Skip to content

Commit

Permalink
Avoid conflicts when deployed by ArgoCD
Browse files Browse the repository at this point in the history
This change introduces a black list for labels like the one already
existing for metadata.

The list contains one entry for the prefix "app.kubernetes.io". The
label "app.kubernetes.io/instance" is per default used by ArgoCD to
track resources, which causes copied Secrets to be potentially deleted
again by ArgoCD. Also labels with prefix "app.kubernetes.io" are in
general very specific to the resources in their respective namespace and
therefore shouldn't probably be automatically copied to resources in
other namespaces anyway.

In order to avoid code duplication the filtering is delegated to an
embedded function filter_dict.

Signed-off-by: Max Harmathy <[email protected]>
  • Loading branch information
harmathy committed Oct 11, 2024
1 parent cee6cb0 commit 60d5abc
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 14 deletions.
3 changes: 2 additions & 1 deletion src/consts.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,5 @@

CLUSTER_SECRET_LABEL = "clustersecret.io"

BLACK_LISTED_ANNOTATIONS = ["kopf.zalando.org", "kubectl.kubernetes.io"]
BLACK_LISTED_ANNOTATIONS = ["kopf.zalando.org", "kubectl.kubernetes.io"]
BLACK_LISTED_LABELS = ["app.kubernetes.io"]
35 changes: 22 additions & 13 deletions src/kubernetes_utils.py
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
import logging
from datetime import datetime
from typing import Optional, Dict, Any, List, Mapping
from typing import Optional, Dict, Any, List, Mapping, Tuple, Iterator
import re

import kopf
from kubernetes.client import CoreV1Api, CustomObjectsApi, exceptions, V1ObjectMeta, rest, V1Secret

from os_utils import get_replace_existing, get_version
from consts import CREATE_BY_ANNOTATION, LAST_SYNC_ANNOTATION, VERSION_ANNOTATION, BLACK_LISTED_ANNOTATIONS, \
CREATE_BY_AUTHOR, CLUSTER_SECRET_LABEL
BLACK_LISTED_LABELS, CREATE_BY_AUTHOR, CLUSTER_SECRET_LABEL


def patch_clustersecret_status(
Expand Down Expand Up @@ -286,27 +286,36 @@ def create_secret_metadata(
Kubernetes metadata object with ClusterSecret annotations.
"""

_labels = {
def filter_dict(
prefixes: List[str],
base: Dict[str, str],
source: Optional[Mapping[str, str]] = None
) -> Iterator[Tuple[str, str]]:
""" Remove potential useless / dangerous annotations and labels"""
for item in base.items():
yield item
if source is not None:
for item in source.items():
key, _ = item
if not any(key.startswith(prefix) for prefix in prefixes):
yield item

base_labels = {
CLUSTER_SECRET_LABEL: 'true'
}
_labels.update(labels or {})

_annotations = {
base_annotations = {
CREATE_BY_ANNOTATION: CREATE_BY_AUTHOR,
VERSION_ANNOTATION: get_version(),
LAST_SYNC_ANNOTATION: datetime.now().isoformat(),
}
_annotations.update(annotations or {})

# Remove potential useless / dangerous annotations
_annotations = {key: value for key, value in _annotations.items() if
not any(key.startswith(prefix) for prefix in BLACK_LISTED_ANNOTATIONS)}

_annotations = filter_dict(BLACK_LISTED_ANNOTATIONS, base_annotations, annotations)
_labels = filter_dict(BLACK_LISTED_LABELS, base_labels, labels)
return V1ObjectMeta(
name=name,
namespace=namespace,
annotations=_annotations,
labels=_labels,
annotations=dict(_annotations),
labels=dict(_labels),
)


Expand Down

0 comments on commit 60d5abc

Please sign in to comment.