fix: vault-log-level overwritten in pods (#327)

* fix(pod.go): failing test for #290

Signed-off-by: Bence Csati <csatib02@gmail.com>

* fix(pod.go) issue fix

Signed-off-by: Bence Csati <csatib02@gmail.com>

* fix(pod.go): minor fix

Signed-off-by: Bence Csati <csatib02@gmail.com>

* fix(pod.go): minor fix

Signed-off-by: Bence Csati <csatib02@gmail.com>

* fix: simplify log check

Signed-off-by: Bence Csati <csatib02@gmail.com>

* chore: comment

Signed-off-by: Bence Csati <bcsati@cisco.com>

---------

Signed-off-by: Bence Csati <csatib02@gmail.com>
Signed-off-by: Bence Csati <bcsati@cisco.com>
Co-authored-by: Ramiz Polic <32913827+ramizpolic@users.noreply.github.com>

pkg/webhook/pod.go

@@ -358,7 +358,7 @@ func (mw *MutatingWebhook) mutateContainers(ctx context.Context, containers []co
 			})
 		}
 
-		if vaultConfig.LogLevel != "" {
+		if !isLogLevelSet(container.Env) && vaultConfig.LogLevel != "" {
 			container.Env = append(container.Env, []corev1.EnvVar{
 				{
 					Name:  "VAULT_LOG_LEVEL",
@@ -916,3 +916,14 @@ func getConfigMapForVaultAgent(pod *corev1.Pod, vaultConfig VaultConfig) *corev1
 		},
 	}
 }
+
+// isLogLevelSet checks if the VAULT_LOG_LEVEL environment variable
+// has already been set in the container, so it doesn't get overridden.
+func isLogLevelSet(envVars []corev1.EnvVar) bool {
+	for _, envVar := range envVars {
+		if envVar.Name == "VAULT_LOG_LEVEL" {
+			return true
+		}
+	}
+	return false
+}

pkg/webhook/pod_test.go

@@ -466,6 +466,104 @@ func Test_mutatingWebhook_mutateContainers(t *testing.T) {
 			mutated: true,
 			wantErr: false,
 		},
+		{
+			name: "Mutate will not change the containers log level if it was already set",
+			fields: fields{
+				k8sClient: fake.NewSimpleClientset(),
+				registry: &MockRegistry{
+					Image: v1.Config{},
+				},
+			},
+			args: args{
+				containers: []corev1.Container{
+					{
+						Name:    "MyContainer",
+						Image:   "myimage",
+						Command: []string{"/bin/bash"},
+						Args:    nil,
+						Env: []corev1.EnvVar{
+							{
+								Name:  "myvar",
+								Value: "vault:secrets",
+							},
+							{
+								Name:  "VAULT_LOG_LEVEL",
+								Value: "info",
+							},
+						},
+					},
+				},
+				vaultConfig: VaultConfig{
+					Addr:                 "addr",
+					SkipVerify:           false,
+					Path:                 "path",
+					Role:                 "role",
+					AuthMethod:           "jwt",
+					IgnoreMissingSecrets: "ignoreMissingSecrets",
+					VaultEnvPassThrough:  "vaultEnvPassThrough",
+					EnableJSONLog:        "enableJSONLog",
+					ClientTimeout:        10 * time.Second,
+					LogLevel:             "debug",
+				},
+			},
+			wantedContainers: []corev1.Container{
+				{
+					Name:         "MyContainer",
+					Image:        "myimage",
+					Command:      []string{"/vault/vault-env"},
+					Args:         []string{"/bin/bash"},
+					VolumeMounts: []corev1.VolumeMount{{Name: "vault-env", MountPath: "/vault/"}},
+					Env: []corev1.EnvVar{
+						{
+							Name:  "myvar",
+							Value: "vault:secrets",
+						},
+						{
+							Name:  "VAULT_LOG_LEVEL",
+							Value: "info",
+						},
+						{
+							Name:  "VAULT_ADDR",
+							Value: "addr",
+						},
+						{
+							Name:  "VAULT_SKIP_VERIFY",
+							Value: "false",
+						},
+						{
+							Name:  "VAULT_AUTH_METHOD",
+							Value: "jwt",
+						},
+						{
+							Name:  "VAULT_PATH",
+							Value: "path",
+						},
+						{
+							Name:  "VAULT_ROLE",
+							Value: "role",
+						},
+						{
+							Name:  "VAULT_IGNORE_MISSING_SECRETS",
+							Value: "ignoreMissingSecrets",
+						},
+						{
+							Name:  "VAULT_ENV_PASSTHROUGH",
+							Value: "vaultEnvPassThrough",
+						},
+						{
+							Name:  "VAULT_JSON_LOG",
+							Value: "enableJSONLog",
+						},
+						{
+							Name:  "VAULT_CLIENT_TIMEOUT",
+							Value: "10s",
+						},
+					},
+				},
+			},
+			mutated: true,
+			wantErr: false,
+		},
 	}
 
 	for _, tt := range tests {