From 717f9bc33f0373544dced8be38547a6e12b11cde Mon Sep 17 00:00:00 2001
From: Marton Soos
Date: Thu, 17 Feb 2022 17:49:28 +0100
Subject: [PATCH] Skip shadowed env variables
---
 pkg/onepassword/containers.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/pkg/onepassword/containers.go b/pkg/onepassword/containers.go
index c0910a8..3eca288 100644
--- a/pkg/onepassword/containers.go
+++ b/pkg/onepassword/containers.go
@@ -7,7 +7,10 @@ import (
 func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
 for i := 0; i < len(containers); i++ {
 envVariables := containers[i].Env
+ envVariableNames := map[string]struct{}{}
+
 for j := 0; j < len(envVariables); j++ {
+ envVariableNames[envVariables[j].Name] = struct{}{}
 if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
 _, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
 if ok {
@@ -18,6 +21,10 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
 envFromVariables := containers[i].EnvFrom
 for j := 0; j < len(envFromVariables); j++ {
 if envFromVariables[j].SecretRef != nil {
+ // Skip env variables that will be overwritten by Env
+ if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok {
+ continue;
+ }
 _, ok := secrets[envFromVariables[j].SecretRef.Name]
 if ok {
 return true
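Review bot: The added shadowing check reads `envFromVariables[i]`, the container index, while every other access in this loop uses `j`, so it can index past the end of EnvFrom or dereference a nil `SecretRef` that the `[j]` guard never covered; the identical line appears in the last hunk (AppendUpdatedContainerSecrets). Even with `j`, the lookup compares a Secret object name against the variable names collected from `Env`, and those are different namespaces: a `secretRef` under `envFrom` exposes each key of the Secret as a variable, so shadowing can only be decided per key. As written, a container whose Env contains a variable that happens to share the Secret's name is reported as not using that Secret, and if callers (outside this diff) use the result to decide on restarts, the workload could keep running with stale credentials after a rotation. The sketch below skips a Secret only when every key it would inject, with the entry's `Prefix` applied, is already set in Env; it assumes the `Data` of the Secrets in the map is populated. Both function bodies extend beyond the hunks shown.

```go
if envFromVariables[j].SecretRef != nil {
	secret, ok := secrets[envFromVariables[j].SecretRef.Name]
	if !ok {
		continue
	}
	// Skip only when every variable this Secret would inject is overridden by Env.
	shadowed := len(secret.Data) > 0
	for key := range secret.Data {
		if _, set := envVariableNames[envFromVariables[j].Prefix+key]; !set {
			shadowed = false
			break
		}
	}
	if shadowed {
		continue
	}
	return true
	// … unchanged: remainder of the envFrom loop …
```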
@@ -31,7 +38,10 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
 func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
 for i := 0; i < len(containers); i++ {
 envVariables := containers[i].Env
+ envVariableNames := map[string]struct{}{}
+
 for j := 0; j < len(envVariables); j++ {
+ envVariableNames[envVariables[j].Name] = struct{}{}
 if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
 secret, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
 if ok {
@@ -42,6 +52,10 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st
 envFromVariables := containers[i].EnvFrom
 for j := 0; j < len(envFromVariables); j++ {
 if envFromVariables[j].SecretRef != nil {
+ // Skip env variables that will be overwritten by Env
+ if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok {
+ continue;
+ }
 secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name]
 if ok {
 updatedDeploymentSecrets[secret.Name] = secret