CF-1873 : Manage CMF secret mappings#3306
Draft
Paras Negi (paras-negi-flink) wants to merge 7 commits intomainfrom
Draft
CF-1873 : Manage CMF secret mappings#3306Paras Negi (paras-negi-flink) wants to merge 7 commits intomainfrom
Paras Negi (paras-negi-flink) wants to merge 7 commits intomainfrom
Conversation
|
🎉 All Contributor License Agreements have been signed. Ready to merge. |
Copilot started reviewing on behalf of
Paras Negi (paras-negi-flink)
April 5, 2026 16:04
View session
There was a problem hiding this comment.
Pull request overview
This PR extends the on-prem Flink (CMF) CLI surface to support managing environment secret mappings, and adds an update command for Kafka catalogs, including CMF client support and on-prem integration test coverage.
Changes:
- Add
confluent flink secret-mappingcommand group (create/describe/list/update/delete) backed by new CMF REST client methods. - Add
confluent flink catalog updatecommand and CMF REST clientUpdateCatalog. - Extend the on-prem test server router/handlers and add integration tests + fixtures for the new behaviors.
Reviewed changes
Copilot reviewed 52 out of 52 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| test/test-server/flink_onprem_router.go | Adds CMF on-prem router endpoints for secret-mappings. |
| test/test-server/flink_onprem_handler.go | Implements test-server handlers for secret-mappings and catalog update. |
| test/flink_onprem_test.go | Adds integration tests for catalog update and secret-mapping commands (JSON/YAML + failures). |
| test/fixtures/output/flink/help-onprem.golden | Adds secret-mapping to top-level flink help output (on-prem). |
| test/fixtures/output/flink/catalog/help-onprem.golden | Adds update to flink catalog help (on-prem). |
| test/fixtures/output/flink/catalog/update-help-onprem.golden | Adds help fixture for flink catalog update (on-prem). |
| test/fixtures/output/flink/catalog/update-success.golden | Golden output for successful catalog update (human). |
| test/fixtures/output/flink/catalog/update-success-json.golden | Golden output for successful catalog update (json). |
| test/fixtures/output/flink/catalog/update-success-yaml.golden | Golden output for successful catalog update (yaml). |
| test/fixtures/output/flink/catalog/update-invalid-failure.golden | Golden output for invalid catalog update failure. |
| test/fixtures/output/flink/secret-mapping/create-success.golden | Golden output for secret-mapping create (human). |
| test/fixtures/output/flink/secret-mapping/create-success-json.golden | Golden output for secret-mapping create (json). |
| test/fixtures/output/flink/secret-mapping/create-success-yaml.golden | Golden output for secret-mapping create (yaml). |
| test/fixtures/output/flink/secret-mapping/create-invalid-failure.golden | Golden output for secret-mapping create invalid failure. |
| test/fixtures/output/flink/secret-mapping/describe-success.golden | Golden output for secret-mapping describe (human). |
| test/fixtures/output/flink/secret-mapping/describe-success-json.golden | Golden output for secret-mapping describe (json). |
| test/fixtures/output/flink/secret-mapping/describe-success-yaml.golden | Golden output for secret-mapping describe (yaml). |
| test/fixtures/output/flink/secret-mapping/describe-not-found.golden | Golden output for secret-mapping describe not-found failure. |
| test/fixtures/output/flink/secret-mapping/list-success.golden | Golden output for secret-mapping list (human). |
| test/fixtures/output/flink/secret-mapping/list-success-json.golden | Golden output for secret-mapping list (json). |
| test/fixtures/output/flink/secret-mapping/list-success-yaml.golden | Golden output for secret-mapping list (yaml). |
| test/fixtures/output/flink/secret-mapping/update-success.golden | Golden output for secret-mapping update (human). |
| test/fixtures/output/flink/secret-mapping/update-success-json.golden | Golden output for secret-mapping update (json). |
| test/fixtures/output/flink/secret-mapping/update-success-yaml.golden | Golden output for secret-mapping update (yaml). |
| test/fixtures/output/flink/secret-mapping/update-invalid-failure.golden | Golden output for secret-mapping update invalid failure. |
| test/fixtures/output/flink/secret-mapping/delete-single-successful.golden | Golden output for secret-mapping delete (interactive confirm). |
| test/fixtures/output/flink/secret-mapping/delete-single-force.golden | Golden output for secret-mapping delete (force). |
| test/fixtures/output/flink/secret-mapping/delete-non-exist-failure.golden | Golden output for secret-mapping delete failure. |
| test/fixtures/input/flink/catalog/update-successful.json | Input fixture for catalog update success (json). |
| test/fixtures/input/flink/catalog/update-successful.yaml | Input fixture for catalog update success (yaml). |
| test/fixtures/input/flink/catalog/update-invalid-failure.json | Input fixture for catalog update invalid case (json). |
| test/fixtures/input/flink/catalog/update-invalid-failure.yaml | Input fixture for catalog update invalid case (yaml). |
| test/fixtures/input/flink/secret-mapping/create-successful.json | Input fixture for secret-mapping create success (json). |
| test/fixtures/input/flink/secret-mapping/create-successful.yaml | Input fixture for secret-mapping create success (yaml). |
| test/fixtures/input/flink/secret-mapping/create-invalid-failure.json | Input fixture for secret-mapping create invalid case (json). |
| test/fixtures/input/flink/secret-mapping/create-invalid-failure.yaml | Input fixture for secret-mapping create invalid case (yaml). |
| test/fixtures/input/flink/secret-mapping/update-successful.json | Input fixture for secret-mapping update success (json). |
| test/fixtures/input/flink/secret-mapping/update-successful.yaml | Input fixture for secret-mapping update success (yaml). |
| test/fixtures/input/flink/secret-mapping/update-invalid-failure.json | Input fixture for secret-mapping update invalid case (json). |
| test/fixtures/input/flink/secret-mapping/update-invalid-failure.yaml | Input fixture for secret-mapping update invalid case (yaml). |
| pkg/resource/resource.go | Adds resource label constant for Flink secret mapping (used by deletion UX). |
| pkg/flink/cmf_rest_client.go | Adds CMF REST client methods for catalog update + secret-mapping CRUD/list. |
| internal/flink/local_types.go | Adds local types for serialized secret-mapping output. |
| internal/flink/command.go | Registers the new secret-mapping command under flink. |
| internal/flink/command_secret_mapping.go | Introduces secret-mapping command group + resource file parsing + output helpers. |
| internal/flink/command_secret_mapping_create.go | Implements flink secret-mapping create. |
| internal/flink/command_secret_mapping_delete.go | Implements flink secret-mapping delete with confirmation flow. |
| internal/flink/command_secret_mapping_describe.go | Implements flink secret-mapping describe. |
| internal/flink/command_secret_mapping_list.go | Implements flink secret-mapping list. |
| internal/flink/command_secret_mapping_update.go | Implements flink secret-mapping update. |
| internal/flink/command_catalog.go | Adds shared helpers for catalog output + resource-file parsing, and wires catalog update subcommand. |
| internal/flink/command_catalog_update.go | Implements flink catalog update. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
internal/flink/command_catalog.go
Outdated
Comment on lines
+64
to
+68
| func readCatalogResourceFile(resourceFilePath string) (cmfsdk.KafkaCatalog, error) { | ||
| data, err := os.ReadFile(resourceFilePath) | ||
| if err != nil { | ||
| return cmfsdk.KafkaCatalog{}, fmt.Errorf("failed to read file: %w", err) | ||
| } |
There was a problem hiding this comment.
readCatalogResourceFile introduces a shared parsing helper for catalog resource files, but catalog create (and other catalog commands) still inline similar parsing logic elsewhere. Consider reusing this helper across the catalog commands to avoid duplicated implementations that can drift in behavior/error handling over time.
Comment on lines
+25
to
+31
| func (c *command) newSecretMappingCommand() *cobra.Command { | ||
| cmd := &cobra.Command{ | ||
| Use: "secret-mapping", | ||
| Short: "Manage Flink secret mappings.", | ||
| Long: "Manage Flink environment secret mappings in Confluent Platform.", | ||
| Annotations: map[string]string{pcmd.RunRequirement: pcmd.RequireCloudLogout}, | ||
| } |
There was a problem hiding this comment.
TestHelp recurses over available commands and expects help golden fixtures under test/fixtures/output/<cmd path>/. Since flink secret-mapping is newly added, please add the missing help-onprem.golden / *-help-onprem.golden fixtures for flink secret-mapping and its subcommands (create/describe/list/update/delete), otherwise help tests will fail.
airlock-confluentinc
bot
force-pushed
the
CF-1873
branch
from
037b3a6 to
3c1807c
Compare
|
Author
parasnegi@C6V9RN9V2Y confluent_darwin_arm64_v8.0 % ./confluent flink secret-mapping create secret-mapping.yaml --url http://localhost:8080 --environment test
+---------------+--------------------------------+
| Creation Time | 2026-04-06T14:58:21.758923508Z |
| Name | test-mapping |
| Secret Name | test-secret |
+---------------+--------------------------------+
parasnegi@C6V9RN9V2Y confluent_darwin_arm64_v8.0 % ./confluent flink secret-mapping list --url http://localhost:8080 --environment test
Creation Time | Name | Secret Name
---------------------------+--------------------------+-------------------
2026-03-25T14:08:11.573Z | sec-kafka-conn-secret-id | sec-kafka-secret
2026-04-06T14:58:21.758Z | test-mapping | test-secret
parasnegi@C6V9RN9V2Y confluent_darwin_arm64_v8.0 % ./confluent flink secret-mapping describe test-mapping --url http://localhost:8080 --environment test --output json
{
"apiVersion": "cmf.confluent.io/v1",
"kind": "EnvironmentSecretMapping",
"metadata": {
"name": "test-mapping",
"creationTimestamp": "2026-04-06T14:58:21.758Z",
"updateTimestamp": "2026-04-06T14:58:21.758Z",
"uid": "57b4a385-376c-472d-b777-571c36ef5bca",
"labels": {},
"annotations": {}
},
"spec": {
"secretName": "test-secret"
}
}
parasnegi@C6V9RN9V2Y confluent_darwin_arm64_v8.0 % ./confluent flink secret-mapping describe test-mapping --url http://localhost:8080 --environment test --output yaml
apiVersion: cmf.confluent.io/v1
kind: EnvironmentSecretMapping
metadata:
name: test-mapping
creationTimestamp: "2026-04-06T14:58:21.758Z"
updateTimestamp: "2026-04-06T14:58:21.758Z"
uid: 57b4a385-376c-472d-b777-571c36ef5bca
labels: {}
annotations: {}
spec:
secretName: test-secret
parasnegi@C6V9RN9V2Y confluent_darwin_arm64_v8.0 % ./confluent flink secret-mapping update secret-mapping.yaml --url http://localhost:8080 --environment test --output json
{
"apiVersion": "cmf.confluent.io/v1",
"kind": "EnvironmentSecretMapping",
"metadata": {
"name": "test-mapping",
"creationTimestamp": "2026-04-06T14:58:21.758Z",
"updateTimestamp": "2026-04-06T15:07:36.432879126Z",
"uid": "57b4a385-376c-472d-b777-571c36ef5bca",
"labels": {
"env": "test",
"team": "platform"
},
"annotations": {}
},
"spec": {
"secretName": "test-secret"
}
}
parasnegi@C6V9RN9V2Y confluent_darwin_arm64_v8.0 % ./confluent flink secret-mapping delete test-mapping --url http://localhost:8080 --environment test
Are you sure you want to delete Flink secret mapping "test-mapping"? (y/n): y
Deleted Flink secret mapping "test-mapping".
parasnegi@C6V9RN9V2Y confluent_darwin_arm64_v8.0 % ./confluent flink secret-mapping list --url http://localhost:8080 --environment test
Creation Time | Name | Secret Name
---------------------------+--------------------------+-------------------
2026-03-25T14:08:11.573Z | sec-kafka-conn-secret-id | sec-kafka-secret |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release Notes
Breaking Changes
New Features
Bug Fixes
Checklist
Whatsection below whether this PR applies to Confluent Cloud, Confluent Platform, or both.Test & Reviewsection below.Blast Radiussection below.What
Blast Radius
References
Test & Review