[controller,api] Refactor tenant resource label

This patch refactors the secret selectors to use the
`internal.cozystack.io/tenantresource` label for managing secret
visibility and removes any selectors based on it or the previous
`apps.cozystack.io/tenantresource` label, the idea being that this label
will only ever be set by the controller.

```
[controller,api] Refactor labels for the secret selector.
```

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>

internal/lineagecontrollerwebhook/webhook.go

@@ -18,6 +18,8 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	corev1alpha1 "github.com/cozystack/cozystack/pkg/apis/core/v1alpha1"
 )
 
 var (
@@ -132,7 +134,7 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
 		"apps.cozystack.io/application.name": obj.GetName(),
 	}
 	templateLabels := map[string]string{
-		"kind":  strings.ToLower(obj.GetKind()),
+		"kind": strings.ToLower(obj.GetKind()),
 		"name": obj.GetName(),
 	}
 	if o.GetAPIVersion() != "v1" || o.GetKind() != "Secret" {
@@ -142,9 +144,9 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
 	crd := cfg.appCRDMap[appRef{gv.Group, obj.GetKind()}]
 
 	// TODO: expand this to work with other resources than Secrets
-	labels["apps.cozystack.io/tenantresource"] = func(b bool) string {
+	labels[corev1alpha1.TenantResourceLabelKey] = func(b bool) string {
 		if b {
-			return "true"
+			return corev1alpha1.TenantResourceLabelValue
 		}
 		return "false"
 	}(matchResourceToExcludeInclude(o.GetName(), templateLabels, o.GetLabels(), crd.Spec.Secrets.Exclude, crd.Spec.Secrets.Include))

packages/apps/clickhouse/templates/backup-script.yaml

@@ -4,8 +4,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-backup-script
-  labels:
-    apps.cozystack.io/tenantresource: "false"
 stringData:
   backup.sh: |
     #!/bin/sh

packages/apps/mysql/templates/backup-script.yaml

@@ -4,8 +4,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-backup-script
-  labels:
-    apps.cozystack.io/tenantresource: "false"
 stringData:
   backup.sh: |
     #!/bin/sh

packages/apps/postgres/templates/init-script.yaml

@@ -20,8 +20,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-credentials
-labels:
-  internal.cozystack.io/tenantsecret: "true"
 stringData:
   {{- range $user, $u := .Values.users }}
   {{ quote $user }}: {{ quote (index $passwords $user) }}
@@ -32,8 +30,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-init-script
-  labels:
-    apps.cozystack.io/tenantresource: "false"
 stringData:
   init.sh: |
     #!/bin/bash

packages/apps/vpn/templates/secret.yaml

@@ -22,8 +22,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-vpn
-  labels:
-    apps.cozystack.io/tenantresource: "false"
 type: Opaque
 stringData:
   shadowbox_server_config.json: |

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -192,8 +192,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: alertmanager
-  labels:
-    apps.cozystack.io/tenantresource: "false"
 type: Opaque
 stringData:
   alertmanager.yaml: |

packages/system/cozystack-api/cozyrds/postgres.yaml

@@ -41,3 +41,4 @@ spec:
     include:
       - resourceNames:
           - postgres-{{ .name }}-app
+          - postgres-{{ .name }}-credentials

pkg/apis/core/v1alpha1/tenantresource_types.go

@@ -0,0 +1,4 @@
+package v1alpha1
+
+const TenantResourceLabelKey = "internal.cozystack.io/tenantresource"
+const TenantResourceLabelValue = "true"

pkg/registry/core/tenantmodule/rest.go

@@ -55,7 +55,7 @@ var (
 
 // Define constants for label filtering
 const (
-	TenantModuleLabelKey   = "apps.cozystack.io/tenantmodule"
+	TenantModuleLabelKey   = "internal.cozystack.io/tenantmodule"
 	TenantModuleLabelValue = "true"
 	singularName           = "tenantmodule"
 )

pkg/registry/core/tenantsecret/rest.go

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 // TenantSecret registry – namespaced view over Secrets labelled
-// "internal.cozystack.io/tenantsecret=true".  Internal tenant secret labels are hidden.
+// "internal.cozystack.io/tenantresource=true".  Internal tenant secret labels are hidden.
 
 package tenantsecret
 
@@ -35,8 +35,8 @@ import (
 // -----------------------------------------------------------------------------
 
 const (
-	tsLabelKey           = "apps.cozystack.io/tenantresource"
-	tsLabelValue         = "true"
+	tsLabelKey           = corev1alpha1.TenantResourceLabelKey
+	tsLabelValue         = corev1alpha1.TenantResourceLabelValue
 	singularName         = "tenantsecret"
 	kindTenantSecret     = "TenantSecret"
 	kindTenantSecretList = "TenantSecretList"

pkg/registry/core/tenantsecretstable/rest.go

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 // TenantSecretsTable registry – namespaced, read-only flattened view over
-// Secrets labelled "internal.cozystack.io/tenantsecret=true". Each data key is a separate object.
+// Secrets labelled "internal.cozystack.io/tenantresource=true". Each data key is a separate object.
 
 package tenantsecretstable
 
@@ -29,8 +29,8 @@ import (
 )
 
 const (
-	tsLabelKey     = "apps.cozystack.io/tenantresource"
-	tsLabelValue   = "true"
+	tsLabelKey     = corev1alpha1.TenantResourceLabelKey
+	tsLabelValue   = corev1alpha1.TenantResourceLabelValue
 	kindObj        = "TenantSecretsTable"
 	kindObjList    = "TenantSecretsTableList"
 	singularName   = "tenantsecretstable"