Process EnvFileDir in file-based config mode

[jhrozek]

Fixes vault secrets not being passed to workload pods when using file-based configuration in the proxy runner.

The runWithFileBasedConfig function was loading the RunConfig from the ConfigMap but never processing the EnvFileDir field. This caused Vault Agent injected secrets to remain in the proxy pod at /vault/secrets without being propagated to the workload StatefulSet.

The fix adds environment file processing when EnvFileDir is set, matching the behavior of the flags-based configuration path. When the operator detects Vault annotations, it sets EnvFileDir to /vault/secrets in the RunConfig. The proxy runner now reads files from that directory and merges them into config.EnvVars before deploying the workload.

Fixes #2460

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.44%. Comparing base (03302b2) to head (3284837).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2470      +/-   ##
==========================================
+ Coverage   55.39%   55.44%   +0.05%     
==========================================
  Files         281      284       +3     
  Lines       26609    26720     +111     
==========================================
+ Hits        14739    14816      +77     
- Misses      10514    10540      +26     
- Partials     1356     1364       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull Request Overview

This PR fixes a bug where Vault-injected secrets were not being propagated to workload pods when using file-based configuration in the proxy runner. The core issue was that the EnvFileDir field in the RunConfig was being loaded but never processed.

Key Changes:

• Added environment file processing in the file-based config path to read and merge secrets from EnvFileDir
• Added test coverage for the WithEnvFilesFromDirectory pattern used in the fix

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
cmd/thv-proxyrunner/app/execution.go	Adds processing of EnvFileDir to load environment variables from files (e.g., Vault secrets)
cmd/thv-proxyrunner/app/run_test.go	Adds test verifying that environment files are correctly loaded and merged with existing env vars

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JAORMX]

@claude please review this

[claude]

Claude finished @JAORMX's task —— View job

---

Code Review Complete

• Read and analyze changed files
• Review code for correctness and best practices
• Verify test coverage
• Provide comprehensive feedback

---

Summary

This PR successfully fixes the bug where Vault-injected secrets were not being propagated to workload pods when using file-based configuration. The fix is straightforward, well-tested, and follows the existing patterns in the codebase.

Positive Findings

1. Correct Fix: The implementation properly processes EnvFileDir in the file-based config path (cmd/thv-proxyrunner/app/execution.go:131-137), matching the behavior already present in the flags-based path (line 56).

2. Good Test Coverage: The new test (cmd/thv-proxyrunner/app/run_test.go:215-242) directly validates the fix:

   • Creates mock Vault secret files in a temp directory
   • Verifies that WithEnvFilesFromDirectory correctly reads and merges environment variables
   • Tests that existing env vars are preserved while new ones are added
   • Codecov confirms all modified lines are covered

3. Follows Existing Patterns: The fix uses the exact same method (WithEnvFilesFromDirectory) that's already used in the flags-based config path, ensuring consistency.

4. Proper Error Handling: The error message is clear and includes the directory path for debugging.

Observations

1. Placement: The EnvFileDir processing happens after env var validation (line 122-128), which seems intentional and correct. This allows the validator to process the base env vars first, then the file-based secrets are merged in.

2. Config Reassignment: The code correctly reassigns the result back to config (line 136), which is necessary since WithEnvFilesFromDirectory returns a new *RunConfig.

3. Test Quality: The test is well-structured with clear comments explaining its purpose and relationship to issue Vault secrets not passed to workload pods in file-based config mode #2460.

Minor Suggestions (Non-blocking)

1. Comment Clarity: Consider whether the comment at line 130 could be more specific about the Vault Agent injection pattern:

   // Process environment files from EnvFileDir if specified
   // This is used when Vault Agent or similar tools inject secrets as files

   However, the current comment is fine as-is since "e.g., for Vault secrets" already provides context.

2. Test Documentation: The test has excellent inline documentation explaining what it's testing and why. No changes needed.

Verdict

LGTM ✅

This is a solid fix that:

• Addresses the root cause of issue Vault secrets not passed to workload pods in file-based config mode #2460
• Follows established patterns in the codebase
• Has appropriate test coverage
• Maintains backward compatibility
• Uses clear error handling

The code is ready to merge.

---