-
Notifications
You must be signed in to change notification settings - Fork 224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release-4.1] Bug 1734622: resourceapply: don't log secret data #472
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -196,6 +196,10 @@ func ApplyConfigMap(client coreclientv1.ConfigMapsGetter, recorder events.Record | |
|
||
// ApplySecret merges objectmeta, requires data | ||
func ApplySecret(client coreclientv1.SecretsGetter, recorder events.Recorder, required *corev1.Secret) (*corev1.Secret, bool, error) { | ||
if len(required.StringData) > 0 { | ||
return nil, false, fmt.Errorf("Secret.stringData is not supported") | ||
} | ||
|
||
existing, err := client.Secrets(required.Namespace).Get(required.Name, metav1.GetOptions{}) | ||
if apierrors.IsNotFound(err) { | ||
actual, err := client.Secrets(required.Namespace).Create(required) | ||
|
@@ -210,14 +214,31 @@ func ApplySecret(client coreclientv1.SecretsGetter, recorder events.Recorder, re | |
existingCopy := existing.DeepCopy() | ||
|
||
resourcemerge.EnsureObjectMeta(modified, &existingCopy.ObjectMeta, required.ObjectMeta) | ||
|
||
dataSame := equality.Semantic.DeepEqual(existingCopy.Data, required.Data) | ||
if dataSame && !*modified { | ||
return existingCopy, false, nil | ||
} | ||
existingCopy.Data = required.Data | ||
|
||
if klog.V(4) { | ||
klog.Infof("Secret %q changes: %v", required.Namespace+"/"+required.Name, JSONPatch(existing, required)) | ||
safeRequired := required.DeepCopy() | ||
safeExisting := existing.DeepCopy() | ||
|
||
for s := range safeExisting.Data { | ||
safeExisting.Data[s] = []byte("OLD") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. maybe we want There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what do you mean with 3 states? We only have two. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ic what you mean. But note that we create a patch below. We cannot have OLD and NEW for all fields, only those which changed. |
||
} | ||
for s := range safeRequired.Data { | ||
if _, preexisting := existing.Data[s]; !preexisting { | ||
safeRequired.Data[s] = []byte("NEW") | ||
} else if !equality.Semantic.DeepEqual(existing.Data[s], safeRequired.Data[s]) { | ||
safeRequired.Data[s] = []byte("MODIFIED") | ||
} else { | ||
safeRequired.Data[s] = []byte("OLD") | ||
} | ||
} | ||
|
||
klog.Infof("Secret %q changes: %v", required.Namespace+"/"+required.Name, JSONPatch(safeExisting, safeRequired)) | ||
} | ||
actual, err := client.Secrets(required.Namespace).Update(existingCopy) | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because it's normalized by the server to
Data
, and we would have to add that normalization here before the DeepEqual. Not impossible, just not done.