- Replace Sidecar.Enabled boolean with NoCerts to better reflect intent
- Add CertDir field to specify custom certificate directory
- Remove KBSImage field (no longer needed for Trustee deployment)
- Update validation to ensure CertDir is set when NoCerts is false
- Change GetTrusteeNamespace to return DefaultTrusteeNamespace when URL is empty
- Make TrusteeServer optional in config (only needed for initdata generation)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Remove --skip-trustee-deploy flag (no longer auto-deploying Trustee)
- Remove --trustee-namespace flag (not needed without deployment)
- Update --trustee-url description to clarify it's only needed for initdata generation
- Refactor handleTrusteeSetup to simply prompt for URL without deployment logic
- Remove trustee package import (no longer needed)
- Simplify runInit validation and error handling

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

9a5fd77 to 5fbca20

Flag changes:
- Add --trustee-url flag (with fallback to config)
- Add --target-namespace flag for explicit namespace control
- Replace --skip-apply with --enable-initdata (inverted logic, defaults to true)
- Add --cert-dir flag for custom sidecar certificate directory
- Move --config flag to top of flag definitions for better organization
- Update flag descriptions to clarify defaults

Behavioral changes:
- Remove automatic kubectl apply (now only generates manifests)
- Remove automatic Trustee upload for secrets and imagePullSecrets
- Update sidecar certificate handling to use --cert-dir
- Add getManifestNamespace() helper to consolidate namespace resolution logic
- Update transformManifest() signature (remove skipApply parameter)
- Change "Backup saved" message to "CoCo-ified manifest saved"
- Remove Sidecar.Enabled checks (sidecar is now controlled only by --sidecar flag)
- Add validation for --cert-dir vs --no-certs config setting

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- DetectSecrets() and DetectImagePullSecretsWithServiceAccount() now take namespace parameter
- Remove GetCurrentNamespace() function (namespace resolution moved to caller)
- ConvertToSealed() now takes both kbsNamespace and k8sNamespace parameters
  - kbsNamespace: used in KBS URI (always "default" for consistency)
  - k8sNamespace: used for K8s resource namespace (from input manifest)
- GenerateSealedSecretsYAML() now takes namespace parameter
- Refactor GenerateSealedSecretYAML() to use yaml.Marshal instead of kubectl
- Update error handling to be warnings instead of hard failures for:
  - Failed kubectl secret inspection (secrets still work, just not fully converted)
  - Failed imagePullSecret handling (allows workflow to continue)
- Update tests to reflect new namespace handling
- Remove "Note: Automatic Trustee upload failed" message (Trustee upload no longer automatic)

This centralizes namespace resolution in the caller (apply.go) and makes the secrets package more explicit about which namespace is used where.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Add trusteeURL parameter to Generate() function
- Validate that trusteeURL is not empty before generating initdata
- This makes the Trustee URL requirement explicit at the API level rather than relying on config validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Remove cfg.Sidecar.Enabled checks from Inject() and GenerateService()
- Sidecar injection is now controlled solely by caller (--sidecar flag in apply.go)
- This simplifies the sidecar package by removing conditional logic
- Caller is responsible for deciding whether to inject sidecar

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Remove Sidecar.Enabled field from default config
- Update DetectSecrets() call to pass namespace parameter
- Update sidecar check to only use enableSidecar flag (remove cfg.Sidecar.Enabled check)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

5fbca20 to 59caf5b

Closed in favor of #24

Make kubectl optional, and don't upload anything to Trustee.

Major changes include:
- --trustee-url to set the default Trustee URL, only needed by initdata
- --no-certs to avoid generating certs for the sidecar and use existing ones
- --cert-dir to decide where to store the generated certs
- --target-namespace to define what is the target namespace of the new manifests. Priority is 1. original ns in manifest, 2. current namespace, 3. "default"
- --enable-initdata to generate initdata annotation
- --trustee-url to override default trustee-url provided with init
- --cert-dir to override default cert-dir provided with init