fix: delimiter annotations rebased and new annotations tests

hashicorp · Jul 8, 2024 · 7beb30b · 7beb30b
1 parent 9521c82
commit 7beb30b
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 40 deletions.
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
@@ -84,19 +84,19 @@ const (
 	// auto-auth token into the secrets volume (e.g. /vault/secrets/token)
 	// AnnotationAgentInjectTemplateLeftDelim is the key annotation that configures Vault
 	// Agent what left delimiter to use for rendering the secrets.  The name
-	// of the template is any unique string after "vault.hashicorp.com/agent-inject-template-left-delimiter-",
-	// such as "vault.hashicorp.com/agent-inject-template-left-delimiter-foobar".  This should map
+	// of the template is any unique string after "vault.hashicorp.com/agent-inject-left-delimiter-",
+	// such as "vault.hashicorp.com/agent-inject-left-delimiter-foobar".  This should map
 	// to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-".
 	// If not provided, a default left delimiter is used as defined by https://www.vaultproject.io/docs/agent/template#left_delimiter
-	AnnotationAgentInjectTemplateLeftDelim = "vault.hashicorp.com/agent-inject-template-left-delimiter"
+	AnnotationAgentInjectTemplateLeftDelim = "vault.hashicorp.com/agent-inject-left-delimiter"
 
 	// AnnotationAgentInjectTemplateRightDelim is the key annotation that configures Vault
 	// Agent what right delimiter to use for rendering the secrets.  The name
-	// of the template is any unique string after "vault.hashicorp.com/agent-inject-template-right-delimiter-",
-	// such as "vault.hashicorp.com/agent-inject-template-right-delimiter-foobar".  This should map
+	// of the template is any unique string after "vault.hashicorp.com/agent-inject-right-delimiter-",
+	// such as "vault.hashicorp.com/agent-inject-right-delimiter-foobar".  This should map
 	// to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-".
 	// If not provided, a default right delimiter is used as defined by https://www.vaultproject.io/docs/agent/template#right_delimiter
-	AnnotationAgentInjectTemplateRightDelim = "vault.hashicorp.com/agent-inject-template-right-delimiter"
+	AnnotationAgentInjectTemplateRightDelim = "vault.hashicorp.com/agent-inject-right-delimiter"
 
 	// AnnotationAgentInjectToken is the annotation key for injecting the token
 	// from auth/token/lookup-self

diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
@@ -461,39 +461,107 @@ func TestSecretMixedTemplatesAnnotations(t *testing.T) {
 
 				"vault.hashicorp.com/agent-inject-template-only-template":           "onlyTemplate",
 				"vault.hashicorp.com/agent-inject-template-file-only-template-file": "onlyTemplateFile",
+
+				"vault.hashicorp.com/agent-inject-secret-barfoo":          "test1",
+				"vault.hashicorp.com/agent-inject-template-barfoo":        "",
+				"vault.hashicorp.com/agent-inject-left-delimiter-barfoo":  "${",
+				"vault.hashicorp.com/agent-inject-right-delimiter-barfoo": "}",
+				"vault.hashicorp.com/agent-inject-template-file-barfoo":   "/etc/config.tmpl",
+
+				"vault.hashicorp.com/agent-inject-secret-test3":          "test3",
+				"vault.hashicorp.com/agent-inject-template-test3":        "foobarTemplate3",
+				"vault.hashicorp.com/agent-inject-template-file-test3":   "",
+				"vault.hashicorp.com/agent-inject-left-delimiter-test3":  "",
+				"vault.hashicorp.com/agent-inject-right-delimiter-test3": "",
+
+				"vault.hashicorp.com/agent-inject-template-only-template-2":        "onlyTemplate2",
+				"vault.hashicorp.com/agent-inject-left-delimiter-only-template-2":  "${",
+				"vault.hashicorp.com/agent-inject-right-delimiter-only-template-2": "}",
+
+				"vault.hashicorp.com/agent-inject-template-file-only-template-file-2":   "onlyTemplateFile2",
+				"vault.hashicorp.com/agent-inject-left-delimiter-only-template-file-2":  "${",
+				"vault.hashicorp.com/agent-inject-right-delimiter-only-template-file-2": "}",
 			},
 			map[string]Secret{
 				"foobar": {
-					Name:         "foobar",
-					RawName:      "foobar",
-					Path:         "test1",
-					Template:     "",
-					TemplateFile: "/etc/config.tmpl",
-					MountPath:    secretVolumePath,
+					Name:           "foobar",
+					RawName:        "foobar",
+					Path:           "test1",
+					Template:       "",
+					LeftDelimiter:  "",
+					RightDelimiter: "",
+					TemplateFile:   "/etc/config.tmpl",
+					MountPath:      secretVolumePath,
 				},
 				"test2": {
-					Name:         "test2",
-					RawName:      "test2",
-					Path:         "test2",
-					Template:     "foobarTemplate",
-					TemplateFile: "",
-					MountPath:    secretVolumePath,
+					Name:           "test2",
+					RawName:        "test2",
+					Path:           "test2",
+					Template:       "foobarTemplate",
+					LeftDelimiter:  "",
+					RightDelimiter: "",
+					TemplateFile:   "",
+					MountPath:      secretVolumePath,
 				},
 				"only-template": {
-					Name:         "only-template",
-					RawName:      "only-template",
-					Path:         "",
-					Template:     "onlyTemplate",
-					TemplateFile: "",
-					MountPath:    secretVolumePath,
+					Name:           "only-template",
+					RawName:        "only-template",
+					Path:           "",
+					Template:       "onlyTemplate",
+					LeftDelimiter:  "",
+					RightDelimiter: "",
+					TemplateFile:   "",
+					MountPath:      secretVolumePath,
 				},
 				"only-template-file": {
-					Name:         "only-template-file",
-					RawName:      "only-template-file",
-					Path:         "",
-					Template:     "",
-					TemplateFile: "onlyTemplateFile",
-					MountPath:    secretVolumePath,
+					Name:           "only-template-file",
+					RawName:        "only-template-file",
+					Path:           "",
+					Template:       "",
+					LeftDelimiter:  "",
+					RightDelimiter: "",
+					TemplateFile:   "onlyTemplateFile",
+					MountPath:      secretVolumePath,
+				},
+				"barfoo": {
+					Name:           "barfoo",
+					RawName:        "barfoo",
+					Path:           "test1",
+					Template:       "",
+					LeftDelimiter:  "${",
+					RightDelimiter: "}",
+					TemplateFile:   "/etc/config.tmpl",
+					MountPath:      secretVolumePath,
+				},
+				"test3": {
+					Name:           "test3",
+					RawName:        "test3",
+					Path:           "test3",
+					Template:       "foobarTemplate3",
+					LeftDelimiter:  "",
+					RightDelimiter: "",
+					TemplateFile:   "",
+					MountPath:      secretVolumePath,
+				},
+				"only-template-2": {
+					Name:           "only-template-2",
+					RawName:        "only-template-2",
+					Path:           "",
+					Template:       "onlyTemplate2",
+					LeftDelimiter:  "${",
+					RightDelimiter: "}",
+					TemplateFile:   "",
+					MountPath:      secretVolumePath,
+				},
+				"only-template-file-2": {
+					Name:           "only-template-file-2",
+					RawName:        "only-template-file-2",
+					Path:           "",
+					Template:       "",
+					LeftDelimiter:  "${",
+					RightDelimiter: "}",
+					TemplateFile:   "onlyTemplateFile2",
+					MountPath:      secretVolumePath,
 				},
 			},
 		},

diff --git a/agent-inject/agent/config_test.go b/agent-inject/agent/config_test.go
@@ -51,10 +51,10 @@ func TestNewConfig(t *testing.T) {
 
 		"vault.hashicorp.com/agent-inject-command-bar": "pkill -HUP app",
 
-		"vault.hashicorp.com/agent-inject-secret-baz":                   "db/creds/baz",
-		"vault.hashicorp.com/agent-inject-template-baz":                 `[[ with secret "db/creds/baz" ]][[ range $k, $v := .Data ]][[ $k ]]: [[ $v ]]\n[[ end ]][[ end ]]`,
-		"vault.hashicorp.com/agent-inject-template-left-delimiter-baz":  "[[",
-		"vault.hashicorp.com/agent-inject-template-right-delimiter-baz": "]]",
+		"vault.hashicorp.com/agent-inject-secret-baz":          "db/creds/baz",
+		"vault.hashicorp.com/agent-inject-template-baz":        `[[ with secret "db/creds/baz" ]][[ range $k, $v := .Data ]][[ $k ]]: [[ $v ]]\n[[ end ]][[ end ]]`,
+		"vault.hashicorp.com/agent-inject-left-delimiter-baz":  "[[",
+		"vault.hashicorp.com/agent-inject-right-delimiter-baz": "]]",
 
 		AnnotationAgentCacheEnable: "true",
 	}
@@ -178,6 +178,7 @@ func TestNewConfig(t *testing.T) {
 		} else if template.Source == "just-template-file" {
 			if template.Destination != "/vault/secrets/just-template-file" {
 				t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/just-template-file", template.Destination)
+			}
 		} else if strings.Contains(template.Destination, "baz") {
 			if template.LeftDelim != "[[" || template.RightDelim != "]]" {
 				t.Errorf("expected default delimiters to be %s (left) and %s (right), got %s (left) and %s (right)", template.LeftDelim, template.RightDelim, "[[", "]]")
@@ -639,7 +640,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 				AnnotationTemplateConfigExitOnRetryFailure: "true",
 			},
 			&TemplateConfig{
-				ExitOnRetryFailure: true,
+				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 0,
 			},
 		},
@@ -649,7 +650,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 				AnnotationTemplateConfigExitOnRetryFailure: "false",
 			},
 			&TemplateConfig{
-				ExitOnRetryFailure: false,
+				ExitOnRetryFailure:    false,
 				MaxConnectionsPerHost: 0,
 			},
 		},
@@ -659,9 +660,9 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 				AnnotationTemplateConfigStaticSecretRenderInterval: "10s",
 			},
 			&TemplateConfig{
-				ExitOnRetryFailure: true,
+				ExitOnRetryFailure:         true,
 				StaticSecretRenderInterval: "10s",
-				MaxConnectionsPerHost: 0,
+				MaxConnectionsPerHost:      0,
 			},
 		},
 		{
@@ -670,15 +671,15 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 				AnnotationTemplateConfigMaxConnectionsPerHost: "100",
 			},
 			&TemplateConfig{
-				ExitOnRetryFailure: true,
+				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 100,
 			},
 		},
 		{
 			"template_config_empty",
 			map[string]string{},
 			&TemplateConfig{
-				ExitOnRetryFailure: true,
+				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 0,
 			},
 		},