Merge pull request #314 from aramase/add-label

k8s-ci-robot · web-flow · commit a48a899ffc1e · 2020-09-16T17:44:46.000-07:00
feat: add managed label to secret created by driver
diff --git a/controllers/secretproviderclasspodstatus_controller.go b/controllers/secretproviderclasspodstatus_controller.go
@@ -45,6 +45,8 @@ import (
 const (
 	certType       = "CERTIFICATE"
 	privateKeyType = "RSA PRIVATE KEY"
+
+	secretManagedLabel = "secrets-store.csi.k8s.io/managed"
 )
 
 // SecretProviderClassPodStatusReconciler reconciles a SecretProviderClassPodStatus object
@@ -173,8 +175,17 @@ func (r *SecretProviderClassPodStatusReconciler) Reconcile(req ctrl.Request) (ct
 				}
 			}
 
+			labelsMap := make(map[string]string)
+			if secretObj.Labels != nil {
+				labelsMap = secretObj.Labels
+			}
+			// Set secrets-store.csi.k8s.io/managed=true label on the secret that's created and managed
+			// by the secrets-store-csi-driver. This label will be used to perform a filtered list watch
+			// only on secrets created and managed by the driver
+			labelsMap[secretManagedLabel] = "true"
+
 			createFn := func() (bool, error) {
-				if err := r.createK8sSecret(ctx, secretObj.SecretName, req.Namespace, datamap, secretObj.Labels, secretType); err != nil {
+				if err := r.createK8sSecret(ctx, secretObj.SecretName, req.Namespace, datamap, labelsMap, secretType); err != nil {
 					logger.Errorf("failed createK8sSecret, err: %v for secret: %s", err, secretObj.SecretName)
 					return false, nil
 				}
diff --git a/test/bats/azure.bats b/test/bats/azure.bats
@@ -130,6 +130,9 @@ setup() {
   result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.environment}")
   [[ "${result//$'\r'}" == "${LABEL_VALUE}" ]]
 
+  result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.secrets-store\.csi\.k8s\.io/managed}")
+  [[ "${result//$'\r'}" == "true" ]]
+
   result=$(kubectl get secret foosecret -o json | jq '.metadata.ownerReferences | length')
   [[ "$result" -eq 4 ]]
 }
diff --git a/test/bats/vault.bats b/test/bats/vault.bats
@@ -190,6 +190,9 @@ EOF
   result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.environment}")
   [[ "${result//$'\r'}" == "${LABEL_VALUE}" ]]
 
+  result=$(kubectl get secret foosecret  -o jsonpath="{.metadata.labels.secrets-store\.csi\.k8s\.io/managed}")
+  [[ "${result//$'\r'}" == "true" ]]
+
   result=$(kubectl get secret foosecret -o json | jq '.metadata.ownerReferences | length')
   [[ "$result" -eq 4 ]]
 }

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,9 @@ setup() {`
`130`	`130`	`result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.environment}")`
`131`	`131`	`[[ "${result//$'\r'}" == "${LABEL_VALUE}" ]]`
`132`	`132`
	`133`	`+ result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.secrets-store\.csi\.k8s\.io/managed}")`
	`134`	`+ [[ "${result//$'\r'}" == "true" ]]`
	`135`	`+`
`133`	`136`	`result=$(kubectl get secret foosecret -o json \| jq '.metadata.ownerReferences \| length')`
`134`	`137`	`[[ "$result" -eq 4 ]]`
`135`	`138`	`}`
Original file line number	Diff line number	Diff line change
`@@ -190,6 +190,9 @@ EOF`
`190`	`190`	`result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.environment}")`
`191`	`191`	`[[ "${result//$'\r'}" == "${LABEL_VALUE}" ]]`
`192`	`192`
	`193`	`+ result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.secrets-store\.csi\.k8s\.io/managed}")`
	`194`	`+ [[ "${result//$'\r'}" == "true" ]]`
	`195`	`+`
`193`	`196`	`result=$(kubectl get secret foosecret -o json \| jq '.metadata.ownerReferences \| length')`
`194`	`197`	`[[ "$result" -eq 4 ]]`
`195`	`198`	`}`