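--- a/src/api-v2.authz.test.ts
+++ b/src/api-v2.authz.test.ts
@@ -491,10 +491,18 @@ describe('API V2 authz tests', () => {
 })
 
 describe('V2 Sealed Secret Endpoints', () => {
-const secretData = createTeamResource('AplTeamSecret', {
-type: 'kubernetes.io/opaque',
-encryptedData: { key: 'value' },
-})
+const secretData = {
+kind: 'SealedSecret',
+metadata: {
+name: 'test-secret',
+},
+spec: {
+encryptedData: { key: 'value' },
+template: {
+type: 'kubernetes.io/opaque',
+},
+},
+}
 
 describe('Platform Admin', () => {
 test('platform admin can get all sealed secrets', async () => {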
8 changes: 4 additions & 4 deletions src/api/v2/teams/{teamId}/sealedsecrets.ts
@@ -1,12 +1,12 @@
import Debug from 'debug'
import { Response } from 'express'
import { AplSecretRequest, OpenApiRequestExt } from 'src/otomi-models'
import { OpenApiRequestExt, SealedSecretManifestRequest } from 'src/otomi-models'

const debug = Debug('otomi:api:v2:teams:sealedsecrets')

/**
* GET /v2/teams/{teamId}/sealedsecrets
* Get all sealed secrets for a team (APL format)
* Get all sealed secrets for a team (SealedSecret manifest format)
*/
export const getAplSealedSecrets = (req: OpenApiRequestExt, res: Response): void => {
const { teamId } = req.params
Expand All @@ -17,11 +17,11 @@ export const getAplSealedSecrets = (req: OpenApiRequestExt, res: Response): void

/**
* POST /v2/teams/{teamId}/sealedsecrets
* Create a new sealed secret (APL format)
* Create a new sealed secret (SealedSecret manifest format)
*/
export const createAplSealedSecret = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
const { teamId } = req.params
debug(`createSealedSecret(${teamId}, ...)`)
const v = await req.otomi.createAplSealedSecret(decodeURIComponent(teamId), req.body as AplSecretRequest)
const v = await req.otomi.createAplSealedSecret(decodeURIComponent(teamId), req.body as SealedSecretManifestRequest)
res.json(v)
}
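Review bot: In `createAplSealedSecret` the `req.body as SealedSecretManifestRequest` cast is erased at compile time, so the handler forwards a caller-written manifest without comparing its `metadata.namespace` with the `teamId` taken from the path. That field appears to be added to the request metadata by this commit's api.yaml change. Whether `req.otomi.createAplSealedSecret` rejects or overwrites it is not visible here; if it does not, a manifest submitted under one team's path could name another team's namespace. I would add a guard before the call that answers 400 when `req.body.metadata?.namespace` is set and differs from `'team-' + decodeURIComponent(teamId)`, or a doc comment stating that the namespace is forced server-side. The same applies to the PUT and PATCH handlers in `sealedsecrets/{sealedSecretName}.ts`.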
12 changes: 6 additions & 6 deletions src/api/v2/teams/{teamId}/sealedsecrets/{sealedSecretName}.ts
@@ -1,12 +1,12 @@
import Debug from 'debug'
import { Response } from 'express'
import { AplSecretRequest, DeepPartial, OpenApiRequestExt } from 'src/otomi-models'
import { DeepPartial, OpenApiRequestExt, SealedSecretManifestRequest } from 'src/otomi-models'

const debug = Debug('otomi:api:v2:teams:sealedsecrets')

/**
* GET /v2/teams/{teamId}/sealedsecrets/{sealedSecretName}
* Get a specific sealed secret (APL format)
* Get a specific sealed secret (SealedSecret manifest format)
*/
export const getAplSealedSecret = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
const { teamId, sealedSecretName } = req.params
Expand All @@ -17,30 +17,30 @@ export const getAplSealedSecret = async (req: OpenApiRequestExt, res: Response):

/**
* PUT /v2/teams/{teamId}/sealedsecrets/{sealedSecretName}
* Edit a sealed secret (APL format)
* Edit a sealed secret (SealedSecret manifest format)
*/
export const editAplSealedSecret = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
const { teamId, sealedSecretName } = req.params
debug(`editSealedSecret(${sealedSecretName})`)
const data = await req.otomi.editAplSealedSecret(
decodeURIComponent(teamId),
decodeURIComponent(sealedSecretName),
req.body as AplSecretRequest,
req.body as SealedSecretManifestRequest,
)
res.json(data)
}

/**
* PATCH /v2/teams/{teamId}/sealedsecrets/{sealedSecretName}
* Partially update a sealed secret (APL format)
* Partially update a sealed secret (SealedSecret manifest format)
*/
export const patchAplSealedSecret = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
const { teamId, sealedSecretName } = req.params
debug(`editSealedSecret(${sealedSecretName}, patch)`)
const data = await req.otomi.editAplSealedSecret(
decodeURIComponent(teamId),
decodeURIComponent(sealedSecretName),
req.body as DeepPartial<AplSecretRequest>,
req.body as DeepPartial<SealedSecretManifestRequest>,
true,
)
res.json(data)
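Review bot: `editAplSealedSecret` and `patchAplSealedSecret` address the resource by the path's `sealedSecretName`, while the body is a full manifest with its own `metadata.name`, and nothing in these handlers reconciles the two. If the stack method trusts the body, a PUT to one name could rewrite a differently named secret; if it trusts the path, the mismatch is silently ignored. Neither behaviour is visible from this section. A guard that answers 400 when `req.body?.metadata?.name` is set and differs from `decodeURIComponent(sealedSecretName)` would make the contract explicit, and the doc comments above each handler should say which side wins. The end of `patchAplSealedSecret` lies outside the hunk.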
4 changes: 2 additions & 2 deletions src/app.ts
Expand Up @@ -20,7 +20,7 @@ import {
} from 'src/middleware'
import { apiRateLimiter, authRateLimiter } from 'src/middleware/rate-limit'
import { setMockIdx } from 'src/mocks'
import { AplResponseObject, OpenAPIDoc, Schema } from 'src/otomi-models'
import { AplResponseObject, OpenAPIDoc, Schema, SealedSecretManifestResponse } from 'src/otomi-models'
import { default as OtomiStack } from 'src/otomi-stack'
import { extract, getPaths, getValuesSchema } from 'src/utils'
import {
Expand Down Expand Up @@ -89,7 +89,7 @@ const resourceStatus = async (errorSet) => {
}
const { cluster } = otomiStack.getSettings(['cluster'])
const domainSuffix = cluster?.domainSuffix
const resources: Record<string, AplResponseObject[]> = {
const resources: Record<string, (AplResponseObject | SealedSecretManifestResponse)[]> = {
workloads: otomiStack.getAllAplWorkloads(),
builds: otomiStack.getAllAplBuilds(),
services: otomiStack.getAllAplServices(),
4 changes: 2 additions & 2 deletions src/fileStore/file-map.ts
Expand Up @@ -163,8 +163,8 @@ export function getFileMaps(envDir: string): Map<AplKind, FileMap> {
name: 'services',
})

maps.set('AplTeamSecret', {
kind: 'AplTeamSecret',
maps.set('SealedSecret', {
kind: 'SealedSecret',
envDir,
pathGlob: `${envDir}/env/teams/*/sealedsecrets/*.yaml`,
pathTemplate: 'env/teams/{teamId}/sealedsecrets/{name}.yaml',
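Review bot: The map key and `kind` change to `'SealedSecret'` while `pathGlob` and `pathTemplate` stay the same, so files already stored under `env/teams/*/sealedsecrets/*.yaml` with `kind: AplTeamSecret` will be picked up by the new entry. Whether the loader compares a file's `kind` with the map entry is not visible in this hunk; if it does, existing secrets would stop loading or be read under the wrong shape until they are migrated. I would add a comment on this entry that points at the migration, for example `// files written before <release placeholder> carry kind: AplTeamSecret; converted by <migration placeholder>`, or handle the old kind explicitly. `getFileMaps` starts and ends outside the hunk.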
6 changes: 3 additions & 3 deletions src/k8s_operations.ts
Expand Up @@ -11,7 +11,7 @@ import Debug from 'debug'
import * as fs from 'fs'
import * as yaml from 'js-yaml'
import { promisify } from 'util'
import { AplBuildResponse, AplSecretResponse, AplServiceResponse, AplWorkloadResponse } from './otomi-models'
import { AplBuildResponse, AplServiceResponse, AplWorkloadResponse, SealedSecretManifestResponse } from './otomi-models'

const debug = Debug('otomi:api:k8sOperations')

Expand Down Expand Up @@ -433,10 +433,10 @@ export async function getSealedSecretSyncedStatus(name: string, namespace: strin
}
}

export async function getSealedSecretStatus(sealedsecret: AplSecretResponse): Promise<string> {
export async function getSealedSecretStatus(sealedsecret: SealedSecretManifestResponse): Promise<string> {
const { name, labels } = sealedsecret.metadata
const teamName = labels['apl.io/teamId']
const namespace = sealedsecret.spec.namespace ?? `team-${teamName}`
const namespace = sealedsecret.spec.template?.metadata?.namespace ?? `team-${teamName}`
const value = await getSecretValues(name, namespace)
const syncedStatus = await getSealedSecretSyncedStatus(name, namespace)

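Review bot: In `getSealedSecretStatus` the namespace passed to `getSecretValues` and `getSealedSecretSyncedStatus` now comes from `sealedsecret.spec.template?.metadata?.namespace`, a field of the stored manifest that may be caller-supplied, and it is never checked against the team namespace derived from the `apl.io/teamId` label. The sealed-secrets controller creates the Secret in the SealedSecret's own namespace, so a template namespace that differs from it makes this lookup read a Secret in a namespace the resource does not live in. I would prefer `sealedsecret.metadata.namespace` where the response type carries it, and fall back to the team namespace whenever the manifest value differs from `'team-' + teamName`. `labels['apl.io/teamId']` also throws when `labels` is absent, which a hand-written manifest makes more likely than the old generated shape; `labels?.['apl.io/teamId']` plus an explicit error would be safer. The function body continues outside the hunk.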
49 changes: 35 additions & 14 deletions src/openapi/api.yaml
Expand Up @@ -730,7 +730,7 @@ paths:
schema:
type: array
items:
$ref: '#/components/schemas/AplSecretResponse'
$ref: '#/components/schemas/SealedSecretManifestResponse'
'400':
$ref: '#/components/responses/BadRequest'

Expand All @@ -750,7 +750,7 @@ paths:
schema:
type: array
items:
$ref: '#/components/schemas/AplSecretResponse'
$ref: '#/components/schemas/SealedSecretManifestResponse'
'400':
description: Bad Request
content:
Expand All @@ -766,7 +766,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/AplSecretRequest'
$ref: '#/components/schemas/SealedSecretManifestRequest'
description: SealedSecret object
required: true
responses:
Expand All @@ -779,7 +779,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/AplSecretResponse'
$ref: '#/components/schemas/SealedSecretManifestResponse'

'/v2/teams/{teamId}/sealedsecrets/{sealedSecretName}':
parameters:
Expand All @@ -800,7 +800,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/AplSecretResponse'
$ref: '#/components/schemas/SealedSecretManifestResponse'
put:
operationId: editAplSealedSecret
x-eov-operation-handler: v2/teams/{teamId}/sealedsecrets/{sealedSecretName}
Expand All @@ -810,7 +810,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/AplSecretRequest'
$ref: '#/components/schemas/SealedSecretManifestRequest'
description: SealedSecret object that contains updated values
required: true
responses:
Expand All @@ -823,7 +823,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/AplSecretResponse'
$ref: '#/components/schemas/SealedSecretManifestResponse'
delete:
operationId: deleteAplSealedSecret
x-eov-operation-handler: v2/teams/{teamId}/sealedsecrets/{sealedSecretName}
Expand Down Expand Up @@ -2833,6 +2833,16 @@ components:
properties:
name:
$ref: 'definitions.yaml#/idName'
namespace:
$ref: 'definitions.yaml#/idName'
annotations:
type: object
additionalProperties:
type: string
labels:
type: object
additionalProperties:
type: string
required:
- name
required:
Expand All @@ -2845,6 +2855,12 @@ components:
properties:
name:
$ref: 'definitions.yaml#/idName'
namespace:
$ref: 'definitions.yaml#/idName'
annotations:
type: object
additionalProperties:
type: string
labels:
type: object
properties:
Expand Down Expand Up @@ -3014,25 +3030,28 @@ components:
- $ref: '#/components/schemas/AplPolicy'
- $ref: '#/components/schemas/aplTeamMetadata'
- $ref: '#/components/schemas/aplStatusResponse'
AplSecret:
SealedSecretManifest:
type: object
properties:
apiVersion:
type: string
enum: ['bitnami.com/v1alpha1']
kind:
type: string
enum: [AplTeamSecret]
enum: [SealedSecret]
spec:
$ref: 'sealedsecret.yaml#/AplSealedSecretSpec'
$ref: '#/components/schemas/SealedSecretManifestSpec'
required:
- kind
- spec
AplSecretRequest:
SealedSecretManifestRequest:
allOf:
- $ref: '#/components/schemas/AplSecret'
- $ref: '#/components/schemas/SealedSecretManifest'
- $ref: '#/components/schemas/aplMetadata'
AplSecretResponse:
SealedSecretManifestResponse:
type: object
allOf:
- $ref: '#/components/schemas/AplSecret'
- $ref: '#/components/schemas/SealedSecretManifest'
- $ref: '#/components/schemas/aplTeamMetadata'
- $ref: '#/components/schemas/aplStatusResponse'
AplService:
Expand Down Expand Up @@ -3139,6 +3158,8 @@ components:
$ref: 'policies.yaml#/Policies'
SealedSecret:
$ref: 'sealedsecret.yaml#/SealedSecret'
SealedSecretManifestSpec:
$ref: 'sealedsecret.yaml#/SealedSecretManifestSpec'
SealedSecretsKeys:
$ref: 'sealedsecretskeys.yaml#/SealedSecretsKeys'
K8sSecret:
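Review bot: The hunk at old line 2833 adds `namespace`, free-form `annotations` and free-form `labels` to what appears to be the shared request metadata schema (its name is outside the hunk; `SealedSecretManifestRequest` composes `aplMetadata`), so if that is the case every request kind built on it, not only sealed secrets, now accepts caller-chosen values for them. `getSealedSecretStatus` in `src/k8s_operations.ts` derives the team from `labels['apl.io/teamId']`, so a caller-supplied `labels` map must never be able to set or override that key. I would give the sealed-secret request its own metadata schema instead of widening the shared one, or add a `description:` on these properties stating that the server overwrites `namespace` and the `apl.io/*` labels. `SealedSecretManifest` also leaves `apiVersion` out of `required`, so a stored manifest can lack it; adding `- apiVersion` there would keep persisted files valid manifests.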