Ensure that spec.hmacSecretData's value honoured

benashz · benashz · commit b87654186d28 · 2024-05-16T14:05:18.000-04:00
Previously, upon the first application of a VaultStaticSecret instance
that had spec.hmacSecretData explicitly set to false, the K8s API would
replace that value with default as is defined in the CRD's schema. This
fix makes HMACSecretData a pointer receiver, which make K8s do the right
thing.
diff --git a/api/v1beta1/vaultstaticsecret_types.go b/api/v1beta1/vaultstaticsecret_types.go
@@ -42,7 +42,7 @@ type VaultStaticSecretSpec struct {
 	// and during incoming Vault secret comparison.
 	// Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault.
 	// +kubebuilder:default=true
-	HMACSecretData bool `json:"hmacSecretData,omitempty"`
+	HMACSecretData *bool `json:"hmacSecretData,omitempty"`
 	// RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret does
 	// not support dynamically reloading a rotated secret.
 	// In that case one, or more RolloutRestartTarget(s) can be configured here. The Operator will
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/controllers/vaultstaticsecret_controller.go b/controllers/vaultstaticsecret_controller.go
@@ -127,7 +127,7 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 
 	var doRolloutRestart bool
 	doSync := true
-	if o.Spec.HMACSecretData {
+	if o.Spec.HMACSecretData != nil && *o.Spec.HMACSecretData {
 		// we want to ensure that requeueAfter is set so that we can perform the proper drift detection during each reconciliation.
 		// setting up a watcher on the Secret is also possibility, but polling seems to be the simplest approach for now.
 		if requeueAfter == 0 {
diff --git a/test/integration/vaultstaticsecret_integration_test.go b/test/integration/vaultstaticsecret_integration_test.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/cenkalti/backoff/v4"
 	"github.com/gruntwork-io/terratest/modules/terraform"
+	"github.com/hashicorp/vault/sdk/helper/pointerutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
@@ -215,7 +216,7 @@ func TestVaultStaticSecret(t *testing.T) {
 						Name:   "secretkv",
 						Create: false,
 					},
-					HMACSecretData: true,
+					HMACSecretData: pointerutil.BoolPtr(true),
 					RefreshAfter:   "5s",
 					RolloutRestartTargets: []secretsv1beta1.RolloutRestartTarget{
 						{
@@ -243,7 +244,7 @@ func TestVaultStaticSecret(t *testing.T) {
 						Create: false,
 					},
 					RefreshAfter:   "5s",
-					HMACSecretData: false,
+					HMACSecretData: pointerutil.BoolPtr(false),
 				},
 			},
 		}
@@ -360,7 +361,7 @@ func TestVaultStaticSecret(t *testing.T) {
 			obj.ObjectMeta.Namespace, data)
 		if assert.NoError(t, err) {
 			assertSyncableSecret(t, crdClient, obj, secret)
-			if obj.Spec.HMACSecretData {
+			if obj.Spec.HMACSecretData != nil && *obj.Spec.HMACSecretData {
 				assertHMAC(t, ctx, crdClient, obj, expectInitial)
 			} else {
 				assertNoHMAC(t, obj)
@@ -444,7 +445,7 @@ func TestVaultStaticSecret(t *testing.T) {
 									Create: true,
 								},
 								RefreshAfter:   "5s",
-								HMACSecretData: true,
+								HMACSecretData: pointerutil.BoolPtr(true),
 							},
 						}
 						if tt.version != 0 {
