diff --git a/lib/kubetruth/template.rb b/lib/kubetruth/template.rb index 284f299..b885cae 100644 --- a/lib/kubetruth/template.rb +++ b/lib/kubetruth/template.rb @@ -105,7 +105,6 @@ def stringify(str) def to_yaml(str, options = {}) options = {} unless options.is_a?(Hash) - p options result = str.to_yaml result = result[4..-1] if options['no_header'] result @@ -204,7 +203,16 @@ def render(*args, **kwargs) msg = "Rendered template:\n" r = result.dup - both_secrets.each {|k, v| r.gsub!(v, "") } + + # Handle multiline secrets that may have had their indentation changed + # (e.g. nindent for a cert) by splitting on whitespace and only + # subbing the non-whitespace parts from the template + both_secrets.each do |k, v| + v.split(/\s+/).delete_if(&:blank?).each do |part| + r.gsub!(part, "") + end + end + r.lines.collect {|l| msg << (INDENT * 2) << l } msg end diff --git a/spec/kubetruth/template_spec.rb b/spec/kubetruth/template_spec.rb index 712e432..e063185 100644 --- a/spec/kubetruth/template_spec.rb +++ b/spec/kubetruth/template_spec.rb @@ -471,6 +471,14 @@ module Kubetruth expect(Logging.contents).to_not include(Base64.strict_encode64("sekret\nsosekret")) expect(Logging.contents).to include("") + Logging.clear + tmpl = described_class.new("secret:{{ secrets.foo | nindent: 2}}\nencoded:{{secrets.foo | encode64 | nindent:2}}") + expect(tmpl.render(secrets: secrets)).to eq("secret: \n sekret\n sosekret\nencoded: \n #{Base64.strict_encode64("sekret\nsosekret")}") + expect(Logging.contents).to_not include("sekret") + expect(Logging.contents).to include("") + expect(Logging.contents).to_not include(Base64.strict_encode64("sekret\nsosekret")) + expect(Logging.contents).to include("") + tmpl = described_class.new("{{fail}}") expect { tmpl.render(secrets: secrets) }.to raise_error(Template::Error) do |error| expect(error.message).to_not include("sekret")