replace commands/envcommand by DataSource in SecretGenerator

Author: Liujingfang1

docs/kustomization.yaml

@@ -85,35 +85,23 @@ configMapGenerator:
 
 # Each entry in this list results in the creation of
 # one Secret resource (it's a generator of n secrets).
-# A command can do anything to get a secret,
-# e.g. prompt the user directly, start a webserver to
-# initate an oauth dance, etc.
 secretGenerator:
 - name: app-tls
-  commands:
-    tls.crt: "cat secret/tls.cert"
-    tls.key: "cat secret/tls.key"
+  files:
+    - secret/tls.cert
+    - secret/tls.key
   type: "kubernetes.io/tls"
 - name: app-tls-namespaced
   # you can define a namespace to generate secret in, defaults to: "default"
   namespace: apps
-  commands:
-    tls.crt: "cat secret/tls.cert"
-    tls.key: "cat secret/tls.key"
+  files:
+    - tls.crt=catsecret/tls.cert
+    - tls.key=secret/tls.key
   type: "kubernetes.io/tls"
-- name: downloaded_secret
-  # timeoutSeconds specifies the number of seconds to
-  # wait for the commands below. It defaults to 5 seconds.
-  timeoutSeconds: 30
-  commands:
-    username: "curl -s https://path/to/secrets/username.yaml"
-    password: "curl -s https://path/to/secrets/password.yaml"
-  type: Opaque
 - name: env_file_secret
-  # envCommand is similar to command but outputs lines of key=val pairs
-  # i.e. a Docker .env file or a .ini file.
-  # you can only specify one envCommand per secret.
-  envCommand: printf \"DB_USERNAME=admin\nDB_PASSWORD=somepw\"
+  # env is a path to a file to read lines of key=val
+  # you can only specify one env file per secret.
+  env: env.txt
   type: Opaque
 
 # generatorOptions modify behavior of all ConfigMap and Secret generators
@@ -124,11 +112,6 @@ generatorOptions:
   # annotations to add to all generated resources
   annotations:
     kustomize.generated.resource: somevalue
-  # timeoutSeconds specifies the timeout for commands
-  timeoutSeconds: 30
-  # shell and arguments to use as a context for commands used in resource
-  # generation. Default at time of writing: ["sh", "-c"]
-  shell: ["sh", "-c"]
   # disableNameSuffixHash is true disables the default behavior of adding a
   # suffix to the names of generated resources that is a hash of
   # the resource contents.

examples/combineConfigs.md

@@ -92,9 +92,9 @@ secret holding them (not covering that here).
 <!--
 secretGenerator:
 - name: app-tls
-  commands:
-    tls.crt: "cat tls.cert"
-    tls.key: "cat tls.key"
+  files:
+    tls.crt=tls.cert
+    tls.key=tls.key
   type: "kubernetes.io/tls"
 EOF
 -->

examples/generatorOptions.md

@@ -5,8 +5,6 @@ Kustomize provides options to modify the behavior of ConfigMap and Secret genera
  - disable appending a content hash suffix to the names of generated resources
  - adding labels to generated resources
  - adding annotations to generated resources
- - changing shell and arguments for getting data from commands
- - changing timeout for executing commands
 
 This demo shows how to use these options. First create a workspace.
 ```

k8sdeps/configmapandsecret/secretfactory.go

@@ -17,34 +17,26 @@ limitations under the License.
 package configmapandsecret
 
 import (
-	"context"
 	"fmt"
-	"log"
-	"os/exec"
-	"path/filepath"
 	"strings"
-	"time"
 
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"sigs.k8s.io/kustomize/pkg/fs"
+	"sigs.k8s.io/kustomize/pkg/ifc"
 	"sigs.k8s.io/kustomize/pkg/types"
 )
 
-const (
-	defaultCommandTimeout = 5 * time.Second
-)
-
 // SecretFactory makes Secrets.
 type SecretFactory struct {
 	fSys fs.FileSystem
-	wd   string
+	ldr  ifc.Loader
 }
 
 // NewSecretFactory returns a new SecretFactory.
-func NewSecretFactory(fSys fs.FileSystem, wd string) *SecretFactory {
-	return &SecretFactory{fSys: fSys, wd: wd}
+func NewSecretFactory(fSys fs.FileSystem, ldr ifc.Loader) *SecretFactory {
+	return &SecretFactory{fSys: fSys, ldr: ldr}
 }
 
 func (f *SecretFactory) makeFreshSecret(args *types.SecretArgs) *corev1.Secret {
@@ -67,28 +59,28 @@ func (f *SecretFactory) MakeSecret(args *types.SecretArgs, options *types.Genera
 	var err error
 	s := f.makeFreshSecret(args)
 
-	timeout := defaultCommandTimeout
-	if args.TimeoutSeconds != nil {
-		log.Println("SecretArgs.TimeoutSeconds will be deprected in next release. Please use GeneratorOptions.TimeoutSeconds instread.")
-		timeout = time.Duration(*args.TimeoutSeconds) * time.Second
+	pairs, err := keyValuesFromEnvFile(f.ldr, args.EnvSource)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"env source file: %s",
+			args.EnvSource))
 	}
-	if args.EnvCommand != "" {
-		pairs, err := f.keyValuesFromEnvFileCommand(args.EnvCommand, timeout, options)
-		if err != nil {
-			return nil, errors.Wrap(err, fmt.Sprintf(
-				"env source file: %s",
-				args.EnvCommand))
-		}
-		all = append(all, pairs...)
+	all = append(all, pairs...)
+
+	pairs, err = keyValuesFromLiteralSources(args.LiteralSources)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"literal sources %v", args.LiteralSources))
 	}
-	if len(args.Commands) != 0 {
-		pairs, err := f.keyValuesFromCommands(args.Commands, timeout, options)
-		if err != nil {
-			return nil, errors.Wrap(err, fmt.Sprintf(
-				"commands %v", args.Commands))
-		}
-		all = append(all, pairs...)
+	all = append(all, pairs...)
+
+	pairs, err = keyValuesFromFileSources(f.ldr, args.FileSources)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"file sources: %v", args.FileSources))
 	}
+	all = append(all, pairs...)
+
 	for _, kv := range all {
 		err = addKvToSecret(s, kv.key, kv.value)
 		if err != nil {
@@ -113,52 +105,3 @@ func addKvToSecret(secret *corev1.Secret, keyName, data string) error {
 	secret.Data[keyName] = []byte(data)
 	return nil
 }
-
-func (f *SecretFactory) keyValuesFromEnvFileCommand(cmd string, timeout time.Duration, options *types.GeneratorOptions) ([]kvPair, error) {
-	content, err := f.createSecretKey(cmd, timeout, options)
-	if err != nil {
-		return nil, err
-	}
-	return keyValuesFromLines(content)
-}
-
-func (f *SecretFactory) keyValuesFromCommands(sources map[string]string, timeout time.Duration, options *types.GeneratorOptions) ([]kvPair, error) {
-	var kvs []kvPair
-	for k, cmd := range sources {
-		content, err := f.createSecretKey(cmd, timeout, options)
-		if err != nil {
-			return nil, err
-		}
-		kvs = append(kvs, kvPair{key: k, value: string(content)})
-	}
-	return kvs, nil
-}
-
-// Run a command, return its output as the secret.
-func (f *SecretFactory) createSecretKey(command string, timeout time.Duration, options *types.GeneratorOptions) ([]byte, error) {
-	if !f.fSys.IsDir(f.wd) {
-		f.wd = filepath.Dir(f.wd)
-		if !f.fSys.IsDir(f.wd) {
-			return nil, errors.New("not a directory: " + f.wd)
-		}
-	}
-
-	if options != nil && options.TimeoutSeconds != nil {
-		t := time.Duration(*options.TimeoutSeconds) * time.Second
-		if t > timeout {
-			timeout = t
-		}
-	}
-
-	var commands []string
-	if options == nil || len(options.Shell) == 0 {
-		commands = []string{"sh", "-c", command}
-	} else {
-		commands = append(options.Shell, command)
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-	cmd := exec.CommandContext(ctx, commands[0], commands[1:]...)
-	cmd.Dir = f.wd
-	return cmd.Output()
-}