From 8835e933de82e210e4924d5cf76a2fe4968f2627 Mon Sep 17 00:00:00 2001 From: Vladimir Lazarenko Date: Fri, 28 May 2021 00:15:19 +0200 Subject: [PATCH] Datasource: `kubernetes_secret`: add `binary_data` attribute (#1285) In case where we're dealing with secrets that contain, for instance, SSL certificates in PFX format - binary value of the secret becomes corrupted on retrieval. This additional attribute encodes only the values in base64, allowing us to consume binary data as is. --- kubernetes/data_source_kubernetes_secret.go | 7 +++++++ .../data_source_kubernetes_secret_test.go | 10 ++++++++++ website/docs/d/secret.html.markdown | 17 +++++++++++++++++ 3 files changed, 34 insertions(+) diff --git a/kubernetes/data_source_kubernetes_secret.go b/kubernetes/data_source_kubernetes_secret.go index 5e3093ad55..6959ac037b 100644 --- a/kubernetes/data_source_kubernetes_secret.go +++ b/kubernetes/data_source_kubernetes_secret.go @@ -2,6 +2,7 @@ package kubernetes import ( "context" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -19,6 +20,12 @@ func dataSourceKubernetesSecret() *schema.Resource { Computed: true, Sensitive: true, }, + "binary_data": { + Type: schema.TypeMap, + Description: "A map of the secret data with values encoded in base64 format", + Optional: true, + Sensitive: true, + }, "type": { Type: schema.TypeString, Description: "Type of secret", diff --git a/kubernetes/data_source_kubernetes_secret_test.go b/kubernetes/data_source_kubernetes_secret_test.go index 849381839b..da044d6f4b 100644 --- a/kubernetes/data_source_kubernetes_secret_test.go +++ b/kubernetes/data_source_kubernetes_secret_test.go 
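Review bot: The `Description` on the new `binary_data` schema entry carries neither the usage contract nor the exposure caveat a consumer needs. The attribute is `Optional` rather than `Computed`, and per the docs added in this same commit callers must declare each key with an empty string to get its value back, so I would write `Description: "A map of the secret data with values encoded in base64 format. Declare each key to retrieve with an empty string value.",`. `Sensitive: true` only redacts the values in plan and CLI output; the base64 strings are still written to state and decode trivially, which deserves a comment such as `// base64 is an encoding, not protection: values land in state, so the state backend must be encrypted and access-controlled`. The read path that fills the map is not part of this diff (presumably shared with the resource's read function), and `dataSourceKubernetesSecret` begins and ends outside the hunk.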
@@ -32,6 +32,7 @@ func TestAccKubernetesDataSourceSecret_basic(t *testing.T) { resource.TestCheckResourceAttr("kubernetes_secret.test", "data.one", "first"), resource.TestCheckResourceAttr("kubernetes_secret.test", "data.two", "second"), resource.TestCheckResourceAttr("kubernetes_secret.test", "type", "Opaque"), + resource.TestCheckResourceAttr("kubernetes_secret.test", "binary_data.raw", "UmF3IGRhdGEgc2hvdWxkIGNvbWUgYmFjayBhcyBpcyBpbiB0aGUgcG9k"), ), }, { @@ -52,6 +53,7 @@ func TestAccKubernetesDataSourceSecret_basic(t *testing.T) { resource.TestCheckResourceAttr("data.kubernetes_secret.test", "data.one", "first"), resource.TestCheckResourceAttr("data.kubernetes_secret.test", "data.two", "second"), resource.TestCheckResourceAttr("data.kubernetes_secret.test", "type", "Opaque"), + resource.TestCheckResourceAttr("data.kubernetes_secret.test", "binary_data.raw", "UmF3IGRhdGEgc2hvdWxkIGNvbWUgYmFjayBhcyBpcyBpbiB0aGUgcG9k"), ), }, }, @@ -79,6 +81,10 @@ func testAccKubernetesDataSourceSecretConfig_basic(name string) string { one = "first" two = "second" } + + binary_data = { + raw = "${base64encode("Raw data should come back as is in the pod")}" + } } `, name) } @@ -88,6 +94,10 @@ func testAccKubernetesDataSourceSecretConfig_read() string { metadata { name = "${kubernetes_secret.test.metadata.0.name}" } + + binary_data = { + raw = "" + } } `) } diff --git a/website/docs/d/secret.html.markdown b/website/docs/d/secret.html.markdown index 80c27fe4ee..092bc88cbe 100644 --- a/website/docs/d/secret.html.markdown +++ b/website/docs/d/secret.html.markdown 
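Review bot: The `binary_data` fixture in `testAccKubernetesDataSourceSecretConfig_basic` is plain ASCII text, so the two new `binary_data.raw` checks would still pass if the bytes went through a lossy string conversion, which is the corruption this commit sets out to avoid. A payload that is not valid UTF-8 would pin the round trip, for example (constructed sample, bytes 00 01 02 fd fe ff) `raw = "AAEC/f7/"` with both `TestCheckResourceAttr` expectations changed to the same string. The config helpers and `TestAccKubernetesDataSourceSecret_basic` extend outside the hunks shown.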
@@ -49,4 +49,21 @@ The following arguments are supported: ## Attribute Reference * `data` - A map of the secret data. +* `binary_data` - A map of the secret data with values encoded in base64 format. + +~> In case the secret has been created outside terraform in order to retrieve binary data from the secret in base64 format you need to define a `binary_data` map with data to retrieve as key and an empty string as a value + +```hcl +data "kubernetes_secret" "example" { + metadata { + name = "example-secret" + namespace = "kube-system" + } + binary_data = { + "keystore.p12" = "" + another_field = "" + } +} +``` + * `type` - The secret type. Defaults to `Opaque`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/c7151dd8dd7e487e96e5ce34c6a416bb3b037609/contributors/design-proposals/auth/secrets.md#proposed-design)