From 48919c0cfe827d8f2a778697e696ab3abf882e97 Mon Sep 17 00:00:00 2001
From: Timofei Larkin
Date: Tue, 23 Sep 2025 17:37:23 +0300
Subject: [PATCH] [platform] Add secret selectors to app definitions

This patch expands the CozystackResourceDefinitions with new label selector fields to include and exclude secrets by their labelsets. This will enable application developers to selectively show or hide application secrets to and from end-users.

```release-note
[platform] Add selectors for application secrets, offering developers an API to control secret visibility for end users.
```

Signed-off-by: Timofei Larkin
---
 .../cozystackresourcedefinitions_types.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/api/v1alpha1/cozystackresourcedefinitions_types.go b/api/v1alpha1/cozystackresourcedefinitions_types.go
index ea7c5d51..91a6e62b 100644
--- a/api/v1alpha1/cozystackresourcedefinitions_types.go
+++ b/api/v1alpha1/cozystackresourcedefinitions_types.go
@@ -32,7 +32,7 @@ type CozystackResourceDefinition struct {
 // +kubebuilder:object:root=true
-// CozystackResourceDefinitionList contains a list of CozystackResourceDefinition
+// CozystackResourceDefinitionList contains a list of CozystackResourceDefinitions
 type CozystackResourceDefinitionList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata,omitempty"`
@@ -48,6 +48,8 @@ type CozystackResourceDefinitionSpec struct {
 Application CozystackResourceDefinitionApplication `json:"application"`
 // Release configuration
 Release CozystackResourceDefinitionRelease `json:"release"`
+ // Secret selectors
+ Secrets CozystackResourceDefinitionSecrets `json:"secrets,omitempty"`
 }
 type CozystackResourceDefinitionChart struct {
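Review bot: `omitempty` on the new `Secrets` field in `CozystackResourceDefinitionSpec` does nothing, because encoding/json never treats a struct value as empty, so every serialized spec will carry `"secrets":{}`. If the field is meant to be optional, declare it as a pointer (`Secrets *CozystackResourceDefinitionSecrets` with the same tag) or keep the value and put `// +optional` above it so the intent is explicit. The comment `// Secret selectors` would also read better as `// Secrets selects which application secrets are shown to end users.` The diffstat lists only this file, so the generated deepcopy code and CRD manifest presumably still need regenerating for the new slice-of-pointer fields; without that a copied spec may share selectors with the original.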
@@ -87,3 +89,15 @@ type CozystackResourceDefinitionRelease struct {
 // Prefix for the release name
 Prefix string `json:"prefix"`
 }
+
+type CozystackResourceDefinitionSecrets struct {
+ // Exclude contains an array of label selectors that target secrets.
+ // If a secret matches the selector in any of the elements in the array, it is
+ // hidden from the user, regardless of the matches in the include array.
+ Exclude []*metav1.LabelSelector `json:"exclude,omitempty"`
+ // Include contains an array of label selectors that target secrets.
+ // If a secret matches the selector in any of the elements in the array, and
+ // matches none of the selectors in the exclude array that secret is marked
+ // as a tenant secret and is visible to users.
+ Include []*metav1.LabelSelector `json:"include,omitempty"`
+}
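Review bot: The comments on `Exclude` and `Include` do not say what an empty `Include` list or an empty selector means, and for fields that decide which secrets end users can read that default should be written down and should fail closed. With the usual `metav1.LabelSelectorAsSelector` conversion an empty `{}` selector matches every object and a nil one matches nothing, so a single `{}` entry under `include` would presumably expose every secret of the application; the code that evaluates these selectors is not in this patch, so that is an inference. I would extend the `Include` comment with `// An empty list selects no secrets; an empty selector ({}) matches every secret.`, adjusted to what the consumer really does, and give the type its own comment, `// CozystackResourceDefinitionSecrets selects which secrets are exposed to tenant users.` Since a `null` array element is representable with `[]*metav1.LabelSelector`, `[]metav1.LabelSelector` would remove one nil case the consumer otherwise has to handle.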