Merge pull request #168 from vshn/clarify-secret-symc-example

Clarify secret sync example source secret reference

Author: bastjan

docs/annotated-examples/managedresource/sync-secrets.adoc

@@ -68,7 +68,9 @@ spec:
       local nsLabels = std.get(ns.metadata, 'labels', {});
       !inDelete(ns) && std.get(nsLabels, 'example.com/sync-secret', 'false') == 'true';
 
+    assert std.length(esp.context().source_secret) == 1 : "Expected to have exactly one source secret"; <6>
     local secret = esp.context().source_secret[0];
+
     local copy_to(nsname) = {
       apiVersion: 'v1',
       kind: 'Secret',
@@ -83,21 +85,21 @@ spec:
       type: secret.type,
     };
 
-    if esp.triggerName() == 'namespace' then ( <6>
-      local ns = esp.triggerData().resource; <7>
+    if esp.triggerName() == 'namespace' then ( <7>
+      local ns = esp.triggerData().resource; <8>
       if ns != null && wants_secret(ns) then copy_to(ns.metadata.name)
-    ) else if esp.triggerName() == 'managed_secret' then ( <8>
+    ) else if esp.triggerName() == 'managed_secret' then ( <9>
       local tdata = esp.triggerData();
       // by using the resource event when a managed secret is reconciled we
       // don't have to care about whether we got triggered due to a
       // modification or deletion of the secret.
       local secretNs = std.filter(
-        function(ns) ns.metadata.name == tdata.resourceEvent.namespace, <9>
+        function(ns) ns.metadata.name == tdata.resourceEvent.namespace, <10>
         esp.context().target_namespaces
       );
       if std.length(secretNs) == 1 && wants_secret(secretNs[0]) then
         copy_to(tdata.resourceEvent.namespace)
-    ) else [ <10>
+    ) else [ <11>
       copy_to(ns.metadata.name)
       for ns in esp.context().target_namespaces
       if wants_secret(ns)
@@ -111,13 +113,25 @@ Only namespaces with the label `example.com/sync-secret=true` will receive the s
 Uses the same cache as the `target_namespaces` context resource.
 <5> Trigger that reconciles the `ManagedResource` when a managed secret is created, modified or deleted.
 Filtered by the label `espejote.io/managed-by=secret-sync-namespace.sync-secret` injected by the template itself.
-<6> When triggered by a namespace event, reconcile only that namespace.
-<7> The full triggering resource is available in `esp.triggerData().resource`.
+<6> Assertion to ensure the source secret exists in the context.
+Context resources always return an array of resources, even if only a single resource is expected.
+If no referenced resource exists, the array is empty.
+The assertion causes the reconciliation to fail in that case, which adds an event to the `ManagedResource` and to the triggering resource.
+Jsonnet does not allow early exits but the check could guard the final `if` expression instead as jsonnet is lazy-evaluated.
++
+[source]
+----
+if std.length(esp.context().source_secret) == 1 then
+  if esp.triggerName() == 'namespace' then
+    ...
+----
+<7> When triggered by a namespace event, reconcile only that namespace.
+<8> The full triggering resource is available in `esp.triggerData().resource`.
 Can be `null` if the resource was deleted.
-<8> When triggered by a managed secret event, reconcile only the namespace of that secret.
-<9> `resourceEvent` contains the raw event data, including the namespace of the secret.
+<9> When triggered by a managed secret event, reconcile only the namespace of that secret.
+<10> `resourceEvent` contains the raw event data, including the namespace of the secret.
 This data always exists, even if the resource was deleted.
-<10> Default reconciliation: create/update the secret in all target namespaces.
+<11> Default reconciliation: create/update the secret in all target namespaces.
 Also triggers on source secret change through the `source_secret` trigger.
 
 ### RBAC [[rbac]]