kustomize
Generating secret from file containing certificate does not wrap encoded certificate string
What happened?
Kustomize version:
{Version:kustomize/v4.5.5 GitCommit:daa3e5e2c2d3a4b8c94021a7384bfb06734bcd26 BuildDate:2022-05-20T20:21:22Z GoOs:darwin GoArch:arm64}
I am trying to generate a k8s secret from files which contain certificate and key. Kustomize will automatically encode the certificate/key using base64 encoding. However it does not wrap it which could easily be done when using GNU base64 via base64 -w 0.
This is also raised in issue https://github.com/kubernetes-sigs/kustomize/issues/4484 which unfortunately got closed without any suggestion or fix or even an acknowledgment. I hope this issue is noticed and this gets fixed or an alternative is provided.
What did you expect to happen?
Secret encoding should ideally wrap the encoded text into a single line. This is already possible with GNU base64 -w 0 options.
How can we reproduce it (as minimally and precisely as possible)?
Just create or use any certificate or key and try and create a secret from it using secretGenerator
Example CA certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Store this in a file and then use this to create the secret using:
secretGenerator:
- name: ca-bundle
  files:
  - <path>/ca.pem
  type: Opaque
Expected output
apiVersion: v1
data:
  ca.pem: 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
kind: Secret
metadata:
  labels:
    app: myapp
  name: ca-bundle-97t69dk6t4
  namespace: default
type: Opaque
Actual output
apiVersion: v1
data:
  ca.pem: |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==
kind: Secret
metadata:
  labels:
    app: myapp
  name: ca-bundle-97t69dk6t4
  namespace: default
type: Opaque
Kustomize version
v4.5.5
Operating system
MacOS
Hi @unmarshall, thank you for filing this issue.
It seems that the two Secrets that you've provided in the issue description are semantically equivalent when applied to a kubernetes cluster, so I'm curious to understand the motivation for this request? We can consider adding an option to the kustomize secret generator to control the wrapping, but I'd like to understand the use case for it first.
/triage needs-information /kind feature
Hi @natasha41575
The Kubernetes documents for secrets explicitly say that base64 encoded strings must not contain newline characters
https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-config-file/#create-the-config-file
Note: The serialized JSON and YAML values of Secret data are encoded as base64 strings. Newlines are not valid within these strings and must be omitted. When using the base64 utility on Darwin/macOS, users should avoid using the -b option to split long lines. Conversely, Linux users should add the option -w 0 to base64 commands or the pipeline base64 | tr -d '\n' if the -w option is not available.
For example, take the root Certificate for Google GSR4
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: google-root-ca
  type: Opaque
  files:
  - secret/gsr4.pem
kubectl kustomize .
apiVersion: v1
data:
  gsr4.pem: |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
kind: Secret
metadata:
  name: google-root-ca-dgc5f2h6tf
type: Opaque
Converting to JSON to show the newline characters
kubectl kustomize . | yq --output-format=json
{
"apiVersion": "v1",
"data": {
"gsr4.pem": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIzRENDQVlPZ0F3SUJBZ0lOQWdQbG\nZ2VS9rLzJsQ1NHeXBqQUtCZ2dxaGtqT1BRUURBakJRTVNRd0lnWUQKVlFRTEV4dEhiRzlp\nWVd4VGFXZHVJRVZEUXlCU2IyOTBJRU5CSUMwZ1VqUXhFekFSQmdOVkJBb1RDa2RzYjJKaA\npiRk5wWjI0eEV6QVJCZ05WQkFNVENrZHNiMkpoYkZOcFoyNHdIaGNOTVRJeE1URXpNREF3\nTURBd1doY05Nemd3Ck1URTVNRE14TkRBM1dqQlFNU1F3SWdZRFZRUUxFeHRIYkc5aVlXeF\nRhV2R1SUVWRFF5QlNiMjkwSUVOQklDMGcKVWpReEV6QVJCZ05WQkFvVENrZHNiMkpoYkZO\ncFoyNHhFekFSQmdOVkJBTVRDa2RzYjJKaGJGTnBaMjR3V1RBVApCZ2NxaGtqT1BRSUJCZ2\ndxaGtqT1BRTUJCd05DQUFTNHhublRqMndsRHA4dU9Sa2NBNlN1bXVVNUJ3a1d5bU94CnVZ\nYjRpbGZCVjg1QytuT2g5MlZDL3g3QkFMSnVjdzcveHlIbEdLU3EyWEUvcU5TNXpvd2RvME\nl3UURBT0JnTlYKSFE4QkFmOEVCQU1DQVlZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJn\nTlZIUTRFRmdRVVZMQjdyVVc0NGtCLword3B1Kzc0enlUeWpoTlV3Q2dZSUtvWkl6ajBFQX\ndJRFJ3QXdSQUlnSWs5MGNybGdyL0htbktBV0JWQmZ3MTQ3CmJtRjA3NzRCeEw0WVNGbGhn\naklDSUNhZFZHTkEzamRnVU0vSTJPMmRncTQzbUx5amoweE1xVFFyYk8vN2xac20KLS0tLS\n1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==\n"
},
"kind": "Secret",
"metadata": {
"name": "google-root-ca-dgc5f2h6tf"
},
"type": "Opaque"
}
We then get the secret back and look at the kubectl.kubernetes.io/last-applied-configuration where we can clearly see the newline characters.
{"apiVersion":"v1","data":{"gsr4.pem":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIzRENDQVlPZ0F3SUJBZ0lOQWdQbG\nZ2VS9rLzJsQ1NHeXBqQUtCZ2dxaGtqT1BRUURBakJRTVNRd0lnWUQKVlFRTEV4dEhiRzlp\nWVd4VGFXZHVJRVZEUXlCU2IyOTBJRU5CSUMwZ1VqUXhFekFSQmdOVkJBb1RDa2RzYjJKaA\npiRk5wWjI0eEV6QVJCZ05WQkFNVENrZHNiMkpoYkZOcFoyNHdIaGNOTVRJeE1URXpNREF3\nTURBd1doY05Nemd3Ck1URTVNRE14TkRBM1dqQlFNU1F3SWdZRFZRUUxFeHRIYkc5aVlXeF\nRhV2R1SUVWRFF5QlNiMjkwSUVOQklDMGcKVWpReEV6QVJCZ05WQkFvVENrZHNiMkpoYkZO\ncFoyNHhFekFSQmdOVkJBTVRDa2RzYjJKaGJGTnBaMjR3V1RBVApCZ2NxaGtqT1BRSUJCZ2\ndxaGtqT1BRTUJCd05DQUFTNHhublRqMndsRHA4dU9Sa2NBNlN1bXVVNUJ3a1d5bU94CnVZ\nYjRpbGZCVjg1QytuT2g5MlZDL3g3QkFMSnVjdzcveHlIbEdLU3EyWEUvcU5TNXpvd2RvME\nl3UURBT0JnTlYKSFE4QkFmOEVCQU1DQVlZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJn\nTlZIUTRFRmdRVVZMQjdyVVc0NGtCLword3B1Kzc0enlUeWpoTlV3Q2dZSUtvWkl6ajBFQX\ndJRFJ3QXdSQUlnSWs5MGNybGdyL0htbktBV0JWQmZ3MTQ3CmJtRjA3NzRCeEw0WVNGbGhn\naklDSUNhZFZHTkEzamRnVU0vSTJPMmRncTQzbUx5amoweE1xVFFyYk8vN2xac20KLS0tLS\n1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==\n"},"kind":"Secret","metadata":{"annotations":{},"name":"google-root-ca-dgc5f2h6tf","namespace":"default"},"type":"Opaque"}
And the data
data:
  gsr4.pem: 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
Kustomize is doing at least two things incorrectly.
- gsr4.pem: | is using a YAML literal | with no end chomp |-, so there will always be a \n incorrectly added to the end of the string LQ==\n"
- The base64 encoding is also then hard wrapped by kustomize to 70 characters, explicitly what the Kubernetes secret documentation tells us not to do.
Kubernetes is gracefully accepting the incorrect secret object, which is why the actual object in the API does not contain the newlines.
@unmarshall you are correct this is a bug.
This has been incorrectly dismissed in https://github.com/kubernetes-sigs/kustomize/issues/5191, https://github.com/kubernetes-sigs/kustomize/issues/4653
We should not be creating YAML that explicitly violates the Kubernetes documentation.
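A check for the condition described in this thread, as an added example that is not part of the original issue or of kustomize's own code: it scans a rendered Secret in JSON form (as produced by the `yq --output-format=json` step above) for data values containing newlines, and reports the single-line value that should be stored instead. It relies on Go's encoding/base64 skipping \r and \n while decoding; `lintSecret`, `Finding` and the sample Secret are hypothetical names and constructed data.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample (not the page's certificate): one short PEM header line, flat and hard-wrapped.
const sampleSecret = `{"apiVersion":"v1","kind":"Secret","metadata":{"name":"demo-ca"},"data":{
 "flat.pem":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg==",
 "wrapped.pem":"LS0tLS1CRUdJTiBDRVJU\nSUZJQ0FURS0tLS0tCg==\n"}}`

// Finding is one Secret data key whose base64 text contains whitespace.
type Finding struct {
	Key, Flat string // Flat is the single-line value to store instead
	Newlines  int
	SameBytes bool // wrapped and flat text decode to identical bytes
}

// lintSecret reports data keys of a rendered JSON Secret whose values contain whitespace.
func lintSecret(doc []byte) ([]Finding, error) {
	var s struct {
		Kind string            `json:"kind"`
		Data map[string]string `json:"data"`
	}
	if err := json.Unmarshal(doc, &s); err != nil || s.Kind != "Secret" {
		return nil, err
	}
	var out []Finding
	for k, v := range s.Data {
		flat := strings.Join(strings.Fields(v), "")
		if flat == v {
			continue
		}
		got, errA := base64.StdEncoding.DecodeString(v) // Go's decoder skips \r and \n
		want, errB := base64.StdEncoding.DecodeString(flat)
		same := errA == nil && errB == nil && bytes.Equal(got, want)
		out = append(out, Finding{k, flat, strings.Count(v, "\n"), same})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out, nil
}

func main() {
	fmt.Println(lintSecret([]byte(sampleSecret)))
}
```

A finding with SameBytes set to true means the manifest text differs from the documented single-line form while the decoded secret is unchanged, which matches the "semantically equivalent" observation earlier in the thread.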
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle rotten
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Reopen this issue with /reopen
- Mark this issue as fresh with /remove-lifecycle rotten
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".