Remove the credential file first to avoid the change of secret conten…

…t messing it up Remove the credential file first to avoid the change of secret content messing it up Signed-off-by: Wenkai Yin(尹文开) <yinw@vmware.com>
vmware-tanzu · Nov 6, 2023 · b578eb5 · b578eb5
1 parent 1264c43
commit b578eb5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/changelogs/unreleased/7058-ywk253100 b/changelogs/unreleased/7058-ywk253100
@@ -0,0 +1 @@
+Remove the credential file first to avoid the change of secret content messing it up
diff --git a/internal/credentials/file_store.go b/internal/credentials/file_store.go
@@ -18,7 +18,6 @@ package credentials
 
 import (
 	"fmt"
-	"os"
 	"path/filepath"
 
 	"github.com/pkg/errors"
@@ -71,9 +70,16 @@ func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (strin
 
 	keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
 
-	file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE, 0644)
+	// remove the file first to aovid the change of secret content messing it up
+	// e.g. if the file content is "key=value" and the secret is updated to "a=b",
+	// the file is messed up to "a=b=value" without removing the file first
+	if err = n.fs.RemoveAll(keyFilePath); err != nil {
+		return "", errors.Wrapf(err, "unable to remove the credentials file: %s", keyFilePath)
+	}
+
+	file, err := n.fs.Create(keyFilePath)
 	if err != nil {
-		return "", errors.Wrap(err, "unable to open credentials file for writing")
+		return "", errors.Wrap(err, "unable to create credentials file for writing")
 	}
 
 	if _, err := file.Write(creds); err != nil {