finleap-connect · lukasgr90 · Jan 6, 2023 · Jan 6, 2023 · Jan 6, 2023
diff --git a/Makefile b/Makefile
@@ -168,7 +168,7 @@ $(GOLANGCILINT): $(LOCALBIN)
 .PHONY: vault
 vault: $(VAULT) ## Download vault locally if necessary.
 $(VAULT): $(LOCALBIN)
-	wget https://releases.hashicorp.com/vault/$(VAULT_VERSION)/vault_$(VAULT_VERSION)_$(GO_OS)_$(GO_ARCH).zip -O $(LOCALBIN)/vault.zip
+	curl -o $(LOCALBIN)/vault.zip -L https://releases.hashicorp.com/vault/$(VAULT_VERSION)/vault_$(VAULT_VERSION)_$(GO_OS)_$(GO_ARCH).zip
 	unzip -o $(LOCALBIN)/vault.zip -d $(LOCALBIN)
 	rm $(LOCALBIN)/vault.zip
 

diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go
@@ -13,8 +13,8 @@
 // limitations under the License.
 
 // Package v1alpha1 contains API Schema definitions for the vault.finleap.cloud v1alpha1 API group
-//+kubebuilder:object:generate=true
-//+groupName=vault.finleap.cloud
+// +kubebuilder:object:generate=true
+// +groupName=vault.finleap.cloud
 package v1alpha1
 
 import (

diff --git a/api/v1alpha1/vaultsecret_types.go b/api/v1alpha1/vaultsecret_types.go
@@ -131,6 +131,9 @@ type VaultSecretSpec struct {
 	// Array of vault path references where to gather data from for the secret.
 	// +optional
 	DataFrom []VaultSecretDataRef `json:"dataFrom,omitempty"`
+	// Array of labels for the created secret.
+	// +optional
+	SecretLabels map[string]string `json:"secretLabels,omitempty"`
 }
 
 // VaultSecretStatus defines the observed state of VaultSecret

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/vault-operator/templates/crds.yaml b/charts/vault-operator/templates/crds.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.deployCRDs }}
 # Generated by 'make manifests'
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -183,6 +182,11 @@ spec:
                   - path
                   type: object
                 type: array
+              secretLabels:
+                additionalProperties:
+                  type: string
+                description: Array of labels for the created secret.
+                type: object
               secretName:
                 description: Optional name of secret which is created by this object.
                 type: string
@@ -239,4 +243,3 @@ status:
     plural: ""
   conditions: []
   storedVersions: []
-{{- end }}
diff --git a/config/crd/bases/vault.finleap.cloud_vaultsecrets.yaml b/config/crd/bases/vault.finleap.cloud_vaultsecrets.yaml
@@ -169,6 +169,11 @@ spec:
                   - path
                   type: object
                 type: array
+              secretLabels:
+                additionalProperties:
+                  type: string
+                description: Array of labels for the created secret.
+                type: object
               secretName:
                 description: Optional name of secret which is created by this object.
                 type: string

diff --git a/controllers/vaultsecret_controller.go b/controllers/vaultsecret_controller.go
@@ -253,6 +253,16 @@ func (r *VaultSecretReconciler) updateSecret(secret *corev1.Secret, vaultSecret
 		secret.Type = corev1.SecretTypeDockerConfigJson
 	}
 
+	// Update secret labels
+	if vaultSecret.Spec.SecretLabels != nil && len(vaultSecret.Spec.SecretLabels) > 0 {
+		if secret.ObjectMeta.Labels == nil {
+			secret.ObjectMeta.Labels = make(map[string]string)
+		}
+		for k, v := range vaultSecret.Spec.SecretLabels {
+			secret.ObjectMeta.Labels[k] = v
+		}
+	}
+
 	// Update secret data
 	if vaultSecret.Spec.Data != nil && len(vaultSecret.Spec.Data) > 0 {
 		for _, data := range vaultSecret.Spec.Data {

diff --git a/controllers/vaultsecret_controller_test.go b/controllers/vaultsecret_controller_test.go
@@ -423,6 +423,28 @@ var _ = Describe("VaultSecretReconciler", func() {
 			Expect(s.Type).To(Equal(corev1.SecretTypeTLS))
 		})
 	})
+	It("can specify secret's labels", func() {
+		Context("new secret", func() {
+			vs := mustCreateNewVaultSecret(func(spec *vaultv1alpha1.VaultSecretSpec) {
+				spec.Data[0].Name = "secret-with-labels"
+				spec.Data = append(spec.Data, vaultv1alpha1.VaultSecretData{
+					Name: corev1.TLSPrivateKeyKey,
+					Location: &vaultv1alpha1.VaultSecretLocation{
+						Path:  "app/test/bar",
+						Field: "baz",
+					},
+				})
+				spec.SecretLabels = map[string]string{"frog": "prince"}
+			})
+			mustReconcile(vs)
+
+			s := &corev1.Secret{}
+			Eventually(func() bool {
+				return k8sClient.Get(ctx, namespacedName(vs), s) == nil
+			}, timeout, interval).Should(BeTrue())
+			Expect(s.ObjectMeta.Labels["frog"]).To(Equal("prince"))
+		})
+	})
 	It("can use templating", func() {
 		Context("with variables", func() {
 			vs := mustCreateNewVaultSecret(func(spec *vaultv1alpha1.VaultSecretSpec) {