feat: support custom labels and annotations on generated secrets

Author: isometry

api/v1/clustertoken_types.go

@@ -33,7 +33,7 @@ type ClusterTokenSpec struct {
 	// Important: Run "make" to regenerate code after modifying this file
 
 	// +kubebuilder:validation:Required
-	Secret clusterTokenSecretSpec `json:"secret"`
+	Secret ClusterTokenSecretSpec `json:"secret"`
 
 	// +optional
 	// +kubebuilder:example:="123456789"
@@ -63,7 +63,7 @@ type ClusterTokenSpec struct {
 	RepositoryIDs []int64 `json:"repositoryIDs,omitempty"`
 }
 
-type clusterTokenSecretSpec struct {
+type ClusterTokenSecretSpec struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MaxLength:=253
 	// +kubebuilder:example:="default"
@@ -75,6 +75,14 @@ type clusterTokenSecretSpec struct {
 	// Name for the Secret managed by this ClusterToken (defaults to the name of the ClusterToken)
 	Name string `json:"name,omitempty"`
 
+	// +optional
+	// Extra labels for the Secret managed by this Token
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// +optional
+	// Extra annotations for the Secret managed by this Token
+	Annotations map[string]string `json:"annotations,omitempty"`
+
 	// +optional
 	// Create a secret with 'username' and 'password' fields for HTTP Basic Auth rather than simply 'token'
 	BasicAuth bool `json:"basicAuth,omitempty"`
@@ -133,6 +141,14 @@ func (t *ClusterToken) GetSecretName() string {
 	return secretName
 }
 
+func (t *ClusterToken) GetSecretLabels() map[string]string {
+	return t.Spec.Secret.Labels
+}
+
+func (t *ClusterToken) GetSecretAnnotations() map[string]string {
+	return t.Spec.Secret.Annotations
+}
+
 func (t *ClusterToken) GetSecretBasicAuth() bool {
 	return t.Spec.Secret.BasicAuth
 }

api/v1/token_types.go

@@ -34,7 +34,7 @@ type TokenSpec struct {
 
 	// +optional
 	// Override the default token secret name and type
-	Secret tokenSecretSpec `json:"secret,omitempty"`
+	Secret TokenSecretSpec `json:"secret,omitempty"`
 
 	// +optional
 	// +kubebuilder:example:="123456789"
@@ -64,12 +64,20 @@ type TokenSpec struct {
 	RepositoryIDs []int64 `json:"repositoryIDs,omitempty"`
 }
 
-type tokenSecretSpec struct {
+type TokenSecretSpec struct {
 	// +optional
 	// +kubebuilder:validation:MaxLength:=253
-	// Name for the Secret managed by this ClusterToken (defaults to the name of the Token)
+	// Name for the Secret managed by this Token (defaults to the name of the Token)
 	Name string `json:"name,omitempty"`
 
+	// +optional
+	// Extra labels for the Secret managed by this Token
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// +optional
+	// Extra annotations for the Secret managed by this Token
+	Annotations map[string]string `json:"annotations,omitempty"`
+
 	// +optional
 	// Create a secret with 'username' and 'password' fields for HTTP Basic Auth rather than simply 'token'
 	BasicAuth bool `json:"basicAuth,omitempty"`
@@ -126,6 +134,14 @@ func (t *Token) GetSecretName() string {
 	return secretName
 }
 
+func (t *Token) GetSecretLabels() map[string]string {
+	return t.Spec.Secret.Labels
+}
+
+func (t *Token) GetSecretAnnotations() map[string]string {
+	return t.Spec.Secret.Annotations
+}
+
 func (t *Token) GetSecretBasicAuth() bool {
 	return t.Spec.Secret.BasicAuth
 }

api/v1/zz_generated.deepcopy.go

@@ -260,11 +260,23 @@ spec:
                   type: array
                 secret:
                   properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      description:
+                        Extra annotations for the Secret managed by this
+                        Token
+                      type: object
                     basicAuth:
                       description:
                         Create a secret with 'username' and 'password' fields
                         for HTTP Basic Auth rather than simply 'token'
                       type: boolean
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Extra labels for the Secret managed by this Token
+                      type: object
                     name:
                       description:
                         Name for the Secret managed by this ClusterToken

config/crd/bases/github.as-code.io_clustertokens.yaml

@@ -261,15 +261,27 @@ spec:
                 secret:
                   description: Override the default token secret name and type
                   properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      description:
+                        Extra annotations for the Secret managed by this
+                        Token
+                      type: object
                     basicAuth:
                       description:
                         Create a secret with 'username' and 'password' fields
                         for HTTP Basic Auth rather than simply 'token'
                       type: boolean
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Extra labels for the Secret managed by this Token
+                      type: object
                     name:
                       description:
-                        Name for the Secret managed by this ClusterToken
-                        (defaults to the name of the Token)
+                        Name for the Secret managed by this Token (defaults
+                        to the name of the Token)
                       maxLength: 253
                       type: string
                   type: object

config/crd/bases/github.as-code.io_tokens.yaml

@@ -25,6 +25,8 @@ type tokenManager interface {
 	GetRefreshInterval() time.Duration
 	GetSecretNamespace() string
 	GetSecretName() string
+	GetSecretLabels() map[string]string
+	GetSecretAnnotations() map[string]string
 	GetInstallationTokenOptions() *github.InstallationTokenOptions
 	GetManagedSecret() githubv1.ManagedSecret
 	UpdateManagedSecret() (changed bool)

internal/tokenmanager/token_manager.go

@@ -186,9 +186,10 @@ func (s *tokenSecret) CreateSecret() error {
 
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: s.owner.GetSecretNamespace(),
-			Name:      s.owner.GetSecretName(),
-			Labels:    s.SecretLabels(),
+			Namespace:   s.owner.GetSecretNamespace(),
+			Name:        s.owner.GetSecretName(),
+			Labels:      s.SecretLabels(),
+			Annotations: s.owner.GetSecretAnnotations(),
 		},
 		Data: s.SecretData(installationToken.GetToken()),
 		Type: secretType,
@@ -382,12 +383,16 @@ func (s *tokenSecret) UpdateTokenStatus(options ...tokenStatusOptions) error {
 }
 
 func (s *tokenSecret) SecretLabels() map[string]string {
-	return map[string]string{
+	secretLabels := map[string]string{
 		"app.kubernetes.io/name":       s.owner.GetType(),
 		"app.kubernetes.io/instance":   s.owner.GetName(),
 		"app.kubernetes.io/part-of":    "github-token-manager",
 		"app.kubernetes.io/created-by": "github-token-manager",
 	}
+	for k, v := range s.owner.GetSecretLabels() {
+		secretLabels[k] = v
+	}
+	return secretLabels
 }
 
 func (s *tokenSecret) SecretData(installationToken string) map[string][]byte {