From 367daac8ae023b78a692424d4e37454d7129a3c4 Mon Sep 17 00:00:00 2001 From: Anson Date: Tue, 28 Oct 2025 15:37:21 +1300 Subject: [PATCH 1/3] Add parameter to enable or disable annotations --- cmd/main.go | 10 +++++--- internal/controller/deployment_controller.go | 2 +- .../controller/onepassworditem_controller.go | 13 ++++++++--- .../kubernetes_secrets_builder.go | 8 ++++--- .../kubernetes_secrets_builder_test.go | 23 ++++++++++++++----- 5 files changed, 40 insertions(+), 16 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index e9a6e04d..a472f0c8 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -100,6 +100,7 @@ func main() { var probeAddr string var secureMetrics bool var enableHTTP2 bool + var enableAnnotations bool var tlsOpts []func(*tls.Config) flag.StringVar(&metricsAddr, "metrics-bind-address", "8080", "The address the metrics endpoint binds to. "+ @@ -119,6 +120,8 @@ func main() { "The name of the metrics server key file.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics") + flag.BoolVar(&enableAnnotations, "enable-annotations", false, + "If set, operator will add annotations to resources it manages.") opts := zap.Options{ Development: true, } @@ -289,9 +292,10 @@ func main() { } if err = (&controller.OnePasswordItemReconciler{ - Client: mgr.GetClient(), - Scheme: mgr.GetScheme(), - OpClient: opClient, + Client: mgr.GetClient(), + Scheme: mgr.GetScheme(), + OpClient: opClient, + EnableAnnotations: enableAnnotations, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "OnePasswordItem") os.Exit(1) diff --git a/internal/controller/deployment_controller.go b/internal/controller/deployment_controller.go index 6ce9ed79..d0049089 100644 --- a/internal/controller/deployment_controller.go +++ b/internal/controller/deployment_controller.go 
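Review bot: The help text for `--enable-annotations` in the second hunk ("operator will add annotations to resources it manages") does not describe what the flag changes: the operator's own version and item-path annotations are added to every Secret regardless, and what the flag actually switches on, per the onepassworditem_controller hunk in this patch, is copying the OnePasswordItem's annotations onto the Secret built for it. Suggest `"If set, annotations on a OnePasswordItem are copied onto the Secret the operator creates for it."` so an operator reading `--help` knows which metadata will propagate. The third hunk wires the flag only into OnePasswordItemReconciler; see the deployment_controller hunk for the path it does not cover.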
@@ -219,5 +219,5 @@ func (r *DeploymentReconciler) handleApplyingDeployment(ctx context.Context, dep UID: deployment.GetUID(), } - return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, secretType, ownerRef) + return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations, secretType, ownerRef) } diff --git a/internal/controller/onepassworditem_controller.go b/internal/controller/onepassworditem_controller.go index fbd5b635..a5dcc3ef 100644 --- a/internal/controller/onepassworditem_controller.go +++ b/internal/controller/onepassworditem_controller.go @@ -53,8 +53,9 @@ var finalizer = "onepassword.com/finalizer.secret" // OnePasswordItemReconciler reconciles a OnePasswordItem object type OnePasswordItemReconciler struct { client.Client - Scheme *runtime.Scheme - OpClient opclient.Client + Scheme *runtime.Scheme + OpClient opclient.Client + EnableAnnotations bool } // +kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems,verbs=get;list;watch;create;update;patch;delete @@ -163,6 +164,12 @@ func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, r labels := resource.Labels secretType := resource.Type autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation] + var annotations map[string]string + if r.EnableAnnotations { + annotations = resource.Annotations + } else { + annotations = nil + } item, err := op.GetOnePasswordItemByPath(ctx, r.OpClient, resource.Spec.ItemPath) if err != nil { 
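Review bot: This call passes the deployment's `annotations` map unconditionally, so the new `--enable-annotations` flag (wired only into OnePasswordItemReconciler in the cmd/main.go hunk) does not gate deployment-sourced Secrets, and every annotation on the Deployment is copied onto the Secret whether or not the flag is set. If the flag is meant to be the single switch, give DeploymentReconciler the same `EnableAnnotations bool` field, set it from main.go, and pass `nil` when it is false, as below; otherwise document that deployment-derived Secrets always inherit annotations. The body of handleApplyingDeployment begins outside the hunk.
```go
	// Honour --enable-annotations here as well; nil leaves only the operator's own keys on the Secret.
	var secretAnnotations map[string]string
	if r.EnableAnnotations {
		secretAnnotations = annotations
	}
	return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, secretAnnotations, secretType, ownerRef)
```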
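Review bot: The new exported field `EnableAnnotations` on OnePasswordItemReconciler has no doc comment, unlike the type itself, so a reader of the struct cannot tell what it enables without following the flag into handleOnePasswordItem. Suggest `// EnableAnnotations copies a OnePasswordItem's annotations onto the Secret created for it; the operator's version and item-path annotations are set regardless.` above the field.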
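Review bot: The `else { annotations = nil }` branch in the @@ -163 hunk is redundant, since a map declared with `var` is already nil; `var annotations map[string]string` followed by `if r.EnableAnnotations { annotations = resource.Annotations }` says the same thing. Note also that when the flag is on this hands the builder `resource.Annotations` itself rather than a copy, which matters because the builder in this patch writes its own keys into whatever map it receives; see the kubernetes_secrets_builder.go hunk for the fix on that side. handleOnePasswordItem continues outside the hunk.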
@@ -181,7 +188,7 @@ func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, r UID: resource.GetUID(), } - return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, resource.Namespace, item, autoRestart, labels, secretType, ownerRef) + return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, resource.Namespace, item, autoRestart, annotations, labels, secretType, ownerRef) } func (r *OnePasswordItemReconciler) updateStatus(ctx context.Context, resource *onepasswordv1.OnePasswordItem, err error) error { diff --git a/pkg/kubernetessecrets/kubernetes_secrets_builder.go b/pkg/kubernetessecrets/kubernetes_secrets_builder.go index 28e6e3d9..e23f1c69 100644 --- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go +++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go @@ -37,14 +37,16 @@ func CreateKubernetesSecretFromItem( item *model.Item, autoRestart string, labels map[string]string, + secretAnnotations map[string]string, secretType string, ownerRef *metav1.OwnerReference, ) error { itemVersion := fmt.Sprint(item.Version) - secretAnnotations := map[string]string{ - VersionAnnotation: itemVersion, - ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.VaultID, item.ID), + if secretAnnotations == nil { + secretAnnotations = map[string]string{} } + secretAnnotations[VersionAnnotation] = itemVersion + secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.VaultID, item.ID) if autoRestart != "" { _, err := utils.StringToBool(autoRestart) diff --git a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go index 21677c4e..f3c1f69c 100644 --- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go +++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go 
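Review bot: CreateKubernetesSecretFromItem now writes VersionAnnotation and ItemPathAnnotation into the map its caller passed, so a reconciler that hands over its resource's own annotation map gets that object mutated as a side effect, and a caller reusing one map across calls sees the operator's keys accumulate in it; only the nil case gets a fresh map. Copy into a new map before adding the operator's keys, as below, which also keeps the `secretAnnotations` name used by the rest of the body. Separately, `labels` and `secretAnnotations` are now adjacent `map[string]string` parameters, which is why the argument-order slip corrected in patch 2 compiled silently; distinct named types or a small options struct would turn that swap into a compile error. The function body continues past the hunk.
```go
) error {
	itemVersion := fmt.Sprint(item.Version)
	// Work on a copy so the operator's keys never leak back into the caller's object.
	merged := make(map[string]string, len(secretAnnotations)+2)
	for k, v := range secretAnnotations {
		merged[k] = v
	}
	secretAnnotations = merged
	secretAnnotations[VersionAnnotation] = itemVersion
	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.VaultID, item.ID)
	// … unchanged: autoRestart validation and the rest of the function …
```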
@@ -36,9 +36,11 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) { kubeClient := fake.NewClientBuilder().Build() secretLabels := map[string]string{} secretType := "" - + secretAnnotations := map[string]string{ + "testAnnotation": "exists", + } err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, - secretLabels, secretType, nil) + secretLabels, secretAnnotations, secretType, nil) if err != nil { t.Errorf("Unexpected error: %v", err) } @@ -66,6 +68,9 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { kubeClient := fake.NewClientBuilder().Build() secretLabels := map[string]string{} secretType := "" + secretAnnotations := map[string]string{ + "testAnnotation": "exists", + } ownerRef := &metav1.OwnerReference{ Kind: "Deployment", @@ -74,7 +79,7 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { UID: types.UID("test-uid"), } err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, - secretLabels, secretType, ownerRef) + secretLabels, secretAnnotations, secretType, ownerRef) if err != nil { t.Errorf("Unexpected error: %v", err) } @@ -116,9 +121,12 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) { kubeClient := fake.NewClientBuilder().Build() secretLabels := map[string]string{} secretType := "" + secretAnnotations := map[string]string{ + "testAnnotation": "exists", + } err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, - secretLabels, secretType, nil) + secretLabels, secretAnnotations, secretType, nil) if err != nil { t.Errorf("Unexpected error: %v", err) 
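Review bot: Each test now passes `secretAnnotations` containing `"testAnnotation": "exists"`, but nothing in these hunks asserts that the key reaches the created Secret, so the new parameter is exercised only for compilation; the same applies to the @@ -66, @@ -74 and @@ -116 hunks here and the @@ -131 and @@ -234 hunks on the next line. Where each test reads the Secret back (presumably later in the body, outside the hunk), add `if got := secret.Annotations["testAnnotation"]; got != "exists" { t.Errorf("annotation not propagated: got %q", got) }` using whatever variable holds the fetched Secret, and keep one call passing `nil` so the builder's new nil guard is covered too.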
@@ -131,7 +139,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) { newItem.VaultID = testVaultUUID newItem.ID = testItemUUID err = CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, - secretLabels, secretType, nil) + secretLabels, secretAnnotations, secretType, nil) if err != nil { t.Errorf("Unexpected error: %v", err) } @@ -234,9 +242,12 @@ func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) { kubeClient := fake.NewClientBuilder().Build() secretLabels := map[string]string{} secretType := "kubernetes.io/tls" + secretAnnotations := map[string]string{ + "testAnnotation": "exists", + } err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, - secretLabels, secretType, nil) + secretLabels, secretAnnotations, secretType, nil) if err != nil { t.Errorf("Unexpected error: %v", err) } From 3c330a058e6b83089383381aab7b12fa6de6ac9f Mon Sep 17 00:00:00 2001 From: Anson Date: Tue, 28 Oct 2025 16:54:39 +1300 Subject: [PATCH 2/3] Fix the annotatoin position --- internal/controller/onepassworditem_controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/controller/onepassworditem_controller.go b/internal/controller/onepassworditem_controller.go index a5dcc3ef..344e5333 100644 --- a/internal/controller/onepassworditem_controller.go +++ b/internal/controller/onepassworditem_controller.go 
@@ -188,7 +188,7 @@ func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, r UID: resource.GetUID(), } - return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, resource.Namespace, item, autoRestart, annotations, labels, secretType, ownerRef) + return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, resource.Namespace, item, autoRestart, labels, annotations, secretType, ownerRef) } func (r *OnePasswordItemReconciler) updateStatus(ctx context.Context, resource *onepasswordv1.OnePasswordItem, err error) error { From 7b32dc8886b70fd1d5e230dcfbd0e3f4f6589596 Mon Sep 17 00:00:00 2001 From: Anson Date: Tue, 28 Oct 2025 19:04:57 +1300 Subject: [PATCH 3/3] Update metrics bind address to use ":8080" for consistency --- cmd/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/main.go b/cmd/main.go index a472f0c8..470fdf28 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -102,7 +102,7 @@ func main() { var enableHTTP2 bool var enableAnnotations bool var tlsOpts []func(*tls.Config) - flag.StringVar(&metricsAddr, "metrics-bind-address", "8080", + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metrics endpoint binds to. "+ "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081",
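Review bot: Changing the default from `"8080"` to `":8080"` is more than a consistency tweak: a bare port number is presumably rejected by net.Listen, so the metrics listener likely never came up before, whereas it now binds a plaintext HTTP endpoint on all interfaces by default. If an always-on metrics endpoint is intended, the commit message should say so; if not, `"0"`, which the help text already documents as the disable value, keeps the previous effective behaviour while leaving `:8443` with `--metrics-secure` as the opt-in. main continues outside the hunk.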