sanitize the secret key

operator/internal/controller/auto/update_controller.go

@@ -22,6 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -485,8 +486,13 @@ func outputsToSecret(owner *autov1alpha1.Update, outputs map[string]*agentpb.Out
 	}})
 
 	secrets := []string{}
-	for k, v := range outputs {
-		// v.Value is already JSON-encoded bytes,
+	for outputName, v := range outputs {
+		// note: v.Value is already JSON-encoded bytes
+		k := outputName
+		if strings.Contains(k, " ") {
+			// sanitize the outputName to be a valid secret key
+			k = strings.ReplaceAll(k, " ", "_")
+		}
 		s.Data[k] = v.Value
 		if v.Secret {
 			secrets = append(secrets, k)

operator/internal/controller/auto/update_controller_test.go

@@ -119,8 +119,9 @@ func TestUpdate(t *testing.T) {
 				result := &agentpb.UpStream_Result{Result: &agentpb.UpResult{
 					Summary: &agentpb.UpdateSummary{Result: "succeeded"},
 					Outputs: map[string]*agentpb.OutputValue{
-						"username": {Value: []byte("username")},
-						"password": {Value: []byte("hunter2"), Secret: true},
+						"username":        {Value: []byte("username")},
+						"password":        {Value: []byte("hunter2"), Secret: true},
+						"with whitespace": {Value: []byte("with whitespace"), Secret: true},
 					},
 				}}
 
@@ -141,13 +142,14 @@ func TestUpdate(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "foo-stack-outputs",
 						Annotations: map[string]string{
-							"pulumi.com/secrets": `["password"]`,
+							"pulumi.com/secrets": `["password","with_whitespace"]`,
 						},
 						OwnerReferences: []metav1.OwnerReference{{UID: "uid", Name: "foo"}},
 					},
 					Data: map[string][]byte{
-						"username": []byte("username"),
-						"password": []byte("hunter2"),
+						"username":        []byte("username"),
+						"password":        []byte("hunter2"),
+						"with_whitespace": []byte("with whitespace"),
 					},
 					Immutable: ptr.To(true),
 				}