Fix stringData Secret issue

This commit migrate to the last version of pkg/ssa v0.14.1 that contains a fix for stringData secrets. The test case was changed accordingly to validate a stringData drift. A progress-bar flag option has also been added in order to be able to disable it. Signed-off-by: Soule BA <soule@weave.works>
2026-02-06 19:05:55 +00:00 · 2022-02-18 16:41:16 +01:00
parent 1ff8c2806c
commit 32ad462ebe
11 changed files with 302 additions and 135 deletions
--- a/internal/build/build.go
+++ b/internal/build/build.go
@@ -28,6 +28,7 @@ import (
 	"github.com/fluxcd/flux2/internal/utils"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/kustomize"
+	"github.com/theckman/yacspin"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -66,6 +67,7 @@ type Builder struct {
 	action        kustomize.Action
 	kustomization *kustomizev1.Kustomization
 	timeout       time.Duration
+	spinner       *yacspin.Spinner
 }

 type BuilderOptionFunc func(b *Builder) error
@@ -77,6 +79,28 @@ func WithTimeout(timeout time.Duration) BuilderOptionFunc {
 	}
 }

+func WithProgressBar() BuilderOptionFunc {
+	return func(b *Builder) error {
+		// Add a spiner
+		cfg := yacspin.Config{
+			Frequency:       100 * time.Millisecond,
+			CharSet:         yacspin.CharSets[59],
+			Suffix:          "Kustomization diffing...",
+			SuffixAutoColon: true,
+			Message:         "running dry-run",
+			StopCharacter:   "✓",
+			StopColors:      []string{"fgGreen"},
+		}
+		spinner, err := yacspin.New(cfg)
+		if err != nil {
+			return fmt.Errorf("failed to create spinner: %w", err)
+		}
+		b.spinner = spinner
+
+		return nil
+	}
+}
+
 // NewBuilder returns a new Builder
 // to dp : create functional options
 func NewBuilder(rcg *genericclioptions.ConfigFlags, name, resources string, opts ...BuilderOptionFunc) (*Builder, error) {
@@ -288,12 +312,12 @@ func maskSopsData(res *resource.Resource) error {

 			if v, ok := secretType.(string); ok && v == dockercfgSecretType {
 				// if the secret is a json docker config secret, we need to mask the data with a json object
-				err := maskDockerconfigjsonSopsData(dataMap)
+				err := maskDockerconfigjsonSopsData(dataMap, true)
 				if err != nil {
 					return fmt.Errorf("failed to mask secret %s sops data: %w", res.GetName(), err)
 				}

-				err = maskDockerconfigjsonSopsData(stringDataMap)
+				err = maskDockerconfigjsonSopsData(stringDataMap, false)
 				if err != nil {
 					return fmt.Errorf("failed to mask secret %s sops data: %w", res.GetName(), err)
 				}
@@ -304,7 +328,7 @@ func maskSopsData(res *resource.Resource) error {
 				}

 				for k := range stringDataMap {
-					stringDataMap[k] = sopsMess
+					stringDataMap[k] = mask
 				}
 			}
 		} else {
@@ -346,7 +370,7 @@ func getStringDataMap(rn *resource.Resource) map[string]string {
 	return result
 }

-func maskDockerconfigjsonSopsData(dataMap map[string]string) error {
+func maskDockerconfigjsonSopsData(dataMap map[string]string, encode bool) error {
 	sopsMess := struct {
 		Mask string `json:"mask"`
 	}{
@@ -358,8 +382,15 @@ func maskDockerconfigjsonSopsData(dataMap map[string]string) error {
 		return err
 	}

+	if encode {
+		for k := range dataMap {
+			dataMap[k] = base64.StdEncoding.EncodeToString(maskJson)
+		}
+		return nil
+	}
+
 	for k := range dataMap {
-		dataMap[k] = base64.StdEncoding.EncodeToString(maskJson)
+		dataMap[k] = string(maskJson)
 	}

 	return nil
--- a/internal/build/diff.go
+++ b/internal/build/diff.go
@@ -26,7 +26,6 @@ import (
 	"path/filepath"
 	"sort"
 	"strings"
-	"time"

 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/ssa"
@@ -36,7 +35,6 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/homeport/dyff/pkg/dyff"
 	"github.com/lucasb-eyer/go-colorful"
-	"github.com/theckman/yacspin"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/cli-utils/pkg/kstatus/polling"
@@ -45,7 +43,7 @@ import (
 )

 func (b *Builder) Manager() (*ssa.ResourceManager, error) {
-	statusPoller := polling.NewStatusPoller(b.client, b.restMapper, nil)
+	statusPoller := polling.NewStatusPoller(b.client, b.restMapper, polling.Options{})
 	owner := ssa.Owner{
 		Field: controllerName,
 		Group: controllerGroup,
@@ -55,21 +53,6 @@ func (b *Builder) Manager() (*ssa.ResourceManager, error) {
 }

 func (b *Builder) Diff() (string, bool, error) {
-	// Add a spiner
-	cfg := yacspin.Config{
-		Frequency:       100 * time.Millisecond,
-		CharSet:         yacspin.CharSets[59],
-		Suffix:          "Kustomization diffing...",
-		SuffixAutoColon: true,
-		Message:         "running dry-run",
-		StopCharacter:   "✓",
-		StopColors:      []string{"fgGreen"},
-	}
-	spinner, err := yacspin.New(cfg)
-	if err != nil {
-		return "", false, fmt.Errorf("failed to create spinner: %w", err)
-	}
-
 	output := strings.Builder{}
 	createdOrDrifted := false
 	res, err := b.Build()
@@ -94,9 +77,11 @@ func (b *Builder) Diff() (string, bool, error) {
 		return "", createdOrDrifted, err
 	}

-	err = spinner.Start()
-	if err != nil {
-		return "", false, fmt.Errorf("failed to start spinner: %w", err)
+	if b.spinner != nil {
+		err = b.spinner.Start()
+		if err != nil {
+			return "", false, fmt.Errorf("failed to start spinner: %w", err)
+		}
 	}

 	var diffErrs error
@@ -145,7 +130,9 @@ func (b *Builder) Diff() (string, bool, error) {
 		addObjectsToInventory(newInventory, change)
 	}

-	spinner.Message("processing inventory")
+	if b.spinner != nil {
+		b.spinner.Message("processing inventory")
+	}

 	if b.kustomization.Spec.Prune && diffErrs == nil {
 		oldStatus := b.kustomization.Status.DeepCopy()
@@ -160,9 +147,11 @@ func (b *Builder) Diff() (string, bool, error) {
 		}
 	}

-	err = spinner.Stop()
-	if err != nil {
-		return "", createdOrDrifted, fmt.Errorf("failed to stop spinner: %w", err)
+	if b.spinner != nil {
+		err = b.spinner.Stop()
+		if err != nil {
+			return "", createdOrDrifted, fmt.Errorf("failed to stop spinner: %w", err)
+		}
 	}

 	return output.String(), createdOrDrifted, diffErrs
@@ -230,15 +219,10 @@ func diff(liveFile, mergedFile string, output io.Writer) error {
 func diffSopsSecret(obj, liveObject, mergedObject *unstructured.Unstructured, change *ssa.ChangeSetEntry) {
 	// get both data and stringdata maps
 	data := obj.Object[dataField]
-	stringData := obj.Object[stringDataField]

 	if m, ok := data.(map[string]interface{}); ok && m != nil {
 		applySopsDiff(m, liveObject, mergedObject, change)
 	}
-
-	if m, ok := stringData.(map[string]interface{}); ok && m != nil {
-		applySopsDiff(m, liveObject, mergedObject, change)
-	}
 }

 func applySopsDiff(data map[string]interface{}, liveObject, mergedObject *unstructured.Unstructured, change *ssa.ChangeSetEntry) {
@@ -251,9 +235,8 @@ func applySopsDiff(data map[string]interface{}, liveObject, mergedObject *unstru
 		if bytes.Contains(v, []byte(mask)) {
 			if liveObject != nil && mergedObject != nil {
 				change.Action = string(ssa.UnchangedAction)
-				dataLive := liveObject.Object[dataField].(map[string]interface{})
-				dataMerged := mergedObject.Object[dataField].(map[string]interface{})
-				if cmp.Diff(keys(dataLive), keys(dataMerged)) != "" {
+				liveKeys, mergedKeys := sopsComparableByKeys(liveObject), sopsComparableByKeys(mergedObject)
+				if cmp.Diff(liveKeys, mergedKeys) != "" {
 					change.Action = string(ssa.ConfiguredAction)
 				}
 			}
@@ -261,13 +244,21 @@ func applySopsDiff(data map[string]interface{}, liveObject, mergedObject *unstru
 	}
 }

-func keys(m map[string]interface{}) []string {
+func sopsComparableByKeys(object *unstructured.Unstructured) []string {
+	m := object.Object[dataField].(map[string]interface{})
 	keys := make([]string, len(m))
 	i := 0
 	for k := range m {
+		// make sure we can compare only on keys
+		m[k] = "*****"
 		keys[i] = k
 		i++
 	}
+
+	object.Object[dataField] = m
+
+	sort.Strings(keys)
+
 	return keys
 }