diff --git a/.changelog/15670.txt b/.changelog/15670.txt new file mode 100644 index 000000000000..3d227f937cfd --- /dev/null +++ b/.changelog/15670.txt @@ -0,0 +1,3 @@ +```release-note:bug +csi: Fixed a bug where secrets that include '=' were incorrectly rejected +``` diff --git a/command/agent/csi_endpoint.go b/command/agent/csi_endpoint.go index fd0f6926658b..fb71bfd95768 100644 --- a/command/agent/csi_endpoint.go +++ b/command/agent/csi_endpoint.go @@ -409,9 +409,8 @@ func parseCSISecrets(req *http.Request) structs.CSISecrets { secrets := map[string]string{} secretkvs := strings.Split(secretsHeader, ",") for _, secretkv := range secretkvs { - kv := strings.Split(secretkv, "=") - if len(kv) == 2 { - secrets[kv[0]] = kv[1] + if key, value, found := strings.Cut(secretkv, "="); found { + secrets[key] = value } } if len(secrets) == 0 { diff --git a/command/agent/csi_endpoint_test.go b/command/agent/csi_endpoint_test.go index 9805a8228813..f8187fa9a7c5 100644 --- a/command/agent/csi_endpoint_test.go +++ b/command/agent/csi_endpoint_test.go @@ -59,6 +59,8 @@ func TestHTTP_CSIParseSecrets(t *testing.T) { structs.CSISecrets(map[string]string{"one": "overwrite"})}, {"one=value_one,two=value_two", structs.CSISecrets(map[string]string{"one": "value_one", "two": "value_two"})}, + {"one=value_one=two,two=value_two", + structs.CSISecrets(map[string]string{"one": "value_one=two", "two": "value_two"})}, } for _, tc := range testCases { req, _ := http.NewRequest("GET", "/v1/plugin/csi/foo", nil) diff --git a/command/volume_delete.go b/command/volume_delete.go index 6b37d419bf97..12e8c832a0b0 100644 --- a/command/volume_delete.go +++ b/command/volume_delete.go @@ -104,9 +104,8 @@ func (c *VolumeDeleteCommand) Run(args []string) int { secrets := api.CSISecrets{} for _, kv := range secretsArgs { - s := strings.Split(kv, "=") - if len(s) == 2 { - secrets[s[0]] = s[1] + if key, value, found := strings.Cut(kv, "="); found { + secrets[key] = value } else { c.Ui.Error("Secret must be in the format: -secret key=value") return 1 diff --git a/command/volume_snapshot_create.go b/command/volume_snapshot_create.go index 013b285c0e42..c145bb85b9a3 100644 --- a/command/volume_snapshot_create.go +++ b/command/volume_snapshot_create.go @@ -117,9 +117,8 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int { secrets := api.CSISecrets{} for _, kv := range secretsArgs { - s := strings.Split(kv, "=") - if len(s) == 2 { - secrets[s[0]] = s[1] + if key, value, found := strings.Cut(kv, "="); found { + secrets[key] = value } else { c.Ui.Error("Secret must be in the format: -secret key=value") return 1 @@ -128,9 +127,8 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int { params := map[string]string{} for _, kv := range parametersArgs { - p := strings.Split(kv, "=") - if len(p) == 2 { - params[p[0]] = p[1] + if key, value, found := strings.Cut(kv, "="); found { + params[key] = value } } diff --git a/command/volume_snapshot_delete.go b/command/volume_snapshot_delete.go index d6eaccc1cd80..63cad502f367 100644 --- a/command/volume_snapshot_delete.go +++ b/command/volume_snapshot_delete.go @@ -94,9 +94,8 @@ func (c *VolumeSnapshotDeleteCommand) Run(args []string) int { secrets := api.CSISecrets{} for _, kv := range secretsArgs { - s := strings.Split(kv, "=") - if len(s) == 2 { - secrets[s[0]] = s[1] + if key, value, found := strings.Cut(kv, "="); found { + secrets[key] = value } else { c.Ui.Error("Secret must be in the format: -secret key=value") return 1 diff --git a/command/volume_snapshot_list.go b/command/volume_snapshot_list.go index 9d42968bfa45..bef018b1daee 100644 --- a/command/volume_snapshot_list.go +++ b/command/volume_snapshot_list.go @@ -140,9 +140,8 @@ func (c *VolumeSnapshotListCommand) Run(args []string) int { secrets := api.CSISecrets{} for _, kv := range secretsArgs { - s := strings.Split(kv, "=") - if len(s) == 2 { - secrets[s[0]] = s[1] + if key, value, found := strings.Cut(kv, "="); found { + secrets[key] = value } else { c.Ui.Error("Secret must be in the format: -secret key=value") return 1