requirements:
Type of Change
Other information
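
The decode, substitute, re-encode behaviour from the Description, as an added example that is not the plugin's own code. The `<name>` placeholder pattern, the function names and the sample values are assumptions made for illustration, as is the choice to leave a non-base64 value un-encoded after substitution.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
)

// Assumed placeholder syntax for this example: <name>.
var placeholder = regexp.MustCompile(`<([A-Za-z0-9_-]+)>`)

// substitute replaces every known placeholder in s; unknown ones are left untouched.
func substitute(s string, secrets map[string]string) string {
	return placeholder.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := secrets[m[1:len(m)-1]]; ok {
			return v
		}
		return m
	})
}

// renderDataValue handles one value from a Secret's `data` map.
// It returns the rendered value and whether the value was re-encoded.
func renderDataValue(value string, secrets map[string]string) (string, bool) {
	decoded, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		// Not base64 (for example a bare "<password>"): substitute only.
		// Assumption: the stored secret is then expected to be encoded already.
		return substitute(value, secrets), false
	}
	// Decoded cleanly: substitute inside the plaintext, then re-encode the result.
	rendered := substitute(string(decoded), secrets)
	return base64.StdEncoding.EncodeToString([]byte(rendered)), true
}

func main() {
	secrets := map[string]string{"user": "svc", "password": "s3cr3t"} // constructed sample values
	// A data value holding several placeholders concatenated with other text.
	tmpl := base64.StdEncoding.EncodeToString([]byte("postgres://<user>:<password>@db:5432"))
	for _, v := range []string{tmpl, "<password>", "test"} {
		out, reencoded := renderDataValue(v, secrets)
		fmt.Printf("%q -> %q (re-encoded: %v)\n", v, out, reencoded)
	}
}
```

The third input, `test`, is ordinary text that also happens to be valid base64: it takes the re-encode path, but with no placeholder in the decoded bytes it round-trips unchanged.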