sdcio · henderiw · May 6, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
@@ -234,3 +234,20 @@ type UnrecoverableMessage struct {
 	ResourceVersion string `json:"resourceVersion" protobuf:"bytes,1,opt,name=resourceVersion"`
 	Message         string `json:"message" protobuf:"bytes,2,opt,name=message"`
 }
+
+// DedupeConditions returns conditions deduplicated by type; last value wins.
+// Needed because WithConditions is a generated append-only method and
+// cannot protect against duplicate list-map keys itself (issue #431).
+func DedupeConditions(conds ...Condition) []Condition {
+	index := make(map[string]int, len(conds))
+	out := make([]Condition, 0, len(conds))
+	for _, c := range conds {
+		if i, ok := index[c.Type]; ok {
+			out[i] = c // overwrite in-place, preserving order
+		} else {
+			index[c.Type] = len(out)
+			out = append(out, c)
+		}
+	}
+	return out
+}
@@ -18,7 +18,8 @@ package config
 
 import (
 	"context"
-	"crypto/sha1"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -86,13 +87,6 @@ func (r *Config) GetNamespacedName() types.NamespacedName {
 	return types.NamespacedName{Name: r.Name, Namespace: r.Namespace}
 }
 
-func (r *Config) GetLastKnownGoodSchema() *ConfigStatusLastKnownGoodSchema {
-	if r.Status.LastKnownGoodSchema == nil {
-		return &ConfigStatusLastKnownGoodSchema{}
-	}
-	return r.Status.LastKnownGoodSchema
-}
-
 func (r *Config) GetTarget() string {
 	if len(r.GetLabels()) == 0 {
 		return ""
@@ -157,28 +151,19 @@ func BuildEmptyConfig() *Config {
 	}
 }
 
-func (r *Config) HashDeviationGenerationChanged(deviation Deviation) bool {
-	if r.Status.DeviationGeneration == nil {
-		// if there was no old deviation, but now we have a deviation wwe return true
-		return len(deviation.Spec.Deviations) != 0
-	} else {
-		return *r.Status.DeviationGeneration == deviation.GetGeneration()
-	}
-}
-
 type RecoveryConfig struct {
 	Config    Config
 	Deviation Deviation
 }
 
-func (r *ConfigSpec) GetShaSum(ctx context.Context) [20]byte {
-	log := log.FromContext(ctx)
-	appliedSpec, err := json.Marshal(r)
+// GetHash returns a SHA-256 hex hash.
+func (r *ConfigSpec) GetHash() (string, error) {
+	raw, err := json.Marshal(r)
 	if err != nil {
-		log.Error("cannot marshal appliedConfig", "error", err)
-		return [20]byte{}
+		return "", fmt.Errorf("marshal config blobs: %w", err)
 	}
-	return sha1.Sum(appliedSpec)
+	h := sha256.Sum256(raw)
+	return hex.EncodeToString(h[:]), nil
 }
 
 func (r *Config) GetOwnerReference() metav1.OwnerReference {

@@ -186,7 +186,6 @@ func (r *Config) TableConvertor() func(gr schema.GroupResource) rest.TableConver
 					config.GetCondition(condition.ConditionTypeReady).Message,
 					config.Spec.Priority,
 					config.GetTarget(),
-					config.GetLastKnownGoodSchema().FileString(),
 				}
 			},
 			[]metav1.TableColumnDefinition{
@@ -195,7 +194,6 @@ func (r *Config) TableConvertor() func(gr schema.GroupResource) rest.TableConver
 				{Name: "Reason", Type: "string"},
 				{Name: "Priority", Type: "integer"},
 				{Name: "Target", Type: "string"},
-				{Name: "Schema", Type: "string"},
 			},
 		)
 	}

@@ -34,14 +34,14 @@ type ConfigSpec struct {
 	// Revertive defines if this CR is enabled for revertive or non revertve operation
 	Revertive *bool `json:"revertive,omitempty" protobuf:"varint,3,opt,name=revertive"`
 	// Config defines the configuration to be applied to a target device
-	//+kubebuilder:pruning:PreserveUnknownFields
 	Config []ConfigBlob `json:"config" protobuf:"bytes,4,rep,name=config"`
 }
 
 type ConfigBlob struct {
 	// Path defines the path relative to which the value is applicable
 	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=config"`
-	//+kubebuilder:pruning:PreserveUnknownFields
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// +structType=granular
 	Value runtime.RawExtension `json:"value" protobuf:"bytes,2,opt,name=value"`
 }
 
@@ -50,12 +50,6 @@ type ConfigStatus struct {
 	// ConditionedStatus provides the status of the Readiness using conditions
 	// if the condition is true the other attributes in the status are meaningful
 	condition.ConditionedStatus `json:",inline" protobuf:"bytes,1,opt,name=conditionedStatus"`
-	// LastKnownGoodSchema identifies the last known good schema used to apply the config successfully
-	LastKnownGoodSchema *ConfigStatusLastKnownGoodSchema `json:"lastKnownGoodSchema,omitempty" protobuf:"bytes,2,opt,name=lastKnownGoodSchema"`
-	// AppliedConfig defines the config applied to the target
-	AppliedConfig *ConfigSpec `json:"appliedConfig,omitempty" protobuf:"bytes,3,opt,name=appliedConfig"`
-	// Deviations generation used for the latest config apply
-	DeviationGeneration *int64 `json:"deviationGeneration,omitempty" protobuf:"bytes,4,opt,name=deviationGeneration"`
 }
 
 type ConfigStatusLastKnownGoodSchema struct {

@@ -35,7 +35,6 @@ type ConfigSetSpec struct {
 	// Revertive defines if this CR is enabled for revertive or non revertve operation
 	Revertive *bool `json:"revertive,omitempty" protobuf:"varint,4,opt,name=revertive"`
 	// Config defines the configuration to be applied to a target device
-	//+kubebuilder:pruning:PreserveUnknownFields
 	Config []ConfigBlob `json:"config" protobuf:"bytes,5,rep,name=config"`
 }
 

@@ -40,7 +40,7 @@ func (r *ConfigStoreHandler) DryRunCreateFn(ctx context.Context, key types.Names
 		return obj, err
 	}
 
-	updates, err := config.GetIntentUpdate(c, true)
+	updates, err := config.GetIntentUpdateFromBlobs(c.Spec.Config)
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +62,7 @@ func (r *ConfigStoreHandler) DryRunUpdateFn(ctx context.Context, key types.Names
 		return obj, err
 	}
 
-	updates, err := config.GetIntentUpdate(c, true)
+	updates, err := config.GetIntentUpdateFromBlobs(c.Spec.Config)
 	if err != nil {
 		return nil, err
 	}

@@ -19,4 +19,11 @@ package config
 const (
 	TargetNameKey      = GroupName + "/" + "targetName"
 	TargetNamespaceKey = GroupName + "/" + "targetNamespace"
+	LabelKeyRingKey    = GroupName + "/" + "keyring"
+)
+
+const (
+    AnnotationConfigChanged  = GroupName + "/" + "change-config"
+    AnnotationSecretChanged  = GroupName + "/" + "change-secret"
+    AnnotationKeyringChanged = GroupName + "/" + "change-keyring"
 )
@@ -58,6 +58,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&TargetRunningConfig{},
 		&TargetClearDeviation{},
 		&TargetRunningConfigOptions{},
+		&SensitiveConfig{},
+		&SensitiveConfigList{},
+		&TargetSnapshot{},
+		&TargetSnapshotList{},
 	)
 	return nil
 }
@@ -24,27 +24,11 @@ import (
 	"strings"
 
 	"github.com/henderiw/logger/log"
-	"github.com/sdcio/config-server/apis/condition"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"
 )
 
-// GetCondition returns the condition based on the condition kind
-func (r *SensitiveConfig) GetCondition(t condition.ConditionType) condition.Condition {
-	return r.Status.GetCondition(t)
-}
-
-// SetConditions sets the conditions on the resource. it allows for 0, 1 or more conditions
-// to be set at once
-func (r *SensitiveConfig) SetConditions(c ...condition.Condition) {
-	r.Status.SetConditions(c...)
-}
-
-func (r *SensitiveConfig) IsConditionReady() bool {
-	return r.GetCondition(condition.ConditionTypeReady).Status == metav1.ConditionTrue
-}
-
 func (r *SensitiveConfig) IsRevertive() bool {
 	if r.Spec.Revertive != nil {
 		return *r.Spec.Revertive
@@ -57,32 +41,10 @@ func (r *SensitiveConfig) IsRevertive() bool {
 	return true
 }
 
-func (r *SensitiveConfig) IsRecoverable() bool {
-	c := r.GetCondition(condition.ConditionTypeReady)
-	if c.Reason == string(condition.ConditionReasonUnrecoverable) {
-		unrecoverableMessage := &condition.UnrecoverableMessage{}
-		if err := json.Unmarshal([]byte(c.Message), unrecoverableMessage); err != nil {
-			return true
-		}
-		if unrecoverableMessage.ResourceVersion != r.GetResourceVersion() {
-			return true
-		}
-		return false
-	}
-	return true
-}
-
 func (r *SensitiveConfig) GetNamespacedName() types.NamespacedName {
 	return types.NamespacedName{Name: r.Name, Namespace: r.Namespace}
 }
 
-func (r *SensitiveConfig) GetLastKnownGoodSchema() *ConfigStatusLastKnownGoodSchema {
-	if r.Status.LastKnownGoodSchema == nil {
-		return &ConfigStatusLastKnownGoodSchema{}
-	}
-	return r.Status.LastKnownGoodSchema
-}
-
 func (r *SensitiveConfig) GetTarget() string {
 	if len(r.GetLabels()) == 0 {
 		return ""
@@ -128,15 +90,6 @@ func BuildEmptySensitiveConfig() *SensitiveConfig {
 	}
 }
 
-func (r *SensitiveConfig) HashDeviationGenerationChanged(deviation Deviation) bool {
-	if r.Status.DeviationGeneration == nil {
-		// if there was no old deviation, but now we have a deviation wwe return true
-		return len(deviation.Spec.Deviations) != 0
-	} else {
-		return *r.Status.DeviationGeneration == deviation.GetGeneration()
-	}
-}
-
 type RecoverySensitiveConfig struct {
 	SensitiveConfig SensitiveConfig
 	Deviation       Deviation