feat: A lot of refactoring and CSI test cases

test/e2e/annotations/annotations_suite_test.go

@@ -6,14 +6,17 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"github.com/stakater/Reloader/test/e2e/utils"
-	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	csiclient "sigs.k8s.io/secrets-store-csi-driver/pkg/client/clientset/versioned"
+
+	"github.com/stakater/Reloader/test/e2e/utils"
 )
 
 var (
 	kubeClient    kubernetes.Interface
-	dynamicClient dynamic.Interface
+	csiClient     csiclient.Interface
+	restConfig    *rest.Config
 	testNamespace string
 	ctx           context.Context
 	cancel        context.CancelFunc
@@ -25,35 +28,43 @@ func TestAnnotations(t *testing.T) {
 	RunSpecs(t, "Annotations Strategy E2E Suite")
 }
 
-var _ = BeforeSuite(func() {
-	var err error
-	ctx, cancel = context.WithCancel(context.Background())
+var _ = BeforeSuite(
+	func() {
+		var err error
+		ctx, cancel = context.WithCancel(context.Background())
 
-	// Setup test environment
-	testEnv, err = utils.SetupTestEnvironment(ctx, "reloader-annotations-test")
-	Expect(err).NotTo(HaveOccurred(), "Failed to setup test environment")
+		testEnv, err = utils.SetupTestEnvironment(ctx, "reloader-annotations-test")
+		Expect(err).NotTo(HaveOccurred(), "Failed to setup test environment")
 
-	// Export for use in tests
-	kubeClient = testEnv.KubeClient
-	dynamicClient = testEnv.DynamicClient
-	testNamespace = testEnv.Namespace
+		kubeClient = testEnv.KubeClient
+		csiClient = testEnv.CSIClient
+		restConfig = testEnv.RestConfig
+		testNamespace = testEnv.Namespace
 
-	// Deploy Reloader with annotations strategy
-	err = testEnv.DeployAndWait(map[string]string{
-		"reloader.reloadStrategy": "annotations",
+		deployValues := map[string]string{
+			"reloader.reloadStrategy": "annotations",
+			"reloader.watchGlobally":  "false", // Only watch own namespace to prevent cross-talk between test suites
+		}
+
+		if utils.IsCSIDriverInstalled(ctx, csiClient) {
+			deployValues["reloader.enableCSIIntegration"] = "true"
+			GinkgoWriter.Println("Deploying Reloader with CSI integration support")
+		}
+
+		err = testEnv.DeployAndWait(deployValues)
+		Expect(err).NotTo(HaveOccurred(), "Failed to deploy Reloader")
 	})
-	Expect(err).NotTo(HaveOccurred(), "Failed to deploy Reloader")
-})
 
-var _ = AfterSuite(func() {
-	if testEnv != nil {
-		err := testEnv.Cleanup()
-		Expect(err).NotTo(HaveOccurred(), "Failed to cleanup test environment")
-	}
+var _ = AfterSuite(
+	func() {
+		if testEnv != nil {
+			err := testEnv.Cleanup()
+			Expect(err).NotTo(HaveOccurred(), "Failed to cleanup test environment")
+		}
 
-	if cancel != nil {
-		cancel()
-	}
+		if cancel != nil {
+			cancel()
+		}
 
-	GinkgoWriter.Println("Annotations E2E Suite cleanup complete")
-})
+		GinkgoWriter.Println("Annotations E2E Suite cleanup complete")
+	})

test/e2e/annotations/auto_reload_test.go

@@ -1,30 +1,40 @@
 package annotations
 
 import (
+	"fmt"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
 	"github.com/stakater/Reloader/test/e2e/utils"
 )
 
 var _ = Describe("Auto Reload Annotation Tests", func() {
 	var (
-		deploymentName string
-		configMapName  string
-		secretName     string
+		deploymentName  string
+		configMapName   string
+		secretName      string
+		spcName         string
+		vaultSecretPath string
 	)
 
 	BeforeEach(func() {
 		deploymentName = utils.RandName("deploy")
 		configMapName = utils.RandName("cm")
 		secretName = utils.RandName("secret")
+		spcName = utils.RandName("spc")
+		vaultSecretPath = fmt.Sprintf("secret/%s", utils.RandName("test"))
 	})
 
 	AfterEach(func() {
 		_ = utils.DeleteDeployment(ctx, kubeClient, testNamespace, deploymentName)
 		_ = utils.DeleteConfigMap(ctx, kubeClient, testNamespace, configMapName)
 		_ = utils.DeleteSecret(ctx, kubeClient, testNamespace, secretName)
+		if csiClient != nil {
+			_ = utils.DeleteSecretProviderClass(ctx, csiClient, testNamespace, spcName)
+		}
+		_ = utils.DeleteVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath)
 	})
 
 	Context("with reloader.stakater.com/auto=true annotation", func() {
@@ -225,6 +235,176 @@ var _ = Describe("Auto Reload Annotation Tests", func() {
 		})
 	})
 
+	Context("with secretproviderclass.reloader.stakater.com/auto=true annotation", Label("csi"), func() {
+		BeforeEach(func() {
+			if !utils.IsCSIDriverInstalled(ctx, csiClient) {
+				Skip("CSI secrets store driver not installed")
+			}
+			if !utils.IsVaultProviderInstalled(ctx, kubeClient) {
+				Skip("Vault CSI provider not installed")
+			}
+		})
+
+		It("should reload Deployment when SecretProviderClassPodStatus changes", func() {
+			By("Creating a secret in Vault")
+			err := utils.CreateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath,
+				map[string]string{"api_key": "initial-value-v1"})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a SecretProviderClass pointing to Vault secret")
+			_, err = utils.CreateSecretProviderClassWithSecret(ctx, csiClient, testNamespace, spcName,
+				vaultSecretPath, "api_key")
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a Deployment with secretproviderclass auto=true annotation")
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
+				utils.WithCSIVolume(spcName),
+				utils.WithAnnotations(utils.BuildSecretProviderClassAutoAnnotation()),
+			)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be ready")
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Finding the SPCPS created by CSI driver")
+			spcpsName, err := utils.FindSPCPSForDeployment(ctx, csiClient, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+			GinkgoWriter.Printf("Found SPCPS: %s\n", spcpsName)
+
+			By("Getting initial SPCPS version")
+			initialVersion, err := utils.GetSPCPSVersion(ctx, csiClient, testNamespace, spcpsName)
+			Expect(err).NotTo(HaveOccurred())
+			GinkgoWriter.Printf("Initial SPCPS version: %s\n", initialVersion)
+
+			By("Updating the Vault secret")
+			err = utils.UpdateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath,
+				map[string]string{"api_key": "updated-value-v2"})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for CSI driver to sync the new secret version")
+			err = utils.WaitForSPCPSVersionChange(ctx, csiClient, testNamespace, spcpsName, initialVersion, 10*time.Second)
+			Expect(err).NotTo(HaveOccurred())
+			GinkgoWriter.Println("CSI driver synced new secret version")
+
+			By("Waiting for Deployment to be reloaded")
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
+				utils.AnnotationLastReloadedFrom, utils.ReloadTimeout)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(reloaded).To(BeTrue(), "Deployment should have been reloaded for Vault secret change")
+		})
+
+		It("should NOT reload Deployment when ConfigMap changes (only SPC auto enabled)", func() {
+			By("Creating a secret in Vault")
+			err := utils.CreateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath,
+				map[string]string{"api_key": "initial-value-v1"})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a SecretProviderClass pointing to Vault secret")
+			_, err = utils.CreateSecretProviderClassWithSecret(ctx, csiClient, testNamespace, spcName,
+				vaultSecretPath, "api_key")
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a ConfigMap")
+			_, err = utils.CreateConfigMap(ctx, kubeClient, testNamespace, configMapName,
+				map[string]string{"key": "initial"}, nil)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a Deployment with CSI volume AND ConfigMap, but only SPC auto annotation")
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
+				utils.WithCSIVolume(spcName),
+				utils.WithConfigMapEnvFrom(configMapName),
+				utils.WithAnnotations(utils.BuildSecretProviderClassAutoAnnotation()),
+			)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be ready")
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Finding the SPCPS created by CSI driver")
+			spcpsName, err := utils.FindSPCPSForDeployment(ctx, csiClient, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Updating the ConfigMap (should NOT trigger reload with SPC auto only)")
+			err = utils.UpdateConfigMap(ctx, kubeClient, testNamespace, configMapName,
+				map[string]string{"key": "updated"})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Verifying Deployment was NOT reloaded for ConfigMap change")
+			time.Sleep(utils.NegativeTestWait)
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
+				utils.AnnotationLastReloadedFrom, utils.ShortTimeout)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(reloaded).To(BeFalse(), "Deployment with SPC auto only should NOT have been reloaded for ConfigMap change")
+
+			By("Getting initial SPCPS version")
+			initialVersion, err := utils.GetSPCPSVersion(ctx, csiClient, testNamespace, spcpsName)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Updating the Vault secret (should trigger reload)")
+			err = utils.UpdateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath,
+				map[string]string{"api_key": "updated-value-v2"})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for CSI driver to sync the new secret version")
+			err = utils.WaitForSPCPSVersionChange(ctx, csiClient, testNamespace, spcpsName, initialVersion, 10*time.Second)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be reloaded for SPC change")
+			reloaded, err = utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
+				utils.AnnotationLastReloadedFrom, utils.ReloadTimeout)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(reloaded).To(BeTrue(), "Deployment should have been reloaded for Vault secret change")
+		})
+
+		It("should reload when using combined auto=true annotation for SPC", func() {
+			By("Creating a secret in Vault")
+			err := utils.CreateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath,
+				map[string]string{"api_key": "initial-value-v1"})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a SecretProviderClass pointing to Vault secret")
+			_, err = utils.CreateSecretProviderClassWithSecret(ctx, csiClient, testNamespace, spcName,
+				vaultSecretPath, "api_key")
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a Deployment with CSI volume and general auto=true annotation")
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
+				utils.WithCSIVolume(spcName),
+				utils.WithAnnotations(utils.BuildAutoTrueAnnotation()),
+			)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be ready")
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Finding the SPCPS created by CSI driver")
+			spcpsName, err := utils.FindSPCPSForDeployment(ctx, csiClient, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Getting initial SPCPS version")
+			initialVersion, err := utils.GetSPCPSVersion(ctx, csiClient, testNamespace, spcpsName)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Updating the Vault secret")
+			err = utils.UpdateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath,
+				map[string]string{"api_key": "updated-value-v2"})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for CSI driver to sync the new secret version")
+			err = utils.WaitForSPCPSVersionChange(ctx, csiClient, testNamespace, spcpsName, initialVersion, 10*time.Second)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be reloaded")
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
+				utils.AnnotationLastReloadedFrom, utils.ReloadTimeout)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(reloaded).To(BeTrue(), "Deployment with auto=true should have been reloaded for Vault secret change")
+		})
+	})
+
 	Context("with auto annotation and explicit reload annotation together", func() {
 		It("should reload when auto-detected resource changes", func() {
 			configMapName2 := utils.RandName("cm2")

test/e2e/annotations/combination_test.go

@@ -5,6 +5,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
 	"github.com/stakater/Reloader/test/e2e/utils"
 )
 

test/e2e/annotations/exclude_test.go

@@ -1,10 +1,12 @@
 package annotations
 
 import (
+	"fmt"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
 	"github.com/stakater/Reloader/test/e2e/utils"
 )
 
@@ -15,7 +17,6 @@ var _ = Describe("Exclude Annotation Tests", func() {
 		configMapName2 string
 		secretName     string
 		secretName2    string
-		excludeNS      string
 	)
 
 	BeforeEach(func() {
@@ -24,35 +25,29 @@ var _ = Describe("Exclude Annotation Tests", func() {
 		configMapName2 = utils.RandName("cm2")
 		secretName = utils.RandName("secret")
 		secretName2 = utils.RandName("secret2")
-		excludeNS = "exclude-" + utils.RandName("ns")
-
-		// Create test namespace
-		err := utils.CreateNamespace(ctx, kubeClient, excludeNS)
-		Expect(err).NotTo(HaveOccurred())
 	})
 
 	AfterEach(func() {
-		_ = utils.DeleteDeployment(ctx, kubeClient, excludeNS, deploymentName)
-		_ = utils.DeleteConfigMap(ctx, kubeClient, excludeNS, configMapName)
-		_ = utils.DeleteConfigMap(ctx, kubeClient, excludeNS, configMapName2)
-		_ = utils.DeleteSecret(ctx, kubeClient, excludeNS, secretName)
-		_ = utils.DeleteSecret(ctx, kubeClient, excludeNS, secretName2)
-		_ = utils.DeleteNamespace(ctx, kubeClient, excludeNS)
+		_ = utils.DeleteDeployment(ctx, kubeClient, testNamespace, deploymentName)
+		_ = utils.DeleteConfigMap(ctx, kubeClient, testNamespace, configMapName)
+		_ = utils.DeleteConfigMap(ctx, kubeClient, testNamespace, configMapName2)
+		_ = utils.DeleteSecret(ctx, kubeClient, testNamespace, secretName)
+		_ = utils.DeleteSecret(ctx, kubeClient, testNamespace, secretName2)
 	})
 
 	Context("ConfigMap exclude annotation", func() {
 		It("should NOT reload when excluded ConfigMap changes", func() {
 			By("Creating two ConfigMaps")
-			_, err := utils.CreateConfigMap(ctx, kubeClient, excludeNS, configMapName,
+			_, err := utils.CreateConfigMap(ctx, kubeClient, testNamespace, configMapName,
 				map[string]string{"key": "initial"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
-			_, err = utils.CreateConfigMap(ctx, kubeClient, excludeNS, configMapName2,
+			_, err = utils.CreateConfigMap(ctx, kubeClient, testNamespace, configMapName2,
 				map[string]string{"key2": "initial2"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Creating a Deployment with auto=true and configmaps.exclude annotation")
-			_, err = utils.CreateDeployment(ctx, kubeClient, excludeNS, deploymentName,
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
 				utils.WithConfigMapEnvFrom(configMapName),
 				utils.WithConfigMapEnvFrom(configMapName2),
 				utils.WithAnnotations(utils.MergeAnnotations(
@@ -63,17 +58,17 @@ var _ = Describe("Exclude Annotation Tests", func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Deployment to be ready")
-			err = utils.WaitForDeploymentReady(ctx, kubeClient, excludeNS, deploymentName, utils.DeploymentReady)
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Updating the excluded ConfigMap")
-			err = utils.UpdateConfigMap(ctx, kubeClient, excludeNS, configMapName,
+			err = utils.UpdateConfigMap(ctx, kubeClient, testNamespace, configMapName,
 				map[string]string{"key": "updated"})
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Verifying Deployment was NOT reloaded (excluded ConfigMap)")
 			time.Sleep(utils.NegativeTestWait)
-			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, excludeNS, deploymentName,
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
 				utils.AnnotationLastReloadedFrom, utils.ShortTimeout)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(reloaded).To(BeFalse(), "Deployment should NOT reload when excluded ConfigMap changes")
@@ -81,16 +76,16 @@ var _ = Describe("Exclude Annotation Tests", func() {
 
 		It("should reload when non-excluded ConfigMap changes", func() {
 			By("Creating two ConfigMaps")
-			_, err := utils.CreateConfigMap(ctx, kubeClient, excludeNS, configMapName,
+			_, err := utils.CreateConfigMap(ctx, kubeClient, testNamespace, configMapName,
 				map[string]string{"key": "initial"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
-			_, err = utils.CreateConfigMap(ctx, kubeClient, excludeNS, configMapName2,
+			_, err = utils.CreateConfigMap(ctx, kubeClient, testNamespace, configMapName2,
 				map[string]string{"key2": "initial2"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Creating a Deployment with auto=true and configmaps.exclude annotation")
-			_, err = utils.CreateDeployment(ctx, kubeClient, excludeNS, deploymentName,
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
 				utils.WithConfigMapEnvFrom(configMapName),
 				utils.WithConfigMapEnvFrom(configMapName2),
 				utils.WithAnnotations(utils.MergeAnnotations(
@@ -101,16 +96,16 @@ var _ = Describe("Exclude Annotation Tests", func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Deployment to be ready")
-			err = utils.WaitForDeploymentReady(ctx, kubeClient, excludeNS, deploymentName, utils.DeploymentReady)
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Updating the non-excluded ConfigMap")
-			err = utils.UpdateConfigMap(ctx, kubeClient, excludeNS, configMapName2,
+			err = utils.UpdateConfigMap(ctx, kubeClient, testNamespace, configMapName2,
 				map[string]string{"key2": "updated2"})
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Deployment to be reloaded")
-			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, excludeNS, deploymentName,
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
 				utils.AnnotationLastReloadedFrom, utils.ReloadTimeout)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(reloaded).To(BeTrue(), "Deployment should reload when non-excluded ConfigMap changes")
@@ -120,16 +115,16 @@ var _ = Describe("Exclude Annotation Tests", func() {
 	Context("Secret exclude annotation", func() {
 		It("should NOT reload when excluded Secret changes", func() {
 			By("Creating two Secrets")
-			_, err := utils.CreateSecretFromStrings(ctx, kubeClient, excludeNS, secretName,
+			_, err := utils.CreateSecretFromStrings(ctx, kubeClient, testNamespace, secretName,
 				map[string]string{"password": "initial"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
-			_, err = utils.CreateSecretFromStrings(ctx, kubeClient, excludeNS, secretName2,
+			_, err = utils.CreateSecretFromStrings(ctx, kubeClient, testNamespace, secretName2,
 				map[string]string{"password2": "initial2"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Creating a Deployment with auto=true and secrets.exclude annotation")
-			_, err = utils.CreateDeployment(ctx, kubeClient, excludeNS, deploymentName,
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
 				utils.WithSecretEnvFrom(secretName),
 				utils.WithSecretEnvFrom(secretName2),
 				utils.WithAnnotations(utils.MergeAnnotations(
@@ -140,17 +135,17 @@ var _ = Describe("Exclude Annotation Tests", func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Deployment to be ready")
-			err = utils.WaitForDeploymentReady(ctx, kubeClient, excludeNS, deploymentName, utils.DeploymentReady)
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Updating the excluded Secret")
-			err = utils.UpdateSecretFromStrings(ctx, kubeClient, excludeNS, secretName,
+			err = utils.UpdateSecretFromStrings(ctx, kubeClient, testNamespace, secretName,
 				map[string]string{"password": "updated"})
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Verifying Deployment was NOT reloaded (excluded Secret)")
 			time.Sleep(utils.NegativeTestWait)
-			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, excludeNS, deploymentName,
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
 				utils.AnnotationLastReloadedFrom, utils.ShortTimeout)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(reloaded).To(BeFalse(), "Deployment should NOT reload when excluded Secret changes")
@@ -158,16 +153,16 @@ var _ = Describe("Exclude Annotation Tests", func() {
 
 		It("should reload when non-excluded Secret changes", func() {
 			By("Creating two Secrets")
-			_, err := utils.CreateSecretFromStrings(ctx, kubeClient, excludeNS, secretName,
+			_, err := utils.CreateSecretFromStrings(ctx, kubeClient, testNamespace, secretName,
 				map[string]string{"password": "initial"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
-			_, err = utils.CreateSecretFromStrings(ctx, kubeClient, excludeNS, secretName2,
+			_, err = utils.CreateSecretFromStrings(ctx, kubeClient, testNamespace, secretName2,
 				map[string]string{"password2": "initial2"}, nil)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Creating a Deployment with auto=true and secrets.exclude annotation")
-			_, err = utils.CreateDeployment(ctx, kubeClient, excludeNS, deploymentName,
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
 				utils.WithSecretEnvFrom(secretName),
 				utils.WithSecretEnvFrom(secretName2),
 				utils.WithAnnotations(utils.MergeAnnotations(
@@ -178,19 +173,159 @@ var _ = Describe("Exclude Annotation Tests", func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Deployment to be ready")
-			err = utils.WaitForDeploymentReady(ctx, kubeClient, excludeNS, deploymentName, utils.DeploymentReady)
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Updating the non-excluded Secret")
-			err = utils.UpdateSecretFromStrings(ctx, kubeClient, excludeNS, secretName2,
+			err = utils.UpdateSecretFromStrings(ctx, kubeClient, testNamespace, secretName2,
 				map[string]string{"password2": "updated2"})
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Deployment to be reloaded")
-			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, excludeNS, deploymentName,
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
 				utils.AnnotationLastReloadedFrom, utils.ReloadTimeout)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(reloaded).To(BeTrue(), "Deployment should reload when non-excluded Secret changes")
 		})
 	})
+
+	Context("SecretProviderClass exclude annotation", Label("csi"), func() {
+		var (
+			spcName          string
+			spcName2         string
+			vaultSecretPath  string
+			vaultSecretPath2 string
+		)
+
+		BeforeEach(func() {
+			if !utils.IsCSIDriverInstalled(ctx, csiClient) {
+				Skip("CSI secrets store driver not installed")
+			}
+			if !utils.IsVaultProviderInstalled(ctx, kubeClient) {
+				Skip("Vault CSI provider not installed")
+			}
+			spcName = utils.RandName("spc")
+			spcName2 = utils.RandName("spc2")
+			vaultSecretPath = fmt.Sprintf("secret/%s", utils.RandName("test"))
+			vaultSecretPath2 = fmt.Sprintf("secret/%s", utils.RandName("test2"))
+		})
+
+		AfterEach(func() {
+			_ = utils.DeleteSecretProviderClass(ctx, csiClient, testNamespace, spcName)
+			_ = utils.DeleteSecretProviderClass(ctx, csiClient, testNamespace, spcName2)
+			_ = utils.DeleteVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath)
+			_ = utils.DeleteVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath2)
+		})
+
+		It("should NOT reload when excluded SecretProviderClassPodStatus changes", func() {
+			By("Creating Vault secret for the excluded SPC")
+			err := utils.CreateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath, map[string]string{
+				"api_key": "initial-excluded-value",
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating SecretProviderClass pointing to Vault secret")
+			_, err = utils.CreateSecretProviderClassWithSecret(ctx, csiClient, testNamespace, spcName, vaultSecretPath, "api_key")
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a Deployment with auto=true and secretproviderclasses.exclude annotation")
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
+				utils.WithCSIVolume(spcName),
+				utils.WithAnnotations(utils.MergeAnnotations(
+					utils.BuildAutoTrueAnnotation(),
+					utils.BuildSecretProviderClassExcludeAnnotation(spcName),
+				)),
+			)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be ready")
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Finding the SPCPS created by CSI driver")
+			spcpsName, err := utils.FindSPCPSForDeployment(ctx, csiClient, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Getting initial SPCPS version")
+			initialVersion, err := utils.GetSPCPSVersion(ctx, csiClient, testNamespace, spcpsName)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Updating the Vault secret for excluded SPC")
+			err = utils.UpdateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath, map[string]string{
+				"api_key": "updated-excluded-value",
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for CSI driver to sync (SPCPS version change)")
+			err = utils.WaitForSPCPSVersionChange(ctx, csiClient, testNamespace, spcpsName, initialVersion, 10*time.Second)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Verifying Deployment was NOT reloaded (excluded SPC)")
+			time.Sleep(utils.NegativeTestWait)
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
+				utils.AnnotationLastReloadedFrom, utils.ShortTimeout)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(reloaded).To(BeFalse(), "Deployment should NOT reload when excluded SecretProviderClassPodStatus changes")
+		})
+
+		It("should reload when non-excluded SecretProviderClassPodStatus changes", func() {
+			By("Creating two Vault secrets")
+			err := utils.CreateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath, map[string]string{
+				"api_key": "initial-excluded-value",
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			err = utils.CreateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath2, map[string]string{
+				"api_key": "initial-nonexcluded-value",
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating two SecretProviderClasses")
+			_, err = utils.CreateSecretProviderClassWithSecret(ctx, csiClient, testNamespace, spcName, vaultSecretPath, "api_key")
+			Expect(err).NotTo(HaveOccurred())
+
+			_, err = utils.CreateSecretProviderClassWithSecret(ctx, csiClient, testNamespace, spcName2, vaultSecretPath2, "api_key")
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Creating a Deployment with auto=true and secretproviderclasses.exclude for first SPC only")
+			_, err = utils.CreateDeployment(ctx, kubeClient, testNamespace, deploymentName,
+				utils.WithCSIVolume(spcName),
+				utils.WithCSIVolume(spcName2),
+				utils.WithAnnotations(utils.MergeAnnotations(
+					utils.BuildAutoTrueAnnotation(),
+					utils.BuildSecretProviderClassExcludeAnnotation(spcName),
+				)),
+			)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be ready")
+			err = utils.WaitForDeploymentReady(ctx, kubeClient, testNamespace, deploymentName, utils.DeploymentReady)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Finding the SPCPS for non-excluded SPC")
+			// We need to find SPCPS for the non-excluded SPC (spcName2)
+			spcpsName2, err := utils.FindSPCPSForSPC(ctx, csiClient, testNamespace, spcName2, 30*time.Second)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Getting initial SPCPS version for non-excluded SPC")
+			initialVersion, err := utils.GetSPCPSVersion(ctx, csiClient, testNamespace, spcpsName2)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Updating the Vault secret for non-excluded SPC")
+			err = utils.UpdateVaultSecret(ctx, kubeClient, restConfig, vaultSecretPath2, map[string]string{
+				"api_key": "updated-nonexcluded-value",
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for CSI driver to sync (SPCPS version change)")
+			err = utils.WaitForSPCPSVersionChange(ctx, csiClient, testNamespace, spcpsName2, initialVersion, 10*time.Second)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Waiting for Deployment to be reloaded")
+			reloaded, err := utils.WaitForDeploymentReloaded(ctx, kubeClient, testNamespace, deploymentName,
+				utils.AnnotationLastReloadedFrom, utils.ReloadTimeout)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(reloaded).To(BeTrue(), "Deployment should reload when non-excluded SecretProviderClassPodStatus changes")
+		})
+	})
 })

test/e2e/annotations/pause_period_test.go

@@ -5,6 +5,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
 	"github.com/stakater/Reloader/test/e2e/utils"
 )
 
@@ -58,7 +59,7 @@ var _ = Describe("Pause Period Tests", func() {
 
 			By("Verifying Deployment has paused-at annotation")
 			paused, err := utils.WaitForDeploymentPaused(ctx, kubeClient, testNamespace, deploymentName,
-				"utils.AnnotationDeploymentPausedAt", utils.ShortTimeout)
+				utils.AnnotationDeploymentPausedAt, utils.ShortTimeout)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(paused).To(BeTrue(), "Deployment should have paused-at annotation after reload")
 		})
@@ -94,7 +95,7 @@ var _ = Describe("Pause Period Tests", func() {
 			By("Verifying Deployment does NOT have paused-at annotation")
 			time.Sleep(utils.NegativeTestWait)
 			paused, err := utils.WaitForDeploymentPaused(ctx, kubeClient, testNamespace, deploymentName,
-				"utils.AnnotationDeploymentPausedAt", utils.ShortTimeout)
+				utils.AnnotationDeploymentPausedAt, utils.ShortTimeout)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(paused).To(BeFalse(), "Deployment should NOT have paused-at annotation without pause-period")
 		})

test/e2e/annotations/resource_ignore_test.go

@@ -5,6 +5,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
 	"github.com/stakater/Reloader/test/e2e/utils"
 )
 

test/e2e/annotations/search_match_test.go

@@ -5,6 +5,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
 	"github.com/stakater/Reloader/test/e2e/utils"
 )