Pull request overview
Adds a new secret primitive to the operator component framework, mirroring the existing static primitives (e.g., configmap) with builder/resource APIs, mutation + flavor pipelines, hashing utilities, tests, docs, and an end-to-end example.
Changes:
- Introduces pkg/primitives/secret (resource, builder, mutator, flavors, and hash utilities) with comprehensive unit tests.
- Adds a new shared editor SecretDataEditor under pkg/mutation/editors to support typed .data/.stringData mutations.
- Adds documentation for the secret primitive plus a runnable examples/secret-primitive showcasing composition via feature-gated mutations and flavors.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| pkg/primitives/secret/resource.go | Implements Secret Resource wrapper around internal generic static resource. |
| pkg/primitives/secret/resource_test.go | Tests identity/object deep-copy/mutation/data extraction behavior. |
| pkg/primitives/secret/mutator.go | Implements plan-and-apply mutator API for Secret metadata and data edits. |
| pkg/primitives/secret/mutator_test.go | Tests mutator editing helpers, ordering, and interface implementation. |
| pkg/primitives/secret/hash.go | Adds DataHash and Resource.DesiredHash utilities. |
| pkg/primitives/secret/hash_test.go | Tests determinism/sensitivity and DesiredHash behavior. |
| pkg/primitives/secret/flavors.go | Adds Secret-specific field application flavors incl. preserving external .data entries. |
| pkg/primitives/secret/flavors_test.go | Tests flavors and builder integration with Mutate. |
| pkg/primitives/secret/builder.go | Adds fluent builder API over internal generic static builder. |
| pkg/primitives/secret/builder_test.go | Tests builder validation and registration behavior. |
| pkg/mutation/editors/secretdata.go | Adds a shared typed editor for Secret .data and .stringData. |
| pkg/mutation/editors/secretdata_test.go | Tests SecretDataEditor behavior and nil-handling. |
| examples/secret-primitive/resources/secret.go | Example resource factory wiring mutations/flavors/extractors. |
| examples/secret-primitive/README.md | Example documentation and run instructions. |
| examples/secret-primitive/main.go | Runnable example using fake client + multiple reconciliation steps. |
| examples/secret-primitive/features/mutations.go | Example feature-gated Secret mutations using SetStringData + metadata edits. |
| examples/secret-primitive/features/flavors.go | Example flavor wrapper for preserving external entries. |
| examples/secret-primitive/app/controller.go | Example controller wiring component + Secret resource. |
| docs/primitives/secret.md | New user-facing documentation for the secret primitive (builder, ordering, flavors, hashing). |
Owner / Author
Claude Review Cycle 1 Complete
Addressed:
Intentionally ignored:
approved
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…, and hash Implements the Secret primitive following the same pattern as the ConfigMap primitive. Includes full test coverage for builder validation, mutator operations, field application flavors, and data hashing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Demonstrates building a Secret resource with base credentials, version labels, and feature-gated tracing/metrics tokens using the secret primitive. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…nd example
- hash.go: Merge .stringData into a copy of .data before hashing to match Kubernetes API-server write semantics. Ensures DesiredHash reflects content set via SetStringData.
- flavors.go: PreserveExternalEntries now treats keys present in applied.StringData as owned, preventing incorrect preservation of cluster values that the operator intends to overwrite via .stringData.
- secret.md: Add nil-check for current.Data in the custom field applicator example to prevent panic. Update DataHash documentation to describe the merged hash semantics.
- example secret.go: Remove misleading StringData iteration from the data extractor since .stringData is write-only and never returned by the API server on read.
- Add tests for StringData-aware hash and flavor behavior.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Print only key names and value lengths instead of base64-encoded values to prevent credential leakage if the example is copied into production. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Secret to the Built-in Primitives table and SecretDataEditor to the Mutation Editors table in docs/primitives.md so the new primitive is discoverable from the main index page. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Aligns with the fix applied to deployment and configmap mutators in #42. The constructor now initializes the plans slice directly instead of calling beginFeature(), preventing an empty feature plan when mutate_helper.go calls fm.beginFeature() before each mutation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ng guarantees The FeatureMutator interface in internal/generic uses an unexported beginFeature() method (sealed interface pattern), so primitive mutators outside that package cannot satisfy it today. Update the secret docs and Apply() doc comment to accurately describe per-mutation ordering rather than claiming cross-feature boundaries that the framework does not currently enforce for primitives. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
61d430c to c856ea6
# Conflicts:
#	docs/primitives.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update DesiredHash godoc, SecretDataEditor index entry, and hash section intro to accurately reflect that hashing includes .stringData merged into .data, and that the editor exposes SetString/RemoveString/RawStringData. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Kubernetes API server merges .stringData into .data on write and never returns .stringData on reads. When controllerutil.CreateOrUpdate diffs the post-mutate object against the server-populated object, leftover .stringData entries cause an Update on every reconcile. After applying all mutations, merge .stringData entries into .data (stringData keys take precedence) and clear .stringData so the mutated object matches the server-persisted form. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
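Added example (not code from this PR) illustrating the two behaviours the commit messages above describe: the post-mutation merge of .stringData into .data with .stringData winning and .stringData cleared, and the PreserveExternalEntries rule that a key set via applied.StringData counts as operator-owned and is not preserved from the cluster. Secret is a constructed stand-in for the two corev1.Secret fields, and MergedData, Normalize and PreserveExternalEntries are hypothetical names, not the package's API.

```go
package main

// Secret is a constructed stand-in for corev1.Secret's .data/.stringData
// fields so this example runs without k8s.io imports.
type Secret struct {
	Data       map[string][]byte
	StringData map[string]string
}

// MergedData returns a copy of .data with .stringData folded in (.stringData
// keys win): the form the API server persists on write.
func MergedData(s *Secret) map[string][]byte {
	out := make(map[string][]byte, len(s.Data)+len(s.StringData))
	for k, v := range s.Data {
		out[k] = append([]byte(nil), v...) // copy; never alias caller data
	}
	for k, v := range s.StringData {
		out[k] = []byte(v)
	}
	return out
}

// Normalize rewrites s into its server-persisted form (merged .data, empty
// .stringData) so a post-mutate diff against the read-back object is clean
// and does not trigger an Update on every reconcile.
func Normalize(s *Secret) {
	if len(s.StringData) == 0 {
		return
	}
	s.Data = MergedData(s)
	s.StringData = nil
}

// PreserveExternalEntries keeps cluster-side .data keys the operator does not
// own; a key set via applied.StringData counts as owned and is not preserved,
// so a value the operator intends to overwrite is not silently kept.
func PreserveExternalEntries(current, applied *Secret) {
	if applied.Data == nil {
		applied.Data = map[string][]byte{}
	}
	for k, v := range current.Data {
		_, inData := applied.Data[k]
		_, inStr := applied.StringData[k]
		if !inData && !inStr {
			applied.Data[k] = append([]byte(nil), v...)
		}
	}
}
```

Run PreserveExternalEntries before Normalize, as the flavor sees .stringData only while it is still populated.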
Do not initialize an empty feature plan in NewMutator — require BeginFeature before registering mutations, matching the convention established in configmap and deployment primitives. Add constructor and feature-plan invariant tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implements the secret Kubernetes resource primitive following the pattern established by the existing ConfigMap and Deployment primitives.
Summary
- secret primitive package under pkg/primitives/secret/
- SecretDataEditor to shared pkg/mutation/editors/ (follows existing ConfigMapDataEditor pattern)
- docs/primitives.md to include the new primitive in the index
Checklist