Fix continuous diff for Secret stringData field

CHANGELOG.md

@@ -1,6 +1,7 @@
 ## Unreleased
 
 - [sdk/python] Drop unused pyyaml dependency (https://github.com/pulumi/pulumi-kubernetes/pull/2502)
+- Fix continuous diff for Secret stringData field (https://github.com/pulumi/pulumi-kubernetes/pull/2511)
 
 ## 4.0.1 (July 19, 2023)
 

provider/pkg/clients/clients.go

@@ -246,6 +246,11 @@ func IsCRD(obj *unstructured.Unstructured) bool {
 		strings.HasPrefix(obj.GetAPIVersion(), "apiextensions.k8s.io/")
 }
 
+func IsSecret(obj *unstructured.Unstructured) bool {
+	gvk := obj.GroupVersionKind()
+	return (gvk.Group == corev1.GroupName || gvk.Group == "core") && gvk.Kind == string(kinds.Secret)
+}
+
 // IsConfigMap returns true if the resource is a configmap marked as immutable.
 func IsConfigMap(obj *unstructured.Unstructured) bool {
 	gvk := obj.GroupVersionKind()

provider/pkg/clients/unstructured.go

@@ -65,22 +65,35 @@ func ToUnstructured(object metav1.Object) (*unstructured.Unstructured, error) {
 // This process normalizes semantically-equivalent resources into an identical output, which is important for diffing.
 // If the scheme is not defined, then return the original resource.
 func Normalize(uns *unstructured.Unstructured) (*unstructured.Unstructured, error) {
+	var result *unstructured.Unstructured
+
 	if IsCRD(uns) {
-		return normalizeCRD(uns), nil
+		result = normalizeCRD(uns)
+	} else if IsSecret(uns) {
+		result = normalizeSecret(uns)
+	} else {
+		obj, err := FromUnstructured(uns)
+		// Return the input resource rather than an error if this operation fails.
+		if err != nil {
+			return uns, nil
+		}
+		result, err = ToUnstructured(obj)
+		// Return the input resource rather than an error if this operation fails.
+		if err != nil {
+			return uns, err
+		}
 	}
 
-	obj, err := FromUnstructured(uns)
-	// Return the input resource rather than an error if this operation fails.
-	if err != nil {
-		return uns, nil
-	}
-	return ToUnstructured(obj)
+	// Remove output-only fields
+	unstructured.RemoveNestedField(result.Object, "metadata", "creationTimestamp")
+
+	return result, nil
 }
 
 // normalizeCRD manually normalizes CRD resources, which require special handling due to the lack of defined conversion
 // scheme for CRDs.
 func normalizeCRD(uns *unstructured.Unstructured) *unstructured.Unstructured {
-	contract.Assertf(IsCRD(uns), "normalizeCRD called on a non-CRD resource: %s", uns.GetAPIVersion())
+	contract.Assertf(IsCRD(uns), "normalizeCRD called on a non-CRD resource: %s:%s", uns.GetAPIVersion(), uns.GetKind())
 
 	// .spec.preserveUnknownFields is deprecated, and will be removed by the apiserver on the created resource if the
 	// value is false. Normalize for diffing by removing this field if present and set to "false".
@@ -92,6 +105,37 @@ func normalizeCRD(uns *unstructured.Unstructured) *unstructured.Unstructured {
 	return uns
 }
 
+// normalizeSecret manually normalizes Secret resources, which require special handling due to the apiserver replacing
+// the .stringData field with a base64-encoded value in the .data field.
+func normalizeSecret(uns *unstructured.Unstructured) *unstructured.Unstructured {
+	contract.Assertf(IsSecret(uns), "normalizeSecret called on a non-Secret resource: %s:%s", uns.GetAPIVersion(), uns.GetKind())
+
+	obj, err := FromUnstructured(uns)
+	if err != nil {
+		return uns // If the operation fails, just return the original object
+	}
+	secret := obj.(*corev1.Secret)
+
+	// See https://github.com/kubernetes/kubernetes/blob/v1.27.4/pkg/apis/core/v1/conversion.go#L406-L414
+	// StringData overwrites Data
+	if len(secret.StringData) > 0 {
+		if secret.Data == nil {
+			secret.Data = map[string][]byte{}
+		}
+		for k, v := range secret.StringData {
+			secret.Data[k] = []byte(v)
+		}
+
+		secret.StringData = nil
+	}
+
+	updated, err := ToUnstructured(secret)
+	if err != nil {
+		return uns // If the operation fails, just return the original object
+	}
+	return updated
+}
+
 func PodFromUnstructured(uns *unstructured.Unstructured) (*corev1.Pod, error) {
 	const expectedAPIVersion = "v1"
 

provider/pkg/clients/unstructured_test.go

@@ -207,6 +207,45 @@ var (
 			},
 		},
 	}
+
+	secretUnstructured = &unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "v1",
+			"kind":       "Secret",
+			"metadata": map[string]any{
+				"name": "foo"},
+			"stringData": map[string]any{
+				"foo": "bar",
+			},
+		},
+	}
+
+	secretWithCreationTimestampUnstructured = &unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "v1",
+			"kind":       "Secret",
+			"metadata": map[string]any{
+				"creationTimestamp": "2023-07-20T23:54:21Z",
+				"name":              "foo",
+			},
+			"stringData": map[string]any{
+				"foo": "bar",
+			},
+		},
+	}
+
+	secretNormalizedUnstructured = &unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "v1",
+			"kind":       "Secret",
+			"metadata": map[string]any{
+				"name": "foo",
+			},
+			"data": map[string]any{
+				"foo": "YmFy",
+			},
+		},
+	}
 )
 
 func TestFromUnstructured(t *testing.T) {
@@ -249,6 +288,9 @@ func TestNormalize(t *testing.T) {
 	}{
 		{"unregistered GVK", args{uns: unregisteredGVK}, unregisteredGVK, false},
 		{"CRD with preserveUnknownFields", args{uns: crdPreserveUnknownFieldsUnstructured}, crdUnstructured, false},
+		{"Secret with stringData input", args{uns: secretUnstructured}, secretNormalizedUnstructured, false},
+		{"Secret with data input", args{uns: secretNormalizedUnstructured}, secretNormalizedUnstructured, false},
+		{"Secret with creationTimestamp set on input", args{uns: secretWithCreationTimestampUnstructured}, secretNormalizedUnstructured, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

tests/sdk/nodejs/nodejs_test.go

@@ -1051,8 +1051,7 @@ func TestSecrets(t *testing.T) {
 				Path:  true,
 			},
 		},
-		ExpectRefreshChanges: true,
-		Quick:                true,
+		Quick: true,
 		ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
 			assert.NotNil(t, stackInfo.Deployment)
 			state, err := json.Marshal(stackInfo.Deployment)