From 4620f7dfa1476e2a6cdff002ede0ba642b3704ce Mon Sep 17 00:00:00 2001
From: Timofei Larkin
Date: Wed, 24 Sep 2025 11:50:52 +0300
Subject: [PATCH] [platform] Add secret selectors to CozyRDs
This patch populates existing CozystackResourceDefinitions with minimal working examples of secret selectors to take advantage of the newest revision of the ancestor tracking webhook.
```release-note
[platform] Specify secret selectors for existing managed apps in their respective CozystackResourceDefinitions, which provides the last bit of information necessary for the lineage webhook to correctly mark secrets as user-facing or not.
```
Signed-off-by: Timofei Larkin
---
 packages/apps/postgres/templates/db.yaml | 4 +-
 .../cozystack-resource-definitions.yaml | 117 ++++++++++++++++++
 2 files changed, 119 insertions(+), 2 deletions(-)
diff --git a/packages/apps/postgres/templates/db.yaml b/packages/apps/postgres/templates/db.yaml
index 516077bd..de4f51a3 100644
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -78,7 +78,7 @@ spec:
 labels:
 policy.cozystack.io/allow-to-apiserver: "true"
 app.kubernetes.io/name: postgres.apps.cozystack.io
- app.kubernets.io/instance: {{ $.Release.Name }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: WorkloadMonitor
@@ -91,5 +91,5 @@ spec:
 type: postgres
 selector:
 app.kubernetes.io/name: postgres.apps.cozystack.io
- app.kubernets.io/instance: {{ $.Release.Name }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
 version: {{ $.Chart.Version }}
diff --git a/packages/system/cozystack-api/templates/cozystack-resource-definitions.yaml b/packages/system/cozystack-api/templates/cozystack-resource-definitions.yaml
index 90d3f629..4526532f 100644
--- a/packages/system/cozystack-api/templates/cozystack-resource-definitions.yaml
+++ b/packages/system/cozystack-api/templates/cozystack-resource-definitions.yaml
@@ -19,6 +19,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -41,6 +46,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -63,6 +73,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -85,6 +100,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -107,6 +127,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -129,6 +154,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -151,6 +181,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
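Review bot: `include: [{}]` in the hunk at `@@ -19,6 +19,11 @@` makes the selector default-allow: an empty label selector matches every Secret, so any Secret that lacks `apps.cozystack.io/tenantresource: "false"` would be marked user-facing, including ones created by operators or subcharts that never set that label. The identical block is repeated in every other hunk of this file, and only the hunk at `@@ -283,6 +343,13 @@` adds an app-specific exclusion. Presumably the webhook only looks at Secrets in the application's own lineage, but within that scope an allowlist would fail closed, e.g. `include: [{matchLabels: {apps.cozystack.io/tenantresource: "true"}}]` (assuming the charts can label tenant-facing Secrets that way). If the default-allow shape is intended, a comment above each block such as `# default-allow: operator-generated Secrets must be excluded explicitly` would record the assumption. The name of each definition lies outside these hunks, so which apps need extra exclusions cannot be judged from here.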
@@ -173,6 +208,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -195,6 +235,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -217,6 +262,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -239,6 +289,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -261,6 +316,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -283,6 +343,13 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ - matchLabels:
+ cnpg.io/userType: superuser
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -305,6 +372,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
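Review bot: The extra exclusion in the hunk at `@@ -283,6 +343,13 @@` hides only Secrets labelled `cnpg.io/userType: superuser`, while everything else the operator generates for a cluster still falls under `include: [{}]`. CloudNativePG also creates CA and TLS certificate Secrets per cluster; if those carry neither this label nor `apps.cozystack.io/tenantresource: "false"`, they would be marked user-facing, CA private key included. It is worth checking on a running cluster which labels those Secrets actually have, and either adding further `matchLabels` exclusions or narrowing the include to `cnpg.io/userType: app` if that is the only Secret tenants need. A comment above the second entry, e.g. `# hide CNPG superuser credentials from tenants`, would also record why this definition differs from the others.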
@@ -327,6 +399,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -349,6 +426,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -371,6 +453,11 @@ spec:
 kind: HelmRepository
 name: cozystack-apps
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -393,6 +480,11 @@ spec:
 kind: HelmRepository
 name: cozystack-extra
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -415,6 +507,11 @@ spec:
 kind: HelmRepository
 name: cozystack-extra
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -437,6 +534,11 @@ spec:
 kind: HelmRepository
 name: cozystack-extra
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -459,6 +561,11 @@ spec:
 kind: HelmRepository
 name: cozystack-extra
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -481,6 +588,11 @@ spec:
 kind: HelmRepository
 name: cozystack-extra
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: CozystackResourceDefinition
@@ -503,3 +615,8 @@ spec:
 kind: HelmRepository
 name: cozystack-extra
 namespace: cozy-public
+ secrets:
+ exclude:
+ - matchLabels:
+ apps.cozystack.io/tenantresource: "false"
+ include: [{}]