Fix double-encoding of Kubernetes secrets #6541
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes: #6540 This change removes manual encoding from our interactions with `secret.Data`, which should address the double-encoding issue. The problem here was a wrong assumption about the way `secret.Data` works in the Go Kubernetes client. This link documents the actual behavior: https://github.com/weibeld/kubernetes-client-go-examples/blob/master/README.md#ex5-secrets I had a hint that something was wrong here while I was writing the code, but I wrongly assumed it was a quirk of the envtest library. The right behavior is to store the **decoded** value in `secret.Data`. Therefore the fix is to remove all of the places we encode data before storing it.
willdavsmith
approved these changes
Oct 20, 2023
ytimocin
approved these changes
Oct 20, 2023
|
/ok-to-test |
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
lakshmimsft
approved these changes
Oct 20, 2023
Test Results3 022 tests ±0 3 010 ✔️ ±0 3m 8s ⏱️ -27s Results for commit 3b17f90. ± Comparison against base commit ecfaaf3. This pull request removes 2 and adds 2 tests. Note that renamed tests count towards both. |
|
For the detailed report, please go to
|
|
Functional test failure was the known S3 issue. |
willdavsmith
pushed a commit
that referenced
this pull request
Oct 23, 2023
# Description This change removes manual encoding from our interactions with `secret.Data`, which should address the double-encoding issue. The problem here was a wrong assumption about the way `secret.Data` works in the Go Kubernetes client. This link documents the actual behavior: https://github.com/weibeld/kubernetes-client-go-examples/blob/master/README.md#ex5-secrets I had a hint that something was wrong here while I was writing the code, but I wrongly assumed it was a quirk of the envtest library. The right behavior is to store the **decoded** value in `secret.Data`. Therefore the fix is to remove all of the places we encode data before storing it. ## Type of change - This pull request fixes a bug in Radius and has an approved issue (issue link required). Fixes: #6540 ## Auto-generated summary <!-- GitHub Copilot for docs will auto-generate a summary of the PR --> <!-- copilot:all --> ### <samp>🤖 Generated by Copilot at 359f241</samp> ### Summary 🐛🧹🚀 <!-- 1. 🐛 - This emoji represents a bug fix, which is the main purpose of the first pull request. It shows that the test failure was resolved and the unused import was removed. 2. 🧹 - This emoji represents a code cleanup or refactoring, which is the main purpose of the second pull request. It shows that the code was simplified, commented, and improved. 3. 🚀 - This emoji represents a performance improvement or optimization, which is the main purpose of the third pull request. It shows that the secret handling logic was made more efficient and correct. --> This pull request refactors and fixes the `reconciler` package, which handles the creation and update of Kubernetes deployments and secrets based on recipes. It removes unnecessary imports, encoding, and complexity from the code and the tests. > _Sing, O Muse, of the valiant code warriors who strove_ > _To mend the broken tests and reconcile the secrets_ > _That vexed the deployment function with double encoding_ > _And cluttered the package with imports that served no purpose_ ### Walkthrough * Remove unused imports of `encoding/base64` package from `reconciler` package in `deployment_reconciler.go`, `deployment_reconciler_test.go`, `recipe_reconciler.go`, and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL20), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL20)) * Simplify logic of `updateDeployment` and `updateSecret` functions by removing unnecessary encoding of secret values using `base64` package in `deployment_reconciler.go` and `recipe_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L556-R558), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L506-R505), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L517-R515)) * Add comment to explain why `updateDeployment` function uses `Data` field of `Secret` object instead of `StringData` field in `deployment_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195R519-R520)) * Update expected secret data in tests to match new logic of `updateDeployment` and `updateSecret` functions in `deployment_reconciler_test.go` and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL369-R371), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL415-R415), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL306-R306)) (cherry picked from commit bf4e6bb)
willdavsmith
pushed a commit
that referenced
this pull request
Oct 23, 2023
# Description This change removes manual encoding from our interactions with `secret.Data`, which should address the double-encoding issue. The problem here was a wrong assumption about the way `secret.Data` works in the Go Kubernetes client. This link documents the actual behavior: https://github.com/weibeld/kubernetes-client-go-examples/blob/master/README.md#ex5-secrets I had a hint that something was wrong here while I was writing the code, but I wrongly assumed it was a quirk of the envtest library. The right behavior is to store the **decoded** value in `secret.Data`. Therefore the fix is to remove all of the places we encode data before storing it. ## Type of change - This pull request fixes a bug in Radius and has an approved issue (issue link required). Fixes: #6540 ## Auto-generated summary <!-- GitHub Copilot for docs will auto-generate a summary of the PR --> <!-- copilot:all --> ### <samp>🤖 Generated by Copilot at 359f241</samp> ### Summary 🐛🧹🚀 <!-- 1. 🐛 - This emoji represents a bug fix, which is the main purpose of the first pull request. It shows that the test failure was resolved and the unused import was removed. 2. 🧹 - This emoji represents a code cleanup or refactoring, which is the main purpose of the second pull request. It shows that the code was simplified, commented, and improved. 3. 🚀 - This emoji represents a performance improvement or optimization, which is the main purpose of the third pull request. It shows that the secret handling logic was made more efficient and correct. --> This pull request refactors and fixes the `reconciler` package, which handles the creation and update of Kubernetes deployments and secrets based on recipes. It removes unnecessary imports, encoding, and complexity from the code and the tests. > _Sing, O Muse, of the valiant code warriors who strove_ > _To mend the broken tests and reconcile the secrets_ > _That vexed the deployment function with double encoding_ > _And cluttered the package with imports that served no purpose_ ### Walkthrough * Remove unused imports of `encoding/base64` package from `reconciler` package in `deployment_reconciler.go`, `deployment_reconciler_test.go`, `recipe_reconciler.go`, and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL20), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL20)) * Simplify logic of `updateDeployment` and `updateSecret` functions by removing unnecessary encoding of secret values using `base64` package in `deployment_reconciler.go` and `recipe_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L556-R558), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L506-R505), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L517-R515)) * Add comment to explain why `updateDeployment` function uses `Data` field of `Secret` object instead of `StringData` field in `deployment_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195R519-R520)) * Update expected secret data in tests to match new logic of `updateDeployment` and `updateSecret` functions in `deployment_reconciler_test.go` and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL369-R371), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL415-R415), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL306-R306)) (cherry picked from commit bf4e6bb)
willdavsmith
pushed a commit
to willdavsmith/radius
that referenced
this pull request
Nov 3, 2023
# Description This change removes manual encoding from our interactions with `secret.Data`, which should address the double-encoding issue. The problem here was a wrong assumption about the way `secret.Data` works in the Go Kubernetes client. This link documents the actual behavior: https://github.com/weibeld/kubernetes-client-go-examples/blob/master/README.md#ex5-secrets I had a hint that something was wrong here while I was writing the code, but I wrongly assumed it was a quirk of the envtest library. The right behavior is to store the **decoded** value in `secret.Data`. Therefore the fix is to remove all of the places we encode data before storing it. ## Type of change - This pull request fixes a bug in Radius and has an approved issue (issue link required). Fixes: radius-project#6540 ## Auto-generated summary <!-- GitHub Copilot for docs will auto-generate a summary of the PR --> <!-- copilot:all --> ### <samp>🤖 Generated by Copilot at 359f241</samp> ### Summary 🐛🧹🚀 <!-- 1. 🐛 - This emoji represents a bug fix, which is the main purpose of the first pull request. It shows that the test failure was resolved and the unused import was removed. 2. 🧹 - This emoji represents a code cleanup or refactoring, which is the main purpose of the second pull request. It shows that the code was simplified, commented, and improved. 3. 🚀 - This emoji represents a performance improvement or optimization, which is the main purpose of the third pull request. It shows that the secret handling logic was made more efficient and correct. --> This pull request refactors and fixes the `reconciler` package, which handles the creation and update of Kubernetes deployments and secrets based on recipes. It removes unnecessary imports, encoding, and complexity from the code and the tests. > _Sing, O Muse, of the valiant code warriors who strove_ > _To mend the broken tests and reconcile the secrets_ > _That vexed the deployment function with double encoding_ > _And cluttered the package with imports that served no purpose_ ### Walkthrough * Remove unused imports of `encoding/base64` package from `reconciler` package in `deployment_reconciler.go`, `deployment_reconciler_test.go`, `recipe_reconciler.go`, and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL20), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL20)) * Simplify logic of `updateDeployment` and `updateSecret` functions by removing unnecessary encoding of secret values using `base64` package in `deployment_reconciler.go` and `recipe_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L556-R558), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L506-R505), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L517-R515)) * Add comment to explain why `updateDeployment` function uses `Data` field of `Secret` object instead of `StringData` field in `deployment_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195R519-R520)) * Update expected secret data in tests to match new logic of `updateDeployment` and `updateSecret` functions in `deployment_reconciler_test.go` and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL369-R371), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL415-R415), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL306-R306)) Signed-off-by: willdavsmith <[email protected]>
willdavsmith
pushed a commit
that referenced
this pull request
Nov 6, 2023
# Description This change removes manual encoding from our interactions with `secret.Data`, which should address the double-encoding issue. The problem here was a wrong assumption about the way `secret.Data` works in the Go Kubernetes client. This link documents the actual behavior: https://github.com/weibeld/kubernetes-client-go-examples/blob/master/README.md#ex5-secrets I had a hint that something was wrong here while I was writing the code, but I wrongly assumed it was a quirk of the envtest library. The right behavior is to store the **decoded** value in `secret.Data`. Therefore the fix is to remove all of the places we encode data before storing it. ## Type of change - This pull request fixes a bug in Radius and has an approved issue (issue link required). Fixes: #6540 ## Auto-generated summary <!-- GitHub Copilot for docs will auto-generate a summary of the PR --> <!-- copilot:all --> ### <samp>🤖 Generated by Copilot at 359f241</samp> ### Summary 🐛🧹🚀 <!-- 1. 🐛 - This emoji represents a bug fix, which is the main purpose of the first pull request. It shows that the test failure was resolved and the unused import was removed. 2. 🧹 - This emoji represents a code cleanup or refactoring, which is the main purpose of the second pull request. It shows that the code was simplified, commented, and improved. 3. 🚀 - This emoji represents a performance improvement or optimization, which is the main purpose of the third pull request. It shows that the secret handling logic was made more efficient and correct. --> This pull request refactors and fixes the `reconciler` package, which handles the creation and update of Kubernetes deployments and secrets based on recipes. It removes unnecessary imports, encoding, and complexity from the code and the tests. > _Sing, O Muse, of the valiant code warriors who strove_ > _To mend the broken tests and reconcile the secrets_ > _That vexed the deployment function with double encoding_ > _And cluttered the package with imports that served no purpose_ ### Walkthrough * Remove unused imports of `encoding/base64` package from `reconciler` package in `deployment_reconciler.go`, `deployment_reconciler_test.go`, `recipe_reconciler.go`, and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL20), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L21), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL20)) * Simplify logic of `updateDeployment` and `updateSecret` functions by removing unnecessary encoding of secret values using `base64` package in `deployment_reconciler.go` and `recipe_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195L556-R558), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L506-R505), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-565f9bf43f08d107a3218cdeb8b17eab13363d0661a65535e80ec4ef114f09e5L517-R515)) * Add comment to explain why `updateDeployment` function uses `Data` field of `Secret` object instead of `StringData` field in `deployment_reconciler.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-87a7dfa06c174a6b41b671b2cfffb84c81e481881baec866a026e7dd00db8195R519-R520)) * Update expected secret data in tests to match new logic of `updateDeployment` and `updateSecret` functions in `deployment_reconciler_test.go` and `recipe_reconciler_test.go` ([link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL369-R371), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-9d66db7eb311e875d019923b0892c9b51b9520295624cc0b6a0197cdbd04527cL415-R415), [link](https://github.com/radius-project/radius/pull/6541/files?diff=unified&w=0#diff-2b3aa3c5be32be791c9069d44213d653090aed157026f3d37f187ccded049cacL306-R306)) Signed-off-by: willdavsmith <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This change removes manual encoding from our interactions with
secret.Data, which should address the double-encoding issue.The problem here was a wrong assumption about the way
secret.Dataworks in the Go Kubernetes client. This link documents the actual behavior: https://github.com/weibeld/kubernetes-client-go-examples/blob/master/README.md#ex5-secretsI had a hint that something was wrong here while I was writing the code, but I wrongly assumed it was a quirk of the envtest library. The right behavior is to store the decoded value in
secret.Data. Therefore the fix is to remove all of the places we encode data before storing it.Type of change
Fixes: #6540
Auto-generated summary
🤖 Generated by Copilot at 359f241
Summary
🐛🧹🚀
This pull request refactors and fixes the
reconcilerpackage, which handles the creation and update of Kubernetes deployments and secrets based on recipes. It removes unnecessary imports, encoding, and complexity from the code and the tests.Walkthrough
encoding/base64package fromreconcilerpackage indeployment_reconciler.go,deployment_reconciler_test.go,recipe_reconciler.go, andrecipe_reconciler_test.go(link, link, link, link)updateDeploymentandupdateSecretfunctions by removing unnecessary encoding of secret values usingbase64package indeployment_reconciler.goandrecipe_reconciler.go(link, link, link)updateDeploymentfunction usesDatafield ofSecretobject instead ofStringDatafield indeployment_reconciler.go(link)updateDeploymentandupdateSecretfunctions indeployment_reconciler_test.goandrecipe_reconciler_test.go(link, link, link)