fix: create/read sealed secrets (#677)

ferruhcihan · web-flow · commit ff819edb0435 · 2025-04-02T09:03:06.000+02:00
diff --git a/src/otomi-stack.ts b/src/otomi-stack.ts
@@ -80,7 +80,12 @@ import {
   testPublicRepoConnect,
 } from './utils/coderepoUtils'
 import { getPolicies } from './utils/policiesUtils'
-import { EncryptedDataRecord, encryptSecretItem, sealedSecretManifest } from './utils/sealedSecretUtils'
+import {
+  EncryptedDataRecord,
+  encryptSecretItem,
+  mapObjectToKeyValueArray,
+  sealedSecretManifest,
+} from './utils/sealedSecretUtils'
 import { getKeycloakUsers, isValidUsername } from './utils/userUtils'
 import { ObjectStorageClient } from './utils/wizardUtils'
 import { fetchChartYaml, fetchWorkloadCatalog, NewHelmChartValues, sparseCloneChart } from './utils/workloadUtils'
@@ -1658,6 +1663,19 @@ export default class OtomiStack {
       key,
       value: secretValues?.[key] || value,
     }))
+    type SealedSecretMetadata = {
+      annotations?: Record<string, string>
+      labels?: Record<string, string>
+      finalizers?: string[]
+    }
+    const metadata = sealedSecret?.metadata as SealedSecretMetadata
+    if (metadata) {
+      sealedSecret.metadata = {
+        ...metadata,
+        annotations: mapObjectToKeyValueArray(metadata.annotations),
+        labels: mapObjectToKeyValueArray(metadata.labels),
+      }
+    }
     const res = { ...sealedSecret, encryptedData, isDisabled } as any
     return res
   }
diff --git a/src/utils/sealedSecretUtils.ts b/src/utils/sealedSecretUtils.ts
@@ -1,4 +1,5 @@
 import crypto, { X509Certificate } from 'crypto'
+import { isEmpty } from 'lodash'
 import { SealedSecret } from 'src/otomi-models'
 
 function hybridEncrypt(pubKey, plaintext, label) {
@@ -88,12 +89,9 @@ export function sealedSecretManifest(
     apiVersion: 'bitnami.com/v1alpha1',
     kind: 'SealedSecret',
     metadata: {
-      ...data.metadata,
       annotations: {
-        ...annotations,
         'sealedsecrets.bitnami.com/namespace-wide': 'true',
       },
-      labels,
       name: data.name,
       namespace,
     },
@@ -105,10 +103,19 @@ export function sealedSecretManifest(
         metadata: {
           name: data.name,
           namespace,
+          ...(!isEmpty(annotations) && { annotations }),
+          ...(!isEmpty(labels) && { labels }),
+          ...(!isEmpty(data.metadata?.finalizers) && { finalizers: data.metadata?.finalizers }),
         },
       },
     },
   }
 
   return SealedSecretSchema
 }
+
+export function mapObjectToKeyValueArray(obj?: Record<string, string>): { key: string; value: string }[] | undefined {
+  if (Array.isArray(obj)) return obj
+  if (!obj || isEmpty(obj) || typeof obj !== 'object') return undefined
+  return Object.entries(obj).map(([key, value]) => ({ key, value }))
+}
