diff --git a/cmd/helm/get_manifest.go b/cmd/helm/get_manifest.go index 8ffeb3676..bae2385ce 100644 --- a/cmd/helm/get_manifest.go +++ b/cmd/helm/get_manifest.go @@ -21,6 +21,8 @@ import ( "io" "log" + "helm.sh/helm/v3/pkg/cli/sanitize" + "github.com/spf13/cobra" "helm.sh/helm/v3/cmd/helm/require" @@ -54,6 +56,13 @@ func newGetManifestCmd(cfg *action.Configuration, out io.Writer) *cobra.Command if err != nil { return err } + if settings.HideSecrets { + err := sanitize.HideManifestSecrets(res) + if err != nil { + return err + } + } + fmt.Fprintln(out, res.Manifest) return nil }, diff --git a/cmd/helm/install_test.go b/cmd/helm/install_test.go index 0fae79534..6e99bb20b 100644 --- a/cmd/helm/install_test.go +++ b/cmd/helm/install_test.go @@ -207,6 +207,12 @@ func TestInstall(t *testing.T) { name: "install chart with only crds", cmd: "install crd-test testdata/testcharts/chart-with-only-crds --namespace default", }, + // Install hiding secret values + { + name: "install chart hiding secret values", + cmd: "install with-secrets testdata/testcharts/chart-with-secrets --namespace default --debug --hide-secrets", + golden: "output/install-hide-secrets.txt", + }, } runTestActionCmd(t, tests) diff --git a/cmd/helm/status.go b/cmd/helm/status.go index 0d225d597..7b87edbb9 100644 --- a/cmd/helm/status.go +++ b/cmd/helm/status.go @@ -71,7 +71,7 @@ func newStatusCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { // strip chart metadata from the output rel.Chart = nil - return outfmt.Write(out, &statusPrinter{rel, false, client.ShowDescription, false}) + return outfmt.Write(out, &statusPrinter{rel, false, client.ShowDescription, settings.HideSecrets}) }, } diff --git a/cmd/helm/template_test.go b/cmd/helm/template_test.go index 9e6a0c434..811cc2c9e 100644 --- a/cmd/helm/template_test.go +++ b/cmd/helm/template_test.go 
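Review bot: In the second get_manifest.go hunk the redaction is gated on the process-wide `settings.HideSecrets`, but among the command sources visible in this diff only `get manifest` and `status` consult it. Other commands that print rendered manifests would presumably still emit Secret data unless they are handled elsewhere, so the flag is easy to over-trust; confirm that every manifest-printing path honours it, or document which ones do. The error path fails closed (nothing is printed when sanitising fails), which is the right behaviour. The check would read more idiomatically as `if err := sanitize.HideManifestSecrets(res); err != nil { return err }`, which also avoids shadowing the outer `err`. The RunE closure starts and ends outside the hunk.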
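Review bot: The new `install chart hiding secret values` case in install_test.go cannot show whether `--debug --hide-secrets` leaks secrets through the values or hooks sections, because the fixture chart has neither. The golden file records `USER-SUPPLIED VALUES: {}`, `COMPUTED VALUES: {}` and an empty `HOOKS:`. Charts commonly receive credentials through values, and the debug output prints those sections. I would add a case that supplies a value with `--set` and includes a hook template containing a Secret, so the golden output pins what is and is not redacted. The test table starts outside the hunk.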
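Review bot: The changed line in status.go passes `settings.HideSecrets` as the fourth positional field of an unkeyed `statusPrinter` literal, next to another bare `false`, so a later reorder of the struct's bool fields would silently switch redaction off. A keyed composite literal would make the intent checkable at the call site. It is also worth confirming that the printer's JSON and YAML writers apply the flag: `outfmt.Write` presumably dispatches on the output format, and those implementations are not visible here. If only the table writer redacts, structured output of `helm status` would still carry Secret data. The enclosing RunE function begins and ends outside the hunk.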
@@ -126,6 +126,11 @@ func TestTemplateCmd(t *testing.T) { cmd: fmt.Sprintf(`template '%s' --skip-tests`, chartPath), golden: "output/template-skip-tests.txt", }, + { + name: "template hide-secrets", + cmd: fmt.Sprintf(`template '%s' --hide-secrets`, "testdata/testcharts/chart-with-secrets"), + golden: "output/template-hide-secrets.txt", + }, } runTestCmd(t, tests) } diff --git a/cmd/helm/testdata/output/install-hide-secrets.txt b/cmd/helm/testdata/output/install-hide-secrets.txt new file mode 100644 index 000000000..3e7cc8266 --- /dev/null +++ b/cmd/helm/testdata/output/install-hide-secrets.txt 
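Review bot: Only `install` and `template` get a `--hide-secrets` case in the test hunks shown here, while the commit also changes `get manifest` and `status`; those two paths appear to have no golden coverage in this part of the diff. A regression there would print Secret values without any test failing. Consider adding `get manifest` and `status` cases against a stored release whose manifest contains a Secret. As a smaller point, the `fmt.Sprintf` in the new case formats a constant path, so a plain string literal would do. The test table begins outside the hunk.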
@@ -0,0 +1,131 @@ +NAME: with-secrets +LAST DEPLOYED: Fri Sep 2 22:04:05 1977 +NAMESPACE: default +STATUS: deployed +REVISION: 1 +TEST SUITE: None +USER-SUPPLIED VALUES: +{} + +COMPUTED VALUES: +{} + +HOOKS: +MANIFEST: +--- +# Source: secrets-test/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: build-robot +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: secret-sample +data: + test: '[HIDDEN]' + password: '[HIDDEN]' + complex.key: '[HIDDEN]' + fromFile.json: '[HIDDEN]' +stringData: + string: '[HIDDEN]' + string.complex: '[HIDDEN]' + stringFile.json: '[HIDDEN]' +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: empty-secret +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: empty-data-secret +data: +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: different-indent-secret +data: + password: '[HIDDEN]' +stringData: + stringPassword: '[HIDDEN]' +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + # This is name + name: secret-with-comments +data: + # Comment + password: '[HIDDEN]' + # Multi + # Line + # Comment + anotherPassword: '[HIDDEN]' # Inline comment + # End comment +stringData: # Contains string data + stringPassword: '[HIDDEN]' +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +stringData: + stringPassword: '[HIDDEN]' +data: + password: '[HIDDEN]' +metadata: + name: different-order-secret +--- +# Source: secrets-test/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: game-config + namespace: default +data: + secretData: abcd + simple: value + game.properties: | + enemies=aliens + lives=3 + file.json: | + { + "my-config-key": "my value", + "age": 24, + "array": ["value", "value2"], + "object": { + "key": "value" + } + } +--- 
+# Source: secrets-test/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + diff --git a/cmd/helm/testdata/output/template-hide-secrets.txt b/cmd/helm/testdata/output/template-hide-secrets.txt new file mode 100644 index 000000000..f7b7cd9b6 --- /dev/null +++ b/cmd/helm/testdata/output/template-hide-secrets.txt 
@@ -0,0 +1,116 @@ +--- +# Source: secrets-test/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: build-robot +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: secret-sample +data: + test: '[HIDDEN]' + password: '[HIDDEN]' + complex.key: '[HIDDEN]' + fromFile.json: '[HIDDEN]' +stringData: + string: '[HIDDEN]' + string.complex: '[HIDDEN]' + stringFile.json: '[HIDDEN]' +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: empty-secret +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: empty-data-secret +data: +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: different-indent-secret +data: + password: '[HIDDEN]' +stringData: + stringPassword: '[HIDDEN]' +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + # This is name + name: secret-with-comments +data: + # Comment + password: '[HIDDEN]' + # Multi + # Line + # Comment + anotherPassword: '[HIDDEN]' # Inline comment + # End comment +stringData: # Contains string data + stringPassword: '[HIDDEN]' +--- +# Source: secrets-test/templates/secrets.yaml +apiVersion: v1 +kind: Secret +stringData: + stringPassword: '[HIDDEN]' +data: + password: '[HIDDEN]' +metadata: + name: different-order-secret +--- +# Source: secrets-test/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: game-config + namespace: default +data: + secretData: abcd + simple: value + game.properties: | + enemies=aliens + lives=3 + file.json: | + { + "my-config-key": "my value", + "age": 24, + "array": ["value", "value2"], + "object": { + "key": "value" + } + } +--- +# Source: secrets-test/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + 
app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/cmd/helm/testdata/testcharts/chart-with-secrets/.helmignore b/cmd/helm/testdata/testcharts/chart-with-secrets/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/cmd/helm/testdata/testcharts/chart-with-secrets/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/cmd/helm/testdata/testcharts/chart-with-secrets/Chart.yaml b/cmd/helm/testdata/testcharts/chart-with-secrets/Chart.yaml new file mode 100644 index 000000000..108c3a4e5 --- /dev/null +++ b/cmd/helm/testdata/testcharts/chart-with-secrets/Chart.yaml 
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: secrets-test
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application and it is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/cmd/helm/testdata/testcharts/chart-with-secrets/templates/configmap.yaml b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/configmap.yaml
new file mode 100644
index 000000000..3770a2178
--- /dev/null
+++ b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/configmap.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: game-config
+ namespace: default
+data:
+ secretData: abcd
+ simple: value
+ game.properties: |
+ enemies=aliens
+ lives=3
+ file.json: |
+ {
+ "my-config-key": "my value",
+ "age": 24,
+ "array": ["value", "value2"],
+ "object": {
+ "key": "value"
+ }
+ }
diff --git a/cmd/helm/testdata/testcharts/chart-with-secrets/templates/deployment.yaml b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/deployment.yaml
new file mode 100644
index 000000000..685c17aa6
--- /dev/null
+++ b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/deployment.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/cmd/helm/testdata/testcharts/chart-with-secrets/templates/secrets.yaml b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/secrets.yaml
new file mode 100644
index 000000000..819244373
--- /dev/null
+++ b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/secrets.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: secret-sample
+data:
+ test: YmFyCg==
+ password: bXktcGFzc3dvcmQ=
+ complex.key: Y29tcGxleAo=
+ fromFile.json: |
+ ewogICJteS1jb25maWcta2V5IjogIm15IHZhbHVlIiwgCiAgImFnZSI6IDI0LAogICJhcnJheSI6IFsidmFsdWUiLCAidmFsdWUyIl0sCiAgIm9iamVjdCI6IHsKICAgICJrZXkiOiAidmFsdWUiCiAgfQp9Cg==
+stringData:
+ string: super-secret
+ string.complex: complex
+ stringFile.json: |
+ {
+ "my-config-key": "my value",
+ "age": 24,
+ "array": ["value", "value2"],
+ "object": {
+ "key": "value"
+ }
+ }
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: empty-secret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: empty-data-secret
+data:
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: different-indent-secret
+data:
+ password: cGFzc3dvcmQK
+stringData:
+ stringPassword: password
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ # This is name
+ name: secret-with-comments
+data:
+ # Comment
+ password: cGFzc3dvcmQK
+ # Multi
+ # Line
+ # Comment
+ anotherPassword: cGFzc3dvcmQK # Inline comment
+ # End comment
+stringData: # Contains string data
+ stringPassword: password
+
+---
+apiVersion: v1
+kind: Secret
+stringData:
+ stringPassword: password
+data:
+ password: cGFzc3dvcmQK
+metadata:
+ name: different-order-secret
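Review bot: The secrets.yaml fixture covers only block-style mappings with an unquoted `kind: Secret`, so it does not exercise the shapes most likely to slip past a text-oriented redactor. The golden outputs keep comments and key order, which suggests (the sanitize package is not shown) that values are rewritten in place rather than re-marshalled. A flow-style `data` mapping, a quoted `kind` and quoted keys are all valid YAML for a Secret and should be confirmed to come out as `'[HIDDEN]'`. Documents like the ones below could be appended, reusing values already in this fixture; the two golden files would then need regenerating.

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: flow-style-secret
data: {password: cGFzc3dvcmQK}

---
apiVersion: v1
kind: "Secret"
metadata:
  name: quoted-kind-secret
stringData:
  "quoted.key": password
```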
diff --git a/cmd/helm/testdata/testcharts/chart-with-secrets/templates/serviceaccount.yaml b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/serviceaccount.yaml
new file mode 100644
index 000000000..d452a2727
--- /dev/null
+++ b/cmd/helm/testdata/testcharts/chart-with-secrets/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: build-robot
\ No newline at end of file