K8SPSMDB-1347 When password does not exist, properly update it and set the boolean to true (#1889)

gkech · web-flow · commit a466cb683fef · 2025-04-16T20:47:41.000+03:00
diff --git a/pkg/controller/perconaservermongodb/custom_users.go b/pkg/controller/perconaservermongodb/custom_users.go
@@ -505,6 +505,8 @@ func getCustomUserSecret(ctx context.Context, cl client.Client, cr *api.PerconaS
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to update user secret")
 		}
+		// given that the secret was updated, the password now exists
+		hasPass = true
 	}
 
 	// pass key should be present in the user provided secret
diff --git a/pkg/controller/perconaservermongodb/custom_users_test.go b/pkg/controller/perconaservermongodb/custom_users_test.go
@@ -1,10 +1,16 @@
 package perconaservermongodb
 
 import (
+	"context"
 	"testing"
 
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
 	"github.com/percona/percona-server-mongodb-operator/pkg/psmdb/mongo"
@@ -299,3 +305,109 @@ func TestValidateUser(t *testing.T) {
 		})
 	}
 }
+
+func TestGetCustomUserSecret(t *testing.T) {
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	err := corev1.AddToScheme(scheme)
+	assert.NoError(t, err)
+	err = api.SchemeBuilder.AddToScheme(scheme)
+	assert.NoError(t, err)
+
+	ns := "test-ns"
+	passKey := "password"
+
+	tests := map[string]struct {
+		crName            string
+		client            func() client.Client
+		user              *api.User
+		hasExistingSecret bool
+		errMsg            string
+	}{
+		"create default secret if not exists": {
+			crName: "my-cluster-create-default-secret",
+			client: func() client.Client {
+				return fake.NewClientBuilder().WithScheme(scheme).Build()
+			},
+			user: &api.User{},
+		},
+		"user has custom secret reference that exists": {
+			crName: "my-cluster-user-has-secret",
+			client: func() client.Client {
+				existingSecret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "custom-secret",
+						Namespace: ns,
+					},
+					Data: map[string][]byte{
+						passKey: []byte("existing-password"),
+					},
+				}
+
+				return fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingSecret).Build()
+			},
+			user: &api.User{
+				PasswordSecretRef: &api.SecretKeySelector{
+					Name: "custom-secret",
+				},
+			},
+			hasExistingSecret: true,
+		},
+		"user has custom secret reference but secret does not exist": {
+			crName: "my-cluster-has-missing-secret",
+			client: func() client.Client {
+				return fake.NewClientBuilder().WithScheme(scheme).Build()
+			},
+			user: &api.User{
+				PasswordSecretRef: &api.SecretKeySelector{
+					Name: "missing-secret",
+				},
+			},
+			errMsg: "failed to get user secret",
+		},
+		"existing default secret missing password key, create new": {
+			crName: "my-cluster-existing-secret-missing-password",
+			client: func() client.Client {
+				defaultSecret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "my-cluster-existing-secret-missing-password-custom-user-secret",
+						Namespace: ns,
+					},
+					Data: map[string][]byte{},
+				}
+
+				return fake.NewClientBuilder().WithScheme(scheme).WithObjects(defaultSecret).Build()
+			},
+			user: &api.User{},
+		},
+	}
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			cr := &api.PerconaServerMongoDB{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      tt.crName,
+					Namespace: ns,
+				},
+			}
+
+			secret, err := getCustomUserSecret(ctx, tt.client(), cr, tt.user, passKey)
+			if tt.hasExistingSecret && tt.errMsg == "" {
+				assert.NoError(t, err)
+				assert.Equal(t, secret.Name, "custom-secret")
+				assert.Equal(t, string(secret.Data[passKey]), "existing-password")
+				return
+			}
+			if !tt.hasExistingSecret && tt.errMsg == "" {
+				assert.NoError(t, err)
+				assert.Equal(t, secret.Name, tt.crName+"-custom-user-secret")
+				assert.NotEmpty(t, string(secret.Data[passKey]))
+			}
+			if tt.errMsg != "" {
+				assert.Nil(t, secret)
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), tt.errMsg)
+			}
+
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -505,6 +505,8 @@ func getCustomUserSecret(ctx context.Context, cl client.Client, cr *api.PerconaS`
`505`	`505`	`if err != nil {`
`506`	`506`	`return nil, errors.Wrap(err, "failed to update user secret")`
`507`	`507`	`}`
	`508`	`+ // given that the secret was updated, the password now exists`
	`509`	`+ hasPass = true`
`508`	`510`	`}`
`509`	`511`
`510`	`512`	`// pass key should be present in the user provided secret`