Additional k8s secret labels#31
Conversation
| labels := make(map[string]string) | ||
| maps.Copy(labels, mapping.AdditionalSecretLabels) |
There was a problem hiding this comment.
nit: this is equivalent to labels := maps.Clone(mapping.AdditionalSecretLabels)
Another option would be to only replace the make call with the map literal it's replacing (map[string]string{LabelKey: r.labelValue}). Then it's clear that we don't expect to have additional labels most of the time.
There was a problem hiding this comment.
Thanks for the feedback. I just pushed a change that uses the latter approach you suggested to maintain clarity.
sergiosalvatore
left a comment
sergiosalvatore
left a comment
There was a problem hiding this comment.
Sorry for the back and forth...
| labels := map[string]string{LabelKey: r.labelValue} | ||
| maps.Copy(labels, mapping.AdditionalSecretLabels) |
There was a problem hiding this comment.
I know David already commented on this code, but I think it actually needs to be written the other way in order to not mess with the reconciliation logic here and here.
| labels := map[string]string{LabelKey: r.labelValue} | |
| maps.Copy(labels, mapping.AdditionalSecretLabels) | |
| labels := maps.Clone(mapping.AdditionalSecretLabels) | |
| labels[LabelKey] = r.labelValue |
This ensures that the label key that pentagon uses to find its secrets is always set and can't be accidentally overwritten. I'd suggest adding a test that confirms this. I suppose we can also add some extra validation to the config to make sure that the user isn't trying to overwrite the pentagon label with one of their own.
There was a problem hiding this comment.
When writing the tests for this I noticed that if AdditionalSecretLabels is not passed in the config, making it nil, the result of labels := maps.Clone(mapping.AdditionalSecretLabels) is nil.
To avoid this, I've decided to initialize AdditionalSecretLabels in SetDefaults if they are not specified by the user. This avoids any potential nil map panics in the code.
Otherwise, I can do a nil check on AdditionalSecretLabels in the reflector code after cloning.
Let me know what you think.
There was a problem hiding this comment.
Thanks... While what you did is perfectly fine, it might actually be more "ergonomic" to do a nil check in the reflector code and not bother defaulting it to an empty map in SetDefaults. That would allow you to avoid initializing it in the tests and everything "just works."
jamiedel818
force-pushed
the
additional-k8s-secret-labels
branch
from
86945af to
44cb5b8
Compare
|
Closing this in favor of #34. Existing workflows do not work with fork PRs. |
3 participants
This pull requests extends Pentagon's secret mapping config to allow for extra labels to be added to the generated Kubernetes secret(s).
additionalSecretLabelscan optionally be added to amappingconfig.additionalSecretLabelswill be merged with the top level defaultlabelconfig value.Extended existing test cases to account for scenarios where no additional labels have been provided, ensuring the default label still exists. Introduced new test cases where additional labels are provided, ensuring the default label still exists.