`kubeseal` appends extra document separator `---` when format is YAML
armingerten opened this issue · comments
Which component:
kubeseal (v0.24.0)
Describe the bug
When sealing a secret with `kubeseal`, an extra YAML document separator (`---`) is added to the output (since version `v0.24.0`). This causes YAML parsers to fail or parse an extra empty document.
To Reproduce
- Create a simple secret file `secret.yml`:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: test-secret
  type: Opaque
  stringData:
    foo: bar
  ```

- Run `kubeseal --format yaml --secret-file secret.yaml --cert cert.pem`

The resulting YAML document will contain an extra document separator at the end:
```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
[..]
spec:
  [..]
  template:
    [..]
    type: Opaque
---
```
Expected behavior
The resulting YAML document MAY contain a document separator before each document. The resulting YAML document MUST NOT contain a trailing document separator.
Additional context
This was most likely caused by #1304, specifically https://github.com/bitnami-labs/sealed-secrets/pull/1304/files#diff-92f00e9d744fba4dee224973d289d4a24568a3b50a98996622e5928e86dfca04R409.
This could be solved by putting the document separator in front of every document (instead of the end).
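The two separator placements discussed in this issue, side by side, with a check that flags a stream ending on a bare `---`. This is an added Go example, not code from the issue or from the sealed-secrets project; `writeDocs`, `render`, `endsWithSeparator` and the sample documents are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"io"
	"strings"
)

// Constructed stand-ins for rendered manifests; not real kubeseal output.
var sampleDocs = []string{
	"kind: SealedSecret\nmetadata:\n  name: a\n",
	"kind: SealedSecret\nmetadata:\n  name: b\n",
}

// writeDocs emits docs with the separator after each one (leading=false, the
// reported shape) or in front of each one (leading=true, the proposed shape).
func writeDocs(w io.Writer, docs []string, leading bool) error {
	for _, d := range docs {
		chunk := d + "---\n"
		if leading {
			chunk = "---\n" + d
		}
		if _, err := io.WriteString(w, chunk); err != nil {
			return err
		}
	}
	return nil
}

// endsWithSeparator reports whether the last non-blank line is a bare "---".
func endsWithSeparator(out string) bool {
	lines := strings.Split(strings.TrimRight(out, " \t\r\n"), "\n")
	return strings.TrimRight(lines[len(lines)-1], " \t\r") == "---"
}

// render returns the stream as a string (strings.Builder writes cannot fail).
func render(docs []string, leading bool) string {
	var sb strings.Builder
	_ = writeDocs(&sb, docs, leading)
	return sb.String()
}

func main() {
	fmt.Println("separator after each doc, ends on ---:", endsWithSeparator(render(sampleDocs, false)))
	fmt.Println("separator before each doc, ends on ---:", endsWithSeparator(render(sampleDocs, true)))
}
```

A check like `endsWithSeparator` can run in a pipeline over generated manifests before they are committed or applied.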
@armingerten I am going to work on that issue. My contribution introduced that behavior 😓
Note that `---` is document start and `...` is document end. Starting documents with `---` is pretty common, but I've rarely seen `...` being used.
https://yaml.org/spec/1.1/current.html#document%20boundary%20marker/
The third-party tool yamllint has a default rule set where `---` is considered required and `...` is explicitly not required.