From 4b3a42a8841434925c493a6bbad2b5f336d131ba Mon Sep 17 00:00:00 2001
From: Flavio Lemos
Date: Wed, 6 Sep 2023 18:20:04 +0100
Subject: [PATCH] Added the ability to configure template delimiters on Pod annotations
---
 CHANGELOG.md | 3 ++
 agent-inject/agent/annotations.go | 8 ++++
 agent-inject/agent/config.go | 20 +++++++++-
 agent-inject/agent/config_test.go | 64 +++++++++++++++++++++++++++++++
 4 files changed, 93 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9be774a4..a338cc32 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@ ## 1.3.0 (August 16, 2023)
+Improvements:
+* Added support to configure template delimiters through Pod Annotations [GH-517](https://github.com/hashicorp/vault-k8s/pull/517)
+
 Improvements:
 * Add `NAMESPACE`, `HOST_IP`, and `POD_IP` environment variables to Agent container using downward API [GH-486](https://github.com/hashicorp/vault-k8s/pull/486)
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index f6b8b9f3..26ac7833 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -268,6 +268,14 @@ const (
 // attempts. Defaults to true.
 AnnotationTemplateConfigExitOnRetryFailure = "vault.hashicorp.com/template-config-exit-on-retry-failure"
+ // AnnotationTemplateConfigLeftDelimiters template delimiters
+ // Defaults to "{{".
+ AnnotationTemplateConfigLeftDelimiters = "vault.hashicorp.com/template-left-delimiter"
+
+ // AnnotationTemplateConfigLeftDelimiters template delimiters
+ // Defaults to "{{".
+ AnnotationTemplateConfigRightDelimiters = "vault.hashicorp.com/template-right-delimiter"
+
 // AnnotationTemplateConfigStaticSecretRenderInterval
 // If specified, configures how often Vault Agent Template should render non-leased secrets such as KV v2.
 // Defaults to 5 minutes.
diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
index 387aa897..5058ed8f 100644
--- a/agent-inject/agent/config.go
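Review bot: The doc comment on `AnnotationTemplateConfigRightDelimiters` is a copy of the left one: it names `AnnotationTemplateConfigLeftDelimiters` and gives the default as `"{{"`, so godoc attaches the wrong description and default to the right-delimiter constant. Replace it with `// AnnotationTemplateConfigRightDelimiters configures the right template delimiter.` followed by `// Defaults to "}}".`, and give the left constant a full sentence as well (`// AnnotationTemplateConfigLeftDelimiters configures the left template delimiter.`) instead of the bare phrase "template delimiters". The constant names are plural ("Delimiters") while the annotation keys they hold are singular (`template-left-delimiter`, `template-right-delimiter`); since both are new, singular names would match the keys and the surrounding `AnnotationTemplateConfig…` naming. The enclosing `const (` block starts and ends outside the hunk.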
+++ b/agent-inject/agent/config.go
@@ -198,12 +198,13 @@ func (a *Agent) newTemplateConfigs() []*Template {
 filePathAndName = filepath.Join(secret.MountPath, secret.FilePathAndName)
 }
+ leftDelim, rightDelim := a.getTemplateConfigDelimeters()
 tmpl := &Template{
 Source: templateFile,
 Contents: template,
 Destination: filePathAndName,
- LeftDelim: "{{",
- RightDelim: "}}",
+ LeftDelim: leftDelim,
+ RightDelim: rightDelim,
 Command: secret.Command,
 }
 if secret.FilePermission != "" {
@@ -214,6 +215,21 @@ func (a *Agent) newTemplateConfigs() []*Template {
 return templates
 }
+func (a *Agent) getTemplateConfigDelimeters() (string, string) {
+ leftDelim := "{{"
+ rightDelim := "}}"
+
+ if left, defined := a.Annotations[AnnotationTemplateConfigLeftDelimiters]; defined {
+ leftDelim = left
+ }
+
+ if right, defined := a.Annotations[AnnotationTemplateConfigRightDelimiters]; defined {
+ rightDelim = right
+ }
+
+ return leftDelim, rightDelim
+}
+
 func (a *Agent) newConfig(init bool) ([]byte, error) {
 config := Config{
 PidFile: PidFile,
diff --git a/agent-inject/agent/config_test.go b/agent-inject/agent/config_test.go
index 283a28ee..08b0fc36 100644
--- a/agent-inject/agent/config_test.go
+++ b/agent-inject/agent/config_test.go
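Review bot: `a.getTemplateConfigDelimeters()` is called next to the per-secret fields (`secret.MountPath`, `secret.Command`), which suggests it sits inside the loop over secrets in `newTemplateConfigs`, yet its result depends only on the pod annotations and is the same for every template. Resolve it once before the loop and reuse the pair; the loop header is outside the hunk, so the line `leftDelim, rightDelim := a.getTemplateConfigDelimeters()` would move above it rather than stay here. The method name is misspelled (`Delimeters`); if it is corrected to `getTemplateConfigDelimiters` where it is defined in the next hunk, this call site changes with it. The body of `newTemplateConfigs` starts outside the hunk.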
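Review bot: `getTemplateConfigDelimeters` overrides the default whenever the annotation key is present, so an annotation set to the empty string produces an empty `left_delimiter` or `right_delimiter` in the generated agent config instead of the documented `{{`/`}}` default; treat an empty value as unset, `if left, defined := a.Annotations[AnnotationTemplateConfigLeftDelimiters]; defined && left != "" {` (and the same for the right side), or reject it wherever the package validates annotations, if such a step exists. The new method has no doc comment; add `// getTemplateConfigDelimiters returns the left and right template delimiters to use, taken from the pod annotations and defaulting to "{{" and "}}".` The name should be spelled `getTemplateConfigDelimiters`. Nothing here checks that the two delimiters differ or are non-whitespace; leaving that to the agent's template engine is defensible, but a one-line comment saying so would spare the next reader the question.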
@@ -610,6 +610,70 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 }
 }
+func TestConfigVaultAgentTemplateDelimiters(t *testing.T) {
+ tests := []struct {
+ name string
+ annotations map[string]string
+ expectedTemplate *Template
+ }{
+ {
+ "no_override_annotations_expect_default",
+ map[string]string{
+ AnnotationTemplateConfigExitOnRetryFailure: "true",
+ "vault.hashicorp.com/agent-inject-template-foo": "template foo",
+ },
+ &Template{LeftDelim: "{{", RightDelim: "}}"},
+ },
+ {
+ "left_delimiter_annotation_defined_expected_left_delimiter_override",
+ map[string]string{
+ AnnotationTemplateConfigLeftDelimiters: "[[",
+ "vault.hashicorp.com/agent-inject-template-foo": "template foo",
+ },
+ &Template{LeftDelim: "[[", RightDelim: "}}"},
+ },
+ {
+ "right_delimiter_annotation_defined_expected_right_delimiter_override",
+ map[string]string{
+ AnnotationTemplateConfigRightDelimiters: "]]",
+ "vault.hashicorp.com/agent-inject-template-foo": "template foo",
+ },
+ &Template{LeftDelim: "{{", RightDelim: "]]"},
+ },
+ {
+ "left_right_delimiter_annotations_defined_expected_left_right_delimiters_override",
+ map[string]string{
+ AnnotationTemplateConfigLeftDelimiters: "[[",
+ AnnotationTemplateConfigRightDelimiters: "]]",
+ "vault.hashicorp.com/agent-inject-template-foo": "template foo",
+ },
+ &Template{LeftDelim: "[[", RightDelim: "]]"},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ pod := testPod(tt.annotations)
+
+ agentConfig := basicAgentConfig()
+ err := Init(pod, agentConfig)
+ require.NoError(t, err)
+
+ agent, err := New(pod)
+ require.NoError(t, err)
+ cfg, err := agent.newConfig(true)
+ require.NoError(t, err)
+
+ config := &Config{}
+ err = json.Unmarshal(cfg, config)
+ require.NoError(t, err)
+
+ assert.Equal(t, tt.expectedTemplate.LeftDelim, config.Templates[0].LeftDelim)
+ assert.Equal(t, tt.expectedTemplate.RightDelim, config.Templates[0].RightDelim)
+ })
+ }
+}
+
 func TestInjectTokenSink(t *testing.T) {
tokenHelperSink := &Sink{ Type: "file",