-
-
Notifications
You must be signed in to change notification settings - Fork 783
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement Kubernetes PushSecret metadata #3600
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Signed-off-by: Moritz Johner <[email protected]>
Do you plan to eventually upgrade #2600 to be consistent with this enhanced approach to managing pushsecret metadata? |
Oh, i see. It's actually the same thing i'm using here, it's just documented wrong 😞 its |
This PR introduces a more sophisticated schema that moves the annotations and labels fields below the new spec field and defines new merge policy fields. Will the other provider be eventually upgraded to support this new schema? |
Signed-off-by: Moritz Johner <[email protected]>
|
This is up to discussion if we want such a "convoluted" structure for metadata parameters. We could also keep it simple and unversioned. Though that will bite us in the future. |
Hi @moolen, is there a plan/timeframe for approving the linked PushSecret metadata proposal and subsequently moving this PR forward? Thanks! |
This seem a bit overcomplication of things, however, we need the feature that adds labels and annotations to the pushed secrets. Getting rid of the |
Towards #3443. This PR enhances the Kubernetes provider to support both
.spec.template.metadata
and.spec.data[0].metadata
. It allows users to define bothlabels
andannotations
on the target secret.targetMergePolicy=Ignore
.👆 this is up for discussion. My point is that it should push the metadata by default, as expected by users described in #3443.
TODOs:
PushSecretMetadata
spec.targetMergePolicy
to control the behaviour when writing the metadata to the target secret, e.g.Merge
orOverride
spec.metadataMergePolicy
to control if the source secret metadata (that includes the template metadata) and the.data[].metadata
is merged or replaced.PushSecret Metadata
The Kubernetes provider is able to manage both
metadata.labels
andmetadata.annotations
of the secret on the target cluster.Users have different preferences on what metadata should be pushed. ESO by default pushes both labels and annotations to the target secret and merges them with the existing metadata.
You can specify the metadata in the
spec.template.metadata
section if you want to decouple it from the existing secret.Further, you can leverage the
.data[].metadata
section to fine-tine the behaviour of the metadata merge strategy. The metadata section is a versioned custom-resource alike structure, the behaviour is detailed below.Merge
,Replace
Merge
will merge the metadata of the source secret with the metadata defined in.data[].metadata
. WithReplace
, the metadata in.data[].metadata
replaces the source metadata.Merge
,Replace
,Ignore
Merge
, the source metadata is merged with the existing metadata from the target secret.Replace
will replace the target metadata with the metadata defined in the source.Ignore
leaves the target metadata as is.map[string]string
map[string]string