(#16 ) Add create secret --append-hash=false

So we can easily create secrets for use with ExternalSecret resources.
(#14 ) Validate SecretStore works
2026-03-20 01:04:59 +00:00 · 2024-02-27 12:04:00 -08:00 · 2024-02-27 11:25:00 -08:00
12 changed files with 56 additions and 32 deletions
--- a/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso-creds-refresher/component.cue
+++ b/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso-creds-refresher/component.cue
@@ -15,6 +15,10 @@ objects: #CredsRefresherService.objects

 #TargetNamespace: #CredsRefresher.namespace

+#Kustomization: spec: {
+	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
+}
+
 let NAME = #CredsRefresher.name
 let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"
 let MOUNT = "/var/run/service-account"
--- a/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/output.cue
+++ b/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/output.cue
@@ -1,5 +1,16 @@
 package holos

+// Manages the External Secrets Operator from the official upstream Helm chart.
+
+#TargetNamespace: "external-secrets"
+
+#InputKeys: component: "eso"
+
+#InputKeys: {
+	project: "secrets"
+	service: "eso"
+}
+
 #Kustomization: spec: {
 	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
 	targetNamespace: #TargetNamespace
--- a/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/inputkeys.cue
+++ b/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/inputkeys.cue
@@ -1,10 +0,0 @@
-package holos
-
-#TargetNamespace: "external-secrets"
-
-#InputKeys: component: "eso"
-
-#InputKeys: {
-	project: "secrets"
-	service: "eso"
-}
--- a/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/validate/component.cue
+++ b/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/validate/component.cue
@@ -1,11 +1,21 @@
 package holos

+// Validate ESO by syncing a secret with a SecretStore.
+
+#TargetNamespace: "holos-system"
+
+#InputKeys: {
+	project:   "secrets"
+	component: "validate"
+}
+
 #Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-eso"}]

 objects: [
 	#SecretStore,
 	#ExternalSecret & {
 		_name: "validate"
+		metadata: namespace: #TargetNamespace
 		spec: dataFrom: [{extract: key: "ns/" + #TargetNamespace + "/test"}]
 	},
 ]
--- a/docs/examples/platforms/reference/projects/secrets/components/validate/inputkeys.cue
+++ b/docs/examples/platforms/reference/projects/secrets/components/validate/inputkeys.cue
@@ -1,8 +0,0 @@
-package holos
-
-#TargetNamespace: "default"
-
-#InputKeys: {
-	project:   "secrets"
-	component: "validate"
-}
--- a/docs/examples/schema.cue
+++ b/docs/examples/schema.cue
@@ -90,7 +90,7 @@ _apiVersion: "holos.run/v1alpha1"
 #ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
 	_name: string
 	metadata: {
-		namespace: string | *"default"
+		namespace: string
 		name:      _name
 	}
 	spec: {
--- a/pkg/cli/secret/create.go
+++ b/pkg/cli/secret/create.go
@@ -26,6 +26,7 @@ func NewCreateCmd(hc *holos.Config) *cobra.Command {
 	cfg, flagSet := newConfig()
 	flagSet.Var(&cfg.files, "from-file", "store files as keys in the secret")
 	cfg.dryRun = flagSet.Bool("dry-run", false, "dry run")
+	cfg.appendHash = flagSet.Bool("append-hash", true, "append hash to kubernetes secret name")

 	cmd.Flags().SortFlags = false
 	cmd.Flags().AddGoFlagSet(flagSet)
@@ -72,10 +73,12 @@ func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
 			secret.Labels[ClusterLabel] = *cfg.cluster
 		}

-		if secretHash, err := hash.SecretHash(secret); err != nil {
-			return wrapper.Wrap(err)
-		} else {
-			secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+		if *cfg.appendHash {
+			if secretHash, err := hash.SecretHash(secret); err != nil {
+				return wrapper.Wrap(err)
+			} else {
+				secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+			}
 		}

 		if *cfg.dryRun {
--- a/pkg/cli/secret/secret.go
+++ b/pkg/cli/secret/secret.go
@@ -12,13 +12,14 @@ const ClusterLabel = "holos.run/cluster.name"
 type secretData map[string][]byte

 type config struct {
-	files     holos.StringSlice
-	printFile *string
-	extract   *bool
-	dryRun    *bool
-	cluster   *string
-	namespace *string
-	extractTo *string
+	files      holos.StringSlice
+	printFile  *string
+	extract    *bool
+	dryRun     *bool
+	appendHash *bool
+	cluster    *string
+	namespace  *string
+	extractTo  *string
 }

 func newConfig() (*config, *flag.FlagSet) {
--- a/pkg/cli/secret/testdata/create_secret_no_hash.txt
+++ b/pkg/cli/secret/testdata/create_secret_no_hash.txt
@@ -0,0 +1,7 @@
+# Want no hash appended
+holos create secret test --namespace holos-system --from-file $WORK/test --append-hash=false
+stderr ' created: test '
+stderr ' secret=test '
+
+-- test --
+sekret
--- a/pkg/cli/secret/testdata/create_secret_no_hash_dry_run.txt
+++ b/pkg/cli/secret/testdata/create_secret_no_hash_dry_run.txt
@@ -0,0 +1,6 @@
+# Want no hash appended
+holos create secret test --namespace holos-system --from-file $WORK/test --append-hash=false --dry-run
+stdout 'name: test$'
+
+-- test --
+sekret
--- a/pkg/version/embedded/minor
+++ b/pkg/version/embedded/minor
@@ -1 +1 @@
-45
+46
--- a/pkg/version/embedded/patch
+++ b/pkg/version/embedded/patch
@@ -1 +1 @@
-3
+0
Author	SHA1	Message	Date
Jeff McCune	40ac705f0d	(#16 ) Add create secret --append-hash=false So we can easily create secrets for use with ExternalSecret resources.	2024-02-27 12:04:00 -08:00
Jeff McCune	b4ad6425e5	(#14 ) Validate SecretStore works This patch validates a SecretStore in the holos-system namespace works after provisioner credentials are refreshed.	2024-02-27 11:25:00 -08:00