ESO-279: Adds implementation logic for revisionLimitHistory to support customizations at install time #94
Walkthrough

Adds per-component deployment overrides to ExternalSecretsConfig via new ComponentConfig and DeploymentConfig types (revisionHistoryLimit); extends ComponentName with Webhook and CertController; updates CRDs and bundle manifests; generates deepcopy methods; controller applies per-component revisionHistoryLimit; a duplicated test case was added.

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~30 minutes
Warning: There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)
Error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: siddhibhor-56

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
4baefed to bed7f63
Actionable comments posted: 1
🧹 Nitpick comments (1)
docs/api_reference.md (1)
148-148: Inconsistency in ComponentName enum documentation.

The `ComponentConfig.componentName` field (line 148) allows `Webhook` and `CertController` as valid values, but the `ComponentName` enum section (lines 167-168) only documents `ExternalSecretsCoreController` and `BitwardenSDKServer`.

Additionally, the description text on line 148 references "Bitwarden" but the enum shows "BitwardenSDKServer".
Please ensure the ComponentName section documents all valid component names, or verify that the ComponentConfig field should only permit a subset of component types. Update terminology for consistency.
Also applies to: 167-168
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting
📒 Files selected for processing (6)
- api/v1alpha1/external_secrets_config_types.go
- api/v1alpha1/zz_generated.deepcopy.go
- bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
- config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
- docs/api_reference.md
- pkg/controller/external_secrets/deployments.go
🧰 Additional context used
📓 Path-based instructions (1)
**
⚙️ CodeRabbit configuration file
- Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
Files:
- api/v1alpha1/external_secrets_config_types.go
- api/v1alpha1/zz_generated.deepcopy.go
- pkg/controller/external_secrets/deployments.go
- bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
- config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
- docs/api_reference.md
🧬 Code graph analysis (2)
api/v1alpha1/zz_generated.deepcopy.go (1)
- api/v1alpha1/external_secrets_config_types.go (2): ComponentConfig (140-151), DeploymentConfig (152-160)
pkg/controller/external_secrets/deployments.go (2)
- pkg/controller/external_secrets/controller.go (1): Reconciler (85-94)
- api/v1alpha1/external_secrets_config_types.go (7): ExternalSecretsConfig (43-55), ControllerConfig (103-138), ComponentName (243-243), CoreController (247-247), Webhook (250-250), CertController (253-253), BitwardenSDKServer (256-256)
🔇 Additional comments (5)
api/v1alpha1/external_secrets_config_types.go (2)
131-159: ComponentConfig/DeploymentConfig shape and wiring look correct

The `ComponentConfigs` field, `ComponentConfig` struct, and `DeploymentConfig.RevisionHistoryLimit` (pointer with `Minimum=1`) line up cleanly with the intended per‑component override semantics and the CRD schema; omitempty behavior with the nested pointer is also correct. I don’t see issues here.

246-254: Extending ComponentName enum for Webhook/CertController is safe

Adding `Webhook` and `CertController` to `ComponentName` is consistent with their use in `ComponentConfig` and the controller logic; no behavioral or API‑compat concerns stand out.

api/v1alpha1/zz_generated.deepcopy.go (1)
165-179: Deep‑copy implementation matches new API types

The generated deep‑copy methods for `ComponentConfig`, `DeploymentConfig`, and the updated `ControllerConfig.DeepCopyInto` correctly handle nested structs and pointer fields and align with the new spec types.

Also applies to: 240-246, 279-297

config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml (1)
1266-1299: Base CRD schema for componentConfig matches Go types

The `controllerConfig.componentConfig` definition (enum values, `revisionHistoryLimit` constraints, listMapKey, maxItems) is consistent with the `ControllerConfig`/`ComponentConfig`/`DeploymentConfig` Go types and should serialize/validate correctly.

pkg/controller/external_secrets/deployments.go (1)
151-154: RevisionHistoryLimit application logic is sound

Mapping assets to `ComponentName` and applying `DeploymentConfigs.RevisionHistoryLimit` only when set is nil‑safe, keeps defaults intact when unset, and cleanly scopes overrides per component. The helper switch on the known asset constants is straightforward and future‑proof enough for the current set of deployments.

Also applies to: 669-709
c452c0b to c386c82
Actionable comments posted: 1
📒 Files selected for processing (3)
- bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
- docs/api_reference.md
- pkg/controller/external_secrets/deployments_test.go
🧬 Code graph analysis (1)
pkg/controller/external_secrets/deployments_test.go (2)
- api/v1alpha1/external_secrets_config_types.go (4): ComponentConfig (140-151), ComponentName (243-243), CoreController (247-247), DeploymentConfig (152-160)
- pkg/controller/commontest/utils.go (1): TestExternalSecretsImageName (16-16)
🔇 Additional comments (5)
docs/api_reference.md (3)
117-132: LGTM! The ComponentConfig documentation is clear, complete, and properly structured with appropriate validation constraints and cross-references.
225-239: LGTM! The DeploymentConfig documentation is clear and properly explains the purpose of the revisionHistoryLimit field with appropriate validation constraints.
134-152: LGTM! The ComponentName enum documentation properly reflects the expanded set of component values (Webhook, CertController) and clarifies the CoreController description.
pkg/controller/external_secrets/deployments_test.go (1)
565-604: LGTM! The test case correctly validates that per-component `revisionHistoryLimit` configuration is applied to deployments. The test setup, configuration, and assertions are appropriate for the create path.
bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml (1)
1266-1299: LGTM! The `componentConfig` field definition correctly matches the Go types:
- ComponentConfig with required `componentName` and optional `deploymentConfigs`
- DeploymentConfig with optional `revisionHistoryLimit` (int32, min: 1)
- Proper list validation (maxItems: 4, map-keyed by componentName)
- Correct enum values including BitwardenSDKServer
The implementation aligns with the base CRD and API types.
| | `certProvider` _[CertProvidersConfig](#certprovidersconfig)_ | certProvider is for defining the configuration for certificate providers used to manage TLS certificates for webhook and plugins. | | Optional: \{\} <br /> | | ||
| | `labels` _object (keys:string, values:string)_ | labels to apply to all resources created for the external-secrets operand deployment.<br />This field can have a maximum of 20 entries. | | MaxProperties: 20 <br />MinProperties: 0 <br />Optional: \{\} <br /> | | ||
| | `networkPolicies` _[NetworkPolicy](#networkpolicy) array_ | networkPolicies specifies the list of network policy configurations<br />to be applied to external-secrets pods.<br />Each entry allows specifying a name for the generated NetworkPolicy object,<br />along with its full Kubernetes NetworkPolicy definition.<br />If this field is not provided, external-secrets components will be isolated<br />with deny-all network policies, which will prevent proper operation. | | MaxItems: 50 <br />MinItems: 0 <br />Optional: \{\} <br /> | | ||
| | `componentConfig` _[ComponentConfig](#componentconfig) array_ | | | MaxItems: 4 <br />MinItems: 0 <br />Optional: \{\} <br /> | |
Add description for componentConfig field.
The componentConfig field in the ControllerConfig table is missing a description. Based on the context, it should explain that this field allows specifying per-component deployment configuration overrides.
🔎 Suggested documentation update
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `certProvider` _[CertProvidersConfig](#certprovidersconfig)_ | certProvider is for defining the configuration for certificate providers used to manage TLS certificates for webhook and plugins. | | Optional: \{\} <br /> |
| `labels` _object (keys:string, values:string)_ | labels to apply to all resources created for the external-secrets operand deployment.<br />This field can have a maximum of 20 entries. | | MaxProperties: 20 <br />MinProperties: 0 <br />Optional: \{\} <br /> |
| `networkPolicies` _[NetworkPolicy](#networkpolicy) array_ | networkPolicies specifies the list of network policy configurations<br />to be applied to external-secrets pods.<br />Each entry allows specifying a name for the generated NetworkPolicy object,<br />along with its full Kubernetes NetworkPolicy definition.<br />If this field is not provided, external-secrets components will be isolated<br />with deny-all network policies, which will prevent proper operation. | | MaxItems: 50 <br />MinItems: 0 <br />Optional: \{\} <br /> |
-| `componentConfig` _[ComponentConfig](#componentconfig) array_ | | | MaxItems: 4 <br />MinItems: 0 <br />Optional: \{\} <br /> |
+| `componentConfig` _[ComponentConfig](#componentconfig) array_ | componentConfig allows specifying per-component deployment configuration overrides.<br />Each entry targets a specific component by name and can override deployment-level settings. | | MaxItems: 4 <br />MinItems: 0 <br />Optional: \{\} <br /> |📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| | `componentConfig` _[ComponentConfig](#componentconfig) array_ | | | MaxItems: 4 <br />MinItems: 0 <br />Optional: \{\} <br /> | | |
| | `componentConfig` _[ComponentConfig](#componentconfig) array_ | componentConfig allows specifying per-component deployment configuration overrides.<br />Each entry targets a specific component by name and can override deployment-level settings. | | MaxItems: 4 <br />MinItems: 0 <br />Optional: \{\} <br /> | |
🤖 Prompt for AI Agents
In docs/api_reference.md around line 204, the table row for componentConfig
lacks a human-readable description; update that cell to explain that
componentConfig is an optional array (max 4 items) of ComponentConfig entries
that allow per-component deployment configuration overrides (e.g., resource
limits, environment variables, replica counts) applied to individual components
of the ControllerConfig; keep the description short, mention it's optional and
that entries are applied per-component, and ensure wording fits the table cell
format.
c386c82 to 43e5105
Actionable comments posted: 2
♻️ Duplicate comments (1)
docs/api_reference.md (1)
204-204: Add description for componentConfig field.

The `componentConfig` field in the ControllerConfig table is missing a description. Based on the context, it should explain that this field allows specifying per-component deployment configuration overrides.

🔎 Suggested documentation update
| Field | Description | Default | Validation | | --- | --- | --- | --- | | `certProvider` _[CertProvidersConfig](#certprovidersconfig)_ | certProvider is for defining the configuration for certificate providers used to manage TLS certificates for webhook and plugins. | | Optional: \{\} <br /> | | `labels` _object (keys:string, values:string)_ | labels to apply to all resources created for the external-secrets operand deployment.<br />This field can have a maximum of 20 entries. | | MaxProperties: 20 <br />MinProperties: 0 <br />Optional: \{\} <br /> | | `networkPolicies` _[NetworkPolicy](#networkpolicy) array_ | networkPolicies specifies the list of network policy configurations<br />to be applied to external-secrets pods.<br />Each entry allows specifying a name for the generated NetworkPolicy object,<br />along with its full Kubernetes NetworkPolicy definition.<br />If this field is not provided, external-secrets components will be isolated<br />with deny-all network policies, which will prevent proper operation. | | MaxItems: 50 <br />MinItems: 0 <br />Optional: \{\} <br /> | -| `componentConfig` _[ComponentConfig](#componentconfig) array_ | | | MaxItems: 4 <br />MinItems: 0 <br />Optional: \{\} <br /> | +| `componentConfig` _[ComponentConfig](#componentconfig) array_ | componentConfig allows specifying per-component deployment configuration overrides.<br />Each entry targets a specific component by name and can override deployment-level settings. | | MaxItems: 4 <br />MinItems: 0 <br />Optional: \{\} <br /> |
📒 Files selected for processing (3)
- bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
- docs/api_reference.md
- pkg/controller/external_secrets/deployments_test.go
🧬 Code graph analysis (1)
pkg/controller/external_secrets/deployments_test.go (4)
- pkg/controller/crd_annotator/controller.go (1): Reconciler (65-69)
- pkg/controller/client/fakes/fake_ctrl_client.go (1): FakeCtrlClient (12-135)
- api/v1alpha1/external_secrets_config_types.go (6): ExternalSecretsConfig (43-55), ControllerConfig (103-138), ComponentConfig (140-151), ComponentName (243-243), CoreController (247-247), DeploymentConfig (152-160)
- pkg/controller/commontest/utils.go (1): TestExternalSecretsImageName (16-16)
🔇 Additional comments (3)
docs/api_reference.md (1)
134-151: LGTM! The ComponentName enum documentation is properly updated to include Webhook and CertController components. The descriptions are clear and consistent.
pkg/controller/external_secrets/deployments_test.go (1)
565-607: LGTM! The test case properly validates the new per-component revisionHistoryLimit feature. The test setup, configuration, and validation logic are correct and follow established patterns in the test suite.
bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml (1)
1266-1299: LGTM! The componentConfig CRD definition is well-structured with appropriate validations:
- Proper enum constraints for componentName
- Correct minimum validation (1) for revisionHistoryLimit to ensure rollback capability
- List type properly configured as map with componentName as key to enforce uniqueness
- Array size constraints (maxItems: 4) align with the number of supported components
The definition is consistent with the API types and documentation.
| #### ComponentConfig | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| _Appears in:_ | ||
| - [ControllerConfig](#controllerconfig) | ||
|
|
🛠️ Refactor suggestion | 🟠 Major
Add description for ComponentConfig type.
The ComponentConfig section lacks a description explaining what this type represents. Based on the context, it should explain that ComponentConfig allows per-component deployment configuration overrides for individual external-secrets components.
🔎 Suggested documentation update
#### ComponentConfig
+ComponentConfig allows specifying deployment configuration overrides for individual external-secrets components. Each configuration targets a specific component by name and can override deployment-level settings such as revisionHistoryLimit.
_Appears in:_
- [ControllerConfig](#controllerconfig)📝 Committable suggestion
| #### ComponentConfig | |
| _Appears in:_ | |
| - [ControllerConfig](#controllerconfig) | |
| #### ComponentConfig | |
| ComponentConfig allows specifying deployment configuration overrides for individual external-secrets components. Each configuration targets a specific component by name and can override deployment-level settings such as revisionHistoryLimit. | |
| _Appears in:_ | |
| - [ControllerConfig](#controllerconfig) |
🤖 Prompt for AI Agents
In docs/api_reference.md around lines 117 to 127, the ComponentConfig section is
missing a description; add a concise sentence that explains ComponentConfig
represents per-component deployment configuration overrides for individual
external-secrets components (what it configures and when to use it), and include
an example note linking back to ControllerConfig to show where it appears; keep
the wording brief, use present-tense, and place it above the "_Appears in:_ -
[ControllerConfig](#controllerconfig)" line.
| #### DeploymentConfig | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| _Appears in:_ | ||
| - [ComponentConfig](#componentconfig) |
🛠️ Refactor suggestion | 🟠 Major
Add description for DeploymentConfig type.
The DeploymentConfig section lacks a description explaining what this type represents. Based on the context, it should explain that DeploymentConfig contains deployment-level configuration settings that can be overridden on a per-component basis.
🔎 Suggested documentation update
#### DeploymentConfig
+DeploymentConfig contains deployment-level configuration settings that can be overridden for individual components. These settings control deployment behavior such as revision history retention.
_Appears in:_
- [ComponentConfig](#componentconfig)📝 Committable suggestion
| #### DeploymentConfig | |
| _Appears in:_ | |
| - [ComponentConfig](#componentconfig) | |
| #### DeploymentConfig | |
| DeploymentConfig contains deployment-level configuration settings that can be overridden for individual components. These settings control deployment behavior such as revision history retention. | |
| _Appears in:_ | |
| - [ComponentConfig](#componentconfig) |
🤖 Prompt for AI Agents
In docs/api_reference.md around lines 225 to 234, the DeploymentConfig heading
has no descriptive text; add a concise description stating that DeploymentConfig
represents deployment-level configuration settings (global defaults) that apply
to the entire deployment but may be overridden by per-component settings, and
list any primary fields or intent (e.g., scaling, environment, network, resource
defaults) so readers understand its purpose and relationship to ComponentConfig.
@siddhibhor-56: This pull request references ESO-279 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@siddhibhor-56: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
| } | ||
|
|
||
| // Apply component-specific configurations (RevisionHistoryLimit) | ||
| if err := r.applyRevisionHistoryLimit(deployment, esc, assetName); err != nil { |
I would suggest to keep it generic.
| if err := r.applyRevisionHistoryLimit(deployment, esc, assetName); err != nil { | |
| if err := r.applyUserDeploymentConfigs(deployment, esc, assetName); err != nil { |
| componentName := getComponentNameFromAsset(assetName) | ||
| if componentName == "" { | ||
| return nil | ||
| } |
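Review bot: The `componentName == ""` branch returns nil, so a deployment asset that getComponentNameFromAsset does not map skips the user's override with no error and no log line. Return an error from this branch, or at least log the asset name, so a missing mapping shows up at reconcile time instead of silently leaving the default in place.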
This should be an error. componentName is from the enum, so must have a valid value. And if any issues in the code, must be logged.
revisionHistoryLimit on a per-component basis for external-secrets operand deployments.
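The per-component override discussed in this thread, with the unmapped-asset case returned as an error as the last review comment asks. This is an added example, not the operator's code: the reduced types, the asset paths, `ErrUnknownAsset` and the in-controller minimum check are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ComponentName values as listed in the review thread.
type ComponentName string

const (
	CoreController     ComponentName = "ExternalSecretsCoreController"
	Webhook            ComponentName = "Webhook"
	CertController     ComponentName = "CertController"
	BitwardenSDKServer ComponentName = "BitwardenSDKServer"
)

// Reduced stand-ins for the API types; only the fields discussed are kept.
type (
	DeploymentConfig struct{ RevisionHistoryLimit *int32 } // nil: keep default
	ComponentConfig  struct {
		ComponentName     ComponentName
		DeploymentConfigs DeploymentConfig
	}
	DeploymentSpec struct{ RevisionHistoryLimit *int32 }
)

// Constructed asset paths (assumption); the real asset names are not on the page.
var assetToComponent = map[string]ComponentName{
	"example/core-deployment.yaml":            CoreController,
	"example/webhook-deployment.yaml":         Webhook,
	"example/cert-controller-deployment.yaml": CertController,
	"example/bitwarden-deployment.yaml":       BitwardenSDKServer,
}

// ErrUnknownAsset is a hypothetical sentinel for an asset with no mapping.
var ErrUnknownAsset = errors.New("deployment asset has no component mapping")

// applyUserDeploymentConfigs copies the matching component's override into spec.
func applyUserDeploymentConfigs(spec *DeploymentSpec, cfgs []ComponentConfig, asset string) error {
	name, ok := assetToComponent[asset]
	if !ok { // fail loudly instead of silently skipping the override
		return fmt.Errorf("%w: %q", ErrUnknownAsset, asset)
	}
	for _, c := range cfgs {
		if c.ComponentName != name {
			continue
		}
		limit := c.DeploymentConfigs.RevisionHistoryLimit
		if limit == nil {
			return nil // entry present but field unset: keep the default
		}
		if *limit < 1 { // re-check the CRD minimum inside the controller
			return fmt.Errorf("revisionHistoryLimit %d for %s is below 1", *limit, name)
		}
		v := *limit // copy so the Deployment does not alias the CR's memory
		spec.RevisionHistoryLimit = &v
		return nil
	}
	return nil // no entry for this component
}

func main() {
	ten, def := int32(10), int32(3)
	cfgs := []ComponentConfig{{Webhook, DeploymentConfig{&ten}}}
	spec := &DeploymentSpec{RevisionHistoryLimit: &def}
	fmt.Println(applyUserDeploymentConfigs(spec, cfgs, "example/webhook-deployment.yaml"), *spec.RevisionHistoryLimit)
	fmt.Println(applyUserDeploymentConfigs(spec, cfgs, "example/unmapped.yaml"))
}
```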