(#16) Add create secret --append-hash=false

So we can easily create secrets for use with ExternalSecret resources.

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso-creds-refresher/component.cue

@@ -15,6 +15,10 @@ objects: #CredsRefresherService.objects
 
 #TargetNamespace: #CredsRefresher.namespace
 
+#Kustomization: spec: {
+	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
+}
+
 let NAME = #CredsRefresher.name
 let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"
 let MOUNT = "/var/run/service-account"

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/eso.cue

@@ -1,3 +1,30 @@
 package holos
 
+// Manages the External Secrets Operator from the official upstream Helm chart.
+
+#TargetNamespace: "external-secrets"
+
 #InputKeys: component: "eso"
+
+#InputKeys: {
+	project: "secrets"
+	service: "eso"
+}
+
+#Kustomization: spec: {
+	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
+	targetNamespace: #TargetNamespace
+}
+
+#HelmChart & {
+	values: installCrds: true
+	namespace: #TargetNamespace
+	chart: {
+		name:    "external-secrets"
+		version: "0.9.12"
+		repository: {
+			name: "external-secrets"
+			url:  "https://charts.external-secrets.io"
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/inputkeys.cue

@@ -1,8 +0,0 @@
-package holos
-
-#TargetNamespace: "external-secrets"
-
-#InputKeys: {
-	project: "secrets"
-	service: "eso"
-}

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/output.cue

@@ -1,16 +0,0 @@
-package holos
-
-#Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-namespaces"}]
-
-#HelmChart & {
-	values: installCrds: true
-	namespace: #TargetNamespace
-	chart: {
-		name:    "external-secrets"
-		version: "0.9.12"
-		repository: {
-			name: "external-secrets"
-			url:  "https://charts.external-secrets.io"
-		}
-	}
-}

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/validate/component.cue

@@ -1,11 +1,21 @@
 package holos
 
+// Validate ESO by syncing a secret with a SecretStore.
+
+#TargetNamespace: "holos-system"
+
+#InputKeys: {
+	project:   "secrets"
+	component: "validate"
+}
+
 #Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-eso"}]
 
 objects: [
 	#SecretStore,
 	#ExternalSecret & {
 		_name: "validate"
+		metadata: namespace: #TargetNamespace
 		spec: dataFrom: [{extract: key: "ns/" + #TargetNamespace + "/test"}]
 	},
 ]

docs/examples/platforms/reference/namespaces.cue

@@ -1,6 +1,7 @@
 package holos
 
 #PlatformNamespaces: [
+	{name: "external-secrets"},
 	{name: "holos-system"},
 	{name: "flux-system"},
 	{name: "ceph-system"},

docs/examples/platforms/reference/projects/secrets/components/validate/inputkeys.cue

@@ -1,8 +0,0 @@
-package holos
-
-#TargetNamespace: "default"
-
-#InputKeys: {
-	project:   "secrets"
-	component: "validate"
-}

docs/examples/schema.cue

@@ -79,6 +79,8 @@ _apiVersion: "holos.run/v1alpha1"
 			kind: string | *"GitRepository"
 			name: string | *"flux-system"
 		}
+		suspend?: bool
+		targetNamespace?: string
 		timeout: string | *"3m0s"
 		wait:    bool | *true
 	}
@@ -88,7 +90,7 @@ _apiVersion: "holos.run/v1alpha1"
 #ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
 	_name: string
 	metadata: {
-		namespace: string | *"default"
+		namespace: string
 		name:      _name
 	}
 	spec: {

pkg/cli/secret/create.go

@@ -26,6 +26,7 @@ func NewCreateCmd(hc *holos.Config) *cobra.Command {
 	cfg, flagSet := newConfig()
 	flagSet.Var(&cfg.files, "from-file", "store files as keys in the secret")
 	cfg.dryRun = flagSet.Bool("dry-run", false, "dry run")
+	cfg.appendHash = flagSet.Bool("append-hash", true, "append hash to kubernetes secret name")
 
 	cmd.Flags().SortFlags = false
 	cmd.Flags().AddGoFlagSet(flagSet)
@@ -72,10 +73,12 @@ func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
 			secret.Labels[ClusterLabel] = *cfg.cluster
 		}
 
-		if secretHash, err := hash.SecretHash(secret); err != nil {
-			return wrapper.Wrap(err)
-		} else {
-			secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+		if *cfg.appendHash {
+			if secretHash, err := hash.SecretHash(secret); err != nil {
+				return wrapper.Wrap(err)
+			} else {
+				secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+			}
 		}
 
 		if *cfg.dryRun {

pkg/cli/secret/secret.go

@@ -12,13 +12,14 @@ const ClusterLabel = "holos.run/cluster.name"
 type secretData map[string][]byte
 
 type config struct {
-	files     holos.StringSlice
-	printFile *string
-	extract   *bool
-	dryRun    *bool
-	cluster   *string
-	namespace *string
-	extractTo *string
+	files      holos.StringSlice
+	printFile  *string
+	extract    *bool
+	dryRun     *bool
+	appendHash *bool
+	cluster    *string
+	namespace  *string
+	extractTo  *string
 }
 
 func newConfig() (*config, *flag.FlagSet) {

pkg/cli/secret/testdata/create_secret_no_hash.txt

@@ -0,0 +1,7 @@
+# Want no hash appended
+holos create secret test --namespace holos-system --from-file $WORK/test --append-hash=false
+stderr ' created: test '
+stderr ' secret=test '
+
+-- test --
+sekret

pkg/cli/secret/testdata/create_secret_no_hash_dry_run.txt

@@ -0,0 +1,6 @@
+# Want no hash appended
+holos create secret test --namespace holos-system --from-file $WORK/test --append-hash=false --dry-run
+stdout 'name: test$'
+
+-- test --
+sekret

pkg/version/embedded/minor

@@ -1 +1 @@
-45
+46

pkg/version/embedded/patch

@@ -1 +1 @@
-2
+0