openshift
diff --git a/‎cmd/ci-secret-bootstrap/main_test.go‎
Lines changed: 71 additions & 48 deletions b/‎cmd/ci-secret-bootstrap/main_test.go‎
Lines changed: 71 additions & 48 deletions
diff --git a/‎pkg/api/secretbootstrap/secretboostrap.go‎
Lines changed: 96 additions & 1 deletion b/‎pkg/api/secretbootstrap/secretboostrap.go‎
Lines changed: 96 additions & 1 deletion
diff --git a/‎pkg/api/secretbootstrap/secretboostrap_test.go‎
Lines changed: 33 additions & 6 deletions b/‎pkg/api/secretbootstrap/secretboostrap_test.go‎
Lines changed: 33 additions & 6 deletions
@@ -176,36 +176,61 @@ var (
 	}
 
 	defaultConfig = secretbootstrap.Config{
+		ClusterGroups: map[string][]string{},
 		Secrets: []secretbootstrap.SecretConfig{
+			{
+				From: map[string]secretbootstrap.ItemContext{
+					".dockerconfigjson": {
+						Item:                 "quay.io",
+						Field:                "pull-credentials",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
+					},
+				},
+				To: []secretbootstrap.SecretContext{
+					{
+						Cluster:   "default",
+						Namespace: "ci",
+						Name:      "ci-pull-credentials",
+						Type:      "kubernetes.io/dockerconfigjson",
+					},
+				},
+			},
 			{
 				From: map[string]secretbootstrap.ItemContext{
 					"key-name-1": {
-						Item:  "item-name-1",
-						Field: "field-name-1",
+						Item:                 "item-name-1",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-2": {
-						Item:  "item-name-1",
-						Field: "field-name-2",
+						Item:                 "item-name-1",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-3": {
-						Item:  "item-name-1",
-						Field: "field-name-3",
+						Item:                 "item-name-1",
+						Field:                "field-name-3",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-4": {
-						Item:  "item-name-2",
-						Field: "field-name-1",
+						Item:                 "item-name-2",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-5": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-6": {
-						Item:  "item-name-3",
-						Field: "field-name-1",
+						Item:                 "item-name-3",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-7": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 				},
 				To: []secretbootstrap.SecretContext{
@@ -221,55 +246,47 @@ var (
 					},
 				},
 			},
-			{
-				From: map[string]secretbootstrap.ItemContext{
-					".dockerconfigjson": {
-						Item:  "quay.io",
-						Field: "pull-credentials",
-					},
-				},
-				To: []secretbootstrap.SecretContext{
-					{
-						Cluster:   "default",
-						Namespace: "ci",
-						Name:      "ci-pull-credentials",
-						Type:      "kubernetes.io/dockerconfigjson",
-					},
-				},
-			},
 		},
 	}
 	defaultConfigWithoutDefaultCluster = secretbootstrap.Config{
+		ClusterGroups: map[string][]string{},
 		Secrets: []secretbootstrap.SecretConfig{
 			{
 				From: map[string]secretbootstrap.ItemContext{
 					"key-name-1": {
-						Item:  "item-name-1",
-						Field: "field-name-1",
+						Item:                 "item-name-1",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-2": {
-						Item:  "item-name-1",
-						Field: "field-name-2",
+						Item:                 "item-name-1",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-3": {
-						Item:  "item-name-1",
-						Field: "field-name-3",
+						Item:                 "item-name-1",
+						Field:                "field-name-3",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-4": {
-						Item:  "item-name-2",
-						Field: "field-name-1",
+						Item:                 "item-name-2",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-5": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-6": {
-						Item:  "item-name-3",
-						Field: "field-name-1",
+						Item:                 "item-name-3",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-7": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 				},
 				To: []secretbootstrap.SecretContext{
@@ -375,8 +392,14 @@ func TestCompleteOptions(t *testing.T) {
 			expectedConfig: secretbootstrap.Config{
 				ClusterGroups: map[string][]string{"group-a": {"default"}},
 				Secrets: []secretbootstrap.SecretConfig{{
-					From: map[string]secretbootstrap.ItemContext{"key-name-1": {Item: "item-name-1", Field: "field-name-1"}},
-					To:   []secretbootstrap.SecretContext{{ClusterGroups: []string{"group-a"}, Cluster: "default", Namespace: "ns", Name: "name"}},
+					From: map[string]secretbootstrap.ItemContext{
+						"key-name-1": {
+							Item:                 "item-name-1",
+							Field:                "field-name-1",
+							DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
+						},
+					},
+					To: []secretbootstrap.SecretContext{{ClusterGroups: []string{"group-a"}, Cluster: "default", Namespace: "ns", Name: "name"}},
 				}},
 			},
 			expectedClusters: []string{"default"},
@@ -997,12 +1020,12 @@ func TestConstructSecrets(t *testing.T) {
 					},
 				},
 			},
-			expectedError: `[config.0."key-name-1": item at path "prefix/item-name-1" has no key "field-name-1", config.1.".dockerconfigjson": Error making API request.
+			expectedError: `[config.0.".dockerconfigjson": Error making API request.
 
 URL: GET fakeVaultClient.GetKV
 Code: 404. Errors:
 
-* no data at path prefix/quay.io]`,
+* no data at path prefix/quay.io, config.1."key-name-1": item at path "prefix/item-name-1" has no key "field-name-1"]`,
 			expected: map[string][]*coreapi.Secret{},
 		},
 		{
 
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"reflect"
+	"sort"
 	"strings"
 
 	"github.com/getlantern/deepcopy"
@@ -61,6 +62,42 @@ type SecretConfig struct {
 	To   []SecretContext        `json:"to"`
 }
 
+// orderSecretConfig sorts a copy of SecretConfig data structures for deterministic ordering
+// This mutates the SecretConfig in place, so it should only be called on copies
+func (s *SecretConfig) orderSecretConfig() {
+	// Sort From map keys and DockerConfigJSONData slices
+	sortedFrom := make(map[string]ItemContext)
+	keys := make([]string, 0, len(s.From))
+	for k := range s.From {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	for _, k := range keys {
+		itemCtx := s.From[k]
+		// Sort DockerConfigJSONData slice
+		dockerData := make([]DockerConfigJSONData, len(itemCtx.DockerConfigJSONData))
+		copy(dockerData, itemCtx.DockerConfigJSONData)
+		sort.Slice(dockerData, func(i, j int) bool {
+			if dockerData[i].RegistryURL != dockerData[j].RegistryURL {
+				return dockerData[i].RegistryURL < dockerData[j].RegistryURL
+			}
+			if dockerData[i].Item != dockerData[j].Item {
+				return dockerData[i].Item < dockerData[j].Item
+			}
+			return dockerData[i].AuthField < dockerData[j].AuthField
+		})
+
+		sortedFrom[k] = ItemContext{
+			Item:                 itemCtx.Item,
+			Field:                itemCtx.Field,
+			DockerConfigJSONData: dockerData,
+			Base64Decode:         itemCtx.Base64Decode,
+		}
+	}
+	s.From = sortedFrom
+}
+
 // LoadConfigFromFile renders a Config object loaded from the given file
 func LoadConfigFromFile(file string, config *Config) error {
 	bytes, err := gzip.ReadFileMaybeGZIP(file)
@@ -71,14 +108,72 @@ func LoadConfigFromFile(file string, config *Config) error {
 }
 
 // SaveConfigToFile serializes a Config object to the given file
+// It orders a copy of the config for deterministic output before saving
 func SaveConfigToFile(file string, config *Config) error {
-	bytes, err := yaml.Marshal(config)
+	// Create a deep copy to avoid mutating the original config
+	var configCopy Config
+	if err := deepcopy.Copy(&configCopy, config); err != nil {
+		return fmt.Errorf("failed to copy config: %w", err)
+	}
+	// Order the copy for deterministic output
+	configCopy.orderConfig()
+	bytes, err := yaml.Marshal(&configCopy)
 	if err != nil {
 		return err
 	}
 	return os.WriteFile(file, bytes, 0644)
 }
 
+// orderConfig sorts the Config data structures for deterministic ordering
+func (c *Config) orderConfig() {
+	// Sort ClusterGroups map keys
+	sortedClusterGroups := make(map[string][]string)
+	clusterGroupKeys := make([]string, 0, len(c.ClusterGroups))
+	for k := range c.ClusterGroups {
+		clusterGroupKeys = append(clusterGroupKeys, k)
+	}
+	sort.Strings(clusterGroupKeys)
+	for _, k := range clusterGroupKeys {
+		clusters := make([]string, len(c.ClusterGroups[k]))
+		copy(clusters, c.ClusterGroups[k])
+		sort.Strings(clusters)
+		sortedClusterGroups[k] = clusters
+	}
+	c.ClusterGroups = sortedClusterGroups
+
+	// Sort Secrets slice
+	sort.Slice(c.Secrets, func(i, j int) bool {
+		// Sort by first To entry's Cluster, then Namespace, then Name
+		// This groups secrets by cluster, making the output more organized
+		if len(c.Secrets[i].To) == 0 && len(c.Secrets[j].To) == 0 {
+			return false
+		}
+		if len(c.Secrets[i].To) == 0 {
+			return true
+		}
+		if len(c.Secrets[j].To) == 0 {
+			return false
+		}
+		toI := c.Secrets[i].To[0]
+		toJ := c.Secrets[j].To[0]
+		if toI.Cluster != toJ.Cluster {
+			return toI.Cluster < toJ.Cluster
+		}
+		if toI.Namespace != toJ.Namespace {
+			return toI.Namespace < toJ.Namespace
+		}
+		return toI.Name < toJ.Name
+	})
+
+	// Sort UserSecretsTargetClusters
+	sort.Strings(c.UserSecretsTargetClusters)
+
+	// Order each SecretConfig
+	for i := range c.Secrets {
+		c.Secrets[i].orderSecretConfig()
+	}
+}
+
 // Config is what we version in our repository
 type Config struct {
 	VaultDPTPPrefix           string              `json:"vault_dptp_prefix,omitempty"`
 
@@ -49,6 +49,7 @@ func TestResolving(t *testing.T) {
 					"group-b": {"b"},
 				},
 				Secrets: []SecretConfig{{
+					From: nil,
 					To: []SecretContext{
 						{
 							ClusterGroups: []string{"group-a", "group-b"},
@@ -89,8 +90,13 @@ func TestResolving(t *testing.T) {
 			},
 			expectedConfig: Config{
 				VaultDPTPPrefix: "prefix",
+				ClusterGroups:   nil,
 				Secrets: []SecretConfig{{
-					From: map[string]ItemContext{"...": {Item: "prefix/foo", Field: "bar"}},
+					From: map[string]ItemContext{"...": {
+						Item:                 "prefix/foo",
+						Field:                "bar",
+						DockerConfigJSONData: nil,
+					}},
 					To: []SecretContext{{
 						Cluster:   "foo",
 						Namespace: "namspace",
@@ -116,6 +122,7 @@ func TestResolving(t *testing.T) {
 			},
 			expectedConfig: Config{
 				VaultDPTPPrefix: "prefix",
+				ClusterGroups:   nil,
 				Secrets: []SecretConfig{{
 					From: map[string]ItemContext{"...": {DockerConfigJSONData: []DockerConfigJSONData{{Item: "prefix/foo", AuthField: "bar"}}}},
 					To: []SecretContext{{
@@ -168,8 +175,16 @@ func TestLoadConfigFromFile(t *testing.T) {
 				Secrets: []SecretConfig{
 					{
 						From: map[string]ItemContext{
-							"ops-mirror.pem": {Item: "dptp/mirror.openshift.com", Field: "cert-key.pem"},
-							"rh-cdn.pem":     {Item: "dptp/rh-cdn", Field: "rh-cdn.pem"},
+							"ops-mirror.pem": {
+								Item:                 "dptp/mirror.openshift.com",
+								Field:                "cert-key.pem",
+								DockerConfigJSONData: nil,
+							},
+							"rh-cdn.pem": {
+								Item:                 "dptp/rh-cdn",
+								Field:                "rh-cdn.pem",
+								DockerConfigJSONData: nil,
+							},
 						},
 						To: []SecretContext{{
 							ClusterGroups: []string{"build_farm"},
@@ -241,10 +256,22 @@ func TestRoundtripConfig(t *testing.T) {
 				t.Fatalf("error saving config file: %v", err)
 			}
 
+			// Load both input and output files into Config structs and normalize them
+			// This allows comparison regardless of the input file's ordering
 			inFile := filepath.Join("testdata", "zz_fixture_TestRoundtripConfig_basic_base.yaml")
-			in, _ := os.ReadFile(inFile)
-			out, _ := os.ReadFile(outFile)
-			if diff := cmp.Diff(in, out); diff != "" {
+			var inputConfig, outputConfig Config
+			if err := LoadConfigFromFile(inFile, &inputConfig); err != nil {
+				t.Fatalf("error loading input config file: %v", err)
+			}
+			if err := LoadConfigFromFile(outFile, &outputConfig); err != nil {
+				t.Fatalf("error loading output config file: %v", err)
+			}
+
+			// Normalize both configs for comparison
+			inputConfig.orderConfig()
+			outputConfig.orderConfig()
+
+			if diff := cmp.Diff(inputConfig, outputConfig); diff != "" {
 				t.Fatalf("input and output configs are not equal. %s", diff)
 			}
 		})