From ffe41fabab81c809e2811ae7f1b6357e53d57fc1 Mon Sep 17 00:00:00 2001 From: Simon Devineau Date: Thu, 23 Apr 2026 12:21:33 +0200 Subject: [PATCH] feat: allow to add annotations to secret (#15) --- api/v1alpha1/postgresrole_types.go | 1 + api/v1alpha1/zz_generated.deepcopy.go | 7 +++++++ ...s-operator.hoppscale.com_postgresroles.yaml | 4 ++++ internal/controller/postgresrole_controller.go | 18 +++++++++++++++--- .../controller/postgresrole_controller_test.go | 3 +++ 5 files changed, 30 insertions(+), 3 deletions(-) diff --git a/api/v1alpha1/postgresrole_types.go b/api/v1alpha1/postgresrole_types.go index 26e6d96..39e4cfc 100644 --- a/api/v1alpha1/postgresrole_types.go +++ b/api/v1alpha1/postgresrole_types.go @@ -53,6 +53,7 @@ type PostgresRoleSpec struct { PasswordFromSecret *PostgresRolePasswordFromSecret `json:"passwordFromSecret,omitempty"` SecretName string `json:"secretName,omitempty"` SecretTemplate map[string]string `json:"secretTemplate,omitempty"` + SecretAnnotations map[string]string `json:"secretAnnotations,omitempty"` MemberOfRoles []string `json:"memberOfRoles,omitempty"` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 669541d..69ff021 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -244,6 +244,13 @@ func (in *PostgresRoleSpec) DeepCopyInto(out *PostgresRoleSpec) { (*out)[key] = val } } + if in.SecretAnnotations != nil { + in, out := &in.SecretAnnotations, &out.SecretAnnotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } if in.MemberOfRoles != nil { in, out := &in.MemberOfRoles, &out.MemberOfRoles *out = make([]string, len(*in)) diff --git a/deploy/crds/managed-postgres-operator.hoppscale.com_postgresroles.yaml b/deploy/crds/managed-postgres-operator.hoppscale.com_postgresroles.yaml index df61419..206feee 100644 --- a/deploy/crds/managed-postgres-operator.hoppscale.com_postgresroles.yaml 
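Review bot: The new `SecretAnnotations` field in `PostgresRoleSpec` has no doc comment and no validation, and the `reconcileRoleSecret` hunks later in this patch (Secret creation with `Annotations: secretAnnotations`, and the update loop) copy it onto the credential Secret verbatim. Anyone who may create or edit a PostgresRole can therefore place any annotation on a Secret that holds database credentials, including keys that other annotation-driven controllers in the cluster act on. Whether that matters depends on what runs in the cluster, which the diff does not show. I would document the behaviour on the field, e.g. `// SecretAnnotations are copied unfiltered onto the generated Secret's metadata.`, and consider rejecting reserved prefixes such as `kubernetes.io/` in the reconciler or through CRD validation.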
+++ b/deploy/crds/managed-postgres-operator.hoppscale.com_postgresroles.yaml @@ -82,6 +82,10 @@ spec: type: object replication: type: boolean + secretAnnotations: + additionalProperties: + type: string + type: object secretName: type: string secretTemplate: diff --git a/internal/controller/postgresrole_controller.go b/internal/controller/postgresrole_controller.go index 20f5540..4f816cb 100644 --- a/internal/controller/postgresrole_controller.go +++ b/internal/controller/postgresrole_controller.go @@ -156,6 +156,7 @@ func (r *PostgresRoleReconciler) Reconcile(ctx context.Context, req ctrl.Request resource.ObjectMeta.Namespace, resource.Spec.SecretName, resource.Spec.SecretTemplate, + resource.Spec.SecretAnnotations, &desiredRole, r.PGPools.Default.Config().ConnConfig, ) @@ -337,7 +338,7 @@ func (r *PostgresRoleReconciler) reconcileRoleMembership(role string, desiredMem return err } -func (r *PostgresRoleReconciler) reconcileRoleSecret(secretNamespace, secretName string, secretTemplate map[string]string, role *postgresql.Role, pgConfig *pgx.ConnConfig) (err error) { +func (r *PostgresRoleReconciler) reconcileRoleSecret(secretNamespace, secretName string, secretTemplate map[string]string, secretAnnotations map[string]string, role *postgresql.Role, pgConfig *pgx.ConnConfig) (err error) { // Do not create Secret if no name provided by the user if secretName == "" { return err @@ -391,8 +392,9 @@ func (r *PostgresRoleReconciler) reconcileRoleSecret(secretNamespace, secretName if errors.IsNotFound(err) { resourceSecret = &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Namespace: secretNamespace, - Name: secretName, + Namespace: secretNamespace, + Name: secretName, + Annotations: secretAnnotations, Labels: map[string]string{ "app.kubernetes.io/managed-by": "managed-postgres-operator.hoppscale.com", }, 
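Review bot: `reconcileRoleSecret` (hunk at -337) now takes two adjacent `map[string]string` parameters, `secretTemplate` and `secretAnnotations`, so a call site that swaps them still compiles. The updated tests pass `make(map[string]string)` for both, which would not catch a transposition. A doc comment above the function would help, e.g. `// secretAnnotations: annotations set on a newly created Secret and merged into an existing one.`, or the six positional arguments could be replaced by passing the spec or a small options struct. The function body lies mostly outside this hunk.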
@@ -421,6 +423,16 @@ func (r *PostgresRoleReconciler) reconcileRoleSecret(secretNamespace, secretName toUpdate = true } + if resourceSecret.ObjectMeta.Annotations == nil { + resourceSecret.ObjectMeta.Annotations = make(map[string]string) + } + for k, v := range secretAnnotations { + if val, ok := resourceSecret.ObjectMeta.Annotations[k]; !ok || val != v { + resourceSecret.ObjectMeta.Annotations[k] = v + toUpdate = true + } + } + if fmt.Sprint(resourceSecret.Data) != fmt.Sprint(desiredSecretData) { toUpdate = true resourceSecret.Data = desiredSecretData diff --git a/internal/controller/postgresrole_controller_test.go b/internal/controller/postgresrole_controller_test.go index 80e7e53..ea482ef 100644 --- a/internal/controller/postgresrole_controller_test.go +++ b/internal/controller/postgresrole_controller_test.go @@ -252,6 +252,7 @@ var _ = Describe("PostgresRole Controller", func() { "default", "db-config-myrole", make(map[string]string), + make(map[string]string), &role, pgConfig, ) @@ -299,6 +300,7 @@ var _ = Describe("PostgresRole Controller", func() { "default", "db-config-myrole", secretTemplate, + make(map[string]string), &role, pgConfig, ) @@ -816,6 +818,7 @@ var _ = Describe("PostgresRole Controller", func() { "default", "db-config-myrole", make(map[string]string), + make(map[string]string), &role, pgConfig, )
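Review bot: Keys removed from `secretAnnotations` are never removed from an existing Secret, because the added loop only inserts or overwrites entries in `resourceSecret.ObjectMeta.Annotations`. An annotation set through the CR therefore stays in force after the CR is edited, which is surprising if the annotation drives another controller. One way to prune is to record the keys the operator applied in an operator-owned annotation and delete those no longer requested. In the sketch below `managedKeysAnnotation` is a placeholder name, and the `strings` and `sort` packages may need importing. `reconcileRoleSecret` begins and ends outside this hunk.

```go
// … unchanged: nil-map initialisation of resourceSecret.ObjectMeta.Annotations …

// Drop keys this operator applied earlier that the spec no longer requests.
for _, k := range strings.Split(resourceSecret.ObjectMeta.Annotations[managedKeysAnnotation], ",") {
	if _, wanted := secretAnnotations[k]; k != "" && !wanted {
		delete(resourceSecret.ObjectMeta.Annotations, k)
		toUpdate = true
	}
}

// … unchanged: loop that adds or overwrites entries from secretAnnotations …

// Remember which keys are operator-managed for the next reconcile.
keys := make([]string, 0, len(secretAnnotations))
for k := range secretAnnotations {
	keys = append(keys, k)
}
sort.Strings(keys)
if joined := strings.Join(keys, ","); resourceSecret.ObjectMeta.Annotations[managedKeysAnnotation] != joined {
	resourceSecret.ObjectMeta.Annotations[managedKeysAnnotation] = joined
	toUpdate = true
}
```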
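Review bot: All three updated `reconcileRoleSecret` calls in the test file (the hunks at -252, -299 and -816) pass an empty `make(map[string]string)` for the new argument, so nothing in this patch exercises the annotation path. I would add one spec that creates the Secret with a non-empty map and asserts `ObjectMeta.Annotations` on the result. A second spec should reconcile an existing Secret and check that a changed value is overwritten while unrelated annotations are kept. The enclosing `Describe` block extends beyond these hunks.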