feat: Add support for environment variable secrets in cleanup jobs

Signed-off-by: Magnus Ullberg <magnus@ullberg.us>

Author: ullbergm

Makefile

@@ -54,11 +54,12 @@ run: build ## Run the application locally
 	./$(BUILD_DIR)/$(BINARY_NAME) \
 		-group startpunkt.ullberg.us \
 		-kind Application \
-		-version v1alpha2 \
+		-version v1alpha4 \
 		-leader-elect \
 		-leader-elect-namespace default \
-		-opt-in-label-key "object-lease-controller.ullberg.io/enabled" \
-		-opt-in-label-value true
+# 		-opt-in-label-key "object-lease-controller.ullberg.io/enabled" \
+# 		-opt-in-label-value true \
+		-zap-log-level debug
 
 # =============================================================================
 # Docker Targets - Main Controller

cmd/main.go

@@ -42,6 +42,7 @@ const (
 	AnnJobTimeout        = "object-lease-controller.ullberg.io/job-timeout"
 	AnnJobTTL            = "object-lease-controller.ullberg.io/job-ttl"
 	AnnJobBackoffLimit   = "object-lease-controller.ullberg.io/job-backoff-limit"
+	AnnJobEnvSecrets     = "object-lease-controller.ullberg.io/job-env-secrets"
 )
 
 // ParseParams holds runtime configuration parsed from flags and environment.
@@ -67,10 +68,19 @@ var statFn = os.Stat
 var readFileFn = os.ReadFile
 
 func main() {
-	ctrl.SetLogger(zap.New())
+	// Bind zap logging flags (e.g., -zap-log-level) to the global flag set
+	// so callers (and the Makefile) can adjust verbosity. Don't set the
+	// logger until after flags are parsed so the selected level is applied.
+	var zapOpts zap.Options
+	zapOpts.BindFlags(flag.CommandLine)
 
 	params := parseParameters()
 
+	// Set logger using the parsed zap options (this reads values parsed by
+	// parseParameters which calls flag.Parse()). This allows callers to pass
+	// flags like -zap-log-level=debug to control verbosity.
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&zapOpts)))
+
 	enableLeaderElection, leaderElectionNamespace, errE := parseLeaderElectionConfig(params.LeaderElectionEnabled, params.LeaderElectionNamespace)
 	if errE != nil {
 		fmt.Printf("%v\n", errE)
@@ -310,6 +320,7 @@ func newLeaseWatcher(mgr ctrl.Manager, gvk schema.GroupVersionKind, leaderElecti
 			JobTimeout:        AnnJobTimeout,
 			JobTTL:            AnnJobTTL,
 			JobBackoffLimit:   AnnJobBackoffLimit,
+			JobEnvSecrets:     AnnJobEnvSecrets,
 		},
 		Metrics: ometrics.NewLeaseMetrics(gvk),
 	}

examples/cleanup/README.md

@@ -22,6 +22,7 @@ This directory contains example configurations for using cleanup jobs with the o
 | `object-lease-controller.ullberg.io/on-delete-job` | Yes (only if cleanup is needed) | - | ConfigMap reference in format `configmap-name/script-key` |
 | `object-lease-controller.ullberg.io/job-service-account` | No | `default` | ServiceAccount to run the Job as |
 | `object-lease-controller.ullberg.io/job-image` | No | `bitnami/kubectl:latest` | Container image for running the script |
+| `object-lease-controller.ullberg.io/job-env-secrets` | No | - | Comma-separated list of Secret names to mount as environment variables |
 | `object-lease-controller.ullberg.io/job-wait` | No | `false` | Wait for Job completion before deleting object |
 | `object-lease-controller.ullberg.io/job-timeout` | No | `5m` | Maximum time to wait for Job completion |
 | `object-lease-controller.ullberg.io/job-ttl` | No | `300` | TTL in seconds for Job cleanup |

examples/cleanup/backup-to-s3.yaml

@@ -46,14 +46,12 @@ metadata:
   namespace: demo
 
 ---
-# Secret containing AWS credentials (linked to ServiceAccount)
+# Secret containing AWS credentials
 apiVersion: v1
 kind: Secret
 metadata:
   name: aws-credentials
   namespace: demo
-  annotations:
-    kubernetes.io/service-account.name: backup-sa
 type: Opaque
 stringData:
   AWS_ACCESS_KEY_ID: "YOUR_AWS_ACCESS_KEY_ID"
@@ -106,6 +104,7 @@ metadata:
     object-lease-controller.ullberg.io/on-delete-job: "cleanup-scripts/backup-to-s3.sh"
     object-lease-controller.ullberg.io/job-image: "amazon/aws-cli:latest"
     object-lease-controller.ullberg.io/job-service-account: "backup-sa"
+    object-lease-controller.ullberg.io/job-env-secrets: "aws-credentials"
     object-lease-controller.ullberg.io/job-wait: "true"
     object-lease-controller.ullberg.io/job-timeout: "10m"
     object-lease-controller.ullberg.io/job-ttl: "600"

examples/cleanup/notify-webhook.yaml

@@ -67,14 +67,12 @@ metadata:
   namespace: demo
 
 ---
-# Secret containing webhook token (linked to ServiceAccount)
+# Secret containing webhook token
 apiVersion: v1
 kind: Secret
 metadata:
   name: webhook-token
   namespace: demo
-  annotations:
-    kubernetes.io/service-account.name: webhook-sa
 type: Opaque
 stringData:
   WEBHOOK_TOKEN: "your-webhook-token-here"
@@ -95,6 +93,7 @@ metadata:
     object-lease-controller.ullberg.io/on-delete-job: "webhook-scripts/notify-webhook.sh"
     object-lease-controller.ullberg.io/job-image: "curlimages/curl:latest"
     object-lease-controller.ullberg.io/job-service-account: "webhook-sa"
+    object-lease-controller.ullberg.io/job-env-secrets: "webhook-token"
     object-lease-controller.ullberg.io/job-wait: "false"
     object-lease-controller.ullberg.io/job-timeout: "2m"
     object-lease-controller.ullberg.io/job-ttl: "300"

pkg/controllers/lease_controller.go

@@ -49,6 +49,7 @@ type Annotations struct {
 	JobTimeout        string
 	JobTTL            string
 	JobBackoffLimit   string
+	JobEnvSecrets     string
 }
 
 var (
@@ -253,6 +254,7 @@ func (r *LeaseWatcher) handleExpired(ctx context.Context, obj *unstructured.Unst
 		"JobTimeout":        r.Annotations.JobTimeout,
 		"JobTTL":            r.Annotations.JobTTL,
 		"JobBackoffLimit":   r.Annotations.JobBackoffLimit,
+		"JobEnvSecrets":     r.Annotations.JobEnvSecrets,
 	}
 
 	config, err := util.ParseCleanupJobConfig(anns, annotationKeys)

pkg/util/cleanup_job.go

@@ -22,9 +22,9 @@ var jsonMarshal = json.Marshal
 const (
 	DefaultJobImage        = "bitnami/kubectl:latest"
 	DefaultServiceAccount  = "default"
-	DefaultJobTTL          = 300
+	DefaultJobTTL          = 60
 	DefaultJobBackoffLimit = 3
-	DefaultJobTimeout      = "5m"
+	DefaultJobTimeout      = "30s"
 )
 
 // CleanupJobConfig holds the configuration for a cleanup job
@@ -37,6 +37,7 @@ type CleanupJobConfig struct {
 	Timeout                 time.Duration
 	TTLSecondsAfterFinished int32
 	BackoffLimit            int32
+	EnvFromSecrets          []string // List of secret names to mount as environment variables
 }
 
 // ParseCleanupJobConfig extracts cleanup job configuration from object annotations
@@ -62,13 +63,23 @@ func ParseCleanupJobConfig(annotations map[string]string, annotationKeys map[str
 		Timeout:                 5 * time.Minute,
 		TTLSecondsAfterFinished: DefaultJobTTL,
 		BackoffLimit:            DefaultJobBackoffLimit,
+		EnvFromSecrets:          []string{},
 	}
 
 	// Parse optional service account
 	if sa := annotations[annotationKeys["JobServiceAccount"]]; sa != "" {
 		config.ServiceAccount = sa
 	}
 
+	// Parse optional secrets for environment variables
+	if secrets := annotations[annotationKeys["JobEnvSecrets"]]; secrets != "" {
+		config.EnvFromSecrets = strings.Split(secrets, ",")
+		// Trim whitespace from secret names
+		for i := range config.EnvFromSecrets {
+			config.EnvFromSecrets[i] = strings.TrimSpace(config.EnvFromSecrets[i])
+		}
+	}
+
 	// Parse optional image
 	if img := annotations[annotationKeys["JobImage"]]; img != "" {
 		config.Image = img
@@ -189,6 +200,7 @@ func CreateCleanupJob(
 							Image:   config.Image,
 							Command: []string{"/scripts/cleanup-script"},
 							Env:     envVars,
+							EnvFrom: buildEnvFrom(config.EnvFromSecrets),
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "script",
@@ -246,3 +258,24 @@ func WaitForJobCompletion(ctx context.Context, c client.Client, job *batchv1.Job
 func int32Ptr(i int32) *int32 {
 	return &i
 }
+
+// buildEnvFrom creates EnvFromSource entries for each secret name
+func buildEnvFrom(secretNames []string) []corev1.EnvFromSource {
+	if len(secretNames) == 0 {
+		return nil
+	}
+
+	envFrom := make([]corev1.EnvFromSource, 0, len(secretNames))
+	for _, secretName := range secretNames {
+		if secretName != "" {
+			envFrom = append(envFrom, corev1.EnvFromSource{
+				SecretRef: &corev1.SecretEnvSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: secretName,
+					},
+				},
+			})
+		}
+	}
+	return envFrom
+}

pkg/util/cleanup_job_test.go

@@ -173,6 +173,7 @@ func TestParseCleanupJobConfig_Defaults(t *testing.T) {
 		"JobTimeout":        "job-timeout",
 		"JobTTL":            "job-ttl",
 		"JobBackoffLimit":   "job-backoff-limit",
+		"JobEnvSecrets":     "job-env-secrets",
 	}
 
 	config, err := ParseCleanupJobConfig(annotations, annotationKeys)
@@ -198,6 +199,65 @@ func TestParseCleanupJobConfig_Defaults(t *testing.T) {
 	if config.BackoffLimit != DefaultJobBackoffLimit {
 		t.Errorf("Expected default BackoffLimit %d, got %d", DefaultJobBackoffLimit, config.BackoffLimit)
 	}
+	if len(config.EnvFromSecrets) != 0 {
+		t.Errorf("Expected empty EnvFromSecrets, got %v", config.EnvFromSecrets)
+	}
+}
+
+func TestParseCleanupJobConfig_WithSecrets(t *testing.T) {
+	annotations := map[string]string{
+		"on-delete-job":   "scripts/cleanup.sh",
+		"job-env-secrets": "aws-creds,db-creds",
+	}
+	annotationKeys := map[string]string{
+		"OnDeleteJob":       "on-delete-job",
+		"JobEnvSecrets":     "job-env-secrets",
+		"JobServiceAccount": "job-service-account",
+	}
+
+	config, err := ParseCleanupJobConfig(annotations, annotationKeys)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if config == nil {
+		t.Fatal("Expected config, got nil")
+	}
+
+	if len(config.EnvFromSecrets) != 2 {
+		t.Fatalf("Expected 2 secrets, got %d", len(config.EnvFromSecrets))
+	}
+	if config.EnvFromSecrets[0] != "aws-creds" {
+		t.Errorf("Expected first secret 'aws-creds', got %s", config.EnvFromSecrets[0])
+	}
+	if config.EnvFromSecrets[1] != "db-creds" {
+		t.Errorf("Expected second secret 'db-creds', got %s", config.EnvFromSecrets[1])
+	}
+}
+
+func TestParseCleanupJobConfig_WithSecretsWhitespace(t *testing.T) {
+	annotations := map[string]string{
+		"on-delete-job":   "scripts/cleanup.sh",
+		"job-env-secrets": "aws-creds , db-creds , third-secret",
+	}
+	annotationKeys := map[string]string{
+		"OnDeleteJob":       "on-delete-job",
+		"JobEnvSecrets":     "job-env-secrets",
+		"JobServiceAccount": "job-service-account",
+	}
+
+	config, err := ParseCleanupJobConfig(annotations, annotationKeys)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if len(config.EnvFromSecrets) != 3 {
+		t.Fatalf("Expected 3 secrets, got %d", len(config.EnvFromSecrets))
+	}
+	// Verify whitespace is trimmed
+	for i, expected := range []string{"aws-creds", "db-creds", "third-secret"} {
+		if config.EnvFromSecrets[i] != expected {
+			t.Errorf("Expected secret %d to be '%s', got '%s'", i, expected, config.EnvFromSecrets[i])
+		}
+	}
 }
 
 func TestCreateCleanupJob(t *testing.T) {
@@ -473,3 +533,105 @@ func TestWaitForJobCompletion_GetError(t *testing.T) {
 		t.Fatalf("expected error when Get fails, got nil")
 	}
 }
+
+func TestBuildEnvFrom_Empty(t *testing.T) {
+	result := buildEnvFrom([]string{})
+	if result != nil {
+		t.Errorf("Expected nil for empty input, got %v", result)
+	}
+}
+
+func TestBuildEnvFrom_SingleSecret(t *testing.T) {
+	result := buildEnvFrom([]string{"my-secret"})
+	if len(result) != 1 {
+		t.Fatalf("Expected 1 EnvFromSource, got %d", len(result))
+	}
+	if result[0].SecretRef == nil {
+		t.Fatal("Expected SecretRef to be set")
+	}
+	if result[0].SecretRef.Name != "my-secret" {
+		t.Errorf("Expected secret name 'my-secret', got %s", result[0].SecretRef.Name)
+	}
+}
+
+func TestBuildEnvFrom_MultipleSecrets(t *testing.T) {
+	result := buildEnvFrom([]string{"secret1", "secret2", "secret3"})
+	if len(result) != 3 {
+		t.Fatalf("Expected 3 EnvFromSource, got %d", len(result))
+	}
+	for i, expected := range []string{"secret1", "secret2", "secret3"} {
+		if result[i].SecretRef == nil {
+			t.Fatalf("Expected SecretRef at index %d to be set", i)
+		}
+		if result[i].SecretRef.Name != expected {
+			t.Errorf("Expected secret %d to be '%s', got %s", i, expected, result[i].SecretRef.Name)
+		}
+	}
+}
+
+func TestBuildEnvFrom_EmptyStringInList(t *testing.T) {
+	result := buildEnvFrom([]string{"secret1", "", "secret2"})
+	if len(result) != 2 {
+		t.Fatalf("Expected 2 EnvFromSource (empty string should be skipped), got %d", len(result))
+	}
+	if result[0].SecretRef.Name != "secret1" {
+		t.Errorf("Expected first secret 'secret1', got %s", result[0].SecretRef.Name)
+	}
+	if result[1].SecretRef.Name != "secret2" {
+		t.Errorf("Expected second secret 'secret2', got %s", result[1].SecretRef.Name)
+	}
+}
+
+func TestCreateCleanupJob_WithSecrets(t *testing.T) {
+	scheme := runtime.NewScheme()
+	_ = batchv1.AddToScheme(scheme)
+	_ = corev1.AddToScheme(scheme)
+
+	cl := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	obj := &unstructured.Unstructured{}
+	obj.SetName("test-obj")
+	obj.SetNamespace("test-ns")
+	obj.SetUID("test-uid")
+	obj.SetResourceVersion("123")
+
+	gvk := schema.GroupVersionKind{
+		Group:   "example.com",
+		Version: "v1",
+		Kind:    "TestKind",
+	}
+
+	config := &CleanupJobConfig{
+		ConfigMapName:           "my-scripts",
+		ScriptKey:               "cleanup.sh",
+		ServiceAccount:          "test-sa",
+		Image:                   "test/image:v1",
+		Wait:                    false,
+		Timeout:                 5 * time.Minute,
+		TTLSecondsAfterFinished: 300,
+		BackoffLimit:            3,
+		EnvFromSecrets:          []string{"aws-creds", "db-password"},
+	}
+
+	job, err := CreateCleanupJob(context.Background(), cl, obj, gvk, config, time.Now(), time.Now())
+	if err != nil {
+		t.Fatalf("Failed to create cleanup job: %v", err)
+	}
+
+	if len(job.Spec.Template.Spec.Containers) != 1 {
+		t.Fatalf("Expected 1 container, got %d", len(job.Spec.Template.Spec.Containers))
+	}
+
+	container := job.Spec.Template.Spec.Containers[0]
+	if len(container.EnvFrom) != 2 {
+		t.Fatalf("Expected 2 EnvFromSource, got %d", len(container.EnvFrom))
+	}
+
+	// Check that secrets are correctly mounted
+	if container.EnvFrom[0].SecretRef.Name != "aws-creds" {
+		t.Errorf("Expected first secret 'aws-creds', got %s", container.EnvFrom[0].SecretRef.Name)
+	}
+	if container.EnvFrom[1].SecretRef.Name != "db-password" {
+		t.Errorf("Expected second secret 'db-password', got %s", container.EnvFrom[1].SecretRef.Name)
+	}
+}