fix(install): require --render-sensitive when using --template

clebs · clebs · commit c41aeae3d554 · 2026-05-06T12:00:13.000+02:00
The hypershift install render --template command still leaks secrets
after introducing the --render-sensitive flag.
This makes it required to have the flag set to true to acknowledge that
the template contains sensitive data.

Signed-off-by: Borja Clemente &lt;bclement@redhat.com&gt;
diff --git a/cmd/install/install_render.go b/cmd/install/install_render.go
@@ -105,6 +105,10 @@ func RenderHyperShiftOperator(ctx context.Context, cmdOut io.Writer, opts *Optio
 		return err
 	}
 
+	if opts.Template && !opts.RenderSensitive {
+		return fmt.Errorf("--template requires --render-sensitive=true because Template output can embed Secret objects")
+	}
+
 	var crds []crclient.Object
 	var objects []crclient.Object
 
diff --git a/cmd/install/install_render_test.go b/cmd/install/install_render_test.go
@@ -65,7 +65,7 @@ func TestMultiDocYamlRendering(t *testing.T) {
 }
 
 func TestTemplateYamlRendering(t *testing.T) {
-	template, err := ExecuteTemplateYamlGenerationCommand([]string{"--oidc-storage-provider-s3-bucket-name", "bucket", "--oidc-storage-provider-s3-region", "us-east-1", "--oidc-storage-provider-s3-secret", "secret", "render", "--format", "yaml", "--template"})
+	template, err := ExecuteTemplateYamlGenerationCommand([]string{"--oidc-storage-provider-s3-bucket-name", "bucket", "--oidc-storage-provider-s3-region", "us-east-1", "--oidc-storage-provider-s3-secret", "secret", "render", "--format", "yaml", "--template", "--render-sensitive"})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -104,6 +104,17 @@ func ExecuteJsonGenerationCommand(args []string) (map[string]interface{}, error)
 	return doc, nil
 }
 
+func TestWhenTemplateWithoutRenderSensitiveItShouldFail(t *testing.T) {
+	_, err := ExecuteTestCommand([]string{"--oidc-storage-provider-s3-bucket-name", "bucket", "--oidc-storage-provider-s3-region", "us-east-1", "--oidc-storage-provider-s3-secret", "secret", "render", "--format", "yaml", "--template"})
+	if err == nil {
+		t.Fatal("expected error when using --template without --render-sensitive")
+	}
+	expectedMsg := "--template requires --render-sensitive=true because Template output can embed Secret objects"
+	if err.Error() != expectedMsg {
+		t.Fatalf("expected error message %q, got %q", expectedMsg, err.Error())
+	}
+}
+
 func TestJsonListRendering(t *testing.T) {
 	doc, err := ExecuteJsonGenerationCommand([]string{"--oidc-storage-provider-s3-bucket-name", "bucket", "--oidc-storage-provider-s3-region", "us-east-1", "--oidc-storage-provider-s3-secret", "secret", "render", "--format", "json"})
 	if err != nil {
@@ -120,7 +131,7 @@ func TestJsonListRendering(t *testing.T) {
 }
 
 func TestJsonTemplateRendering(t *testing.T) {
-	doc, err := ExecuteJsonGenerationCommand([]string{"--oidc-storage-provider-s3-bucket-name", "bucket", "--oidc-storage-provider-s3-region", "us-east-1", "--oidc-storage-provider-s3-secret", "secret", "render", "--format", "json", "--template"})
+	doc, err := ExecuteJsonGenerationCommand([]string{"--oidc-storage-provider-s3-bucket-name", "bucket", "--oidc-storage-provider-s3-region", "us-east-1", "--oidc-storage-provider-s3-secret", "secret", "render", "--format", "json", "--template", "--render-sensitive"})
 	if err != nil {
 		t.Fatal(err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,10 @@ func RenderHyperShiftOperator(ctx context.Context, cmdOut io.Writer, opts *Optio`
`105`	`105`	`return err`
`106`	`106`	`}`
`107`	`107`
	`108`	`+ if opts.Template && !opts.RenderSensitive {`
	`109`	`+ return fmt.Errorf("--template requires --render-sensitive=true because Template output can embed Secret objects")`
	`110`	`+ }`
	`111`	`+`
`108`	`112`	`var crds []crclient.Object`
`109`	`113`	`var objects []crclient.Object`
`110`	`114`