Fix secret binding to support public names (#1472) (#1940)

Signed-off-by: Grant Linville <grant@acorn.io>

pkg/controller/secrets/secret_test.go

@@ -375,3 +375,7 @@ func TestSecretLabelsAnnotations(t *testing.T) {
 	assert.Contains(t, secret.Annotations, "globalfromacornfilea")
 	assert.NotContains(t, secret.Annotations, "sec1fromacornfilea")
 }
+
+func TestSecretBinding(t *testing.T) {
+	tester.DefaultTest(t, scheme.Scheme, "testdata/binding", CreateSecrets)
+}

pkg/controller/secrets/testdata/binding/existing.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: existing-secret-abcdef
+  namespace: app-namespace
+  labels:
+    acorn.io/public-name: old-app.secret-name
+type: secrets.acorn.io/opaque
+data:
+  # username: myusername
+  username: bXl1c2VybmFtZQ==

pkg/controller/secrets/testdata/binding/expected.golden

@@ -0,0 +1,18 @@
+`apiVersion: v1
+data:
+  username: bXl1c2VybmFtZQ==
+kind: Secret
+metadata:
+  annotations:
+    acorn.io/app-generation: "0"
+  creationTimestamp: null
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/managed: "true"
+    acorn.io/secret-name: foo
+    acorn.io/secret-source-name: existing-secret-abcdef
+  name: foo
+  namespace: app-created-namespace
+type: secrets.acorn.io/opaque
+`

pkg/controller/secrets/testdata/binding/input.yaml

@@ -0,0 +1,25 @@
+kind: AppInstance
+apiVersion: internal.acorn.io/v1
+metadata:
+  uid: 1234567890abcdef
+  name: app-name
+  namespace: app-namespace
+spec:
+  image: test
+  secrets:
+    - secret: old-app.secret-name
+      target: foo
+status:
+  namespace: app-created-namespace
+  appImage:
+    id: test
+    imageData:
+      images:
+        foo:
+          image: asdf
+  appSpec:
+    secrets:
+      foo:
+        type: opaque
+        data:
+          username: ""

pkg/ref/expr.go

@@ -59,6 +59,13 @@ func Lookup(ctx context.Context, req kclient.Client, out kclient.Object, namespa
 		}
 
 		if validSecrets == nil {
+			if v, ok := out.(*corev1.Secret); ok {
+				// Support binding existing secrets with "." in the name, i.e. my-old-app.secret-name
+				if err := r.getSecret(v, namespace, strings.Join(parts, "."), validSecrets); !apierrors.IsNotFound(err) {
+					return err
+				}
+			}
+
 			app, err := r.getAcorn(namespace, name)
 			if apierrors.IsNotFound(err) {
 				svc := &v1.ServiceInstance{}
@@ -146,7 +153,28 @@ func (r *resolver) getSecret(secret *corev1.Secret, namespace, name string, vali
 			}, name)
 		}
 	}
-	return r.req.Get(r.ctx, router.Key(namespace, name), secret)
+	if err := r.req.Get(r.ctx, router.Key(namespace, name), secret); err != nil {
+		if apierrors.IsNotFound(err) {
+			// Try finding by public name
+			secretList := &corev1.SecretList{}
+			if err := r.req.List(r.ctx, secretList, &kclient.ListOptions{
+				LabelSelector: klabels.SelectorFromSet(map[string]string{
+					labels.AcornPublicName: name,
+				}),
+				Namespace: namespace,
+			}); err != nil {
+				return err
+			}
+
+			if len(secretList.Items) == 1 {
+				secretList.Items[0].DeepCopyInto(secret)
+				return nil
+			}
+		}
+		return err
+	}
+
+	return nil
 }
 
 func (r *resolver) getAcorn(namespace, name string) (*v1.AppInstance, error) {