From 1c46d0f8ce2a5dc0f9e57a283f8e82de8dde08c3 Mon Sep 17 00:00:00 2001
From: Felix Kunde <felix-kunde@gmx.de>
Date: Wed, 12 Feb 2025 16:36:20 +0100
Subject: [PATCH] add annotation check for secret

---
 e2e/tests/test_e2e.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/e2e/tests/test_e2e.py b/e2e/tests/test_e2e.py
index 5d52cd899..c78d48fa3 100644
--- a/e2e/tests/test_e2e.py
+++ b/e2e/tests/test_e2e.py
@@ -1860,13 +1860,7 @@ def test_password_rotation(self):
         self.eventuallyEqual(lambda: len(self.query_database_with_user(leader.metadata.name, "postgres", "SELECT 1", "foo_user")), 1,
             "Could not connect to the database with rotation user {}".format(rotation_user), 10, 5)
 
-        # check if rotation has been ignored for user from test_cross_namespace_secrets test
-        db_user_secret = k8s.get_secret(username="test.db_user", namespace="test")
-        secret_username = str(base64.b64decode(db_user_secret.data["username"]), 'utf-8')
-        self.assertEqual("test.db_user", secret_username,
-                        "Unexpected username in secret of test.db_user: expected {}, got {}".format("test.db_user", secret_username))
-
-        # do a cluster update which syncs secrets but not not init users
+        # add annotation which triggers syncSecrets call
         pg_annotation_patch = {
             "metadata": {
                 "annotations": {
@@ -1877,10 +1871,18 @@ def test_password_rotation(self):
         k8s.api.custom_objects_api.patch_namespaced_custom_object(
             "acid.zalan.do", "v1", "default", "postgresqls", "acid-minimal-cluster", pg_annotation_patch)
         self.eventuallyEqual(lambda: k8s.get_operator_state(), {"0": "idle"}, "Operator does not get in sync")
-
         time.sleep(10)
         self.eventuallyEqual(lambda: k8s.count_secrets_with_label(cluster_label), secret_count, "Unexpected number of secrets")
 
+        # check if rotation has been ignored for user from test_cross_namespace_secrets test
+        db_user_secret = k8s.get_secret(username="test.db_user", namespace="test")
+        secret_username = str(base64.b64decode(db_user_secret.data["username"]), 'utf-8')
+        self.assertEqual("test.db_user", secret_username,
+                        "Unexpected username in secret of test.db_user: expected {}, got {}".format("test.db_user", secret_username))
+
+        # check if annotation for secret has been updated
+        self.assertTrue("deployment-time" in db_user_secret.metadata.annotations, "Added annotation was not propagated to secret")
+
         # disable password rotation for all other users (foo_user)
         # and pick smaller intervals to see if the third fake rotation user is dropped 
         enable_password_rotation = {