openshift
diff --git a/‎cmd/ci-secret-bootstrap/main_test.go‎
Lines changed: 71 additions & 48 deletions b/‎cmd/ci-secret-bootstrap/main_test.go‎
Lines changed: 71 additions & 48 deletions
diff --git a/‎pkg/api/secretbootstrap/secretboostrap.go‎
Lines changed: 77 additions & 36 deletions b/‎pkg/api/secretbootstrap/secretboostrap.go‎
Lines changed: 77 additions & 36 deletions
@@ -176,36 +176,61 @@ var (
 	}
 
 	defaultConfig = secretbootstrap.Config{
+		ClusterGroups: map[string][]string{},
 		Secrets: []secretbootstrap.SecretConfig{
+			{
+				From: map[string]secretbootstrap.ItemContext{
+					".dockerconfigjson": {
+						Item:                 "quay.io",
+						Field:                "pull-credentials",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
+					},
+				},
+				To: []secretbootstrap.SecretContext{
+					{
+						Cluster:   "default",
+						Namespace: "ci",
+						Name:      "ci-pull-credentials",
+						Type:      "kubernetes.io/dockerconfigjson",
+					},
+				},
+			},
 			{
 				From: map[string]secretbootstrap.ItemContext{
 					"key-name-1": {
-						Item:  "item-name-1",
-						Field: "field-name-1",
+						Item:                 "item-name-1",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-2": {
-						Item:  "item-name-1",
-						Field: "field-name-2",
+						Item:                 "item-name-1",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-3": {
-						Item:  "item-name-1",
-						Field: "field-name-3",
+						Item:                 "item-name-1",
+						Field:                "field-name-3",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-4": {
-						Item:  "item-name-2",
-						Field: "field-name-1",
+						Item:                 "item-name-2",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-5": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-6": {
-						Item:  "item-name-3",
-						Field: "field-name-1",
+						Item:                 "item-name-3",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-7": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 				},
 				To: []secretbootstrap.SecretContext{
@@ -221,55 +246,47 @@ var (
 					},
 				},
 			},
-			{
-				From: map[string]secretbootstrap.ItemContext{
-					".dockerconfigjson": {
-						Item:  "quay.io",
-						Field: "pull-credentials",
-					},
-				},
-				To: []secretbootstrap.SecretContext{
-					{
-						Cluster:   "default",
-						Namespace: "ci",
-						Name:      "ci-pull-credentials",
-						Type:      "kubernetes.io/dockerconfigjson",
-					},
-				},
-			},
 		},
 	}
 	defaultConfigWithoutDefaultCluster = secretbootstrap.Config{
+		ClusterGroups: map[string][]string{},
 		Secrets: []secretbootstrap.SecretConfig{
 			{
 				From: map[string]secretbootstrap.ItemContext{
 					"key-name-1": {
-						Item:  "item-name-1",
-						Field: "field-name-1",
+						Item:                 "item-name-1",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-2": {
-						Item:  "item-name-1",
-						Field: "field-name-2",
+						Item:                 "item-name-1",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-3": {
-						Item:  "item-name-1",
-						Field: "field-name-3",
+						Item:                 "item-name-1",
+						Field:                "field-name-3",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-4": {
-						Item:  "item-name-2",
-						Field: "field-name-1",
+						Item:                 "item-name-2",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-5": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-6": {
-						Item:  "item-name-3",
-						Field: "field-name-1",
+						Item:                 "item-name-3",
+						Field:                "field-name-1",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 					"key-name-7": {
-						Item:  "item-name-2",
-						Field: "field-name-2",
+						Item:                 "item-name-2",
+						Field:                "field-name-2",
+						DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
 					},
 				},
 				To: []secretbootstrap.SecretContext{
@@ -375,8 +392,14 @@ func TestCompleteOptions(t *testing.T) {
 			expectedConfig: secretbootstrap.Config{
 				ClusterGroups: map[string][]string{"group-a": {"default"}},
 				Secrets: []secretbootstrap.SecretConfig{{
-					From: map[string]secretbootstrap.ItemContext{"key-name-1": {Item: "item-name-1", Field: "field-name-1"}},
-					To:   []secretbootstrap.SecretContext{{ClusterGroups: []string{"group-a"}, Cluster: "default", Namespace: "ns", Name: "name"}},
+					From: map[string]secretbootstrap.ItemContext{
+						"key-name-1": {
+							Item:                 "item-name-1",
+							Field:                "field-name-1",
+							DockerConfigJSONData: []secretbootstrap.DockerConfigJSONData{},
+						},
+					},
+					To: []secretbootstrap.SecretContext{{ClusterGroups: []string{"group-a"}, Cluster: "default", Namespace: "ns", Name: "name"}},
 				}},
 			},
 			expectedClusters: []string{"default"},
@@ -997,12 +1020,12 @@ func TestConstructSecrets(t *testing.T) {
 					},
 				},
 			},
-			expectedError: `[config.0."key-name-1": item at path "prefix/item-name-1" has no key "field-name-1", config.1.".dockerconfigjson": Error making API request.
+			expectedError: `[config.0.".dockerconfigjson": Error making API request.
 
 URL: GET fakeVaultClient.GetKV
 Code: 404. Errors:
 
-* no data at path prefix/quay.io]`,
+* no data at path prefix/quay.io, config.1."key-name-1": item at path "prefix/item-name-1" has no key "field-name-1"]`,
 			expected: map[string][]*coreapi.Secret{},
 		},
 		{
 
@@ -1,10 +1,10 @@
 package secretbootstrap
 
 import (
-	"encoding/json"
 	"fmt"
 	"os"
 	"reflect"
+	"sort"
 	"strings"
 
 	"github.com/getlantern/deepcopy"
@@ -71,14 +71,89 @@ func LoadConfigFromFile(file string, config *Config) error {
 }
 
 // SaveConfigToFile serializes a Config object to the given file
+// It orders a copy of the config for deterministic output before saving
 func SaveConfigToFile(file string, config *Config) error {
-	bytes, err := yaml.Marshal(config)
+	// Create a deep copy to avoid mutating the original config
+	var configCopy Config
+	if err := deepcopy.Copy(&configCopy, config); err != nil {
+		return fmt.Errorf("failed to copy config: %w", err)
+	}
+	// Order the copy for deterministic output
+	configCopy.orderConfig()
+	bytes, err := yaml.Marshal(&configCopy)
 	if err != nil {
 		return err
 	}
 	return os.WriteFile(file, bytes, 0644)
 }
 
+// orderConfig sorts the Config data structures for deterministic ordering
+func (c *Config) orderConfig() {
+	// Sort ClusterGroups map keys
+	sortedClusterGroups := make(map[string][]string)
+	clusterGroupKeys := make([]string, 0, len(c.ClusterGroups))
+	for k := range c.ClusterGroups {
+		clusterGroupKeys = append(clusterGroupKeys, k)
+	}
+	sort.Strings(clusterGroupKeys)
+	for _, k := range clusterGroupKeys {
+		clusters := make([]string, len(c.ClusterGroups[k]))
+		copy(clusters, c.ClusterGroups[k])
+		sort.Strings(clusters)
+		sortedClusterGroups[k] = clusters
+	}
+	c.ClusterGroups = sortedClusterGroups
+
+	// Sort Secrets slice
+	sort.Slice(c.Secrets, func(i, j int) bool {
+		// Sort by first To entry's Cluster, then Namespace, then Name
+		// This groups secrets by cluster, making the output more organized
+		if len(c.Secrets[i].To) == 0 && len(c.Secrets[j].To) == 0 {
+			return false
+		}
+		if len(c.Secrets[i].To) == 0 {
+			return true
+		}
+		if len(c.Secrets[j].To) == 0 {
+			return false
+		}
+		toI := c.Secrets[i].To[0]
+		toJ := c.Secrets[j].To[0]
+		if toI.Cluster != toJ.Cluster {
+			return toI.Cluster < toJ.Cluster
+		}
+		if toI.Namespace != toJ.Namespace {
+			return toI.Namespace < toJ.Namespace
+		}
+		return toI.Name < toJ.Name
+	})
+
+	// Sort UserSecretsTargetClusters
+	sort.Strings(c.UserSecretsTargetClusters)
+
+	// Order each SecretConfig's DockerConfigJSONData slices for deterministic ordering
+	// (YAML marshaler already sorts map keys, so we only need to sort slices)
+	for i := range c.Secrets {
+		for k, itemCtx := range c.Secrets[i].From {
+			if len(itemCtx.DockerConfigJSONData) > 0 {
+				sortedData := make([]DockerConfigJSONData, len(itemCtx.DockerConfigJSONData))
+				copy(sortedData, itemCtx.DockerConfigJSONData)
+				sort.Slice(sortedData, func(i, j int) bool {
+					if sortedData[i].RegistryURL != sortedData[j].RegistryURL {
+						return sortedData[i].RegistryURL < sortedData[j].RegistryURL
+					}
+					if sortedData[i].Item != sortedData[j].Item {
+						return sortedData[i].Item < sortedData[j].Item
+					}
+					return sortedData[i].AuthField < sortedData[j].AuthField
+				})
+				itemCtx.DockerConfigJSONData = sortedData
+				c.Secrets[i].From[k] = itemCtx
+			}
+		}
+	}
+}
+
 // Config is what we version in our repository
 type Config struct {
 	VaultDPTPPrefix           string              `json:"vault_dptp_prefix,omitempty"`
@@ -87,40 +162,6 @@ type Config struct {
 	UserSecretsTargetClusters []string            `json:"user_secrets_target_clusters,omitempty"`
 }
 
-type configWithoutUnmarshaler Config
-
-func (c *Config) UnmarshalJSON(d []byte) error {
-	var target configWithoutUnmarshaler
-	if err := json.Unmarshal(d, &target); err != nil {
-		return err
-	}
-
-	*c = Config(target)
-	return c.resolve()
-}
-
-func (c *Config) MarshalJSON() ([]byte, error) {
-	target := &configWithoutUnmarshaler{
-		VaultDPTPPrefix:           c.VaultDPTPPrefix,
-		ClusterGroups:             c.ClusterGroups,
-		UserSecretsTargetClusters: c.UserSecretsTargetClusters,
-	}
-	pre := c.VaultDPTPPrefix + "/"
-	var secrets []SecretConfig
-	for _, s := range c.Secrets {
-		var secret SecretConfig
-		if err := deepcopy.Copy(&secret, s); err != nil {
-			return nil, err
-		}
-		stripVaultPrefix(&secret, pre)
-		secret.groupClusters()
-		secrets = append(secrets, secret)
-	}
-
-	target.Secrets = secrets
-	return json.Marshal(target)
-}
-
 func (s *SecretConfig) groupClusters() {
 	var secrets []SecretContext
 	for _, to := range s.To {