fix: prune old duplicate keys from configmap/secret when overriding

stealthybox · stealthybox · commit e95e85414fc1 · 2025-07-24T13:18:49.000-06:00
diff --git a/api/krusty/configmaps_test.go b/api/krusty/configmaps_test.go
@@ -118,9 +118,7 @@ metadata:
 `)
 }
 
-func TestGeneratorOverrideDataWithBinaryDataInvalidAtKubeAPI(t *testing.T) {
-	// the resulting ConfigMap will fail Kubernetes API validation:
-	//   The ConfigMap "test-configmap-b6h9d5bfmt" is invalid: data[CHANGING]: Invalid value: "CHANGING": duplicate of key present in binaryData
+func TestGeneratorOverrideDataWithBinaryData(t *testing.T) {
 	th := kusttest_test.MakeHarness(t)
 	th.WriteK("base", `
 configMapGenerator:
@@ -159,17 +157,14 @@ binaryData:
     hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv
 data:
   BASE: red
-  CHANGING: data-before
   OVERLAY: blue
 kind: ConfigMap
 metadata:
-  name: test-configmap-b6h9d5bfmt
+  name: test-configmap-7d7tc96hhk
 `)
 }
 
-func TestGeneratorOverrideBinaryDataWithDataInvalidAtKubeAPI(t *testing.T) {
-	// the resulting ConfigMap will fail Kubernetes API validation:
-	//   The ConfigMap "test-configmap-kt6d6mk694" is invalid: data[CHANGING]: Invalid value: "CHANGING": duplicate of key present in binaryData
+func TestGeneratorOverrideBinaryDataWithData(t *testing.T) {
 	th := kusttest_test.MakeHarness(t)
 	th.WriteK("base", `
 configMapGenerator:
@@ -200,19 +195,13 @@ OVERLAY=blue
 	m := th.Run("overlay", th.MakeDefaultOptions())
 	th.AssertActualEqualsExpected(m, `
 apiVersion: v1
-binaryData:
-  CHANGING: |
-    /2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbG
-    xv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hl
-    bGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv/2
-    hlbGxv/2hlbGxv/2hlbGxv/2hlbGxv
 data:
   BASE: red
   CHANGING: data-after
   OVERLAY: blue
 kind: ConfigMap
 metadata:
-  name: test-configmap-kt6d6mk694
+  name: test-configmap-6kt4k5b8cf
 `)
 }
 
diff --git a/api/krusty/secrets_test.go b/api/krusty/secrets_test.go
@@ -201,9 +201,7 @@ type: Opaque
 `)
 }
 
-func TestSecretGeneratorOverrideDataWithStringDataWorksAtKubeAPI(t *testing.T) {
-	// The resulting Secret will have a duplicate key in both data and stringData
-	// The stringData override will work, because the kube API considers stringData authoritative and write-only
+func TestSecretGeneratorOverrideDataWithStringData(t *testing.T) {
 	th := kusttest_test.MakeHarness(t)
 	th.WriteK("base", `
 secretGenerator:
@@ -235,20 +233,17 @@ OVERLAY=blue
 apiVersion: v1
 data:
   BASE: cmVk
-  CHANGING: ZGF0YS1iZWZvcmU=
 kind: Secret
 metadata:
-  name: test-secret-c4g4kdc558
+  name: test-secret-27cgc8d5f9
 stringData:
   CHANGING: stringData-after
   OVERLAY: blue
 type: Opaque
 `)
 }
 
-func TestSecretGeneratorOverrideStringDataWithDataSilentlyFailsAtKubeAPI(t *testing.T) {
-	// The resulting Secret will have a duplicate key in both data and stringData
-	// The data override will fail, because the kube API considers the older value in stringData authoritative and write-only
+func TestSecretGeneratorOverrideStringDataWithData(t *testing.T) {
 	th := kusttest_test.MakeHarness(t)
 	th.WriteK("base", `
 secretGenerator:
@@ -284,10 +279,9 @@ data:
   OVERLAY: Ymx1ZQ==
 kind: Secret
 metadata:
-  name: test-secret-b65ktgckfh
+  name: test-secret-dm4hm4t2hb
 stringData:
   BASE: red
-  CHANGING: stringData-before
 type: Opaque
 `)
 }
diff --git a/api/resource/resource.go b/api/resource/resource.go
@@ -190,15 +190,24 @@ func (r *Resource) copyKustomizeSpecificFields(other *Resource) {
 }
 
 func (r *Resource) MergeDataMapFrom(o *Resource) {
-	r.SetDataMap(mergeStringMaps(o.GetDataMap(), r.GetDataMap()))
+	r.SetDataMap(
+		mergeStringMaps(
+			pruneStringMap(o.GetDataMap(), r.GetBinaryDataMap(), r.GetStringDataMap()),
+			r.GetDataMap()))
 }
 
 func (r *Resource) MergeBinaryDataMapFrom(o *Resource) {
-	r.SetBinaryDataMap(mergeStringMaps(o.GetBinaryDataMap(), r.GetBinaryDataMap()))
+	r.SetBinaryDataMap(
+		mergeStringMaps(
+			pruneStringMap(o.GetBinaryDataMap(), r.GetDataMap()),
+			r.GetBinaryDataMap()))
 }
 
 func (r *Resource) MergeStringDataMapFrom(o *Resource) {
-	r.SetStringDataMap(mergeStringMaps(o.GetStringDataMap(), r.GetStringDataMap()))
+	r.SetStringDataMap(
+		mergeStringMaps(
+			pruneStringMap(o.GetStringDataMap(), r.GetDataMap()),
+			r.GetStringDataMap()))
 }
 
 func (r *Resource) ErrIfNotEquals(o *Resource) error {
@@ -549,3 +558,20 @@ func mergeStringMapsWithBuildAnnotations(maps ...map[string]string) map[string]s
 	}
 	return result
 }
+
+// pruneStringMap returns a copy of orig with any shared keys from maps[] removed
+func pruneStringMap(orig map[string]string, maps ...map[string]string) map[string]string {
+	if orig == nil {
+		return nil
+	}
+	result := map[string]string{}
+	for key, value := range orig {
+		result[key] = value
+	}
+	for _, m := range maps {
+		for key := range m {
+			delete(result, key)
+		}
+	}
+	return result
+}
