refactor(templates)!: secret now base64 encodes

jgnagy · jgnagy · commit 3d263ec85b9d · 2025-03-28T15:45:44.000-06:00
Previously, the secret template only supported
stringData. This commit refactors the secret to continue
supporting stringData, but also support data. It forces
all values to be base64 encoded, and adds a test to
verify this functionality.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -2,6 +2,7 @@ PATH
   remote: .
   specs:
     metatron (0.10.1)
+      base64
       json (~> 2.6)
       rack (>= 2.2.8, < 4)
 
@@ -10,6 +11,7 @@ GEM
   specs:
     ast (2.4.2)
     backport (1.2.0)
+    base64 (0.2.0)
     benchmark (0.4.0)
     byebug (11.1.3)
     diff-lcs (1.6.0)
diff --git a/lib/metatron.rb b/lib/metatron.rb
@@ -6,6 +6,9 @@
 require "time"
 require "logger"
 
+# external requirements
+require "base64"
+
 # The top-level module for Metatron
 module Metatron
   class Error < StandardError; end
diff --git a/lib/metatron/templates/secret.rb b/lib/metatron/templates/secret.rb
@@ -7,15 +7,38 @@ class Secret < Template
       include Concerns::Annotated
       include Concerns::Namespaced
 
-      attr_accessor :additional_labels, :type, :data
+      attr_accessor :additional_labels, :type, :data, :string_data
 
-      def initialize(name, data = {})
+      alias stringData string_data
+
+      def initialize(name, provided_string_data = nil, string_data: nil, data: nil)
         super(name)
+        @string_data = string_data || provided_string_data
         @data = data
         @additional_labels = {}
         @type = "Opaque"
       end
 
+      def formatted_data
+        data_hash = {}
+
+        # Only include one of data or string_data, preferring data if both are present
+        return data_hash unless data || string_data
+
+        # If string_data is provided, it should be a hash of string values
+        # and will be base64 encoded
+        if string_data
+          data_hash[:data] = string_data.transform_values do |value|
+            Base64.strict_encode64(value.to_s).gsub("\n", "")
+          end
+        end
+
+        # If data is provided, it should be a hash of base64 encoded values
+        data_hash[:data] = data if data
+
+        data_hash
+      end
+
       def render
         {
           apiVersion:,
@@ -24,9 +47,8 @@ def render
             name:,
             labels: base_labels.merge(additional_labels)
           }.merge(formatted_annotations).merge(formatted_namespace).compact,
-          type:,
-          stringData: data
-        }.compact
+          type:
+        }.compact.merge(formatted_data).compact
       end
     end
   end
diff --git a/metatron.gemspec b/metatron.gemspec
@@ -27,6 +27,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = "~> 3.1"
 
+  spec.add_dependency "base64"
   spec.add_dependency "json", "~> 2.6"
   spec.add_dependency "rack", ">= 2.2.8", "< 4"
 
diff --git a/spec/metatron/templates/secret_spec.rb b/spec/metatron/templates/secret_spec.rb
@@ -1,28 +1,142 @@
 # frozen_string_literal: true
 
 RSpec.describe Metatron::Templates::Secret do
-  let(:secret) { described_class.new("test", { "some secret" => "value" }) }
-
-  let(:rendered_secret) do
-    {
-      apiVersion: "v1",
-      kind: "Secret",
-      metadata: {
-        name: "test",
-        labels: { "metatron.therubyist.org/name": "test" }
-      },
-      type: "Opaque",
-      stringData: {
-        "some secret" => "value"
+  describe "using legacy unnamed constructor with string_data" do
+    let(:secret) { described_class.new("test", { "some secret" => "value" }) }
+
+    let(:rendered_secret) do
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: "test",
+          labels: { "metatron.therubyist.org/name": "test" }
+        },
+        type: "Opaque",
+        data: { "some secret" => "dmFsdWU=" } # Base64 encoded "value"
       }
-    }
+    end
+
+    it "produces a hash" do
+      expect(secret.render).to be_a(Hash)
+    end
+
+    it "renders properly" do
+      expect(secret.render).to eq(rendered_secret)
+    end
   end
 
-  it "produces a hash" do
-    expect(secret.render).to be_a(Hash)
+  describe "using named constructor with string_data" do
+    let(:secret) do
+      described_class.new("test", string_data: { "some secret" => "value" })
+    end
+
+    let(:rendered_secret) do
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: "test",
+          labels: { "metatron.therubyist.org/name": "test" }
+        },
+        type: "Opaque",
+        data: { "some secret" => "dmFsdWU=" } # Base64 encoded "value"
+      }
+    end
+
+    it "produces a hash" do
+      expect(secret.render).to be_a(Hash)
+    end
+
+    it "renders properly" do
+      expect(secret.render).to eq(rendered_secret)
+    end
   end
 
-  it "renders properly" do
-    expect(secret.render).to eq(rendered_secret)
+  describe "using named constructor with data" do
+    let(:secret) do
+      described_class.new("test", data: { "some secret" => "b3RoZXIgdmFsdWU=" })
+    end
+
+    let(:rendered_secret) do
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: "test",
+          labels: { "metatron.therubyist.org/name": "test" }
+        },
+        type: "Opaque",
+        data: { "some secret" => "b3RoZXIgdmFsdWU=" } # Base64 encoded "other value"
+      }
+    end
+
+    it "produces a hash" do
+      expect(secret.render).to be_a(Hash)
+    end
+
+    it "renders properly" do
+      expect(secret.render).to eq(rendered_secret)
+    end
+  end
+
+  describe "using named constructor with both string_data and data" do
+    let(:secret) do
+      described_class.new(
+        "test",
+        data: { "some secret" => "b3RoZXIgdmFsdWU=" }, # should prefer this
+        string_data: { "some secret" => "value" }
+      )
+    end
+
+    let(:rendered_secret) do
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: "test",
+          labels: { "metatron.therubyist.org/name": "test" }
+        },
+        type: "Opaque",
+        data: { "some secret" => "b3RoZXIgdmFsdWU=" } # Base64 encoded "other value"
+      }
+    end
+
+    it "produces a hash" do
+      expect(secret.render).to be_a(Hash)
+    end
+
+    it "renders properly" do
+      expect(secret.render).to eq(rendered_secret)
+    end
+  end
+
+  describe "using no data or string_data in constructor, applying string_data later" do
+    let(:secret) do
+      r = described_class.new("test")
+      r.string_data = { "some secret" => "value" }
+      r
+    end
+
+    let(:rendered_secret) do
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: "test",
+          labels: { "metatron.therubyist.org/name": "test" }
+        },
+        type: "Opaque",
+        data: { "some secret" => "dmFsdWU=" } # Base64 encoded "value"
+      }
+    end
+
+    it "produces a hash" do
+      expect(secret.render).to be_a(Hash)
+    end
+
+    it "renders properly" do
+      expect(secret.render).to eq(rendered_secret)
+    end
   end
 end
