Add metadata:label support to sync secret

apis/v1alpha1/secretproviderclass_types.go

@@ -32,8 +32,10 @@ type SecretObject struct {
 	// name of the K8s secret object
 	SecretName string `json:"secretName,omitempty"`
 	// type of K8s secret object
-	Type string              `json:"type,omitempty"`
-	Data []*SecretObjectData `json:"data,omitempty"`
+	Type string `json:"type,omitempty"`
+	// labels of K8s secret object
+	Labels map[string]string   `json:"labels,omitempty"`
+	Data   []*SecretObjectData `json:"data,omitempty"`
 }
 
 // SecretProviderClassSpec defines the desired state of SecretProviderClass

config/crd/bases/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml

@@ -62,6 +62,11 @@ spec:
                           type: string
                       type: object
                     type: array
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: labels of K8s secret object
+                    type: object
                   secretName:
                     description: name of the K8s secret object
                     type: string

controllers/secretproviderclasspodstatus_controller.go

@@ -175,7 +175,7 @@ func (r *SecretProviderClassPodStatusReconciler) Reconcile(req ctrl.Request) (ct
 			}
 
 			createFn := func() (bool, error) {
-				if err := r.createK8sSecret(ctx, secretObj.SecretName, req.Namespace, datamap, secretType); err != nil {
+				if err := r.createK8sSecret(ctx, secretObj.SecretName, req.Namespace, datamap, secretObj.Labels, secretType); err != nil {
 					logger.Errorf("failed createK8sSecret, err: %v for secret: %s", err, secretObj.SecretName)
 					return false, nil
 				}
@@ -225,11 +225,12 @@ func (r *SecretProviderClassPodStatusReconciler) SetupWithManager(mgr ctrl.Manag
 
 // createK8sSecret creates K8s secret with data from mounted files
 // If a secret with the same name already exists in the namespace of the pod, the error is nil.
-func (r *SecretProviderClassPodStatusReconciler) createK8sSecret(ctx context.Context, name, namespace string, datamap map[string][]byte, secretType corev1.SecretType) error {
+func (r *SecretProviderClassPodStatusReconciler) createK8sSecret(ctx context.Context, name, namespace string, datamap map[string][]byte, labelsmap map[string]string, secretType corev1.SecretType) error {
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 			Name:      name,
+			Labels:    labelsmap,
 		},
 		Type: secretType,
 		Data: datamap,

controllers/secretproviderclasspodstatus_controller_test.go

@@ -46,11 +46,12 @@ func setupScheme() (*runtime.Scheme, error) {
 	return scheme, nil
 }
 
-func newSecret(name, namespace string) *v1.Secret {
+func newSecret(name, namespace string, labels map[string]string) *v1.Secret {
 	return &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            name,
 			Namespace:       namespace,
+			Labels:          labels,
 			ResourceVersion: "73659",
 		},
 	}
@@ -90,8 +91,10 @@ func TestSecretExists(t *testing.T) {
 	scheme, err := setupScheme()
 	g.Expect(err).NotTo(HaveOccurred())
 
+	labels := map[string]string{"environment": "test"}
+
 	initObjects := []runtime.Object{
-		newSecret("my-secret", "default"),
+		newSecret("my-secret", "default", labels),
 	}
 
 	client := fake.NewFakeClientWithScheme(scheme, initObjects...)
@@ -114,8 +117,10 @@ func TestPatchSecretWithOwnerRef(t *testing.T) {
 
 	spcPodStatus := newSecretProviderClassPodStatus("my-spcps", "default", "node1")
 
+	labels := map[string]string{"environment": "test"}
+
 	initObjects := []runtime.Object{
-		newSecret("my-secret", "default"),
+		newSecret("my-secret", "default", labels),
 		spcPodStatus,
 	}
 	client := fake.NewFakeClientWithScheme(scheme, initObjects...)
@@ -136,20 +141,25 @@ func TestCreateK8sSecret(t *testing.T) {
 	scheme, err := setupScheme()
 	g.Expect(err).NotTo(HaveOccurred())
 
+	labels := map[string]string{"environment": "test"}
+
 	initObjects := []runtime.Object{
-		newSecret("my-secret", "default"),
+		newSecret("my-secret", "default", labels),
 	}
 	client := fake.NewFakeClientWithScheme(scheme, initObjects...)
 	reconciler := newReconciler(client, scheme)
 
 	// secret already exists
-	err = reconciler.createK8sSecret(context.TODO(), "my-secret", "default", nil, v1.SecretTypeOpaque)
+	err = reconciler.createK8sSecret(context.TODO(), "my-secret", "default", nil, labels, v1.SecretTypeOpaque)
 	g.Expect(err).NotTo(HaveOccurred())
 
-	err = reconciler.createK8sSecret(context.TODO(), "my-secret2", "default", nil, v1.SecretTypeOpaque)
+	err = reconciler.createK8sSecret(context.TODO(), "my-secret2", "default", nil, labels, v1.SecretTypeOpaque)
 	g.Expect(err).NotTo(HaveOccurred())
 	secret := &v1.Secret{}
 	err = client.Get(context.TODO(), types.NamespacedName{Name: "my-secret2", Namespace: "default"}, secret)
 	g.Expect(err).NotTo(HaveOccurred())
+
+	g.Expect(secret.Labels).To(Equal(labels))
+
 	g.Expect(secret.Name).To(Equal("my-secret2"))
 }

manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml

@@ -62,6 +62,11 @@ spec:
                           type: string
                       type: object
                     type: array
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: labels of K8s secret object
+                    type: object
                   secretName:
                     description: name of the K8s secret object
                     type: string

manifest_staging/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml

@@ -62,6 +62,11 @@ spec:
                           type: string
                       type: object
                     type: array
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: labels of K8s secret object
+                    type: object
                   secretName:
                     description: name of the K8s secret object
                     type: string

test/bats/azure.bats

@@ -29,6 +29,7 @@ export KEY_NAME=${KEYVAULT_KEY_NAME:-key1}
 export KEY_VERSION=${KEYVAULT_KEY_VERSION:-7cc095105411491b84fe1b92ebbcf01a}
 export KEY_VALUE_CONTAINS=${KEYVAULT_KEY_VALUE:-"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF4K2FadlhJN2FldG5DbzI3akVScgpheklaQ2QxUlBCQVZuQU1XcDhqY05TQk5MOXVuOVJrenJHOFd1SFBXUXNqQTA2RXRIOFNSNWtTNlQvaGQwMFNRCk1aODBMTlNxYkkwTzBMcWMzMHNLUjhTQ0R1cEt5dkpkb01LSVlNWHQzUlk5R2Ywam1ucHNKOE9WbDFvZlRjOTIKd1RINXYyT2I1QjZaMFd3d25MWlNiRkFnSE1uTHJtdEtwZTVNcnRGU21nZS9SL0J5ZXNscGU0M1FubnpndzhRTwpzU3ZMNnhDU21XVW9WQURLL1MxREU0NzZBREM2a2hGTjF5ZHUzbjVBcnREVGI0c0FjUHdTeXB3WGdNM3Y5WHpnClFKSkRGT0JJOXhSTW9UM2FjUWl0Z0c2RGZibUgzOWQ3VU83M0o3dUFQWUpURG1pZGhrK0ZFOG9lbjZWUG9YRy8KNXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t"}
 export CONTAINER_IMAGE=$CONTAINER_IMAGE
+export LABEL_VALUE=${LABEL_VALUE:-"test"}
 
 setup() {
   if [[ -z "${AZURE_CLIENT_ID}" ]] || [[ -z "${AZURE_CLIENT_SECRET}" ]]; then
@@ -125,6 +126,9 @@ setup() {
   result=$(kubectl exec -it $POD printenv | grep SECRET_USERNAME) | awk -F"=" '{ print $2}'
   [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
+  result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.environment}")
+  [[ "${result//$'\r'}" == "${LABEL_VALUE}" ]]
+
   result=$(kubectl get secret foosecret -o json | jq '.metadata.ownerReferences | length')
   [[ "$result" -eq 2 ]]
 }

test/bats/tests/azure/azure_synck8s_v1alpha1_secretproviderclass.yaml

@@ -7,6 +7,8 @@ spec:
   secretObjects:                                 # [OPTIONAL] SecretObject defines the desired state of synced K8s secret objects
   - secretName: foosecret
     type: Opaque
+    labels:                                   
+      environment: "test"
     data: 
     - objectName: secretalias                    # name of the mounted content to sync. this could be the object name or object alias 
       key: username

test/bats/tests/vault/vault_synck8s_v1alpha1_secretproviderclass.yaml

@@ -7,6 +7,8 @@ spec:
   secretObjects:
   - secretName: foosecret
     type: Opaque
+    labels:                                   
+      environment: "test"
     data: 
     - objectName: foo
       key: pwd

test/bats/vault.bats

@@ -10,6 +10,7 @@ NAMESPACE=default
 PROVIDER_YAML=https://raw.githubusercontent.com/hashicorp/secrets-store-csi-driver-provider-vault/master/deployment/provider-vault-installer.yaml
 
 export CONTAINER_IMAGE=nginx
+export LABEL_VALUE=${LABEL_VALUE:-"test"}
 
 @test "install vault provider" {
   run kubectl apply -f $PROVIDER_YAML --namespace $NAMESPACE
@@ -183,6 +184,9 @@ EOF
   result=$(kubectl exec -it $POD -- printenv | grep SECRET_USERNAME | awk -F"=" '{ print $2 }' | tr -d '\r\n')
   [[ "$result" == "hello1" ]]
 
+  result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.environment}")
+  [[ "${result//$'\r'}" == "${LABEL_VALUE}" ]]
+
   result=$(kubectl get secret foosecret -o json | jq '.metadata.ownerReferences | length')
   [[ "$result" -eq 2 ]]
 }