Added support for TokenSecretAnnotations for HumioIngestToken

api/v1alpha1/humioingesttoken_types.go

@@ -54,12 +54,16 @@ type HumioIngestTokenSpec struct {
 	RepositoryName string `json:"repositoryName,omitempty"`
 	// TokenSecretName specifies the name of the Kubernetes secret that will be created
 	// and contain the ingest token. The key in the secret storing the ingest token is "token".
-	// This field is optional.
+	// +optional
 	TokenSecretName string `json:"tokenSecretName,omitempty"`
 	// TokenSecretLabels specifies additional key,value pairs to add as labels on the Kubernetes Secret containing
 	// the ingest token.
-	// This field is optional.
+	// +optional
 	TokenSecretLabels map[string]string `json:"tokenSecretLabels,omitempty"`
+	// TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+	// the ingest token.
+	// +optional
+	TokenSecretAnnotations map[string]string `json:"tokenSecretAnnotations,omitempty"`
 }
 
 // HumioIngestTokenStatus defines the observed state of HumioIngestToken.

charts/humio-operator/crds/core.humio.com_humioingesttokens.yaml

@@ -75,19 +75,24 @@ spec:
                   which the ingest token will be created
                 minLength: 1
                 type: string
+              tokenSecretAnnotations:
+                additionalProperties:
+                  type: string
+                description: |-
+                  TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+                  the ingest token.
+                type: object
               tokenSecretLabels:
                 additionalProperties:
                   type: string
                 description: |-
                   TokenSecretLabels specifies additional key,value pairs to add as labels on the Kubernetes Secret containing
                   the ingest token.
-                  This field is optional.
                 type: object
               tokenSecretName:
                 description: |-
                   TokenSecretName specifies the name of the Kubernetes secret that will be created
                   and contain the ingest token. The key in the secret storing the ingest token is "token".
-                  This field is optional.
                 type: string
             required:
             - name

config/crd/bases/core.humio.com_humioingesttokens.yaml

@@ -75,19 +75,24 @@ spec:
                   which the ingest token will be created
                 minLength: 1
                 type: string
+              tokenSecretAnnotations:
+                additionalProperties:
+                  type: string
+                description: |-
+                  TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+                  the ingest token.
+                type: object
               tokenSecretLabels:
                 additionalProperties:
                   type: string
                 description: |-
                   TokenSecretLabels specifies additional key,value pairs to add as labels on the Kubernetes Secret containing
                   the ingest token.
-                  This field is optional.
                 type: object
               tokenSecretName:
                 description: |-
                   TokenSecretName specifies the name of the Kubernetes secret that will be created
                   and contain the ingest token. The key in the secret storing the ingest token is "token".
-                  This field is optional.
                 type: string
             required:
             - name

docs/api.md

@@ -36760,22 +36760,28 @@ resources should be created.
 This conflicts with ExternalClusterName.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>tokenSecretAnnotations</b></td>
+        <td>map[string]string</td>
+        <td>
+          TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+the ingest token.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>tokenSecretLabels</b></td>
         <td>map[string]string</td>
         <td>
           TokenSecretLabels specifies additional key,value pairs to add as labels on the Kubernetes Secret containing
-the ingest token.
-This field is optional.<br/>
+the ingest token.<br/>
         </td>
         <td>false</td>
       </tr><tr>
         <td><b>tokenSecretName</b></td>
         <td>string</td>
         <td>
           TokenSecretName specifies the name of the Kubernetes secret that will be created
-and contain the ingest token. The key in the secret storing the ingest token is "token".
-This field is optional.<br/>
+and contain the ingest token. The key in the secret storing the ingest token is "token".<br/>
         </td>
         <td>false</td>
       </tr></tbody>

internal/controller/humiobootstraptoken_controller.go

@@ -301,7 +301,7 @@ func (r *HumioBootstrapTokenReconciler) ensureBootstrapTokenSecret(ctx context.C
 			return r.logErrorAndReturn(err, "cannot create bootstrap token")
 		}
 		if okayToCreate {
-			secret := kubernetes.ConstructSecret(hbt.Name, hbt.Namespace, humioBootstrapTokenConfig.bootstrapTokenSecretName(), secretData, nil)
+			secret := kubernetes.ConstructSecret(hbt.Name, hbt.Namespace, humioBootstrapTokenConfig.bootstrapTokenSecretName(), secretData, nil, nil)
 			if err := controllerutil.SetControllerReference(hbt, secret, r.Scheme()); err != nil {
 				return r.logErrorAndReturn(err, "could not set controller reference")
 			}

internal/controller/humiocluster_controller.go

@@ -966,7 +966,7 @@ func (r *HumioClusterReconciler) ensureValidCASecret(ctx context.Context, hc *hu
 		corev1.TLSCertKey:       ca.Certificate,
 		corev1.TLSPrivateKeyKey: ca.Key,
 	}
-	caSecret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, getCASecretName(hc), caSecretData, nil)
+	caSecret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, getCASecretName(hc), caSecretData, nil, nil)
 	if err := controllerutil.SetControllerReference(hc, caSecret, r.Scheme()); err != nil {
 		return r.logErrorAndReturn(err, "could not set controller reference")
 	}
@@ -994,7 +994,7 @@ func (r *HumioClusterReconciler) ensureHumioClusterKeystoreSecret(ctx context.Co
 			secretData := map[string][]byte{
 				"passphrase": []byte(randomPass), // TODO: do we need separate passwords for different aspects?
 			}
-			secret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, fmt.Sprintf("%s-keystore-passphrase", hc.Name), secretData, nil)
+			secret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, fmt.Sprintf("%s-keystore-passphrase", hc.Name), secretData, nil, nil)
 			if err := controllerutil.SetControllerReference(hc, secret, r.Scheme()); err != nil {
 				return r.logErrorAndReturn(err, "could not set controller reference")
 			}

internal/controller/humioingesttoken_controller.go

@@ -224,7 +224,7 @@ func (r *HumioIngestTokenReconciler) ensureTokenSecretExists(ctx context.Context
 	}
 
 	secretData := map[string][]byte{"token": []byte(ingestToken.Token)}
-	desiredSecret := kubernetes.ConstructSecret(cluster.Name(), hit.Namespace, hit.Spec.TokenSecretName, secretData, hit.Spec.TokenSecretLabels)
+	desiredSecret := kubernetes.ConstructSecret(cluster.Name(), hit.Namespace, hit.Spec.TokenSecretName, secretData, hit.Spec.TokenSecretLabels, hit.Spec.TokenSecretAnnotations)
 	if err := controllerutil.SetControllerReference(hit, desiredSecret, r.Scheme()); err != nil {
 		return fmt.Errorf("could not set controller reference: %w", err)
 	}
@@ -242,7 +242,9 @@ func (r *HumioIngestTokenReconciler) ensureTokenSecretExists(ctx context.Context
 	} else {
 		// kubernetes secret exists, check if we need to update it
 		r.Log.Info("ingest token secret already exists", "TokenSecretName", hit.Spec.TokenSecretName)
-		if string(existingSecret.Data["token"]) != string(desiredSecret.Data["token"]) {
+		if string(existingSecret.Data["token"]) != string(desiredSecret.Data["token"]) ||
+			!cmp.Equal(existingSecret.Labels, desiredSecret.Labels) ||
+			!cmp.Equal(existingSecret.Annotations, desiredSecret.Annotations) {
 			r.Log.Info("secret does not match the token in Humio. Updating token", "TokenSecretName", hit.Spec.TokenSecretName)
 			if err = r.Update(ctx, desiredSecret); err != nil {
 				return r.logErrorAndReturn(err, "unable to update ingest token")

internal/controller/suite/common.go

@@ -381,7 +381,7 @@ func CreateAndBootstrapCluster(ctx context.Context, k8sClient client.Client, hum
 		secretData := map[string][]byte{"token": []byte("")}
 		adminTokenSecretName := fmt.Sprintf("%s-%s", key.Name, kubernetes.ServiceTokenSecretNameSuffix)
 		UsingClusterBy(key.Name, "Simulating the admin token secret containing the API token")
-		desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, adminTokenSecretName, secretData, nil)
+		desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, adminTokenSecretName, secretData, nil, nil)
 		Expect(k8sClient.Create(ctx, desiredSecret)).To(Succeed())
 
 		UsingClusterBy(key.Name, "Simulating the creation of the HumioBootstrapToken resource")
@@ -412,7 +412,7 @@ func CreateAndBootstrapCluster(ctx context.Context, k8sClient client.Client, hum
 	UsingClusterBy(key.Name, "Simulating the humio bootstrap token controller creating the secret containing the API token")
 	secretData := map[string][]byte{"hashedToken": []byte("P2HS9.20.r+ZbMqd0pHF65h3yQiOt8n1xNytv/4ePWKIj3cElP7gt8YD+gOtdGGvJYmG229kyFWLs6wXx9lfSDiRGGu/xuQ"), "secret": []byte("cYsrKi6IeyOJVzVIdmVK3M6RGl4y9GpgduYKXk4qWvvj")}
 	bootstrapTokenSecretName := fmt.Sprintf("%s-%s", key.Name, kubernetes.BootstrapTokenSecretNameSuffix)
-	desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, bootstrapTokenSecretName, secretData, nil)
+	desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, bootstrapTokenSecretName, secretData, nil, nil)
 	Expect(k8sClient.Create(ctx, desiredSecret)).To(Succeed())
 
 	UsingClusterBy(key.Name, "Creating HumioCluster resource")

internal/controller/suite/resources/humioresources_controller_test.go

@@ -213,6 +213,9 @@ var _ = Describe("Humio Resources Controllers", func() {
 				fetchedIngestToken.Spec.TokenSecretLabels = map[string]string{
 					"custom-label": "custom-value",
 				}
+				fetchedIngestToken.Spec.TokenSecretAnnotations = map[string]string{
+					"custom-annotation": "custom-value",
+				}
 				return k8sClient.Update(ctx, fetchedIngestToken)
 			}, testTimeout, suite.TestInterval).Should(Succeed())
 			ingestTokenSecret := &corev1.Secret{}
@@ -226,6 +229,7 @@ var _ = Describe("Humio Resources Controllers", func() {
 					ingestTokenSecret)
 			}, testTimeout, suite.TestInterval).Should(Succeed())
 			Expect(ingestTokenSecret.Labels).Should(HaveKeyWithValue("custom-label", "custom-value"))
+			Expect(ingestTokenSecret.Annotations).Should(HaveKeyWithValue("custom-annotation", "custom-value"))
 
 			Expect(string(ingestTokenSecret.Data["token"])).ToNot(BeEmpty())
 

internal/kubernetes/secrets.go

@@ -47,12 +47,13 @@ func LabelsForSecret(clusterName string, secretName string, additionalSecretLabe
 }
 
 // ConstructSecret returns an opaque secret which holds the given data
-func ConstructSecret(humioClusterName, humioClusterNamespace, secretName string, data map[string][]byte, additionalSecretLabels map[string]string) *corev1.Secret {
+func ConstructSecret(humioClusterName, humioClusterNamespace, secretName string, data map[string][]byte, additionalSecretLabels map[string]string, additionalSecretAnnotations map[string]string) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      secretName,
-			Namespace: humioClusterNamespace,
-			Labels:    LabelsForSecret(humioClusterName, secretName, additionalSecretLabels),
+			Name:        secretName,
+			Namespace:   humioClusterNamespace,
+			Labels:      LabelsForSecret(humioClusterName, secretName, additionalSecretLabels),
+			Annotations: additionalSecretAnnotations,
 		},
 		Data: data,
 	}