feat: support custom labels and annotations on generated secrets (#29)

* enable integration with [Jenkins' Kubernetes Credentials Provider Plugin](https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/) and similar use cases.

Author: isometry

api/v1/clustertoken_types.go

@@ -33,7 +33,7 @@ type ClusterTokenSpec struct {
 	// Important: Run "make" to regenerate code after modifying this file
 
 	// +kubebuilder:validation:Required
-	Secret clusterTokenSecretSpec `json:"secret"`
+	Secret ClusterTokenSecretSpec `json:"secret"`
 
 	// +optional
 	// +kubebuilder:example:="123456789"
@@ -63,7 +63,7 @@ type ClusterTokenSpec struct {
 	RepositoryIDs []int64 `json:"repositoryIDs,omitempty"`
 }
 
-type clusterTokenSecretSpec struct {
+type ClusterTokenSecretSpec struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MaxLength:=253
 	// +kubebuilder:example:="default"
@@ -75,6 +75,14 @@ type clusterTokenSecretSpec struct {
 	// Name for the Secret managed by this ClusterToken (defaults to the name of the ClusterToken)
 	Name string `json:"name,omitempty"`
 
+	// +optional
+	// Extra labels for the Secret managed by this Token
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// +optional
+	// Extra annotations for the Secret managed by this Token
+	Annotations map[string]string `json:"annotations,omitempty"`
+
 	// +optional
 	// Create a secret with 'username' and 'password' fields for HTTP Basic Auth rather than simply 'token'
 	BasicAuth bool `json:"basicAuth,omitempty"`
@@ -133,6 +141,14 @@ func (t *ClusterToken) GetSecretName() string {
 	return secretName
 }
 
+func (t *ClusterToken) GetSecretLabels() map[string]string {
+	return t.Spec.Secret.Labels
+}
+
+func (t *ClusterToken) GetSecretAnnotations() map[string]string {
+	return t.Spec.Secret.Annotations
+}
+
 func (t *ClusterToken) GetSecretBasicAuth() bool {
 	return t.Spec.Secret.BasicAuth
 }

api/v1/token_types.go

@@ -34,7 +34,7 @@ type TokenSpec struct {
 
 	// +optional
 	// Override the default token secret name and type
-	Secret tokenSecretSpec `json:"secret,omitempty"`
+	Secret TokenSecretSpec `json:"secret,omitempty"`
 
 	// +optional
 	// +kubebuilder:example:="123456789"
@@ -64,12 +64,20 @@ type TokenSpec struct {
 	RepositoryIDs []int64 `json:"repositoryIDs,omitempty"`
 }
 
-type tokenSecretSpec struct {
+type TokenSecretSpec struct {
 	// +optional
 	// +kubebuilder:validation:MaxLength:=253
-	// Name for the Secret managed by this ClusterToken (defaults to the name of the Token)
+	// Name for the Secret managed by this Token (defaults to the name of the Token)
 	Name string `json:"name,omitempty"`
 
+	// +optional
+	// Extra labels for the Secret managed by this Token
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// +optional
+	// Extra annotations for the Secret managed by this Token
+	Annotations map[string]string `json:"annotations,omitempty"`
+
 	// +optional
 	// Create a secret with 'username' and 'password' fields for HTTP Basic Auth rather than simply 'token'
 	BasicAuth bool `json:"basicAuth,omitempty"`
@@ -126,6 +134,14 @@ func (t *Token) GetSecretName() string {
 	return secretName
 }
 
+func (t *Token) GetSecretLabels() map[string]string {
+	return t.Spec.Secret.Labels
+}
+
+func (t *Token) GetSecretAnnotations() map[string]string {
+	return t.Spec.Secret.Annotations
+}
+
 func (t *Token) GetSecretBasicAuth() bool {
 	return t.Spec.Secret.BasicAuth
 }

api/v1/zz_generated.deepcopy.go

@@ -260,11 +260,23 @@ spec:
                   type: array
                 secret:
                   properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      description:
+                        Extra annotations for the Secret managed by this
+                        Token
+                      type: object
                     basicAuth:
                       description:
                         Create a secret with 'username' and 'password' fields
                         for HTTP Basic Auth rather than simply 'token'
                       type: boolean
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Extra labels for the Secret managed by this Token
+                      type: object
                     name:
                       description:
                         Name for the Secret managed by this ClusterToken

config/crd/bases/github.as-code.io_clustertokens.yaml

@@ -261,15 +261,27 @@ spec:
                 secret:
                   description: Override the default token secret name and type
                   properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      description:
+                        Extra annotations for the Secret managed by this
+                        Token
+                      type: object
                     basicAuth:
                       description:
                         Create a secret with 'username' and 'password' fields
                         for HTTP Basic Auth rather than simply 'token'
                       type: boolean
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Extra labels for the Secret managed by this Token
+                      type: object
                     name:
                       description:
-                        Name for the Secret managed by this ClusterToken
-                        (defaults to the name of the Token)
+                        Name for the Secret managed by this Token (defaults
+                        to the name of the Token)
                       maxLength: 253
                       type: string
                   type: object

config/crd/bases/github.as-code.io_tokens.yaml

@@ -6,7 +6,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/google/go-github/v66 v66.0.0
 	github.com/isometry/ghait v0.1.1
-	github.com/onsi/ginkgo/v2 v2.20.2
+	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.34.2
 	github.com/spf13/viper v1.19.0
 	k8s.io/api v0.31.2
@@ -17,25 +17,25 @@ require (
 
 require (
 	cloud.google.com/go v0.116.0 // indirect
-	cloud.google.com/go/auth v0.9.8 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
+	cloud.google.com/go/auth v0.10.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
-	cloud.google.com/go/iam v1.2.1 // indirect
-	cloud.google.com/go/kms v1.20.0 // indirect
-	cloud.google.com/go/longrunning v0.6.1 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.32.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.43 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.41 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
+	cloud.google.com/go/iam v1.2.2 // indirect
+	cloud.google.com/go/kms v1.20.1 // indirect
+	cloud.google.com/go/longrunning v0.6.2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.32.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.28.1 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.42 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.37.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.32.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.37.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.32.3 // indirect
 	github.com/aws/smithy-go v1.22.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bradleyfalzon/ghinstallation/v2 v2.11.0 // indirect
@@ -45,7 +45,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -63,7 +63,7 @@ require (
 	github.com/google/go-github/v62 v62.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20241009165004-a3522334989c // indirect
+	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
@@ -78,7 +78,7 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/vault/api v1.15.0 // indirect
-	github.com/imdario/mergo v1.0.0 // indirect
+	github.com/imdario/mergo v1.0.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
@@ -91,9 +91,9 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.20.4 // indirect
+	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.60.0 // indirect
+	github.com/prometheus/common v0.60.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sagikazarmark/locafero v0.6.0 // indirect
@@ -123,17 +123,17 @@ require (
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/api v0.200.0 // indirect
-	google.golang.org/genproto v0.0.0-20241007155032-5fefd90f89a9 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/api v0.203.0 // indirect
+	google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241021214115-324edc3d5d38 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
 	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.31.1 // indirect
+	k8s.io/apiextensions-apiserver v0.31.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241009091222-67ed5848f094 // indirect
 	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect