Documentation ¶
Overview ¶
Package secrets manages External Secrets Operator resources and Kubernetes Secrets for CobaltCore operators. It provides functions for checking ExternalSecret readiness, verifying Secret existence, reading Secret values, and ensuring PushSecret resources exist.
Feature: CC-0005
Index ¶
- Variables
- func EnsurePushSecret(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func GetSecretValue(ctx context.Context, c client.Client, key client.ObjectKey, dataKey string) (string, error)
- func IsClusterSecretStoreReady(ctx context.Context, c client.Client, name string) (bool, error)
- func IsMissingSecretOrKey(err error) bool
- func IsSecretReady(ctx context.Context, c client.Client, key client.ObjectKey, ...) (bool, error)
- func WaitForExternalSecret(ctx context.Context, c client.Client, key client.ObjectKey) (bool, error)
Constants ¶
This section is empty.
Variables ¶
var ErrKeyNotFound = errors.New("key not found in Secret")
ErrKeyNotFound is returned (wrapped) by GetSecretValue when the requested data key is absent from the Secret. Callers use errors.Is to distinguish this recoverable condition (e.g. wait-for-credentials) from transport or permission errors (CC-0080, W-001).
Functions ¶
func EnsurePushSecret ¶
func EnsurePushSecret(ctx context.Context, c client.Client, scheme *runtime.Scheme, owner client.Object, ps *esov1alpha1.PushSecret) error
EnsurePushSecret creates a PushSecret if it does not exist or updates its spec if it already exists. An owner reference is set on the PushSecret so that it is garbage-collected when the owning resource is deleted (CC-0005).
func GetSecretValue ¶
func GetSecretValue(ctx context.Context, c client.Client, key client.ObjectKey, dataKey string) (string, error)
GetSecretValue retrieves the value of a specific data key from the Secret identified by key. It returns an error if the Secret is not found or if the data key is not present (CC-0005).
func IsClusterSecretStoreReady ¶
IsClusterSecretStoreReady checks whether the ClusterSecretStore identified by name currently reports a Ready condition with status True. It returns (false, nil) when the store does not exist or is not ready, and (false, error) on unexpected client failures. Consumers use this to flip their own *Ready conditions when the upstream secret backend is unreachable — ESO only re-syncs ExternalSecrets at their refreshInterval (default 1h), so relying on ExternalSecret Ready alone would miss short-lived outages.
func IsMissingSecretOrKey ¶
IsMissingSecretOrKey reports whether err indicates either an absent upstream Secret (apierrors.IsNotFound through the wrap chain) or a missing data key. GetSecretValue wraps the IsNotFound from c.Get with %w so apierrors.IsNotFound walks the chain, and wraps ErrKeyNotFound when the requested data key is absent so errors.Is walks the chain for the missing-data-key case (CC-0080, W-001).
func IsSecretReady ¶
func IsSecretReady(ctx context.Context, c client.Client, key client.ObjectKey, expectedKeys ...string) (bool, error)
IsSecretReady checks whether a Kubernetes Secret exists at the given key and contains all expectedKeys in its Data field. When no expectedKeys are provided, it only checks for Secret existence. It returns (true, nil) when the Secret exists and all expected keys are present, (false, nil) when the Secret is not found or is missing expected keys, and (false, error) on unexpected failures (CC-0005).
func WaitForExternalSecret ¶
func WaitForExternalSecret(ctx context.Context, c client.Client, key client.ObjectKey) (bool, error)
WaitForExternalSecret checks whether the ExternalSecret identified by key has a Ready condition with status True. It returns (true, nil) when ready, (false, nil) when not yet ready, and (false, error) on unexpected failures (CC-0005).
Types ¶
This section is empty.