fix tests

plugins/kubernetes/app/models/kubernetes/template_filler.rb

@@ -299,10 +299,6 @@ def secret_annotations
       end
     end
 
-    def inject_secret_sidecar?
-      SECRET_PULLER_TYPE == 'secret-sidecar'
-    end
-
     # Sets up the secret-puller and the various mounts that are required
     # if the secret-puller service is enabled
     # /vaultauth is a secrets volume in the cluster
@@ -314,20 +310,10 @@ def set_secret_puller
         image: SECRET_PULLER_IMAGE,
         imagePullPolicy: 'IfNotPresent',
         name: 'secret-puller',
-        volumeMounts: [
-          {mountPath: "/vault-auth", name: "vaultauth"},
-          {mountPath: "/secretkeys", name: "secretkeys"},
-          secret_vol
-        ],
         securityContext: {
           readOnlyRootFilesystem: true,
           runAsNonRoot: true
         },
-        env: [
-          {name: "VAULT_TLS_VERIFY", value: vault_client.options.fetch(:ssl_verify).to_s},
-          {name: "VAULT_MOUNT", value: Samson::Secrets::VaultClientManager::MOUNT},
-          {name: "VAULT_PREFIX", value: Samson::Secrets::VaultClientManager::PREFIX}
-        ],
         resources: {
           requests: {cpu: "100m", memory: "64Mi"},
           limits: {cpu: "100m", memory: "100Mi"}
@@ -336,7 +322,7 @@ def set_secret_puller
 
       # Modifies init container to use internal secret-sidecar instead of
       # public samson_secret_puller
-      if inject_secret_sidecar?
+      if SECRET_PULLER_TYPE == 'secret-sidecar'
         container[:command] = '/bin/secret-sidecar-v2'
 
         container[:volumeMounts] = [
@@ -350,6 +336,17 @@ def set_secret_puller
           {name: "VAULT_ROLE", value: project.permalink},
           {name: "VAULT_TOKEN", valueFrom: {secretKeyRef: {name: "vaultauth", key: "authsecret"}}}
         ]
+      else
+        container[:volumeMounts] = [
+          {mountPath: "/vault-auth", name: "vaultauth"},
+          {mountPath: "/secretkeys", name: "secretkeys"},
+          secret_vol
+        ]
+        container[:env] = [
+          {name: "VAULT_TLS_VERIFY", value: vault_client.options.fetch(:ssl_verify).to_s},
+          {name: "VAULT_MOUNT", value: Samson::Secrets::VaultClientManager::MOUNT},
+          {name: "VAULT_PREFIX", value: Samson::Secrets::VaultClientManager::PREFIX}
+        ]
       end
 
       init_containers.unshift container

plugins/kubernetes/test/models/kubernetes/template_filler_test.rb

@@ -609,7 +609,6 @@ def with_init_contnainer_old_syntax(container)
 
       around do |test|
         stub_const Kubernetes::TemplateFiller, :SECRET_PULLER_IMAGE, "docker-registry.example.com/foo:bar", &test
-        stub_const Kubernetes::TemplateFiller, :SECRET_PULLER_TYPE, "secret-sidecar", &test
       end
 
       before do
@@ -623,9 +622,9 @@ def with_init_contnainer_old_syntax(container)
         init_containers.first[:name].must_equal('secret-puller')
         init_containers.first[:env].must_equal(
           [
-            {name: "VAULT_ADDR", valueFrom: {secretKeyRef: {name: "vaultauth", key: "address"}}},
-            {name: "VAULT_ROLE", value: "foo"},
-            {name: "VAULT_TOKEN", valueFrom: {secretKeyRef: {name: "vaultauth", key: "authsecret"}}}
+            {name: "VAULT_TLS_VERIFY", value: "false"},
+            {name: "VAULT_MOUNT", value: "secret"},
+            {name: "VAULT_PREFIX", value: "apps"}
           ]
         )
 
@@ -636,6 +635,11 @@ def with_init_contnainer_old_syntax(container)
         )
       end
 
+      it "adds vault kv v2 hint so puller knows to use the new api" do
+        vault_server.update_column :versioned_kv, true
+        init_containers.first[:env].last.must_equal name: "VAULT_PREFIX", value: "apps"
+      end
+
       it "fails when vault is not configured" do
         with_env('SECRET_STORAGE_BACKEND': "Samson::Secrets::HashicorpVaultBackend") do
           Samson::Secrets::VaultClientManager.instance.expects(:client).raises("Could not find Vault config for pod1")
@@ -700,9 +704,14 @@ def with_init_contnainer_old_syntax(container)
         e.message.must_include "baz\n  (tried: production/foo/pod1/baz" # shows all at once for easier debugging
       end
 
-      describe "container changes for secret sidecar" do
-        it "sets the init container command" do
+      it "with secret-sidecar" do
+        stub_const Kubernetes::TemplateFiller, :SECRET_PULLER_TYPE, "secret-sidecar" do
           init_containers.first[:command].must_equal('/bin/secret-sidecar-v2')
+          init_containers.first[:env].must_equal [
+            {name: "VAULT_ADDR", valueFrom: {secretKeyRef: {name: "vaultauth", key: "address"}}},
+            {name: "VAULT_ROLE", value: "foo"},
+            {name: "VAULT_TOKEN", valueFrom: {secretKeyRef: {name: "vaultauth", key: "authsecret"}}}
+          ]
         end
       end