fix: remove provider secret last-applied annotation (#94)
Co-authored-by: Codex <codex@pikas.tech>
This commit is contained in:
@@ -13,12 +13,14 @@ const selfTest: SelfTestCase = async (context) => {
|
||||
const gitopsRenderer = await readFile(path.join(context.root, "scripts/src/gitops-render.ts"), "utf8");
|
||||
assert.equal(gitopsRenderer.includes("agentrun-v01-mgr-provider-secret-manager"), true);
|
||||
assert.equal(gitopsRenderer.includes('verbs: ["get", "patch", "update"]'), true);
|
||||
assert.equal(gitopsRenderer.includes('resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek", "agentrun-v01-provider-minimax-m3"]'), true);
|
||||
for (const profile of ["codex", "deepseek", "minimax-m3"]) {
|
||||
assert.equal(gitopsRenderer.includes(`agentrun-v01-provider-${profile}`), true);
|
||||
}
|
||||
|
||||
const fakeKubectl = path.join(context.tmp, "fake-provider-kubectl.js");
|
||||
const replacedSecretPath = path.join(context.tmp, "provider-secret-replace.json");
|
||||
const cleanupPatchPath = path.join(context.tmp, "provider-secret-cleanup-patch.json");
|
||||
const createdJobPath = path.join(context.tmp, "provider-validation-job.json");
|
||||
await writeFile(fakeKubectl, `#!/usr/bin/env bun
|
||||
const args = Bun.argv.slice(2);
|
||||
@@ -35,10 +37,21 @@ if (args[0] === "apply") {
|
||||
console.error("provider credential updates must not use kubectl apply");
|
||||
process.exit(1);
|
||||
}
|
||||
if (args[0] === "patch" && args[1] === "secret") {
|
||||
if (args[0] === "patch" && args[1] === "secret" && args.includes("--patch-file")) {
|
||||
console.error("provider credential updates must not use kubectl patch --patch-file");
|
||||
process.exit(1);
|
||||
}
|
||||
if (args[0] === "patch" && args[1] === "secret") {
|
||||
const patchArg = args[args.indexOf("-p") + 1] ?? "{}";
|
||||
const patch = JSON.parse(patchArg);
|
||||
await Bun.write(${JSON.stringify(cleanupPatchPath)}, JSON.stringify({ args, patch }, null, 2));
|
||||
if (patch.metadata?.annotations?.["kubectl.kubernetes.io/last-applied-configuration"] !== null) {
|
||||
console.error("provider credential patch may only remove last-applied annotation");
|
||||
process.exit(1);
|
||||
}
|
||||
console.log(JSON.stringify({ apiVersion: "v1", kind: "Secret", metadata: { name: args[2], namespace: "agentrun-v01", resourceVersion: "rv-cleaned", annotations: { "agentrun.pikastech.local/provider-profile-updated-at": "2026-06-05T00:00:01.000Z" } }, data: { "auth.json": "REDACTED", "config.toml": "REDACTED" } }));
|
||||
process.exit(0);
|
||||
}
|
||||
if (args[0] === "replace") {
|
||||
const text = await readStdin();
|
||||
await Bun.write(${JSON.stringify(replacedSecretPath)}, JSON.stringify({ args, manifest: JSON.parse(text) }, null, 2));
|
||||
@@ -85,7 +98,7 @@ process.exit(1);
|
||||
reason: "self-test",
|
||||
}) as JsonRecord;
|
||||
assert.equal(updated.profile, "deepseek");
|
||||
assert.equal(updated.resourceVersion, "rv-replaced");
|
||||
assert.equal(updated.resourceVersion, "rv-cleaned");
|
||||
assert.equal(updated.requiresExternalBridgeUpdate, true);
|
||||
assert.equal(JSON.stringify(updated).includes(secretText), false);
|
||||
assertNoSecretLeak(updated);
|
||||
@@ -97,7 +110,12 @@ process.exit(1);
|
||||
assert.equal(((secretManifest.metadata as JsonRecord).name), "agentrun-v01-provider-deepseek");
|
||||
assert.equal(((secretManifest.metadata as JsonRecord).namespace), "agentrun-v01");
|
||||
const annotations = (secretManifest.metadata as JsonRecord).annotations as JsonRecord;
|
||||
assert.equal(annotations["kubectl.kubernetes.io/last-applied-configuration"], null);
|
||||
assert.equal(Object.hasOwn(annotations, "kubectl.kubernetes.io/last-applied-configuration"), false);
|
||||
const cleanupRecord = JSON.parse(await readFile(cleanupPatchPath, "utf8")) as JsonRecord;
|
||||
const cleanupArgs = cleanupRecord.args as string[];
|
||||
assert.deepEqual(cleanupArgs, ["patch", "secret", "agentrun-v01-provider-deepseek", "-n", "agentrun-v01", "--type", "merge", "-p", JSON.stringify({ metadata: { annotations: { "kubectl.kubernetes.io/last-applied-configuration": null } } }), "-o", "json"]);
|
||||
const cleanupPatch = cleanupRecord.patch as JsonRecord;
|
||||
assert.deepEqual(cleanupPatch, { metadata: { annotations: { "kubectl.kubernetes.io/last-applied-configuration": null } } });
|
||||
const data = secretManifest.data as JsonRecord;
|
||||
const authJson = Buffer.from(String(data["auth.json"]), "base64").toString("utf8");
|
||||
const configToml = Buffer.from(String(data["config.toml"]), "base64").toString("utf8");
|
||||
@@ -129,7 +147,7 @@ process.exit(1);
|
||||
assert.equal(finalValidation.status, "completed");
|
||||
assert.equal(JSON.stringify(finalValidation).includes(secretText), false);
|
||||
assertNoSecretLeak(finalValidation);
|
||||
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-secret-upsert-no-last-applied", "provider-profile-deepseek-moon-bridge", "provider-profile-manager-secret-rbac", "provider-profile-validation-runner-job"] };
|
||||
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-secret-replace-annotation-cleanup", "provider-profile-deepseek-moon-bridge", "provider-profile-manager-secret-rbac", "provider-profile-validation-runner-job"] };
|
||||
} finally {
|
||||
await new Promise<void>((resolve) => server.server.close(() => resolve()));
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user