Cloak outputs with secrets in stack CR (#177)

* Cloak outputs with secrets * Add test * Bump to pulumi v3.10.2 * Add changelog
pulumi · Aug 18, 2021 · a9ae26a · a9ae26a
1 parent 2802098
commit a9ae26a
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@ CHANGELOG
 ## HEAD (Unreleased)
 
 - Bump controller-runtime to support graceful shutdown/upgrades [#178](https://github.com/pulumi/pulumi-kubernetes-operator/pull/178)
+- Update to v3.10.2 [#177](https://github.com/pulumi/pulumi-kubernetes-operator/pull/177)
+- Cloak outputs with secrets in stack CR [#177](https://github.com/pulumi/pulumi-kubernetes-operator/pull/177)
 
 ## 0.0.16 (2021-07-29)
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM pulumi/pulumi:v3.9.0
+FROM pulumi/pulumi:v3.10.2
 
 ENV OPERATOR=/usr/local/bin/pulumi-kubernetes-operator
 

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/operator-framework/operator-lib v0.0.0-20200728190837-b76db547798d
 	github.com/operator-framework/operator-sdk v0.19.0
 	github.com/pkg/errors v0.9.1
-	github.com/pulumi/pulumi/sdk/v3 v3.9.0
+	github.com/pulumi/pulumi/sdk/v3 v3.10.2
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	github.com/whilp/git-urls v1.0.0

diff --git a/go.sum b/go.sum
@@ -780,8 +780,8 @@ github.com/prometheus/prometheus v0.0.0-20180315085919-58e2a31db8de/go.mod h1:oA
 github.com/prometheus/prometheus v1.8.2-0.20200110114423-1e64d757f711/go.mod h1:7U90zPoLkWjEIQcy/rweQla82OCTUzxVHE51G3OhJbI=
 github.com/prometheus/prometheus v2.3.2+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/pulumi/pulumi/sdk/v3 v3.9.0 h1:CGBEoPwKVv9GCb8wfgej096n9aZ26H1jUZzMw98NNGs=
-github.com/pulumi/pulumi/sdk/v3 v3.9.0/go.mod h1:GBHyQ7awNQSRmiKp/p8kIKrGrMOZeA/k2czoM/GOqds=
+github.com/pulumi/pulumi/sdk/v3 v3.10.2 h1:srvm3HNEHb/A9+XQuGiXrBswHdvQnTVhFx1crz5Z2y8=
+github.com/pulumi/pulumi/sdk/v3 v3.10.2/go.mod h1:GBHyQ7awNQSRmiKp/p8kIKrGrMOZeA/k2czoM/GOqds=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
 github.com/robfig/cron v0.0.0-20170526150127-736158dc09e1/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=

diff --git a/pkg/controller/stack/stack_controller.go b/pkg/controller/stack/stack_controller.go
@@ -543,15 +543,15 @@ func (sess *reconcileStackSession) runCmd(title string, cmd *exec.Cmd, workspace
 		outs := bufio.NewScanner(stdoutR)
 		for outs.Scan() {
 			text := outs.Text()
-			sess.logger.Debug(title, "Path", cmd.Path, "Args", cmd.Args, "Stdout", text)
+			sess.logger.Debug(title, "Dir", cmd.Dir, "Path", cmd.Path, "Args", cmd.Args, "Stdout", text)
 			stdout.WriteString(text + "\n")
 		}
 	}()
 	go func() {
 		errs := bufio.NewScanner(stderrR)
 		for errs.Scan() {
 			text := errs.Text()
-			sess.logger.Debug(title, "Path", cmd.Path, "Args", cmd.Args, "Text", text)
+			sess.logger.Debug(title, "Dir", cmd.Dir, "Path", cmd.Path, "Args", cmd.Args, "Text", text)
 			stderr.WriteString(text + "\n")
 		}
 	}()
@@ -688,6 +688,7 @@ func (sess *reconcileStackSession) InstallProjectDependencies(ctx context.Contex
 	if err != nil {
 		return errors.Wrap(err, "unable to get project runtime")
 	}
+	sess.logger.Debug("InstallProjectDependencies", "workspace", workspace.WorkDir())
 	switch project.Runtime.Name() {
 	case "nodejs":
 		npm, _ := exec.LookPath("npm")
@@ -825,19 +826,24 @@ func (sess *reconcileStackSession) UpdateStack() (pulumiv1alpha1.StackUpdateStat
 	return pulumiv1alpha1.StackUpdateSucceeded, permalink, &result, nil
 }
 
-// GetPulumiOutputs gets the stack outputs and parses them into a map.
+// GetStackOutputs gets the stack outputs and parses them into a map.
 func (sess *reconcileStackSession) GetStackOutputs(outs auto.OutputMap) (pulumiv1alpha1.StackOutputs, error) {
 	o := make(pulumiv1alpha1.StackOutputs)
 	for k, v := range outs {
-		// Marshal the OutputMap value only, to use in unmarshaling to StackOutputs
-		valueBytes, err := json.Marshal(v.Value)
-		if err != nil {
-			return nil, errors.Wrap(err, "marshaling stack output value interface")
-		}
 		var value apiextensionsv1.JSON
-		if err := json.Unmarshal(valueBytes, &value); err != nil {
-			return nil, errors.Wrap(err, "unmarshaling stack output value")
+		if v.Secret {
+			value = apiextensionsv1.JSON{Raw: []byte(`"[secret]"`)}
+		} else {
+			// Marshal the OutputMap value only, to use in unmarshaling to StackOutputs
+			valueBytes, err := json.Marshal(v.Value)
+			if err != nil {
+				return nil, errors.Wrap(err, "marshaling stack output value interface")
+			}
+			if err := json.Unmarshal(valueBytes, &value); err != nil {
+				return nil, errors.Wrap(err, "unmarshaling stack output value")
+			}
 		}
+
 		o[k] = value
 	}
 	return o, nil

diff --git a/test/stack_controller_test.go b/test/stack_controller_test.go
@@ -6,16 +6,18 @@ import (
 	"context"
 	"encoding/base32"
 	"fmt"
-	"gopkg.in/src-d/go-git.v4"
 	"math/rand"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"strings"
 	"time"
 
+	"gopkg.in/src-d/go-git.v4"
+	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
@@ -220,14 +222,21 @@ var _ = Describe("Stack Controller", func() {
 			if err != nil {
 				return false
 			}
+
 			if fetched.Status.LastUpdate != nil {
 				return fetched.Status.LastUpdate.LastSuccessfulCommit != "" &&
 					fetched.Status.LastUpdate.LastAttemptedCommit != "" &&
 					fetched.Status.LastUpdate.LastSuccessfulCommit == fetched.Status.LastUpdate.LastAttemptedCommit &&
 					fetched.Status.LastUpdate.State == pulumiv1alpha1.SucceededStackStateMessage
 			}
+
 			return false
 		}, timeout, interval).Should(BeTrue())
+		// Validate outputs.
+		Expect(fetched.Status.Outputs).Should(BeEquivalentTo(pulumiv1alpha1.StackOutputs{
+			"notSoSecret": v1.JSON{Raw: []byte(`"safe"`)},
+			"secretVal":   v1.JSON{Raw: []byte(`"[secret]"`)},
+		}))
 
 		// Delete the Stack
 		toDelete := &pulumiv1alpha1.Stack{}