fix: avoid provider secret last-applied annotation (#92)
Co-authored-by: Codex <codex@pikas.tech>
This commit is contained in:
@@ -56,12 +56,8 @@ export async function setProviderProfileCredential(profileValue: string, body: u
|
||||
const delegatedBy = delegatedBySummary(record.delegatedBy);
|
||||
const rendered = renderCredential(apiKey, await renderedConfigForWrite(profile, record, options));
|
||||
const namespace = profileNamespace(options);
|
||||
const manifest: JsonRecord = {
|
||||
apiVersion: "v1",
|
||||
kind: "Secret",
|
||||
const secretPatch: JsonRecord = {
|
||||
metadata: {
|
||||
name: spec.defaultSecretName,
|
||||
namespace,
|
||||
labels: {
|
||||
"app.kubernetes.io/part-of": "agentrun",
|
||||
"agentrun.pikastech.local/profile": profile,
|
||||
@@ -71,16 +67,17 @@ export async function setProviderProfileCredential(profileValue: string, body: u
|
||||
[`${credentialAnnotationPrefix}-credential-hash-suffix`]: shortHash(rendered.authJson),
|
||||
[`${credentialAnnotationPrefix}-config-hash-suffix`]: shortHash(rendered.config.configToml),
|
||||
[`${credentialAnnotationPrefix}-updated-at`]: new Date().toISOString(),
|
||||
"kubectl.kubernetes.io/last-applied-configuration": null,
|
||||
...(delegatedBy ? { [`${credentialAnnotationPrefix}-delegated-system`]: delegatedBy.system, [`${credentialAnnotationPrefix}-delegated-request-id`]: delegatedBy.requestId ?? "" } : {}),
|
||||
},
|
||||
},
|
||||
type: "Opaque",
|
||||
stringData: {
|
||||
"auth.json": rendered.authJson,
|
||||
"config.toml": rendered.config.configToml,
|
||||
data: {
|
||||
"auth.json": base64Data(rendered.authJson),
|
||||
"config.toml": base64Data(rendered.config.configToml),
|
||||
},
|
||||
};
|
||||
const applied = await kubectlApplySecret(manifest, options.kubectlCommand ?? "kubectl");
|
||||
const applied = await kubectlPatchSecret(spec.defaultSecretName, namespace, secretPatch, options.kubectlCommand ?? "kubectl");
|
||||
return {
|
||||
action: "provider-profile-credential-updated",
|
||||
mutation: true,
|
||||
@@ -422,12 +419,12 @@ async function kubectlGetSecret(name: string, namespace: string, kubectlCommand:
|
||||
return parseKubectlObject(result.stdout, "secret");
|
||||
}
|
||||
|
||||
async function kubectlApplySecret(manifest: JsonRecord, kubectlCommand: string): Promise<JsonRecord> {
|
||||
const result = await runKubectl(kubectlCommand, ["apply", "-f", "-", "-o", "json"], `${JSON.stringify(manifest)}\n`);
|
||||
async function kubectlPatchSecret(name: string, namespace: string, patch: JsonRecord, kubectlCommand: string): Promise<JsonRecord> {
|
||||
const result = await runKubectl(kubectlCommand, ["patch", "secret", name, "-n", namespace, "--type", "merge", "--patch-file", "/dev/stdin", "-o", "json"], `${JSON.stringify(patch)}\n`);
|
||||
if (result.code !== 0) {
|
||||
throw new AgentRunError("infra-failed", `kubectl apply provider profile secret failed with code ${result.code}`, { httpStatus: 502, details: redactJson({ stderr: redactText(result.stderr.slice(-2000)), stdout: redactText(result.stdout.slice(-1000)) }) });
|
||||
throw new AgentRunError("infra-failed", `kubectl patch provider profile secret ${namespace}/${name} failed with code ${result.code}`, { httpStatus: 502, details: redactJson({ stderr: redactText(result.stderr.slice(-2000)), stdout: redactText(result.stdout.slice(-1000)) }) });
|
||||
}
|
||||
return parseKubectlObject(result.stdout, "applied secret", { redactSecretData: true });
|
||||
return parseKubectlObject(result.stdout, "patched secret", { redactSecretData: true });
|
||||
}
|
||||
|
||||
async function runKubectl(kubectlCommand: string, args: string[], stdin?: string): Promise<{ code: number | null; signal: NodeJS.Signals | null; stdout: string; stderr: string }> {
|
||||
@@ -479,6 +476,10 @@ function hashDataKey(data: JsonRecord | null, key: string): string | null {
|
||||
}
|
||||
}
|
||||
|
||||
function base64Data(value: string): string {
|
||||
return Buffer.from(value, "utf8").toString("base64");
|
||||
}
|
||||
|
||||
function shortHash(value: string): string {
|
||||
return createHash("sha256").update(value).digest("hex").slice(0, 12);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user