fix: avoid provider secret last-applied annotation (#92)

Co-authored-by: Codex <codex@pikas.tech>
This commit is contained in:
Lyon
2026-06-05 18:34:13 +08:00
committed by GitHub
parent 1d434cfc53
commit a8f1e56367
2 changed files with 38 additions and 26 deletions
@@ -18,7 +18,7 @@ const selfTest: SelfTestCase = async (context) => {
}
const fakeKubectl = path.join(context.tmp, "fake-provider-kubectl.js");
const appliedManifestPath = path.join(context.tmp, "provider-secret-apply.json");
const patchedSecretPath = path.join(context.tmp, "provider-secret-patch.json");
const createdJobPath = path.join(context.tmp, "provider-validation-job.json");
await writeFile(fakeKubectl, `#!/usr/bin/env bun
const args = Bun.argv.slice(2);
@@ -32,11 +32,15 @@ if (args[0] === "get" && args[1] === "secret") {
process.exit(0);
}
if (args[0] === "apply") {
console.error("provider credential updates must not use kubectl apply");
process.exit(1);
}
if (args[0] === "patch" && args[1] === "secret") {
const text = await readStdin();
await Bun.write(${JSON.stringify(appliedManifestPath)}, text);
const manifest = JSON.parse(text);
const annotations = manifest.metadata?.annotations ?? {};
console.log(JSON.stringify({ apiVersion: "v1", kind: "Secret", metadata: { name: manifest.metadata.name, namespace: manifest.metadata.namespace, resourceVersion: "rv-applied", annotations } }));
await Bun.write(${JSON.stringify(patchedSecretPath)}, JSON.stringify({ args, patch: JSON.parse(text) }, null, 2));
const patch = JSON.parse(text);
const annotations = patch.metadata?.annotations ?? {};
console.log(JSON.stringify({ apiVersion: "v1", kind: "Secret", metadata: { name: args[2], namespace: args[4], resourceVersion: "rv-patched", annotations } }));
process.exit(0);
}
if (args[0] === "create") {
@@ -77,16 +81,23 @@ process.exit(1);
reason: "self-test",
}) as JsonRecord;
assert.equal(updated.profile, "deepseek");
assert.equal(updated.resourceVersion, "rv-applied");
assert.equal(updated.resourceVersion, "rv-patched");
assert.equal(updated.requiresExternalBridgeUpdate, true);
assert.equal(JSON.stringify(updated).includes(secretText), false);
assertNoSecretLeak(updated);
const manifest = JSON.parse(await readFile(appliedManifestPath, "utf8")) as JsonRecord;
const stringData = manifest.stringData as JsonRecord;
assert.equal(String(stringData["auth.json"]).includes(secretText), true);
assert.equal(String(stringData["auth.json"]).includes("OPENAI_API_KEY"), true);
assert.equal(String(stringData["config.toml"]).includes("hwlab-deepseek-proxy.hwlab-v02.svc.cluster.local"), true);
assert.equal(String(stringData["config.toml"]).includes("hyueapi.com"), false);
const patchRecord = JSON.parse(await readFile(patchedSecretPath, "utf8")) as JsonRecord;
const patchArgs = patchRecord.args as string[];
assert.deepEqual(patchArgs, ["patch", "secret", "agentrun-v01-provider-deepseek", "-n", "agentrun-v01", "--type", "merge", "--patch-file", "/dev/stdin", "-o", "json"]);
const secretPatch = patchRecord.patch as JsonRecord;
const annotations = (secretPatch.metadata as JsonRecord).annotations as JsonRecord;
assert.equal(annotations["kubectl.kubernetes.io/last-applied-configuration"], null);
const data = secretPatch.data as JsonRecord;
const authJson = Buffer.from(String(data["auth.json"]), "base64").toString("utf8");
const configToml = Buffer.from(String(data["config.toml"]), "base64").toString("utf8");
assert.equal(authJson.includes(secretText), true);
assert.equal(authJson.includes("OPENAI_API_KEY"), true);
assert.equal(configToml.includes("hwlab-deepseek-proxy.hwlab-v02.svc.cluster.local"), true);
assert.equal(configToml.includes("hyueapi.com"), false);
await assert.rejects(
() => client.put("/api/v1/provider-profiles/deepseek/credential", { apiKey: secretText, config: { baseUrl: "https://hyueapi.com/v1" } }),
@@ -111,7 +122,7 @@ process.exit(1);
assert.equal(finalValidation.status, "completed");
assert.equal(JSON.stringify(finalValidation).includes(secretText), false);
assertNoSecretLeak(finalValidation);
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-deepseek-moon-bridge", "provider-profile-manager-secret-rbac", "provider-profile-validation-runner-job"] };
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-secret-patch-no-last-applied", "provider-profile-deepseek-moon-bridge", "provider-profile-manager-secret-rbac", "provider-profile-validation-runner-job"] };
} finally {
await new Promise<void>((resolve) => server.server.close(() => resolve()));
}