test: add test templating secrets (#1478)

danielorihuela · web-flow · commit 428be9b2a2b5 · 2025-07-28T17:28:22.000+02:00
diff --git a/agent-control/Makefile b/agent-control/Makefile
@@ -40,7 +40,7 @@ test/k8s/integration: test/k8s/integration-part1 test/k8s/integration-part2
 .PHONY: test/k8s/integration-part1
 test/k8s/integration-part1:
 	KUBECONFIG='./tests/k8s/.kubeconfig-dev' minikube update-context
-	tilt ci --file ./tests/k8s/Tiltfile
+	ENABLE_VAULT=true  tilt ci --file ./tests/k8s/Tiltfile
 	# reducing the number of threads to 1 forces the tests to run sequentially
 	cargo test k8s::scenarios -- --nocapture --ignored  --test-threads=1
 	cargo test k8s::agent_control_cli -- --nocapture --ignored  --test-threads=1
diff --git a/agent-control/src/agent_type/variable/namespace.rs b/agent-control/src/agent_type/variable/namespace.rs
@@ -41,7 +41,7 @@ impl Namespace {
     }
 
     pub fn is_secret_variable(s: &str) -> bool {
-        [Namespace::Vault]
+        [Namespace::Vault, Namespace::K8sSecret]
             .iter()
             .any(|ns| s.starts_with(ns.to_string().as_str()))
     }
diff --git a/agent-control/tests/k8s/data/k8s_template_secrets/local-data-agent-control.template b/agent-control/tests/k8s/data/k8s_template_secrets/local-data-agent-control.template
@@ -0,0 +1,18 @@
+k8s:
+  namespace: <ns>
+  namespace_agents: <agents-ns>
+  cluster_name: <cluster-name>
+agents:
+  hello-world:
+    agent_type: "newrelic/com.newrelic.custom_agent:0.0.1"
+secrets_providers:
+  vault:
+    sources:
+      sourceA:
+        url: http://127.0.0.1:8200/v1/
+        token: root
+        engine: kv1
+      sourceB:
+        url: http://127.0.0.1:8200/v1/
+        token: root
+        engine: kv2
diff --git a/agent-control/tests/k8s/data/k8s_template_secrets/local-data-hello-world.yaml b/agent-control/tests/k8s/data/k8s_template_secrets/local-data-hello-world.yaml
@@ -0,0 +1,4 @@
+chart_values:
+  hashicorpVaultV1Key: ${nr-vault:sourceA:kv-v1:my-secret:foo1}
+  hashicorpVaultV2Key: ${nr-vault:sourceB:secret:my-secret:foo2}
+  k8sSecretKey: ${nr-kubesec:<ns>:pod-secrets:foo3}
diff --git a/agent-control/tests/k8s/mod.rs b/agent-control/tests/k8s/mod.rs
@@ -2,7 +2,6 @@ pub mod agent_control_cli;
 mod client;
 mod garbage_collector;
 mod scenarios;
-mod secret_providers;
 pub mod self_update;
 mod store;
 mod tools;
diff --git a/agent-control/tests/k8s/scenarios.rs b/agent-control/tests/k8s/scenarios.rs
@@ -6,3 +6,4 @@ mod fail_remote_config;
 mod garbage_collector;
 mod no_opamp;
 mod opamp;
+mod secrets_providers;
diff --git a/agent-control/tests/k8s/scenarios/secrets_providers.rs b/agent-control/tests/k8s/scenarios/secrets_providers.rs
@@ -0,0 +1,60 @@
+use crate::common::retry::retry;
+use crate::common::runtime::block_on;
+use crate::k8s::tools::agent_control::{
+    CUSTOM_AGENT_TYPE_PATH, start_agent_control_with_testdata_config,
+};
+use crate::k8s::tools::k8s_api::{check_helmrelease_spec_values, create_values_secret};
+use crate::k8s::tools::k8s_env::K8sEnv;
+use std::time::Duration;
+use tempfile::tempdir;
+
+#[test]
+#[ignore = "needs k8s cluster"]
+fn k8s_template_secrets() {
+    let test_name = "k8s_template_secrets";
+
+    // setup the k8s environment
+    let mut k8s = block_on(K8sEnv::new());
+    k8s.port_forward("vault-0", 8200, 8200);
+    let namespace = block_on(k8s.test_namespace());
+    let tmp_dir = tempdir().expect("failed to create local temp dir");
+
+    // start the agent-control
+    let _sa = start_agent_control_with_testdata_config(
+        test_name,
+        CUSTOM_AGENT_TYPE_PATH,
+        k8s.client.clone(),
+        &namespace,
+        &namespace,
+        None,
+        None,
+        // This config is intended to be empty
+        vec!["local-data-hello-world"],
+        tmp_dir.path(),
+    );
+
+    // Now, we create all the required secrets.
+    // Hashicorp Vault secrets -> handled in the Tiltfile.
+
+    // K8s secrets -> created here on demand.
+    let name = "pod-secrets";
+    let key = "foo3";
+    let value = "bar3";
+    create_values_secret(k8s.client.clone(), &namespace, name, key, value.to_string());
+
+    // Check the HelmRelease is created with the secrets correctly populated
+    let expected_spec_values = r#"
+hashicorpVaultV1Key: bar1
+hashicorpVaultV2Key: bar2
+k8sSecretKey: bar3
+    "#;
+
+    retry(60, Duration::from_secs(1), || {
+        block_on(check_helmrelease_spec_values(
+            k8s.client.clone(),
+            namespace.as_str(),
+            "hello-world",
+            expected_spec_values,
+        ))
+    });
+}
diff --git a/agent-control/tests/k8s/secret_providers.rs b/agent-control/tests/k8s/secret_providers.rs
diff --git a/agent-control/tests/k8s/tools/k8s_api.rs b/agent-control/tests/k8s/tools/k8s_api.rs
@@ -42,9 +42,10 @@ pub async fn check_helmrelease_spec_values(
     k8s_client: Client,
     namespace: &str,
     name: &str,
-    expected_valus_as_yaml: &str,
+    expected_values_as_yaml: &str,
 ) -> Result<(), Box<dyn Error>> {
-    let expected_as_json: serde_json::Value = serde_yaml::from_str(expected_valus_as_yaml).unwrap();
+    let expected_as_json: serde_json::Value =
+        serde_yaml::from_str(expected_values_as_yaml).unwrap();
     let api = create_k8s_api(k8s_client, namespace).await;
 
     let obj = api.get(name).await?;

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ impl Namespace {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`pub fn is_secret_variable(s: &str) -> bool {`
`44`		`- [Namespace::Vault]`
	`44`	`+ [Namespace::Vault, Namespace::K8sSecret]`
`45`	`45`	`.iter()`
`46`	`46`	`.any(\|ns\| s.starts_with(ns.to_string().as_str()))`
`47`	`47`	`}`