Add labelsToRemove in AgeSecret Spec (#59)

* add labels to remove in agesecret spec

* reduce memory usage

* test

* fix multiple things

* fix readme, and update suspend field

* update checkout action to v4 to fix node12 deprecation warnings

* make suspend field optional

---------

Co-authored-by: navid.shariaty <navid.shariaty@snapp.cab>

.github/workflows/ci.yaml

@@ -12,25 +12,33 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3.7.0
         with:
           version: latest
           args: --timeout 5m
-  test:
-    name: test
+  test-api:
+    name: test-api
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: run tests using make
-        run: make test
+      - uses: actions/checkout@v4
+      - name: run api tests using make
+        run: make test-api
+  test-controller:
+    name: test-controller
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: run controller tests using make
+        run: make test-controller
   docker:
     name: docker
     runs-on: ubuntu-latest
     needs:
       - lint
-      - test
+      - test-api
+      - test-controller
     steps:
       - uses: actions/checkout@v4
       - uses: docker/setup-qemu-action@v3

Makefile

@@ -122,7 +122,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v4.5.5
-CONTROLLER_TOOLS_VERSION ?= v0.8.0
+CONTROLLER_TOOLS_VERSION ?= v0.12.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

README.md

@@ -128,6 +128,9 @@ metadata:
     annotations:
         ... {fill annotations}
 spec:
+    labelsToRemove:
+      - {label1}
+      - {label2}
     suspend: {fill suspend}
     ageKeyRef: {fill ref name}
     stringData:
@@ -147,6 +150,9 @@ spec:
 - <h5>annotations</h5>
   A set of "key:value" that will be <b>copied inside the generated secret</b>.
 
+- <h5>labelsToRemove</h5>
+  An array of labels to remove while creating the child secret, and not to inherit them. Sample use-case is inside CD on k8s, when you want a label selector to track "AgeSecret" but not the child secret.
+
 - <h5>suspend</h5>
   It's boolean. The default value is <b>false</b>. It determines whether the controller should reconcile on changes and apply changes to secret or you are just testing and the controller should not change anything.
 

api/v1alpha1/agekey_webhook_test.go

@@ -1,7 +1,7 @@
 package v1alpha1
 
 import (
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

api/v1alpha1/agesecret_types.go

@@ -22,11 +22,10 @@ import (
 
 // AgeSecretSpec defines the desired state of AgeSecret
 type AgeSecretSpec struct {
-	// +kubebuilder:validation:Required
-	AgeKeyRef  string `json:"ageKeyRef"`
-	StringData string `json:"stringData"`
-	// +kubebuilder:validation:Optional
-	Suspend bool `json:"suspend"`
+	AgeKeyRef      string   `json:"ageKeyRef"`
+	StringData     string   `json:"stringData"`
+	Suspend        bool     `json:"suspend,omitempty"`
+	LabelsToRemove []string `json:"labelsToRemove,omitempty"`
 }
 
 // AgeSecretStatus defines the observed state of AgeSecret
@@ -43,7 +42,7 @@ type AgeSecretStatus struct {
 //+kubebuilder:printcolumn:name="AgeKey",type=string,JSONPath=`.spec.ageKeyRef`
 //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 
-// AgeSecret is the Schema for the agesecrets API
+// AgeSecret is the Schema for the AgeSecrets API
 type AgeSecret struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

api/v1alpha1/agesecret_webhook_test.go

@@ -1,7 +1,7 @@
 package v1alpha1
 
 import (
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

api/v1alpha1/webhook_suite_test.go

@@ -26,7 +26,7 @@ import (
 	"testing"
 	"time"
 
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
@@ -51,7 +51,7 @@ var cancel context.CancelFunc
 
 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecsWithDefaultAndCustomReporters(t, "Webhook Suite", []Reporter{})
+	RunSpecs(t, "Webhook Suite")
 }
 
 var _ = BeforeSuite(func() {
@@ -127,7 +127,7 @@ var _ = BeforeSuite(func() {
 		return nil
 	}).Should(Succeed())
 
-}, 60)
+})
 
 var _ = AfterSuite(func() {
 	cancel()

config/crd/bases/gitopssecret.snappcloud.io_agekeys.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: agekeys.gitopssecret.snappcloud.io
 spec:
   group: gitopssecret.snappcloud.io
@@ -60,9 +59,3 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

config/crd/bases/gitopssecret.snappcloud.io_agesecrets.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: agesecrets.gitopssecret.snappcloud.io
 spec:
   group: gitopssecret.snappcloud.io
@@ -34,7 +33,7 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: AgeSecret is the Schema for the agesecrets API
+        description: AgeSecret is the Schema for the AgeSecrets API
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -53,6 +52,10 @@ spec:
             properties:
               ageKeyRef:
                 type: string
+              labelsToRemove:
+                items:
+                  type: string
+                type: array
               stringData:
                 type: string
               suspend:
@@ -77,9 +80,3 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

config/manager/manager.yaml

@@ -51,7 +51,7 @@ spec:
         resources:
           limits:
             cpu: 3
-            memory: 4Gi
+            memory: 2Gi
           requests:
             cpu: 1
             memory: 1Gi

config/rbac/role.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:

config/samples/_v1alpha1_agesecret.yaml

@@ -9,6 +9,8 @@ metadata:
   annotations:
     key_annotation: value_annotation
 spec:
+  labelsToRemove:
+    - app.kubernetes.io/instance
   ageKeyRef: agekey-sample
   stringData: |
     YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbXlPYUxHRTVMRGxBdkxr

config/webhook/manifests.yaml

@@ -2,7 +2,6 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  creationTimestamp: null
   name: mutating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
@@ -49,7 +48,6 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  creationTimestamp: null
   name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:

consts/consts.go

@@ -4,7 +4,4 @@ var (
 	ExcessAnnotations = []string{
 		"kubectl.kubernetes.io/last-applied-configuration",
 	}
-	ExcessLabels = []string{
-		"app.kubernetes.io/instance",
-	}
 )

controllers/agekey_controller_test.go

@@ -2,7 +2,7 @@ package controllers
 
 import (
 	"context"
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/snapp-incubator/age-operator/api/v1alpha1"
 	"github.com/snapp-incubator/age-operator/k8sutils"

controllers/agesecret_controller_test.go

@@ -2,10 +2,9 @@ package controllers
 
 import (
 	"context"
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/snapp-incubator/age-operator/api/v1alpha1"
-	"github.com/snapp-incubator/age-operator/consts"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -22,7 +21,7 @@ var (
 	fooValidAgeSecretPath = filepath.Join("..", "config", "samples", "_v1alpha1_agesecret.yaml")
 )
 
-var _ = Describe("", func() {
+var _ = Describe("", Serial, func() {
 	ctx := context.Background()
 	validAgeKeyObj := &v1alpha1.AgeKey{}
 	invalidAgeKeyObj := &v1alpha1.AgeKey{}
@@ -81,7 +80,7 @@ var _ = Describe("", func() {
 			unwantedLabelExists := false
 			secretLabels := fooSecretObj.GetLabels()
 			for _, label := range secretLabels {
-				for _, unwantedLabel := range consts.ExcessLabels {
+				for _, unwantedLabel := range validAgeSecretObj.Spec.LabelsToRemove {
 					if label == unwantedLabel {
 						unwantedLabelExists = true
 						break

controllers/suite_test.go

@@ -22,7 +22,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"testing"
 
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
@@ -44,7 +44,7 @@ var testEnv *envtest.Environment
 
 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecsWithDefaultAndCustomReporters(t, "Controller Suite", []Reporter{})
+	RunSpecs(t, "Controller Suite")
 }
 
 var _ = BeforeSuite(func() {
@@ -96,10 +96,11 @@ var _ = BeforeSuite(func() {
 	Expect(err).ToNot(HaveOccurred())
 
 	go func() {
+		defer GinkgoRecover()
 		err = k8sManager.Start(ctrl.SetupSignalHandler())
 		Expect(err).ToNot(HaveOccurred())
 	}()
-}, 60)
+})
 
 var _ = AfterSuite(func() {
 	By("tearing down the test environment")

go.mod

@@ -5,7 +5,7 @@ go 1.20
 require (
 	filippo.io/age v1.1.1
 	github.com/go-logr/logr v1.2.4
-	github.com/onsi/ginkgo v1.16.5
+	github.com/onsi/ginkgo/v2 v2.11.0
 	github.com/onsi/gomega v1.27.10
 	k8s.io/api v0.28.3
 	k8s.io/apimachinery v0.28.3
@@ -24,12 +24,14 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -39,7 +41,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.16.0 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
@@ -56,11 +57,11 @@ require (
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.28.3 // indirect