Revisit usages of secret.StringData #3125
Labels
Comments
danail-branekov
added a commit
that referenced
this issue
Feb 23, 2024
According to the [docs](https://github.com/kubernetes/api/blob/48ed98046a81320c5ec6681f614e31892035edef/core/v1/types.go#L6841): ``` stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. ``` This means that it is not always safe to use StringData, since existing keys will never be removed fixes #3125 Co-authored-by: Danail Branekov <danailster@gmail.com>
danail-branekov
added a commit
that referenced
this issue
Feb 26, 2024
According to the [docs](https://github.com/kubernetes/api/blob/48ed98046a81320c5ec6681f614e31892035edef/core/v1/types.go#L6841): ``` stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. ``` This means that it is not always safe to use StringData, since existing keys will never be removed fixes #3125 Co-authored-by: Danail Branekov <danailster@gmail.com> Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
danail-branekov
added a commit
that referenced
this issue
Feb 26, 2024
According to the [docs](https://github.com/kubernetes/api/blob/48ed98046a81320c5ec6681f614e31892035edef/core/v1/types.go#L6841): ``` stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. ``` This means that it is not always safe to use StringData, since existing keys will never be removed fixes #3125 Co-authored-by: Danail Branekov <danailster@gmail.com> Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
github-project-automation
bot
moved this from 🔄 In progress
to ✅ Done
in Korifi - Backlog
marsteg
pushed a commit
to marsteg/korifi
that referenced
this issue
Mar 19, 2024
According to the [docs](https://github.com/kubernetes/api/blob/48ed98046a81320c5ec6681f614e31892035edef/core/v1/types.go#L6841): ``` stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. ``` This means that it is not always safe to use StringData, since existing keys will never be removed fixes cloudfoundry#3125 Co-authored-by: Danail Branekov <danailster@gmail.com> Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background
We have noticed that using
secret.StringDatacan be dangerous in controllers context, especially inCreateOrPatch.Usually , when we
CreateOrPatcha secret, we are modifying an already existing secret that has itsDatapopulated. According to the k8s docs values fromsecret.StringDataare merged into the existingsecret.Data. This is dangerous when we want to replace the whole secret data (e.g. we want to remove a key by applying all other keys).Action to take
It is worth going through all usages of StringData in Korifi and re-evaluating if we are really doing the right thing, filling any test gaps.
The text was updated successfully, but these errors were encountered: