feat(health): add PushSecret health status and force-sync action (#14375

)

* feat(health): add `PushSecret` health status

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add status healthy

Signed-off-by: Alexandre Gaudreault <[email protected]>

* Push action

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix test

Signed-off-by: Alexandre Gaudreault <[email protected]>

---------

Signed-off-by: Alexandre Gaudreault <[email protected]>

resource_customizations/external-secrets.io/PushSecret/actions/action_test.yaml

@@ -0,0 +1,4 @@
+actionTests:
+  - action: push
+    inputPath: testdata/push-secret.yaml
+    expectedOutputPath: testdata/push-secret-updated.yaml

resource_customizations/external-secrets.io/PushSecret/actions/discovery.lua

@@ -0,0 +1,3 @@
+actions = {}
+actions["push"] = {["disabled"] = false}
+return actions

resource_customizations/external-secrets.io/PushSecret/actions/push/action.lua

@@ -0,0 +1,6 @@
+local os = require("os")
+if obj.metadata.annotations == nil then
+    obj.metadata.annotations = {}
+end
+obj.metadata.annotations["force-sync"] = os.date("!%Y-%m-%dT%XZ")
+return obj

resource_customizations/external-secrets.io/PushSecret/actions/testdata/push-secret-updated.yaml

@@ -0,0 +1,41 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  annotations:
+    force-sync: '0001-01-01T00:00:00Z'
+  creationTimestamp: '2023-07-05T20:49:16Z'
+  generation: 1
+  name: test-healthy
+  namespace: external-secret
+  resourceVersion: '777692391'
+  uid: 88cb613a-07b0-4fb2-8fdb-d5a5a9c2c917
+spec:
+  data:
+    - match:
+        remoteRef:
+          property: test
+          remoteKey: remote/path
+        secretKey: test
+  deletionPolicy: None
+  refreshInterval: 5m
+  secretStoreRefs:
+    - kind: ClusterSecretStore
+      name: my-store
+  selector:
+    secret:
+      name: existing-secret
+status:
+  conditions:
+    - lastTransitionTime: '2023-07-05T20:49:16Z'
+      message: PushSecret synced successfully
+      reason: Synced
+      status: 'True'
+      type: Ready
+  syncedPushSecrets:
+    ClusterSecretStore/my-store:
+      remote/path/test:
+        match:
+          remoteRef:
+            property: test
+            remoteKey: remote/path
+          secretKey: test

resource_customizations/external-secrets.io/PushSecret/actions/testdata/push-secret.yaml

@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  creationTimestamp: '2023-07-05T20:49:16Z'
+  generation: 1
+  name: test-healthy
+  namespace: external-secret
+  resourceVersion: '777692391'
+  uid: 88cb613a-07b0-4fb2-8fdb-d5a5a9c2c917
+spec:
+  data:
+    - match:
+        remoteRef:
+          property: test
+          remoteKey: remote/path
+        secretKey: test
+  deletionPolicy: None
+  refreshInterval: 5m
+  secretStoreRefs:
+    - kind: ClusterSecretStore
+      name: my-store
+  selector:
+    secret:
+      name: existing-secret
+status:
+  conditions:
+    - lastTransitionTime: '2023-07-05T20:49:16Z'
+      message: PushSecret synced successfully
+      reason: Synced
+      status: 'True'
+      type: Ready
+  syncedPushSecrets:
+    ClusterSecretStore/my-store:
+      remote/path/test:
+        match:
+          remoteRef:
+            property: test
+            remoteKey: remote/path
+          secretKey: test

resource_customizations/external-secrets.io/PushSecret/health.lua

@@ -0,0 +1,20 @@
+hs = {}
+if obj.status ~= nil then
+  if obj.status.conditions ~= nil then
+    for i, condition in ipairs(obj.status.conditions) do
+      if condition.type == "Ready" and condition.status == "False" then
+        hs.status = "Degraded"
+        hs.message = condition.message
+        return hs
+      end
+      if condition.type == "Ready" and condition.status == "True" then
+        hs.status = "Healthy"
+        hs.message = condition.message
+        return hs
+      end
+    end
+  end
+end
+hs.status = "Progressing"
+hs.message = "Waiting for PushSecret"
+return hs

resource_customizations/external-secrets.io/PushSecret/health_test.yaml

@@ -0,0 +1,13 @@
+tests:
+  - healthStatus:
+      status: Progressing
+      message: Waiting for PushSecret
+    inputPath: testdata/progressing.yaml
+  - healthStatus:
+      status: Degraded
+      message: 'set secret failed: could not write remote ref test to target secretstore my-store: Error making API request.'
+    inputPath: testdata/degraded.yaml
+  - healthStatus:
+      status: Healthy
+      message: 'PushSecret synced successfully'
+    inputPath: testdata/healthy.yaml

resource_customizations/external-secrets.io/PushSecret/testdata/degraded.yaml

@@ -0,0 +1,33 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  creationTimestamp: '2023-07-05T20:49:16Z'
+  generation: 1
+  name: test-degraded
+  namespace: external-secret
+  resourceVersion: '777692391'
+  uid: 88cb613a-07b0-4fb2-8fdb-d5a5a9c2c917
+spec:
+  data:
+    - match:
+        remoteRef:
+          property: test
+          remoteKey: remote/path
+        secretKey: test
+  deletionPolicy: None
+  refreshInterval: 5m
+  secretStoreRefs:
+    - kind: ClusterSecretStore
+      name: my-store
+  selector:
+    secret:
+      name: existing-secret
+status:
+  conditions:
+    - lastTransitionTime: '2023-07-05T20:49:16Z'
+      message: 'set secret failed: could not write remote ref test to target secretstore my-store: Error making API request.'
+      reason: Errored
+      status: 'False'
+      type: Ready
+  syncedPushSecrets:
+    ClusterSecretStore/my-store: {}

resource_customizations/external-secrets.io/PushSecret/testdata/healthy.yaml

@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  creationTimestamp: '2023-07-05T20:49:16Z'
+  generation: 1
+  name: test-healthy
+  namespace: external-secret
+  resourceVersion: '777692391'
+  uid: 88cb613a-07b0-4fb2-8fdb-d5a5a9c2c917
+spec:
+  data:
+    - match:
+        remoteRef:
+          property: test
+          remoteKey: remote/path
+        secretKey: test
+  deletionPolicy: None
+  refreshInterval: 5m
+  secretStoreRefs:
+    - kind: ClusterSecretStore
+      name: my-store
+  selector:
+    secret:
+      name: existing-secret
+status:
+  conditions:
+    - lastTransitionTime: '2023-07-05T20:49:16Z'
+      message: PushSecret synced successfully
+      reason: Synced
+      status: 'True'
+      type: Ready
+  syncedPushSecrets:
+    ClusterSecretStore/my-store:
+      remote/path/test:
+        match:
+          remoteRef:
+            property: test
+            remoteKey: remote/path
+          secretKey: test

resource_customizations/external-secrets.io/PushSecret/testdata/progressing.yaml

@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  creationTimestamp: '2023-07-05T20:49:16Z'
+  generation: 1
+  name: test-progressing
+  namespace: external-secret
+  resourceVersion: '777692391'
+  uid: 88cb613a-07b0-4fb2-8fdb-d5a5a9c2c917
+spec:
+  data:
+    - match:
+        remoteRef:
+          property: test
+          remoteKey: remote/path
+        secretKey: test
+  deletionPolicy: None
+  refreshInterval: 5m
+  secretStoreRefs:
+    - kind: ClusterSecretStore
+      name: my-store
+  selector:
+    secret:
+      name: existing-secret

util/lua/custom_actions_test.go

@@ -58,7 +58,7 @@ func (t testNormalizer) Normalize(un *unstructured.Unstructured) error {
 		if err != nil {
 			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)
 		}
-	case "ExternalSecret":
+	case "ExternalSecret", "PushSecret":
 		err := unstructured.SetNestedStringMap(un.Object, map[string]string{"force-sync": "0001-01-01T00:00:00Z"}, "metadata", "annotations")
 		if err != nil {
 			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)