Added support for TokenSecretAnnotations for HumioIngestToken

humio · Mar 5, 2025 · a06b939 · a06b939
1 parent 931de6e
commit a06b939
Show file tree

Hide file tree

Showing 11 changed files with 51 additions and 10 deletions.
diff --git a/api/v1alpha1/humioingesttoken_types.go b/api/v1alpha1/humioingesttoken_types.go
@@ -60,6 +60,10 @@ type HumioIngestTokenSpec struct {
 	// the ingest token.
 	// This field is optional.
 	TokenSecretLabels map[string]string `json:"tokenSecretLabels,omitempty"`
+	// TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+	// the ingest token.
+	// This field is optional.
+	TokenSecretAnnotations map[string]string `json:"tokenSecretAnnotations,omitempty"`
 }
 
 // HumioIngestTokenStatus defines the observed state of HumioIngestToken

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/humio-operator/crds/core.humio.com_humioingesttokens.yaml b/charts/humio-operator/crds/core.humio.com_humioingesttokens.yaml
@@ -75,6 +75,14 @@ spec:
                   which the ingest token will be created
                 minLength: 1
                 type: string
+              tokenSecretAnnotations:
+                additionalProperties:
+                  type: string
+                description: |-
+                  TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+                  the ingest token.
+                  This field is optional.
+                type: object
               tokenSecretLabels:
                 additionalProperties:
                   type: string

diff --git a/config/crd/bases/core.humio.com_humioingesttokens.yaml b/config/crd/bases/core.humio.com_humioingesttokens.yaml
@@ -75,6 +75,14 @@ spec:
                   which the ingest token will be created
                 minLength: 1
                 type: string
+              tokenSecretAnnotations:
+                additionalProperties:
+                  type: string
+                description: |-
+                  TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+                  the ingest token.
+                  This field is optional.
+                type: object
               tokenSecretLabels:
                 additionalProperties:
                   type: string

diff --git a/controllers/humiobootstraptoken_controller.go b/controllers/humiobootstraptoken_controller.go
@@ -291,7 +291,7 @@ func (r *HumioBootstrapTokenReconciler) ensureBootstrapTokenSecret(ctx context.C
 			return r.logErrorAndReturn(err, "cannot create bootstrap token")
 		}
 		if okayToCreate {
-			secret := kubernetes.ConstructSecret(hbt.Name, hbt.Namespace, humioBootstrapTokenConfig.bootstrapTokenSecretName(), secretData, nil)
+			secret := kubernetes.ConstructSecret(hbt.Name, hbt.Namespace, humioBootstrapTokenConfig.bootstrapTokenSecretName(), secretData, nil, nil)
 			if err := controllerutil.SetControllerReference(hbt, secret, r.Scheme()); err != nil {
 				return r.logErrorAndReturn(err, "could not set controller reference")
 			}

diff --git a/controllers/humiocluster_controller.go b/controllers/humiocluster_controller.go
@@ -967,7 +967,7 @@ func (r *HumioClusterReconciler) ensureValidCASecret(ctx context.Context, hc *hu
 		corev1.TLSCertKey:       ca.Certificate,
 		corev1.TLSPrivateKeyKey: ca.Key,
 	}
-	caSecret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, getCASecretName(hc), caSecretData, nil)
+	caSecret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, getCASecretName(hc), caSecretData, nil, nil)
 	if err := controllerutil.SetControllerReference(hc, caSecret, r.Scheme()); err != nil {
 		return r.logErrorAndReturn(err, "could not set controller reference")
 	}
@@ -995,7 +995,7 @@ func (r *HumioClusterReconciler) ensureHumioClusterKeystoreSecret(ctx context.Co
 			secretData := map[string][]byte{
 				"passphrase": []byte(randomPass), // TODO: do we need separate passwords for different aspects?
 			}
-			secret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, fmt.Sprintf("%s-keystore-passphrase", hc.Name), secretData, nil)
+			secret := kubernetes.ConstructSecret(hc.Name, hc.Namespace, fmt.Sprintf("%s-keystore-passphrase", hc.Name), secretData, nil, nil)
 			if err := controllerutil.SetControllerReference(hc, secret, r.Scheme()); err != nil {
 				return r.logErrorAndReturn(err, "could not set controller reference")
 			}

diff --git a/controllers/humioingesttoken_controller.go b/controllers/humioingesttoken_controller.go
@@ -224,7 +224,7 @@ func (r *HumioIngestTokenReconciler) ensureTokenSecretExists(ctx context.Context
 	}
 
 	secretData := map[string][]byte{"token": []byte(ingestToken.Token)}
-	desiredSecret := kubernetes.ConstructSecret(cluster.Name(), hit.Namespace, hit.Spec.TokenSecretName, secretData, hit.Spec.TokenSecretLabels)
+	desiredSecret := kubernetes.ConstructSecret(cluster.Name(), hit.Namespace, hit.Spec.TokenSecretName, secretData, hit.Spec.TokenSecretLabels, hit.Spec.TokenSecretAnnotations)
 	if err := controllerutil.SetControllerReference(hit, desiredSecret, r.Scheme()); err != nil {
 		return fmt.Errorf("could not set controller reference: %w", err)
 	}

diff --git a/controllers/suite/common.go b/controllers/suite/common.go
@@ -380,7 +380,7 @@ func CreateAndBootstrapCluster(ctx context.Context, k8sClient client.Client, hum
 		secretData := map[string][]byte{"token": []byte("")}
 		adminTokenSecretName := fmt.Sprintf("%s-%s", key.Name, kubernetes.ServiceTokenSecretNameSuffix)
 		UsingClusterBy(key.Name, "Simulating the admin token secret containing the API token")
-		desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, adminTokenSecretName, secretData, nil)
+		desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, adminTokenSecretName, secretData, nil, nil)
 		Expect(k8sClient.Create(ctx, desiredSecret)).To(Succeed())
 
 		UsingClusterBy(key.Name, "Simulating the creation of the HumioBootstrapToken resource")
@@ -411,7 +411,7 @@ func CreateAndBootstrapCluster(ctx context.Context, k8sClient client.Client, hum
 	UsingClusterBy(key.Name, "Simulating the humio bootstrap token controller creating the secret containing the API token")
 	secretData := map[string][]byte{"hashedToken": []byte("P2HS9.20.r+ZbMqd0pHF65h3yQiOt8n1xNytv/4ePWKIj3cElP7gt8YD+gOtdGGvJYmG229kyFWLs6wXx9lfSDiRGGu/xuQ"), "secret": []byte("cYsrKi6IeyOJVzVIdmVK3M6RGl4y9GpgduYKXk4qWvvj")}
 	bootstrapTokenSecretName := fmt.Sprintf("%s-%s", key.Name, kubernetes.BootstrapTokenSecretNameSuffix)
-	desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, bootstrapTokenSecretName, secretData, nil)
+	desiredSecret := kubernetes.ConstructSecret(key.Name, key.Namespace, bootstrapTokenSecretName, secretData, nil, nil)
 	Expect(k8sClient.Create(ctx, desiredSecret)).To(Succeed())
 
 	UsingClusterBy(key.Name, "Creating HumioCluster resource")

diff --git a/controllers/suite/resources/humioresources_controller_test.go b/controllers/suite/resources/humioresources_controller_test.go
@@ -210,6 +210,9 @@ var _ = Describe("Humio Resources Controllers", func() {
 				fetchedIngestToken.Spec.TokenSecretLabels = map[string]string{
 					"custom-label": "custom-value",
 				}
+				fetchedIngestToken.Spec.TokenSecretLabels = map[string]string{
+					"custom-annotation": "custom-value",
+				}
 				return k8sClient.Update(ctx, fetchedIngestToken)
 			}, testTimeout, suite.TestInterval).Should(Succeed())
 			ingestTokenSecret := &corev1.Secret{}
@@ -223,6 +226,7 @@ var _ = Describe("Humio Resources Controllers", func() {
 					ingestTokenSecret)
 			}, testTimeout, suite.TestInterval).Should(Succeed())
 			Expect(ingestTokenSecret.Labels).Should(HaveKeyWithValue("custom-label", "custom-value"))
+			Expect(ingestTokenSecret.Annotations).Should(HaveKeyWithValue("custom-annotation", "custom-value"))
 
 			Expect(string(ingestTokenSecret.Data["token"])).ToNot(BeEmpty())
 

diff --git a/docs/api.md b/docs/api.md
@@ -35456,6 +35456,15 @@ This conflicts with ExternalClusterName.<br/>
           RepositoryName is the name of the Humio repository under which the ingest token will be created<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>tokenSecretAnnotations</b></td>
+        <td>map[string]string</td>
+        <td>
+          TokenSecretAnnotations specifies additional key,value pairs to add as annotations on the Kubernetes Secret containing
+the ingest token.
+This field is optional.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>tokenSecretLabels</b></td>
         <td>map[string]string</td>

diff --git a/internal/kubernetes/secrets.go b/internal/kubernetes/secrets.go
@@ -47,12 +47,13 @@ func LabelsForSecret(clusterName string, secretName string, additionalSecretLabe
 }
 
 // ConstructSecret returns an opaque secret which holds the given data
-func ConstructSecret(humioClusterName, humioClusterNamespace, secretName string, data map[string][]byte, additionalSecretLabels map[string]string) *corev1.Secret {
+func ConstructSecret(humioClusterName, humioClusterNamespace, secretName string, data map[string][]byte, additionalSecretLabels map[string]string, additionalSecretAnnotations map[string]string) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      secretName,
-			Namespace: humioClusterNamespace,
-			Labels:    LabelsForSecret(humioClusterName, secretName, additionalSecretLabels),
+			Name:        secretName,
+			Namespace:   humioClusterNamespace,
+			Labels:      LabelsForSecret(humioClusterName, secretName, additionalSecretLabels),
+			Annotations: additionalSecretAnnotations,
 		},
 		Data: data,
 	}