Use k8 API to generate secret resource

Author: versilis

cmd/internal/kube/secret.go

@@ -2,24 +2,26 @@ package kube
 
 import (
 	"bytes"
-	"encoding/base64"
+	"encoding/json"
+	"github.com/akitasoftware/akita-cli/printer"
+	"github.com/akitasoftware/akita-cli/telemetry"
+	"github.com/ghodss/yaml"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	k8_json "k8s.io/apimachinery/pkg/runtime/serializer/json"
 	"os"
 	"path/filepath"
-	"text/template"
-
-	"github.com/akitasoftware/akita-cli/telemetry"
 
 	"github.com/akitasoftware/akita-cli/cmd/internal/cmderr"
-	"github.com/akitasoftware/akita-cli/printer"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
 var (
 	outputFlag    string
 	namespaceFlag string
-	// Store a parsed representation of /template/akita-secret.tmpl
-	secretTemplate *template.Template
 )
 
 var secretCmd = &cobra.Command{
@@ -49,56 +51,92 @@ var secretCmd = &cobra.Command{
 	},
 }
 
-// Represents the input used by secretTemplate
-type secretTemplateInput struct {
-	Namespace string
-	APIKey    string
-	APISecret string
-}
+/*
+XXX: Kuberenetes Go API package currently has issues with valid serialization.
+The ObjectMeta field's CreationTimestamp field is improperly serialized as null when it should be omitted entirely if it is a zero value.
+This shouldn't cause any issues applying the secret, but it does cause issues for any tools that depend on valid yaml objects (such as linting tools)
+See: https://github.com/kubernetes/kubernetes/issues/109427
+
+Here, I've manually filtered out the CreationTimestamp field from the serialized object to work around this issue.
+*/
+func buildSecretConfiguration(namespace, apiKey, apiSecret string) ([]byte, error) {
+	secret := &v1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "akita-secrets",
+			Namespace: namespace,
+		},
+		Type: v1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"akita-api-key":    []byte(apiKey),
+			"akita-api-secret": []byte(apiSecret),
+		},
+	}
 
-func initSecretTemplate() error {
-	var err error
+	unstructuredSecret, err := runtime.DefaultUnstructuredConverter.ToUnstructured(secret)
+	if err != nil {
+		return nil, err
+	}
+
+	unstructuredObj := &unstructured.Unstructured{Object: unstructuredSecret}
+	serializer := k8_json.NewSerializerWithOptions(
+		k8_json.DefaultMetaFactory,
+		nil,
+		nil,
+		k8_json.SerializerOptions{Yaml: false, Pretty: false, Strict: true},
+	)
 
-	secretTemplate, err = template.ParseFS(templateFS, "template/akita-secret.tmpl")
+	buf := bytes.NewBuffer([]byte{})
+	err = serializer.Encode(unstructuredObj, buf)
 	if err != nil {
-		return cmderr.AkitaErr{Err: errors.Wrap(err, "failed to parse secret template")}
+		return nil, err
 	}
 
-	return nil
+	// HACK: Manually filter out the CreationTimestamp field from the serialized object
+	objMap := make(map[string]interface{})
+	err = json.Unmarshal(buf.Bytes(), &objMap)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, ok := objMap["metadata"]; ok {
+		metadataMap := objMap["metadata"].(map[string]interface{})
+		delete(metadataMap, "creationTimestamp")
+	}
+
+	// Re-serialize the object
+	fixedJSON, err := json.Marshal(objMap)
+	if err != nil {
+		return nil, err
+	}
+
+	return yaml.JSONToYAML(fixedJSON)
 }
 
 // Generates a Kubernetes secret config file for Akita
-// On success, the generated output is returned as a string.
-func handleSecretGeneration(namespace, key, secret, output string) (string, error) {
-	if err := initSecretTemplate(); err != nil {
-		return "", err
-	}
+func handleSecretGeneration(namespace, apiKey, apiSecret, output string) (string, error) {
 
-	input := secretTemplateInput{
-		Namespace: namespace,
-		APIKey:    base64.StdEncoding.EncodeToString([]byte(key)),
-		APISecret: base64.StdEncoding.EncodeToString([]byte(secret)),
+	secret, err := buildSecretConfiguration(namespace, apiKey, apiSecret)
+	if err != nil {
+		return "", cmderr.AkitaErr{Err: errors.Wrap(err, "failed to generate Kubernetes secret")}
 	}
 
+	// Serialize the secret to YAML
 	secretFile, err := createSecretFile(output)
 	if err != nil {
 		return "", cmderr.AkitaErr{Err: errors.Wrap(err, "failed to create output file")}
 	}
 	defer secretFile.Close()
 
-	buf := bytes.NewBuffer([]byte{})
-
-	err = secretTemplate.Execute(buf, input)
+	_, err = secretFile.Write(secret)
 	if err != nil {
 		return "", cmderr.AkitaErr{Err: errors.Wrap(err, "failed to generate template")}
 	}
 
-	_, err = secretFile.Write(buf.Bytes())
-	if err != nil {
-		return "", cmderr.AkitaErr{Err: errors.Wrap(err, "failed to read generated secret file")}
-	}
-
-	return buf.String(), nil
+	return string(secret), nil
 }
 
 // Creates a file at the give path to be used for storing of the generated Secret config

cmd/internal/kube/secret_test.go

@@ -2,9 +2,13 @@ package kube
 
 import (
 	_ "embed"
+	"encoding/json"
 	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	"path/filepath"
+	"sigs.k8s.io/yaml"
 	"testing"
 )
 
@@ -23,17 +27,50 @@ func Test_secretGeneration(t *testing.T) {
 	actualOutput := filepath.Join(dir, "akita-secret.yml")
 
 	// WHEN
-	output, err := handleSecretGeneration(namespace, key, secret, actualOutput)
+	result, err := handleSecretGeneration(namespace, key, secret, actualOutput)
 	if err != nil {
 		t.Errorf("Unexpected error: %s", err)
 	}
 
-	generatedFile, err := os.ReadFile(actualOutput)
+	// THEN
+	data, err := os.ReadFile(actualOutput)
 	if err != nil {
-		t.Errorf("Failed to read generated generatedFile: %v", err)
+		t.Errorf("Failed to read generated data: %v", err)
 	}
 
-	// THEN
-	assert.Equal(t, string(testAkitaSecretYAML), string(generatedFile))
-	assert.Equal(t, string(testAkitaSecretYAML), output)
+	convert := func(yamlBytes []byte) (v1.Secret, error) {
+		var result v1.Secret
+
+		jsonData, err := yaml.YAMLToJSONStrict(yamlBytes)
+		if err != nil {
+			return result, err
+		}
+
+		var parsedSecret v1.Secret
+		err = json.Unmarshal(jsonData, &parsedSecret)
+
+		return parsedSecret, err
+	}
+
+	file, err := convert(data)
+	output, err := convert([]byte(result))
+
+	expected := v1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "akita-secrets",
+			Namespace: namespace,
+		},
+		Type: v1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"akita-api-key":    []byte(key),
+			"akita-api-secret": []byte(secret),
+		},
+	}
+
+	assert.Equal(t, expected, file)
+	assert.Equal(t, expected, output)
 }

go.mod

@@ -19,10 +19,11 @@ require (
 	github.com/aws/smithy-go v1.13.4
 	github.com/c9s/goprocinfo v0.0.0-20210130143923-c95fcf8c64a8
 	github.com/gdamore/tcell/v2 v2.1.0
+	github.com/ghodss/yaml v1.0.0
 	github.com/golang/gddo v0.0.0-20210115222349-20d68f94ee1f
 	github.com/golang/mock v1.3.1
 	github.com/golang/protobuf v1.5.2
-	github.com/google/go-cmp v0.5.8
+	github.com/google/go-cmp v0.5.9
 	github.com/google/gopacket v1.1.19
 	github.com/google/martian/v3 v3.0.1
 	github.com/google/uuid v1.3.0
@@ -38,12 +39,15 @@ require (
 	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.7.1
-	github.com/stretchr/testify v1.7.1
+	github.com/stretchr/testify v1.8.0
 	github.com/yudai/gojsondiff v1.0.0
 	golang.org/x/exp v0.0.0-20220428152302-39d4317da171
-	golang.org/x/term v0.1.0
-	golang.org/x/text v0.4.0
+	golang.org/x/term v0.5.0
+	golang.org/x/text v0.7.0
 	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/api v0.26.3
+	k8s.io/apimachinery v0.26.3
+	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
@@ -61,13 +65,17 @@ require (
 	github.com/dukex/mixpanel v1.0.1 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/gdamore/encoding v1.0.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/lucasb-eyer/go-colorful v1.0.3 // indirect
 	github.com/magiconair/properties v1.8.1 // indirect
@@ -76,6 +84,8 @@ require (
 	github.com/mattn/go-runewidth v0.0.10 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
@@ -87,11 +97,16 @@ require (
 	github.com/spf13/jwalterweatherman v1.0.0 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
-	golang.org/x/net v0.1.0 // indirect
-	golang.org/x/sys v0.1.0 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
+	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.51.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
 
 replace (