Feat: leverage the secret to read authorization token #229
Open
anishbista60 wants to merge 1 commit into
Open
Conversation
anishbista60
requested review from
FogDong,
Somefive,
anoop2811,
briankane,
jguionnet,
leejanee and
wonderflow
as code owners
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 3 files
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #229 +/- ##
==========================================
+ Coverage 62.49% 67.69% +5.20%
==========================================
Files 62 65 +3
Lines 4415 5429 +1014
==========================================
+ Hits 2759 3675 +916
- Misses 1324 1367 +43
- Partials 332 387 +55
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Signed-off-by: anish bista <anishbista053@gmail.com>
anishbista60
force-pushed
the
lfx-issue-1
branch
from
c82a641 to
8fa7e21
Compare
Author
|
Testing locally: I switched to PR kubevela/kubevela#7194. Then I changed to go mod file replace (
github.com/kubevela/workflow => /home/anish60/workflow
)Ran make Once, controller is ready, Apply the manifest apiVersion: v1
kind: Secret
metadata:
name: api-credentials
namespace: default
type: Opaque
stringData:
token: "Bearer sk-supersecret-12345"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin
namespace: default
spec:
replicas: 1
selector:
matchLabels: {app: httpbin}
template:
metadata:
labels: {app: httpbin}
spec:
containers:
- name: httpbin
image: kennethreitz/httpbin
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: httpbin
namespace: default
spec:
selector: {app: httpbin}
ports:
- port: 80
targetPort: 80
---
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
name: demo-request-step
namespace: default
spec:
components: []
workflow:
steps:
- name: notify
type: request
outputs:
- name: authHeader
valueFrom: response
properties:
url: http://localhost:8081/headers
method: GET
headersFromSecret:
- name: Authorization
secret: api-credentials
key: token
namespace: defaultMake sure to portforward the service at port After that Application CR would look like below apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"core.oam.dev/v1beta1","kind":"Application","metadata":{"annotations":{},"name":"demo-request-step","namespace":"default"},"spec":{"components":[],"workflow":{"steps":[{"name":"notify","outputs":[{"name":"authHeader","valueFrom":"response"}],"properties":{"headersFromSecret":[{"key":"token","name":"Authorization","namespace":"default","secret":"api-credentials"}],"method":"GET","url":"http://localhost:8081/headers"},"type":"request"}]}}}
oam.dev/kubevela-version: UNKNOWN
creationTimestamp: "2026-06-21T07:56:33Z"
finalizers:
- app.oam.dev/resource-tracker-finalizer
generation: 1
name: demo-request-step
namespace: default
resourceVersion: "780838"
uid: e52942ef-fedf-4a36-b24e-6e0d01ed37da
spec:
components: []
workflow:
steps:
- name: notify
outputs:
- name: authHeader
valueFrom: response
properties:
headersFromSecret:
- key: token
name: Authorization
namespace: default
secret: api-credentials
method: GET
url: http://localhost:8081/headers
type: request
status:
conditions:
- lastTransitionTime: "2026-06-21T07:56:33Z"
reason: Available
status: "True"
type: Parsed
- lastTransitionTime: "2026-06-21T07:56:33Z"
reason: Available
status: "True"
type: Revision
- lastTransitionTime: "2026-06-21T07:56:33Z"
reason: Available
status: "True"
type: Policy
- lastTransitionTime: "2026-06-21T07:56:33Z"
reason: Available
status: "True"
type: Render
- lastTransitionTime: "2026-06-21T07:56:33Z"
reason: Available
status: "True"
type: Workflow
- lastTransitionTime: "2026-06-21T07:56:33Z"
reason: ReconcileSuccess
status: "True"
type: Ready
latestRevision:
name: demo-request-step-v1
revision: 1
revisionHash: 819fb21900658cb0
observedGeneration: 1
status: running
workflow:
appRevision: demo-request-step-v1
contextBackend:
apiVersion: v1
kind: ConfigMap
name: workflow-demo-request-step-context
namespace: default
uid: 6ccd4e9e-08ed-498a-944d-c3ea65bfb823
endTime: "2026-06-21T07:56:33Z"
finished: true
mode: StepByStep-DAG
startTime: "2026-06-21T07:56:33Z"
status: succeeded
steps:
- firstExecuteTime: "2026-06-21T07:56:33Z"
id: zj77pshkwv
lastExecuteTime: "2026-06-21T07:56:33Z"
name: notify
phase: succeeded
type: request
suspend: false
terminated: falseThis creates the configmap as well with Name: workflow-demo-request-step-context
Namespace: default
Labels: <none>
Annotations: vela.io/startTime: 2026-06-21 13:26:33.096781116 +0530 IST m=+62.769867856
Data
====
vars:
----
authHeader: {
headers: {
"Accept-Encoding": "gzip"
Authorization: "Bearer sk-supersecret-12345"
"Content-Type": "application/json"
Host: "localhost:8081"
"User-Agent": "Go-http-client/1.1"
}
}
BinaryData
====
Events: <none> |
There was a problem hiding this comment.
1 issue found across 3 files
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
Author
anishbista60
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of your changes
Application CRand now we can pass the reference of the secret and it take that token from k8s secret.Fixes kubevela/kubevela#7104
I have:
make reviewableto ensure this PR is ready for review.backport release-x.ylabels to auto-backport this PR if necessary.How has this code been tested
Special notes for your reviewer
Summary by cubic
Allow
pkg/providers/httpto read HTTP headers (e.g., Authorization) from Kubernetes Secrets instead of hardcoding tokens inApplicationCRs. This improves security and simplifies configuration.headersFromSecretto the CUE schema and GoRequestto map header names to Secretsecret/key(optionalnamespace).KubeClient; defaults namespace to the process context when not provided.KubeClientis not provided.Written for commit 8fa7e21. Summary will update on new commits.