Datasource: kubernetes_secret: add binary_data attribute (#1285)

In case where we're dealing with secrets that contain, for instance, SSL certificates in PFX format - binary value of the secret becomes corrupted on retrieval. This additional attribute encodes only the values in base64, allowing us to consume binary data as is.
hashicorp · May 27, 2021 · 8835e93 · 8835e93
1 parent 6a9f9f5
commit 8835e93
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/kubernetes/data_source_kubernetes_secret.go b/kubernetes/data_source_kubernetes_secret.go
@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"context"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -19,6 +20,12 @@ func dataSourceKubernetesSecret() *schema.Resource {
 				Computed:    true,
 				Sensitive:   true,
 			},
+			"binary_data": {
+				Type:        schema.TypeMap,
+				Description: "A map of the secret data with values encoded in base64 format",
+				Optional:    true,
+				Sensitive:   true,
+			},
 			"type": {
 				Type:        schema.TypeString,
 				Description: "Type of secret",

diff --git a/kubernetes/data_source_kubernetes_secret_test.go b/kubernetes/data_source_kubernetes_secret_test.go
@@ -32,6 +32,7 @@ func TestAccKubernetesDataSourceSecret_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("kubernetes_secret.test", "data.one", "first"),
 					resource.TestCheckResourceAttr("kubernetes_secret.test", "data.two", "second"),
 					resource.TestCheckResourceAttr("kubernetes_secret.test", "type", "Opaque"),
+					resource.TestCheckResourceAttr("kubernetes_secret.test", "binary_data.raw", "UmF3IGRhdGEgc2hvdWxkIGNvbWUgYmFjayBhcyBpcyBpbiB0aGUgcG9k"),
 				),
 			},
 			{
@@ -52,6 +53,7 @@ func TestAccKubernetesDataSourceSecret_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "data.one", "first"),
 					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "data.two", "second"),
 					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "type", "Opaque"),
+					resource.TestCheckResourceAttr("data.kubernetes_secret.test", "binary_data.raw", "UmF3IGRhdGEgc2hvdWxkIGNvbWUgYmFjayBhcyBpcyBpbiB0aGUgcG9k"),
 				),
 			},
 		},
@@ -79,6 +81,10 @@ func testAccKubernetesDataSourceSecretConfig_basic(name string) string {
     one = "first"
     two = "second"
   }
+
+  binary_data = {
+    raw = "${base64encode("Raw data should come back as is in the pod")}"
+  }
 }
 `, name)
 }
@@ -88,6 +94,10 @@ func testAccKubernetesDataSourceSecretConfig_read() string {
   metadata {
     name = "${kubernetes_secret.test.metadata.0.name}"
   }
+
+  binary_data = {
+    raw = ""
+  }
 }
 `)
 }
diff --git a/website/docs/d/secret.html.markdown b/website/docs/d/secret.html.markdown
@@ -49,4 +49,21 @@ The following arguments are supported:
 ## Attribute Reference
 
 * `data` - A map of the secret data.
+* `binary_data` - A map of the secret data with values encoded in base64 format.
+
+~> In case the secret has been created outside terraform in order to retrieve binary data from the secret in base64 format you need to define a `binary_data` map with data to retrieve as key and an empty string as a value
+
+```hcl
+data "kubernetes_secret" "example" {
+  metadata {
+    name      = "example-secret"
+    namespace = "kube-system"
+  }
+  binary_data = {
+    "keystore.p12" = ""
+    another_field  = ""
+  }
+}
+```
+
 * `type` - The secret type. Defaults to `Opaque`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/c7151dd8dd7e487e96e5ce34c6a416bb3b037609/contributors/design-proposals/auth/secrets.md#proposed-design)