adding opaque secret functionality to k8s secret resource

Signed-off-by: Will Arroyo <warroyo7199008@gmail.com>

docs/data-sources/kubernetes_secret.md

@@ -116,6 +116,7 @@ Read-Only:
 Read-Only:
 
 - `docker_config_json` (List of Object) (see [below for nested schema](#nestedobjatt--spec--docker_config_json))
+- `opaque` (Map of String)
 
 <a id="nestedobjatt--spec--docker_config_json"></a>
 ### Nested Schema for `spec.docker_config_json`
@@ -217,6 +218,7 @@ Read-Only:
 Read-Only:
 
 - `docker_config_json` (List of Object) (see [below for nested schema](#nestedobjatt--spec--docker_config_json))
+- `opaque` (Map of String)
 
 <a id="nestedobjatt--spec--docker_config_json"></a>
 ### Nested Schema for `spec.docker_config_json`

docs/resources/kubernetes_secret.md

@@ -36,7 +36,8 @@ Only one scope per resource is allowed.
 
 ```terraform
 # Create Tanzu Mission Control kubernetes secret with attached set as default value.
-resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
+# Example for creating the dockerconfigjson secret
+resource "tanzu-mission-control_kubernetes_secret" "create_dockerconfigjson_secret" {
   name           = "tf-secret"                # Required
   namespace_name = "tf-secret-namespace-name" # Required 
 
@@ -63,6 +64,34 @@ resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
     }
   }
 }
+
+# Example for creating the opaque secret
+resource "tanzu-mission-control_kubernetes_secret" "create_opaque_secret" {
+  name           = "tf-secret"                # Required
+  namespace_name = "tf-secret-namespace-name" # Required 
+
+  scope {
+    cluster {
+      name                    = "testcluster" # Required
+      provisioner_name        = "attached"    # Default: attached
+      management_cluster_name = "attached"    # Default: attached
+    }
+  }
+
+  export = false # Default: false
+
+  meta {
+    description = "Create namespace through terraform"
+    labels      = { "key" : "value" }
+  }
+
+  spec {
+    opaque = {
+      "key1" : "value1"
+      "key2" : "value2"
+    }
+  }
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -119,9 +148,10 @@ Required:
 <a id="nestedblock--spec"></a>
 ### Nested Schema for `spec`
 
-Required:
+Optional:
 
-- `docker_config_json` (Block List, Min: 1) SecretType definition - SECRET_TYPE_DOCKERCONFIGJSON, Kubernetes secrets type. (see [below for nested schema](#nestedblock--spec--docker_config_json))
+- `docker_config_json` (Block List) SecretType definition - SECRET_TYPE_DOCKERCONFIGJSON, Kubernetes secrets type. (see [below for nested schema](#nestedblock--spec--docker_config_json))
+- `opaque` (Map of String, Sensitive) SecretType definition - SECRET_TYPE_OPAQUE, Kubernetes secrets type.
 
 <a id="nestedblock--spec--docker_config_json"></a>
 ### Nested Schema for `spec.docker_config_json`
@@ -155,7 +185,8 @@ Read-Only:
 
 ```terraform
 # Create Tanzu Mission Control kubernetes secret with attached set as default value.
-resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
+# Example for creating the dockerconfigjson secret
+resource "tanzu-mission-control_kubernetes_secret" "create_dockerconfigjson_secret" {
   name           = "tf-secret"                # Required
   namespace_name = "tf-secret-namespace-name" # Required 
 
@@ -180,6 +211,32 @@ resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
     }
   }
 }
+
+# Example for creating the opaque secret
+resource "tanzu-mission-control_kubernetes_secret" "create_opaque_secret" {
+  name           = "tf-secret"                # Required
+  namespace_name = "tf-secret-namespace-name" # Required 
+
+  scope {
+    cluster_group {
+      name = "default" # Required
+    }
+  }
+
+  export = false # Default: false
+
+  meta {
+    description = "Create namespace through terraform"
+    labels      = { "key" : "value" }
+  }
+
+  spec {
+    opaque = {
+      "key1" : "value1"
+      "key2" : "value2"
+    }
+  }
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -236,9 +293,10 @@ Required:
 <a id="nestedblock--spec"></a>
 ### Nested Schema for `spec`
 
-Required:
+Optional:
 
-- `docker_config_json` (Block List, Min: 1) SecretType definition - SECRET_TYPE_DOCKERCONFIGJSON, Kubernetes secrets type. (see [below for nested schema](#nestedblock--spec--docker_config_json))
+- `docker_config_json` (Block List) SecretType definition - SECRET_TYPE_DOCKERCONFIGJSON, Kubernetes secrets type. (see [below for nested schema](#nestedblock--spec--docker_config_json))
+- `opaque` (Map of String, Sensitive) SecretType definition - SECRET_TYPE_OPAQUE, Kubernetes secrets type.
 
 <a id="nestedblock--spec--docker_config_json"></a>
 ### Nested Schema for `spec.docker_config_json`

examples/resources/kubernetes_secret/cg_resource.tf

@@ -1,5 +1,6 @@
 # Create Tanzu Mission Control kubernetes secret with attached set as default value.
-resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
+# Example for creating the dockerconfigjson secret
+resource "tanzu-mission-control_kubernetes_secret" "create_dockerconfigjson_secret" {
   name           = "tf-secret"                # Required
   namespace_name = "tf-secret-namespace-name" # Required 
 
@@ -23,4 +24,30 @@ resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
       image_registry_url = "testimageregistryurl" # Required
     }
   }
-}
+}
+
+# Example for creating the opaque secret
+resource "tanzu-mission-control_kubernetes_secret" "create_opaque_secret" {
+  name           = "tf-secret"                # Required
+  namespace_name = "tf-secret-namespace-name" # Required 
+
+  scope {
+    cluster_group {
+      name = "default" # Required
+    }
+  }
+
+  export = false # Default: false
+
+  meta {
+    description = "Create namespace through terraform"
+    labels      = { "key" : "value" }
+  }
+
+  spec {
+    opaque = {
+      "key1" : "value1"
+      "key2" : "value2"
+    }
+  }
+}

examples/resources/kubernetes_secret/resource.tf

@@ -1,5 +1,6 @@
 # Create Tanzu Mission Control kubernetes secret with attached set as default value.
-resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
+# Example for creating the dockerconfigjson secret
+resource "tanzu-mission-control_kubernetes_secret" "create_dockerconfigjson_secret" {
   name           = "tf-secret"                # Required
   namespace_name = "tf-secret-namespace-name" # Required 
 
@@ -25,4 +26,32 @@ resource "tanzu-mission-control_kubernetes_secret" "create_secret" {
       image_registry_url = "testimageregistryurl" # Required
     }
   }
-}
+}
+
+# Example for creating the opaque secret
+resource "tanzu-mission-control_kubernetes_secret" "create_opaque_secret" {
+  name           = "tf-secret"                # Required
+  namespace_name = "tf-secret-namespace-name" # Required 
+
+  scope {
+    cluster {
+      name                    = "testcluster" # Required
+      provisioner_name        = "attached"    # Default: attached
+      management_cluster_name = "attached"    # Default: attached
+    }
+  }
+
+  export = false # Default: false
+
+  meta {
+    description = "Create namespace through terraform"
+    labels      = { "key" : "value" }
+  }
+
+  spec {
+    opaque = {
+      "key1" : "value1"
+      "key2" : "value2"
+    }
+  }
+}

internal/models/kubernetessecret/cluster/secret_spec.go

@@ -49,6 +49,7 @@ func (m *VmwareTanzuManageV1alpha1ClusterNamespaceSecretSpec) UnmarshalBinary(b
 //
 //   - SECRET_TYPE_UNSPECIFIED: SECRET_TYPE_UNSPECIFIED, Unspecified secret type (default).
 //   - SECRET_TYPE_DOCKERCONFIGJSON: SECRET_TYPE_DOCKERCONFIGJSON, Kubernetes secrets type : kubernetes.io/dockerconfigjson.
+//   - SECRET_TYPE_OPAQUE: SECRET_TYPE_OPAQUE, Kubernetes opaque secret type : https://kubernetes.io/docs/concepts/configuration/secret/#opaque-secrets
 //
 // swagger:model vmware.tanzu.manage.v1alpha1.cluster.namespace.secret.SecretType
 type VmwareTanzuManageV1alpha1ClusterNamespaceSecretType string
@@ -61,14 +62,17 @@ const (
 
 	// VmwareTanzuManageV1alpha1ClusterNamespaceSecretTypeSECRETTYPEDOCKERCONFIGJSON captures enum value "SECRET_TYPE_DOCKERCONFIGJSON".
 	VmwareTanzuManageV1alpha1ClusterNamespaceSecretTypeSECRETTYPEDOCKERCONFIGJSON VmwareTanzuManageV1alpha1ClusterNamespaceSecretType = "SECRET_TYPE_DOCKERCONFIGJSON"
+	// VmwareTanzuManageV1alpha1ClusterNamespaceSecretTypeSECRETTYPEOPAQUE captures enum value "SECRET_TYPE_OPAQUE".
+	//nolint:gosec
+	VmwareTanzuManageV1alpha1ClusterNamespaceSecretTypeSECRETTYPEOPAQUE VmwareTanzuManageV1alpha1ClusterNamespaceSecretType = "SECRET_TYPE_OPAQUE"
 )
 
 // for schema.
 var vmwareTanzuManageV1alpha1ClusterNamespaceSecretTypeEnum []interface{}
 
 func init() {
 	var res []VmwareTanzuManageV1alpha1ClusterNamespaceSecretType
-	if err := json.Unmarshal([]byte(`["SECRET_TYPE_UNSPECIFIED","SECRET_TYPE_DOCKERCONFIGJSON"]`), &res); err != nil {
+	if err := json.Unmarshal([]byte(`["SECRET_TYPE_UNSPECIFIED","SECRET_TYPE_DOCKERCONFIGJSON","SECRET_TYPE_OPAQUE"]`), &res); err != nil {
 		panic(err)
 	}
 

internal/resources/kubernetessecret/constants.go

@@ -15,6 +15,8 @@ const (
 	SecretExportPhaseKey = "secret_export_phase"
 	statusKey            = "status"
 	Ready                = "Ready"
+	DockerSecretType     = "docker"
+	OpaqueSecretType     = "opaque"
 
 	ResourceName = "tanzu-mission-control_kubernetes_secret"
 )

internal/resources/kubernetessecret/data_source_secret.go

@@ -80,10 +80,16 @@ func dataSourceSecretRead(ctx context.Context, d *schema.ResourceData, m interfa
 
 	var password string
 
-	if _, ok := d.GetOk(spec.SpecKey); ok {
+	var opaqueData map[string]interface{}
+
+	if _, ok := d.GetOk(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.PasswordKey)); ok {
 		password, _ = (d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.PasswordKey))).(string)
 	}
 
+	if opData, ok := d.GetOk(helper.GetFirstElementOf(spec.SpecKey, spec.OpaqueKey)); ok && opData != nil {
+		opaqueData = opData.(map[string]interface{})
+	}
+
 	if d.Get(ExportKey).(bool) {
 		if secretDataFromServer.secretExportErr != nil || secretDataFromServer.secretExportRespNil {
 			switch {
@@ -121,13 +127,13 @@ func dataSourceSecretRead(ctx context.Context, d *schema.ResourceData, m interfa
 
 	switch scopedFullnameData.Scope {
 	case commonscope.ClusterScope:
-		flattenedSpec = spec.FlattenSpecForClusterScope(secretDataFromServer.atomicSpec, password)
+		flattenedSpec = spec.FlattenSpecForClusterScope(secretDataFromServer.atomicSpec, password, opaqueData)
 		flattenedStatus = status.FlattenStatusForClusterScope(secretDataFromServer.clusterScopeStatus)
 	case commonscope.ClusterGroupScope:
 		clusterGroupScopeSpec := &secretclustergroupmodel.VmwareTanzuManageV1alpha1ClustergroupNamespaceSecretSpec{
 			AtomicSpec: secretDataFromServer.atomicSpec,
 		}
-		flattenedSpec = spec.FlattenSpecForClusterGroupScope(clusterGroupScopeSpec, password)
+		flattenedSpec = spec.FlattenSpecForClusterGroupScope(clusterGroupScopeSpec, password, opaqueData)
 		flattenedStatus = status.FlattenStatusForClusterGroupScope(secretDataFromServer.clusterGroupScopeStatus)
 	}
 

internal/resources/kubernetessecret/resource_secret.go

@@ -41,6 +41,7 @@ func ResourceSecret() *schema.Resource {
 		Schema:        getResourceSchema(),
 		CustomizeDiff: customdiff.All(
 			schema.CustomizeDiffFunc(commonscope.ValidateScope(scope.ScopesAllowed[:])),
+			spec.ValidateInput,
 		),
 	}
 }
@@ -279,7 +280,10 @@ func resourceSecretInPlaceUpdate(ctx context.Context, d *schema.ResourceData, m
 		return diag.Errorf("updating %v is not possible", spec.ImageRegistryURLKey)
 	}
 
-	if updateCheckForMeta(d, secretDataFromServer.meta) || updateCheckForSpec(d, secretDataFromServer.atomicSpec, scopedFullnameData.Scope) {
+	updateRequiredForSepc := updateCheckForSpec(d, secretDataFromServer.atomicSpec, scopedFullnameData.Scope)
+	updateRequiredForMeta := updateCheckForMeta(d, secretDataFromServer.meta)
+
+	if updateRequiredForSepc || updateRequiredForMeta {
 		switch scopedFullnameData.Scope {
 		case commonscope.ClusterScope:
 			if scopedFullnameData.FullnameCluster != nil {
@@ -330,14 +334,21 @@ func resourceSecretInPlaceUpdate(ctx context.Context, d *schema.ResourceData, m
 
 func updateCheckForSpec(d *schema.ResourceData, atomicSpec *clustersecretmodel.VmwareTanzuManageV1alpha1ClusterNamespaceSecretSpec, scope commonscope.Scope) bool {
 	if !(spec.HasSpecChanged(d)) {
-		username := d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.UsernameKey))
-		password := d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.PasswordKey))
-		url := d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.ImageRegistryURLKey))
+		if atomicSpec.SecretType == clustersecretmodel.NewVmwareTanzuManageV1alpha1ClusterNamespaceSecretType(clustersecretmodel.VmwareTanzuManageV1alpha1ClusterNamespaceSecretTypeSECRETTYPEDOCKERCONFIGJSON) {
+			username := d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.UsernameKey))
+			password := d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.PasswordKey))
+			url := d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.DockerConfigjsonKey, spec.ImageRegistryURLKey))
+
+			secretSpecData, _ := spec.GetEncodedSpecData(url.(string), username.(string), password.(string))
 
-		secretSpecData, _ := spec.GetEncodedSpecData(url.(string), username.(string), password.(string))
+			atomicSpec.Data = map[string]strfmt.Base64{
+				spec.DockerconfigKey: secretSpecData,
+			}
+		}
 
-		atomicSpec.Data = map[string]strfmt.Base64{
-			spec.DockerconfigKey: secretSpecData,
+		if atomicSpec.SecretType == clustersecretmodel.NewVmwareTanzuManageV1alpha1ClusterNamespaceSecretType(clustersecretmodel.VmwareTanzuManageV1alpha1ClusterNamespaceSecretTypeSECRETTYPEOPAQUE) {
+			kv := d.Get(helper.GetFirstElementOf(spec.SpecKey, spec.OpaqueKey))
+			atomicSpec.Data = spec.GetEncodedOpaqueData(kv.(map[string]string))
 		}
 
 		return false