Merge pull request #3028 from chrischdi/pr-fix-templates-escaping

🌱 flavorgen: enforce VSPHERE_USERNAME and VSPHERE_PASSWORD variables to be set as string in templates
kubernetes-sigs · Jun 11, 2024 · fb6f462 · fb6f462
2 parents f237a0f + dcc1dd1
commit fb6f462
Show file tree

Hide file tree

Showing 11 changed files with 106 additions and 100 deletions.
diff --git a/packaging/flavorgen/flavors/crs/cpi.go b/packaging/flavorgen/flavors/crs/cpi.go
@@ -71,7 +71,7 @@ func CreateCrsResourceObjectsCPI(crs *addonsv1.ClusterResourceSet) []runtime.Obj
 	cpiObjects = append(cpiObjects, cloudConfigConfigMap)
 
 	manifestsCm := newConfigMapManifests("cpi-manifests", cpiObjects)
-	manifestsCm.Data["data"] = cpiManifests + manifestsCm.Data["data"]
+	manifestsCm.Data["data"] = cpiManifests + "---\n" + manifestsCm.Data["data"]
 
 	appendConfigMapToCrsResource(crs, manifestsCm)
 	// Define the kubeconfig secret for the target cluster.

diff --git a/packaging/flavorgen/flavors/util/helpers.go b/packaging/flavorgen/flavors/util/helpers.go
@@ -20,11 +20,11 @@ package util
 import (
 	"reflect"
 	"regexp"
-	"strings"
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/yaml"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilyaml "sigs.k8s.io/cluster-api/util/yaml"
 
 	"sigs.k8s.io/cluster-api-provider-vsphere/packaging/flavorgen/flavors/env"
 )
@@ -85,9 +85,13 @@ var (
 		regexVar(env.VSphereServerVar),
 		regexVar(env.VSphereTemplateVar),
 		regexVar(env.VSphereStoragePolicyVar),
-		// TODO: Why was thumbprint not here?
 		regexVar(env.VSphereThumbprint),
 	}
+
+	stringVarsDouble = []string{
+		regexVar(env.VSphereUsername),
+		regexVar(env.VSpherePassword),
+	}
 )
 
 func regexVar(str string) string {
@@ -134,19 +138,11 @@ func deleteZeroValues(o map[string]interface{}) map[string]interface{} {
 }
 
 func GenerateObjectYAML(obj runtime.Object, replacements []Replacement) string {
-	bytes, err := yaml.Marshal(obj)
-	if err != nil {
-		panic(err)
-	}
-	json, err := yaml.YAMLToJSONStrict(bytes)
+	data, err := toUnstructured(obj, obj.GetObjectKind().GroupVersionKind())
 	if err != nil {
 		panic(err)
 	}
 
-	data := unstructured.Unstructured{}
-	if err := data.UnmarshalJSON(json); err != nil {
-		panic(err)
-	}
 	data.Object = deleteZeroValues(data.Object)
 
 	for _, v := range replacements {
@@ -167,7 +163,8 @@ func GenerateObjectYAML(obj runtime.Object, replacements []Replacement) string {
 			_ = unstructured.SetNestedSlice(data.Object, slice, path...)
 		}
 	}
-	bytes, err = yaml.Marshal(data.Object)
+
+	bytes, err := utilyaml.FromUnstructured([]unstructured.Unstructured{*data})
 	if err != nil {
 		panic(err)
 	}
@@ -182,21 +179,46 @@ func GenerateObjectYAML(obj runtime.Object, replacements []Replacement) string {
 		}
 		str = regex.ReplaceAllString(str, "'$1'")
 	}
+	for _, s := range stringVarsDouble {
+		s := s
+		regex := regexp.MustCompile(s)
+		if err != nil {
+			panic(err)
+		}
+		str = regex.ReplaceAllString(str, "\"$1\"")
+	}
 
 	return str
 }
 
 func GenerateManifestYaml(objs []runtime.Object, replacements []Replacement) string {
-	var sb strings.Builder
-
+	bytes := [][]byte{}
 	for _, o := range objs {
-		sb.WriteString("---\n")
-		sb.WriteString(GenerateObjectYAML(o, replacements))
+		bytes = append(bytes, []byte(GenerateObjectYAML(o, replacements)))
 	}
 
-	return sb.String()
+	return string(utilyaml.JoinYaml(bytes...))
 }
 
 func TypeToKind(i interface{}) string {
 	return reflect.ValueOf(i).Elem().Type().Name()
 }
+
+// toUnstructured converts an object to Unstructured.
+// We have to pass in a gvk as we can't rely on GVK being set in a runtime.Object.
+func toUnstructured(obj runtime.Object, gvk schema.GroupVersionKind) (*unstructured.Unstructured, error) {
+	// If the incoming object is already unstructured, perform a deep copy first
+	// otherwise DefaultUnstructuredConverter ends up returning the inner map without
+	// making a copy.
+	if _, ok := obj.(runtime.Unstructured); ok {
+		obj = obj.DeepCopyObject()
+	}
+	rawMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
+	if err != nil {
+		return nil, err
+	}
+	u := &unstructured.Unstructured{Object: rawMap}
+	u.SetGroupVersionKind(gvk)
+
+	return u, nil
+}
diff --git a/templates/cluster-template-external-loadbalancer.yaml b/templates/cluster-template-external-loadbalancer.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
 metadata:
@@ -222,16 +221,16 @@ metadata:
   name: '${CLUSTER_NAME}'
   namespace: '${NAMESPACE}'
 stringData:
-  password: ${VSPHERE_PASSWORD}
-  username: ${VSPHERE_USERNAME}
+  password: "${VSPHERE_PASSWORD}"
+  username: "${VSPHERE_USERNAME}"
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: vsphere-config-secret
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -255,8 +254,7 @@ type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
-    ---
+  data: |-
     apiVersion: v1
     kind: Namespace
     metadata:
@@ -1114,7 +1112,7 @@ metadata:
   name: cloud-provider-vsphere-credentials
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -1124,14 +1122,14 @@ stringData:
       name: cloud-provider-vsphere-credentials
       namespace: kube-system
     stringData:
-      ${VSPHERE_SERVER}.password: ${VSPHERE_PASSWORD}
-      ${VSPHERE_SERVER}.username: ${VSPHERE_USERNAME}
+      ${VSPHERE_SERVER}.password: "${VSPHERE_PASSWORD}"
+      ${VSPHERE_SERVER}.username: "${VSPHERE_USERNAME}"
     type: Opaque
 type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
+  data: |-
     ---
     # Source: vsphere-cpi/templates/service-account.yaml
     apiVersion: v1
@@ -1375,4 +1373,4 @@ data:
 kind: ConfigMap
 metadata:
   name: cpi-manifests
-  namespace: '${NAMESPACE}'
+  namespace: '${NAMESPACE}'
diff --git a/templates/cluster-template-ignition.yaml b/templates/cluster-template-ignition.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
 metadata:
@@ -436,16 +435,16 @@ metadata:
   name: '${CLUSTER_NAME}'
   namespace: '${NAMESPACE}'
 stringData:
-  password: ${VSPHERE_PASSWORD}
-  username: ${VSPHERE_USERNAME}
+  password: "${VSPHERE_PASSWORD}"
+  username: "${VSPHERE_USERNAME}"
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: vsphere-config-secret
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -469,8 +468,7 @@ type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
-    ---
+  data: |-
     apiVersion: v1
     kind: Namespace
     metadata:
@@ -1328,7 +1326,7 @@ metadata:
   name: cloud-provider-vsphere-credentials
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -1338,14 +1336,14 @@ stringData:
       name: cloud-provider-vsphere-credentials
       namespace: kube-system
     stringData:
-      ${VSPHERE_SERVER}.password: ${VSPHERE_PASSWORD}
-      ${VSPHERE_SERVER}.username: ${VSPHERE_USERNAME}
+      ${VSPHERE_SERVER}.password: "${VSPHERE_PASSWORD}"
+      ${VSPHERE_SERVER}.username: "${VSPHERE_USERNAME}"
     type: Opaque
 type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
+  data: |-
     ---
     # Source: vsphere-cpi/templates/service-account.yaml
     apiVersion: v1
@@ -1589,4 +1587,4 @@ data:
 kind: ConfigMap
 metadata:
   name: cpi-manifests
-  namespace: '${NAMESPACE}'
+  namespace: '${NAMESPACE}'
diff --git a/templates/cluster-template-node-ipam.yaml b/templates/cluster-template-node-ipam.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
 metadata:
@@ -357,16 +356,16 @@ metadata:
   name: '${CLUSTER_NAME}'
   namespace: '${NAMESPACE}'
 stringData:
-  password: ${VSPHERE_PASSWORD}
-  username: ${VSPHERE_USERNAME}
+  password: "${VSPHERE_PASSWORD}"
+  username: "${VSPHERE_USERNAME}"
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: vsphere-config-secret
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -390,8 +389,7 @@ type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
-    ---
+  data: |-
     apiVersion: v1
     kind: Namespace
     metadata:
@@ -1249,7 +1247,7 @@ metadata:
   name: cloud-provider-vsphere-credentials
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -1259,14 +1257,14 @@ stringData:
       name: cloud-provider-vsphere-credentials
       namespace: kube-system
     stringData:
-      ${VSPHERE_SERVER}.password: ${VSPHERE_PASSWORD}
-      ${VSPHERE_SERVER}.username: ${VSPHERE_USERNAME}
+      ${VSPHERE_SERVER}.password: "${VSPHERE_PASSWORD}"
+      ${VSPHERE_SERVER}.username: "${VSPHERE_USERNAME}"
     type: Opaque
 type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
+  data: |-
     ---
     # Source: vsphere-cpi/templates/service-account.yaml
     apiVersion: v1
@@ -1510,4 +1508,4 @@ data:
 kind: ConfigMap
 metadata:
   name: cpi-manifests
-  namespace: '${NAMESPACE}'
+  namespace: '${NAMESPACE}'
diff --git a/templates/cluster-template-supervisor.yaml b/templates/cluster-template-supervisor.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
 metadata:
@@ -316,16 +315,16 @@ metadata:
   name: '${CLUSTER_NAME}'
   namespace: '${NAMESPACE}'
 stringData:
-  password: ${VSPHERE_PASSWORD}
-  username: ${VSPHERE_USERNAME}
+  password: "${VSPHERE_PASSWORD}"
+  username: "${VSPHERE_USERNAME}"
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: vsphere-config-secret
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -349,8 +348,7 @@ type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
-    ---
+  data: |-
     apiVersion: v1
     kind: Namespace
     metadata:
@@ -1208,7 +1206,7 @@ metadata:
   name: cloud-provider-vsphere-credentials
   namespace: '${NAMESPACE}'
 stringData:
-  data: |
+  data: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -1218,14 +1216,14 @@ stringData:
       name: cloud-provider-vsphere-credentials
       namespace: kube-system
     stringData:
-      ${VSPHERE_SERVER}.password: ${VSPHERE_PASSWORD}
-      ${VSPHERE_SERVER}.username: ${VSPHERE_USERNAME}
+      ${VSPHERE_SERVER}.password: "${VSPHERE_PASSWORD}"
+      ${VSPHERE_SERVER}.username: "${VSPHERE_USERNAME}"
     type: Opaque
 type: addons.cluster.x-k8s.io/resource-set
 ---
 apiVersion: v1
 data:
-  data: |
+  data: |-
     ---
     # Source: vsphere-cpi/templates/service-account.yaml
     apiVersion: v1
@@ -1469,4 +1467,4 @@ data:
 kind: ConfigMap
 metadata:
   name: cpi-manifests
-  namespace: '${NAMESPACE}'
+  namespace: '${NAMESPACE}'