Merge pull request #26586 from Craig-Spencer-12/kube-secret-error

Clarifiy error message when using an improperly formatted secret with kube
2025-07-10 17:38:18 +00:00 · 2025-07-10 17:38:18 +00:00 · 9f264850d6
parent cc84e29ddd 5e44c17309
commit 9f264850d6
2 changed files with 32 additions and 3 deletions
--- a/pkg/specgen/generate/kube/volume.go
+++ b/pkg/specgen/generate/kube/volume.go
@ -167,9 +167,8 @@ func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secre

 	secret := &v1.Secret{}

-	err = yaml.Unmarshal(secretByte, secret)
-	if err != nil {
-		return nil, err
+	if err := yaml.Unmarshal(secretByte, secret); err != nil {
+		return nil, fmt.Errorf("only secrets created via the kube yaml file are supported: %w", err)
 	}

 	// If there are Items specified in the volumeSource, that overwrites the Data from the Secret
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@ -48,6 +48,11 @@ data:
  password: NTRmNDFkMTJlOGZh
 `

+var secretTxt = `
+This secret is not a properly formatted yaml
+It will therefore produce an error
+`
+
 var complexSecretYaml = `
 apiVersion: v1
 kind: Secret
@ -5245,6 +5250,31 @@ ENV OPENJ9_JAVA_OPTIONS=%q
 		deleteAndTestSecret(podmanTest, "newsecret")
 	})

+	It("secret as volume support - error on invalid secret format", func() {
+		const secretName = "newsecret"
+
+		// Create text file secret
+		kubeTxt := strings.Replace(kubeYaml, ".yaml", ".txt", 1)
+		err := writeYaml(secretTxt, kubeTxt)
+		Expect(err).ToNot(HaveOccurred())
+
+		createSecret := podmanTest.Podman([]string{"secret", "create", secretName, kubeTxt})
+		createSecret.WaitWithDefaultTimeout()
+		Expect(createSecret).Should(ExitCleanly())
+
+		// Run kube play and expect error
+		err = writeYaml(secretPodYaml, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		kube := podmanTest.Podman([]string{"kube", "play", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(Exit(-1))
+		Expect(kube.ErrorToString()).To(ContainSubstring("only secrets created via the kube yaml file are supported"))
+
+		// Delete secret
+		deleteAndTestSecret(podmanTest, secretName)
+	})
+
 	It("secret as volume support - multiple volumes", func() {
 		yamls := []string{secretYaml, secretPodYaml}
 		err = generateMultiDocKubeYaml(yamls, kubeYaml)