feat: add metadata fields (#228)

* feat: add metadata field for sopssecrets and globalsopssecrets

Signed-off-by: Oliver Bähler <[email protected]>

* feat(helm): add label and annotation vaules

Signed-off-by: Oliver Bähler <[email protected]>

* fix(helm): correct role binding reference

Signed-off-by: Oliver Bähler <[email protected]>

* feat: add metadata field for sopssecrets and globalsopssecrets

Signed-off-by: Oliver Bähler <[email protected]>

* feat: add metadata field for sopssecrets and globalsopssecrets

Signed-off-by: Oliver Bähler <[email protected]>

* feat: add metadata field for sopssecrets and globalsopssecrets

Signed-off-by: Oliver Bähler <[email protected]>

---------

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

api/v1alpha1/globalsopssecret_types.go

@@ -14,6 +14,8 @@ import (
 type GlobalSopsSecretSpec struct {
 	// Define Secrets to replicate, when secret is decrypted
 	Secrets []*GlobalSopsSecretItem `json:"secrets"`
+	// Define additional Metadata for the generated secrets
+	Metadata SecretMetadata `json:"metadata,omitempty"`
 }
 
 // GlobalSopsSecretItem defines the desired state of GlobalSopsSecret.

api/v1alpha1/secret_metadata.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2024-2025 Peak Scale
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package v1alpha1
+
+// SopsSecretSpec defines the desired state of SopsSecret.
+type SecretMetadata struct {
+	// Prefix added to all generated Secrets names
+	Prefix string `json:"prefix,omitempty"`
+	// Suffix added to all generated Secrets names
+	Suffix string `json:"suffix,omitempty"`
+	// Labels added to all generated Secrets
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations added to all generated Secrets
+	Annotations map[string]string `json:"annotations,omitempty"`
+}

api/v1alpha1/sopssecret_types.go

@@ -13,6 +13,8 @@ import (
 type SopsSecretSpec struct {
 	// Define Secrets to replicate, when secret is decrypted
 	Secrets []*SopsSecretItem `json:"secrets"`
+	// Define additional Metadata for the generated secrets
+	Metadata SecretMetadata `json:"metadata,omitempty"`
 }
 
 // SopsSecretTemplate defines the map of secrets to create

api/v1alpha1/zz_generated.deepcopy.go

@@ -29,12 +29,15 @@ The following Values are available for this chart.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | global.jobs.kubectl.affinity | object | `{}` | Set affinity rules |
-| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the certgen job. |
+| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the job. |
 | global.jobs.kubectl.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
 | global.jobs.kubectl.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
 | global.jobs.kubectl.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
 | global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
+| global.jobs.kubectl.labels | object | `{}` | Labels to add to the job. |
 | global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
+| global.jobs.kubectl.podAnnotations | object | `{}` | Annotations to add to the job pod |
+| global.jobs.kubectl.podLabels | object | `{}` | Labels to add to the job pod |
 | global.jobs.kubectl.podSecurityContext | object | `{"enabled":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
 | global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
 | global.jobs.kubectl.resources | object | `{}` | Job resources |

charts/sops-operator/README.md

@@ -1,3 +1,4 @@
+replicaCount: 2
 image:
   pullPolicy: Never
   tag: "latest"

charts/sops-operator/ci/test-values.yaml

@@ -302,6 +302,26 @@ spec:
           spec:
             description: SopsSecretSpec defines the desired state of SopsSecret.
             properties:
+              metadata:
+                description: Define additional Metadata for the generated secrets
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    description: Annotations added to all generated Secrets
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels added to all generated Secrets
+                    type: object
+                  prefix:
+                    description: Prefix added to all generated Secrets names
+                    type: string
+                  suffix:
+                    description: Suffix added to all generated Secrets names
+                    type: string
+                type: object
               secrets:
                 description: Define Secrets to replicate, when secret is decrypted
                 items:

charts/sops-operator/crds/addons.projectcapsule.dev_globalsopssecrets.yaml

@@ -302,6 +302,26 @@ spec:
           spec:
             description: SopsSecretSpec defines the desired state of SopsSecret.
             properties:
+              metadata:
+                description: Define additional Metadata for the generated secrets
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    description: Annotations added to all generated Secrets
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels added to all generated Secrets
+                    type: object
+                  prefix:
+                    description: Prefix added to all generated Secrets names
+                    type: string
+                  suffix:
+                    description: Suffix added to all generated Secrets names
+                    type: string
+                type: object
               secrets:
                 description: Define Secrets to replicate, when secret is decrypted
                 items:

charts/sops-operator/crds/addons.projectcapsule.dev_sopssecrets.yaml

@@ -8,17 +8,36 @@ metadata:
     # create hook dependencies in the right order
     "helm.sh/hook-weight": "-1"
     {{- include "crds.annotations" . | nindent 4 }}
+    {{- with .Values.global.jobs.kubectl.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: {{ include "crds.component" . | quote }}
     {{- include "helm.labels" . | nindent 4 }}
+    {{- with .Values.global.jobs.kubectl.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   ttlSecondsAfterFinished: {{ .Values.global.jobs.kubectl.ttlSecondsAfterFinished }}
   template:
     metadata:
       name: "{{ include "crds.name" . }}"
+      annotations:
+        {{- with .Values.global.jobs.kubectl.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
       labels:
         app.kubernetes.io/component: {{ include "crds.component" . | quote }}
         {{- include "helm.selectorLabels" . | nindent 8 }}
+        {{- with .Values.global.jobs.kubectl.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       restartPolicy: {{ $.Values.global.jobs.kubectl.restartPolicy }}
       {{- if $.Values.global.jobs.kubectl.podSecurityContext.enabled }}

charts/sops-operator/templates/crd-lifecycle/job.yaml

@@ -60,21 +60,39 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "helm.fullname" . }}-controller
+  name: {{ include "helm.fullname" . }}
   labels:
     {{- include "helm.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-    - "coordination.k8s.io"
+  - ""
   resources:
-    - leases
+  - configmaps
   verbs:
-    - "*"
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "helm.fullname" . }}-controller
+  name: {{ include "helm.fullname" . }}
   labels:
     {{- include "helm.labels" . | nindent 4 }}
   namespace: {{ .Release.Namespace | quote }}