(#14 ) Validate secrets fetched from provisioner cluster

This patch validates secrets are synced from the provisioner cluster to a workload cluster. This verifies the eso-creds-refresher job, external secrets operator, etc... Refer to 0ae58858f5 for the corresponding commit on the k2 cluster.
2026-03-19 08:44:58 +00:00 · 2024-02-27 15:55:17 -08:00
4 changed files with 13 additions and 28 deletions
--- a/platform.run.xml
+++ b/platform.run.xml
@@ -1,16 +0,0 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="render platform" type="GoApplicationRunConfiguration" factoryName="Go Application">
-    <module name="holos" />
-    <working_directory value="$PROJECT_DIR$/../holos-infra" />
-    <parameters value="render --cluster-name=k2 $PROJECT_DIR$/docs/examples/platforms/reference/clusters/workload/..." />
-    <envs>
-      <env name="DEBUG" value="1" />
-    </envs>
-    <kind value="DIRECTORY" />
-    <package value="github.com/holos-run/holos" />
-    <directory value="$PROJECT_DIR$/cmd/holos" />
-    <filePath value="$PROJECT_DIR$" />
-    <output_directory value="$PROJECT_DIR$/bin" />
-    <method v="2" />
-  </configuration>
-</component>
--- a/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/validate/component.cue
+++ b/docs/examples/platforms/reference/clusters/workload/projects/secrets/components/validate/component.cue
@@ -13,10 +13,7 @@ package holos

 objects: [
 	#SecretStore,
-	#ExternalSecret & {
-		_name: "validate"
-		spec: data: [{remoteRef: key: _name}]
-	},
+	#ExternalSecret & { _name: "validate" },
 ]

 {} & #KubernetesObjects
--- a/docs/examples/schema.cue
+++ b/docs/examples/schema.cue
@@ -79,10 +79,10 @@ _apiVersion: "holos.run/v1alpha1"
 			kind: string | *"GitRepository"
 			name: string | *"flux-system"
 		}
-		suspend?: bool
+		suspend?:         bool
 		targetNamespace?: string
-		timeout: string | *"3m0s"
-		wait:    bool | *true
+		timeout:          string | *"3m0s"
+		wait:             bool | *true
 	}
 }

@@ -102,6 +102,10 @@ _apiVersion: "holos.run/v1alpha1"
 		target: {
 			creationPolicy: string | *"Owner"
 		}
+		data: [{
+			remoteRef: key: _name
+			secretKey: _name
+		}]
 	}
 }

@@ -115,11 +119,11 @@ _apiVersion: "holos.run/v1alpha1"
 			remoteNamespace: #TargetNamespace
 			auth: token: bearerToken: {
 				name: string | *"eso-reader"
-				key: string | *"token"
+				key:  string | *"token"
 			}
 			server: {
 				caBundle: #InputKeys.provisionerCABundle
-				url: #InputKeys.provisionerURL
+				url:      #InputKeys.provisionerURL
 			}
 		}
 	}
@@ -142,9 +146,9 @@ _apiVersion: "holos.run/v1alpha1"
 	gcpProjectID:     string @tag(gcpProjectID, type=string)
 	gcpProjectNumber: int    @tag(gcpProjectNumber, type=int)

-  // Same as cluster certificate-authority-data field in ~/.holos/kubeconfig.provisioner
+	// Same as cluster certificate-authority-data field in ~/.holos/kubeconfig.provisioner
 	provisionerCABundle: string @tag(provisionerCABundle, type=string)
-  // Same as the cluster server field in ~/.holos/kubeconfig.provisioner
+	// Same as the cluster server field in ~/.holos/kubeconfig.provisioner
 	provisionerURL: string @tag(provisionerURL, type=string)
 }

--- a/pkg/version/embedded/patch
+++ b/pkg/version/embedded/patch
@@ -1 +1 @@
-1
+2