fix multiline secret asking

lib/kubetruth/template.rb

@@ -105,7 +105,6 @@ def stringify(str)
 
       def to_yaml(str, options = {})
         options = {} unless options.is_a?(Hash)
-        p options
         result = str.to_yaml
         result = result[4..-1] if options['no_header']
         result
@@ -204,7 +203,16 @@ def render(*args, **kwargs)
 
           msg = "Rendered template:\n"
           r = result.dup
-          both_secrets.each {|k, v| r.gsub!(v, "<masked:#{k}>") }
+
+          # Handle multiline secrets that may have had their indentation changed
+          # (e.g. nindent for a cert) by splitting on whitespace and only
+          # subbing the non-whitespace parts from the template
+          both_secrets.each do |k, v|
+            v.split(/\s+/).delete_if(&:blank?).each do |part|
+              r.gsub!(part, "<masked:#{k}>")
+            end
+          end
+
           r.lines.collect {|l| msg << (INDENT * 2) << l }
           msg
         end

spec/kubetruth/template_spec.rb

@@ -471,6 +471,14 @@ module Kubetruth
         expect(Logging.contents).to_not include(Base64.strict_encode64("sekret\nsosekret"))
         expect(Logging.contents).to include("<masked:foo_base64>")
 
+        Logging.clear
+        tmpl = described_class.new("secret:{{ secrets.foo | nindent: 2}}\nencoded:{{secrets.foo | encode64 | nindent:2}}")
+        expect(tmpl.render(secrets: secrets)).to eq("secret:  \n  sekret\n  sosekret\nencoded:  \n  #{Base64.strict_encode64("sekret\nsosekret")}")
+        expect(Logging.contents).to_not include("sekret")
+        expect(Logging.contents).to include("<masked:foo>")
+        expect(Logging.contents).to_not include(Base64.strict_encode64("sekret\nsosekret"))
+        expect(Logging.contents).to include("<masked:foo_base64>")
+
         tmpl = described_class.new("{{fail}}")
         expect { tmpl.render(secrets: secrets) }.to raise_error(Template::Error) do |error|
           expect(error.message).to_not include("sekret")