bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page: https://sealed-secrets.netlify.app/

`kubeseal` appends extra document separator `---` when format is YAML

armingerten opened this issue · comments

Which component:
kubeseal (v0.24.0)

Describe the bug
When sealing a secret with kubeseal, an extra YAML document separator (---) is added to the output (since version v0.24.0). This causes YAML parsers to fail or parse an extra empty document.

To Reproduce

  1. Create a simple secret file `secret.yml`

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
type: Opaque
stringData:
  foo: bar
```

  2. Run `kubeseal --format yaml --secret-file secret.yaml --cert cert.pem`

The resulting YAML document will contain an extra document separator at the end:

```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
[..]
spec:
  [..]
  template:
    [..]
    type: Opaque
---
```

Expected behavior
The resulting YAML document MAY contain a document separator before each document. The resulting YAML document MUST NOT contain a trailing document separator.

Additional context
This was most likely caused by #1304, specifically https://github.com/bitnami-labs/sealed-secrets/pull/1304/files#diff-92f00e9d744fba4dee224973d289d4a24568a3b50a98996622e5928e86dfca04R409 .

This could be solved by putting the document separator in front of every document (instead of the end).

@armingerten I am going to work on that issue. My contribution introduced that behavior 😓

Note that `---` is document start and `...` is document end. Starting documents with `---` is pretty common, but I've rarely seen `...` being used.

https://yaml.org/spec/1.1/current.html#document%20boundary%20marker/

The third party tool yamllint has a default rule set where --- is considered required and ... is explicitly not required.
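
The separator placement suggested in the issue, together with a pipeline check for the empty document a trailing `---` produces, as an added example (not kubeseal code and not part of the thread). `joinDocs` and `emptyDocs` are hypothetical names, and the check is a line-based approximation rather than a full YAML parser.

```go
package main

import (
	"fmt"
	"strings"
)

// joinDocs puts "---" between documents, never after the last one (hypothetical helper).
func joinDocs(docs []string) string {
	out := make([]string, len(docs))
	for i, d := range docs {
		out[i] = strings.TrimRight(d, "\n") + "\n"
	}
	return strings.Join(out, "---\n")
}

// emptyDocs returns 1-based positions of documents holding only blanks or comments.
func emptyDocs(stream string) []int {
	var empty []int
	idx, open, content := 0, false, false
	closeDoc := func() {
		if idx++; !content {
			empty = append(empty, idx)
		}
	}
	for _, line := range strings.Split(stream, "\n") {
		t := strings.TrimRight(line, " \t\r")
		switch s := strings.TrimSpace(t); {
		case t == "---": // column-0 marker: a new document starts here
			if open {
				closeDoc()
			}
			open, content = true, false
		case s == "" || strings.HasPrefix(s, "#") || t == "...": // not content
		default:
			open, content = true, true
		}
	}
	if open {
		closeDoc()
	}
	return empty
}

func main() {
	// Constructed sample shaped like the output quoted in the issue.
	sealed := "apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\n---\n"
	fmt.Println(emptyDocs(sealed), emptyDocs(joinDocs([]string{"a: 1", "b: 2"})))
}
```

A non-empty result from `emptyDocs` on generated manifests is a reason to fail the pipeline step before the file reaches a stricter parser.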