adding unit tests around templating basic concepts and verifying output

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

apis/externalsecrets/v1alpha1/externalsecret_conversion_test.go

@@ -59,7 +59,7 @@ func newExternalSecretV1Alpha1() *ExternalSecret {
 				Immutable:      false,
 				Template: &SecretTemplate{
 					Type: corev1.SecretTypeOpaque,
-					Metadata: ExternalSecretTemplateMetadata{
+					Metadata: TemplateMetadata{
 						Annotations: map[string]string{
 							"foo": "bar",
 						},

apis/externalsecrets/v1alpha1/externalsecret_types.go

@@ -45,8 +45,8 @@ const (
 	None ExternalSecretCreationPolicy = "None"
 )
 
-// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-type ExternalSecretTemplateMetadata struct {
+// TemplateMetadata defines metadata fields for the Secret blueprint.
+type TemplateMetadata struct {
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
 
@@ -67,7 +67,7 @@ type SecretTemplate struct {
 	EngineVersion TemplateEngineVersion `json:"engineVersion,omitempty"`
 
 	// +optional
-	Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
+	Metadata TemplateMetadata `json:"metadata,omitempty"`
 
 	// +optional
 	Data map[string]string `json:"data,omitempty"`

config/crds/bases/external-secrets.io_externalsecrets.yaml

@@ -176,8 +176,8 @@ spec:
                         - v2
                         type: string
                       metadata:
-                        description: ExternalSecretTemplateMetadata defines metadata
-                          fields for the Secret blueprint.
+                        description: TemplateMetadata defines metadata fields for
+                          the Secret blueprint.
                         properties:
                           annotations:
                             additionalProperties:

config/crds/bases/external-secrets.io_pushsecrets.yaml

@@ -179,8 +179,8 @@ spec:
                     - v2
                     type: string
                   metadata:
-                    description: ExternalSecretTemplateMetadata defines metadata fields
-                      for the Secret blueprint.
+                    description: TemplateMetadata defines metadata fields for the
+                      Secret blueprint.
                     properties:
                       annotations:
                         additionalProperties:

deploy/crds/bundle.yaml

@@ -3691,7 +3691,7 @@ spec:
                             - v2
                           type: string
                         metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+                          description: TemplateMetadata defines metadata fields for the Secret blueprint.
                           properties:
                             annotations:
                               additionalProperties:
@@ -4399,7 +4399,7 @@ spec:
                         - v2
                       type: string
                     metadata:
-                      description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+                      description: TemplateMetadata defines metadata fields for the Secret blueprint.
                       properties:
                         annotations:
                           additionalProperties:

pkg/controllers/pushsecret/pushsecret_controller.go

@@ -153,11 +153,6 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		return ctrl.Result{}, err
 	}
 
-	// TODO: apply templating to the secret?
-	// I have no secret, and no datamap.
-	// The data in the Secret IS the data map
-	// The result needs to be a thing that is then pushed. The result is a set of secret keys.
-	// We could say the Target Secret is the Secret that we are going to push.
 	if err := r.applyTemplate(ctx, &ps, secret); err != nil {
 		return ctrl.Result{}, err
 	}

pkg/controllers/pushsecret/pushsecret_controller_template.go

@@ -155,26 +155,15 @@ func (r *Reconciler) applyTemplate(ctx context.Context, ps *v1alpha1.PushSecret,
 		return nil
 	}
 
-	// Merge Policy should merge secrets
-	// We aren't merging with anything. We just apply the template and DONE.
-	// if ps.Spec.Template.MergePolicy == esv1beta1.MergePolicyMerge {
-	//	 for k, v := range dataMap {
-	//		 secret.Data[k] = v
-	//	 }
-	// }
-	execute, err := template.EngineForVersion("v1")
+	execute, err := template.EngineForVersion(esv1beta1.TemplateEngineV2)
 	if err != nil {
 		return err
 	}
 
-	templateData := make(map[string][]byte, len(ps.Spec.Template.Data))
-	for k, v := range ps.Spec.Template.Data {
-		templateData[k] = []byte(v)
-	}
 	p := Parser{
 		client:       r.Client,
 		targetSecret: secret,
-		dataMap:      templateData,
+		dataMap:      secret.Data,
 		exec:         execute,
 	}
 

pkg/controllers/pushsecret/pushsecret_controller_test.go

@@ -206,6 +206,69 @@ var _ = Describe("ExternalSecret controller", func() {
 			return true
 		}
 	}
+
+	// if target Secret name is not specified it should use the ExternalSecret name.
+	syncSuccessfullyWithTemplate := func(tc *testCase) {
+		fakeProvider.SetSecretFn = func() error {
+			return nil
+		}
+		tc.pushsecret = &v1alpha1.PushSecret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      PushSecretName,
+				Namespace: PushSecretNamespace,
+			},
+			Spec: v1alpha1.PushSecretSpec{
+				SecretStoreRefs: []v1alpha1.PushSecretStoreRef{
+					{
+						Name: PushSecretStore,
+						Kind: "SecretStore",
+					},
+				},
+				Selector: v1alpha1.PushSecretSelector{
+					Secret: v1alpha1.PushSecretSecret{
+						Name: SecretName,
+					},
+				},
+				Data: []v1alpha1.PushSecretData{
+					{
+						Match: v1alpha1.PushSecretMatch{
+							SecretKey: "key",
+							RemoteRef: v1alpha1.PushSecretRemoteRef{
+								RemoteKey: "path/to/key",
+							},
+						},
+					},
+				},
+				Template: &v1alpha1.SecretTemplate{
+					Metadata: v1alpha1.TemplateMetadata{
+						Labels: map[string]string{
+							"foos": "ball",
+						},
+						Annotations: map[string]string{
+							"hihi": "ga",
+						},
+					},
+					Type:          v1.SecretTypeOpaque,
+					EngineVersion: v1alpha1.TemplateEngineV2,
+					Data: map[string]string{
+						"key": "{{ .key | toString | upper }} was templated",
+					},
+				},
+			},
+		}
+		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+			Eventually(func() bool {
+				By("checking if Provider value got updated")
+				providerValue, ok := fakeProvider.SetSecretArgs[ps.Spec.Data[0].Match.RemoteRef.RemoteKey]
+				if !ok {
+					return false
+				}
+				got := providerValue.Value
+				return bytes.Equal(got, []byte("VALUE was templated"))
+			}, time.Second*10, time.Second).Should(BeTrue())
+			return true
+		}
+	}
 	// if target Secret name is not specified it should use the ExternalSecret name.
 	syncAndDeleteSuccessfully := func(tc *testCase) {
 		fakeProvider.SetSecretFn = func() error {
@@ -705,6 +768,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			// this must be optional so we can test faulty es configuration
 		},
 		Entry("should sync", syncSuccessfully),
+		Entry("should sync with template", syncSuccessfullyWithTemplate),
 		Entry("should delete if DeletionPolicy=Delete", syncAndDeleteSuccessfully),
 		Entry("should track deletion tasks if Delete fails", failDelete),
 		Entry("should track deleted stores if Delete fails", failDeleteStore),