feat: support annotations (#111)

Signed-off-by: CG <cgpoh76@gmail.com>

Author: cgpoh

api/src/main/java/io/strimzi/kafka/access/model/KafkaAccessSpec.java

@@ -21,6 +21,7 @@ public class KafkaAccessSpec {
     private KafkaReference kafka;
     private KafkaUserReference user;
     private String secretName;
+    private KafkaAccessTemplate template;
 
     /**
      * Gets the KafkaReference instance
@@ -75,4 +76,22 @@ public String getSecretName() {
     public void setSecretName(String secretName) {
         this.secretName = secretName;
     }
+
+    /**
+     * Gets the template for customizing generated resources
+     *
+     * @return The KafkaAccessTemplate instance
+     */
+    public KafkaAccessTemplate getTemplate() {
+        return template;
+    }
+
+    /**
+     * Sets the template for customizing generated resources
+     *
+     * @param template The KafkaAccessTemplate model
+     */
+    public void setTemplate(final KafkaAccessTemplate template) {
+        this.template = template;
+    }
 }

api/src/main/java/io/strimzi/kafka/access/model/KafkaAccessTemplate.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.kafka.access.model;
+
+import io.strimzi.api.kafka.model.common.Constants;
+import io.sundr.builder.annotations.Buildable;
+
+/**
+ * Template for KafkaAccess resources (e.g., Secret template)
+ */
+@Buildable(
+    editableEnabled = false,
+    builderPackage = Constants.FABRIC8_KUBERNETES_API
+)
+public class KafkaAccessTemplate {
+
+    private SecretTemplate secret;
+
+    /**
+     * Gets the Secret template
+     *
+     * @return The SecretTemplate instance
+     */
+    public SecretTemplate getSecret() {
+        return secret;
+    }
+
+    /**
+     * Sets the Secret template
+     *
+     * @param secret The SecretTemplate model
+     */
+    public void setSecret(final SecretTemplate secret) {
+        this.secret = secret;
+    }
+}
+

api/src/main/java/io/strimzi/kafka/access/model/MetadataTemplate.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.kafka.access.model;
+
+import io.strimzi.api.kafka.model.common.Constants;
+import io.sundr.builder.annotations.Buildable;
+
+import java.util.Map;
+
+/**
+ * Template for Kubernetes resource metadata (labels, annotations)
+ */
+@Buildable(
+    editableEnabled = false,
+    builderPackage = Constants.FABRIC8_KUBERNETES_API
+)
+public class MetadataTemplate {
+
+    private Map<String, String> labels;
+    private Map<String, String> annotations;
+
+    /**
+     * Gets the labels
+     *
+     * @return A map of labels
+     */
+    public Map<String, String> getLabels() {
+        return labels;
+    }
+
+    /**
+     * Sets the labels
+     *
+     * @param labels A map of labels
+     */
+    public void setLabels(final Map<String, String> labels) {
+        this.labels = labels;
+    }
+
+    /**
+     * Gets the annotations
+     *
+     * @return A map of annotations
+     */
+    public Map<String, String> getAnnotations() {
+        return annotations;
+    }
+
+    /**
+     * Sets the annotations
+     *
+     * @param annotations A map of annotations
+     */
+    public void setAnnotations(final Map<String, String> annotations) {
+        this.annotations = annotations;
+    }
+}
+

api/src/main/java/io/strimzi/kafka/access/model/SecretTemplate.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.kafka.access.model;
+
+import io.strimzi.api.kafka.model.common.Constants;
+import io.sundr.builder.annotations.Buildable;
+
+/**
+ * Template for Secret
+ */
+@Buildable(
+    editableEnabled = false,
+    builderPackage = Constants.FABRIC8_KUBERNETES_API
+)
+public class SecretTemplate {
+
+    private MetadataTemplate metadata;
+
+    /**
+     * Gets the metadata template
+     *
+     * @return The MetadataTemplate instance
+     */
+    public MetadataTemplate getMetadata() {
+        return metadata;
+    }
+
+    /**
+     * Sets the metadata template
+     *
+     * @param metadata The MetadataTemplate model
+     */
+    public void setMetadata(final MetadataTemplate metadata) {
+        this.metadata = metadata;
+    }
+}
+

operator/src/main/java/io/strimzi/kafka/access/KafkaAccessReconciler.java

@@ -106,42 +106,118 @@ private void createOrUpdateSecret(final Map<String, String> data, final KafkaAcc
         if (kafkaAccessSecretEventSource == null) {
             throw new IllegalStateException("Event source for Kafka Access Secret not initialized, cannot reconcile");
         }
+
+        final Map<String, String> templateAnnotations = getTemplateAnnotations(kafkaAccess);
+        final Map<String, String> templateLabels = getTemplateAndCommonLabels(kafkaAccess);
+
         kafkaAccessSecretEventSource.get(new ResourceID(secretName, kafkaAccessNamespace))
-                .ifPresentOrElse(secret -> {
-                    final Map<String, String> currentData = secret.getData();
-                    if (!data.equals(currentData)) {
-                        kubernetesClient.secrets()
-                                .inNamespace(kafkaAccessNamespace)
-                                .withName(secretName)
-                                .edit(s -> new SecretBuilder(s).withData(data).build());
-                    }
-                }, () -> kubernetesClient
-                        .secrets()
-                        .inNamespace(kafkaAccessNamespace)
-                        .resource(
-                                new SecretBuilder()
-                                        .withType(SECRET_TYPE)
-                                        .withNewMetadata()
-                                        .withName(secretName)
-                                        .withLabels(commonSecretLabels)
-                                        .withOwnerReferences(
-                                                new OwnerReferenceBuilder()
-                                                        .withApiVersion(kafkaAccess.getApiVersion())
-                                                        .withKind(kafkaAccess.getKind())
-                                                        .withName(kafkaAccessName)
-                                                        .withUid(kafkaAccess.getMetadata().getUid())
-                                                        .withBlockOwnerDeletion(false)
-                                                        .withController(false)
-                                                        .build()
-                                        )
-                                        .endMetadata()
-                                        .withData(data)
-                                        .build()
-                        )
-                        .create()
+                .ifPresentOrElse(
+                    secret -> updateSecretIfChanged(secret, data, templateAnnotations, templateLabels, kafkaAccessNamespace, secretName),
+                    () -> createSecret(data, kafkaAccess, secretName, kafkaAccessNamespace, kafkaAccessName, templateAnnotations, templateLabels)
             );
     }
 
+    private void updateSecretIfChanged(Secret secret, Map<String, String> data, Map<String, String> templateAnnotations,
+                                       Map<String, String> templateLabels, String namespace, String secretName) {
+        final Map<String, String> mergedAnnotations = mergeWithoutOverwritingCurrent(
+                Optional.ofNullable(secret.getMetadata().getAnnotations()).orElse(Map.of()),
+                templateAnnotations);
+
+        final Map<String, String> mergedLabels = mergeWithoutOverwritingCurrent(
+                Optional.ofNullable(secret.getMetadata().getLabels()).orElse(Map.of()),
+                templateLabels);
+
+        final boolean dataChanged = !data.equals(Optional.ofNullable(secret.getData()).orElse(Map.of()));
+        final boolean annotationsChanged = !mergedAnnotations.equals(
+                Optional.ofNullable(secret.getMetadata().getAnnotations()).orElse(Map.of()));
+        final boolean labelsChanged = !mergedLabels.equals(
+                Optional.ofNullable(secret.getMetadata().getLabels()).orElse(Map.of()));
+
+        if (dataChanged || annotationsChanged || labelsChanged) {
+            kubernetesClient.secrets()
+                    .inNamespace(namespace)
+                    .withName(secretName)
+                    .edit(s -> new SecretBuilder(s)
+                            .withData(data)
+                            .editOrNewMetadata()
+                                .withAnnotations(mergedAnnotations)
+                                .withLabels(mergedLabels)
+                            .endMetadata()
+                            .build());
+        }
+    }
+
+    private static Map<String, String> mergeWithoutOverwritingCurrent(Map<String, String> current, Map<String, String> template) {
+        Map<String, String> merged = new HashMap<>(template);
+        merged.putAll(current);
+        return merged;
+    }
+
+    private void createSecret(Map<String, String> data, KafkaAccess kafkaAccess, String secretName, String namespace,
+                              String kafkaAccessName, Map<String, String> templateAnnotations, Map<String, String> templateLabels) {
+        kubernetesClient
+                .secrets()
+                .inNamespace(namespace)
+                .resource(
+                        new SecretBuilder()
+                                .withType(SECRET_TYPE)
+                                .withNewMetadata()
+                                .withName(secretName)
+                                .withLabels(templateLabels)
+                                .withAnnotations(templateAnnotations)
+                                .withOwnerReferences(
+                                        new OwnerReferenceBuilder()
+                                                .withApiVersion(kafkaAccess.getApiVersion())
+                                                .withKind(kafkaAccess.getKind())
+                                                .withName(kafkaAccessName)
+                                                .withUid(kafkaAccess.getMetadata().getUid())
+                                                .withBlockOwnerDeletion(false)
+                                                .withController(false)
+                                                .build()
+                                )
+                                .endMetadata()
+                                .withData(data)
+                                .build()
+                )
+                .create();
+    }
+
+    /**
+     * Extracts annotations from the KafkaAccess spec template that should be applied to the Secret.
+     *
+     * @param kafkaAccess The KafkaAccess custom resource.
+     * @return A map of annotations to apply to the Secret.
+     */
+    private Map<String, String> getTemplateAnnotations(final KafkaAccess kafkaAccess) {
+        return new HashMap<>(Optional.ofNullable(kafkaAccess.getSpec().getTemplate())
+                .map(template -> template.getSecret())
+                .map(secret -> secret.getMetadata())
+                .map(metadata -> metadata.getAnnotations())
+                .orElse(new HashMap<>()));
+    }
+
+    /**
+     * Builds the desired Secret labels from the KafkaAccess template.
+     * Template-provided labels are included, then operator-required common labels are added.
+     * On key conflicts, operator-required common labels take precedence.
+     *
+     * @param kafkaAccess The KafkaAccess custom resource.
+     * @return A map of labels to apply to the Secret, including operator-required common labels.
+     */
+    private Map<String, String> getTemplateAndCommonLabels(final KafkaAccess kafkaAccess) {
+        Map<String, String> labels = Optional.ofNullable(kafkaAccess.getSpec().getTemplate())
+                .map(template -> template.getSecret())
+                .map(secret -> secret.getMetadata())
+                .map(metadata -> metadata.getLabels())
+                .map(HashMap::new)
+                .orElse(new HashMap<>());
+
+        // Keep operator default labels authoritative.
+        labels.putAll(commonSecretLabels);
+
+        return labels;
+    }
+
     /**
      * Prepares the event sources required for triggering the reconciliation.
      * It configures the JOSDK framework with resources the operator needs to watch.