add unit test and new returned error from updateSecret

pkg/cluster/sync.go

@@ -1181,12 +1181,16 @@ func (c *Cluster) updateSecret(
 	} else {
 		// username might not match if password rotation has been disabled again
 		if secretUsername != string(secret.Data["username"]) {
-			*retentionUsers = append(*retentionUsers, secretUsername)
+			if len(string(secret.Data["username"])) != len(secretUsername) {
-			secret.Data["username"] = []byte(secretUsername)
+				*retentionUsers = append(*retentionUsers, secretUsername)
-			secret.Data["password"] = []byte(util.RandomPassword(constants.PasswordLength))
+				secret.Data["username"] = []byte(secretUsername)
-			secret.Data["nextRotation"] = []byte{}
+				secret.Data["password"] = []byte(util.RandomPassword(constants.PasswordLength))
-			updateSecret = true
+				secret.Data["nextRotation"] = []byte{}
-			updateSecretMsg = fmt.Sprintf("secret %s does not contain the role %s - updating username and resetting password", secretName, secretUsername)
+				updateSecret = true
+				updateSecretMsg = fmt.Sprintf("secret does not contain the role %s - updating username and resetting password", secretUsername)
+			} else {
+				return secret, fmt.Errorf("could not update secret because of user name mismatch: expected: %s, got: %s", secretUsername, string(secret.Data["username"]))
+			}
 		}
 	}
 
@@ -1216,18 +1220,18 @@ func (c *Cluster) updateSecret(
 	if updateSecret {
 		c.logger.Infof("%s", updateSecretMsg)
 		if secret, err = c.KubeClient.Secrets(secret.Namespace).Update(context.TODO(), secret, metav1.UpdateOptions{}); err != nil {
-			return secret, fmt.Errorf("could not update secret %s: %v", secretName, err)
+			return secret, fmt.Errorf("could not update secret: %v", err)
 		}
 	}
 
 	if changed, _ := c.compareAnnotations(secret.Annotations, generatedSecret.Annotations, nil); changed {
 		patchData, err := metaAnnotationsPatch(generatedSecret.Annotations)
 		if err != nil {
-			return secret, fmt.Errorf("could not form patch for secret %q annotations: %v", secret.Name, err)
+			return secret, fmt.Errorf("could not form patch for secret annotations: %v", err)
 		}
 		secret, err = c.KubeClient.Secrets(secret.Namespace).Patch(context.TODO(), secret.Name, types.MergePatchType, []byte(patchData), metav1.PatchOptions{})
 		if err != nil {
-			return secret, fmt.Errorf("could not patch annotations for secret %q: %v", secret.Name, err)
+			return secret, fmt.Errorf("could not patch annotations for secret: %v", err)
 		}
 	}
 

pkg/cluster/sync_test.go

@@ -963,4 +963,37 @@ func TestUpdateSecret(t *testing.T) {
 	if currentUsername != appUser {
 		t.Errorf("%s: updated secret does not contain expected username: expected %s, got %s", testName, appUser, currentUsername)
 	}
+
+	// test error cases
+	pg.Spec.Users["prepared-owner-user"] = acidv1.UserFlags{}
+	pg.Spec.PreparedDatabases = map[string]acidv1.PreparedDatabase{"prepared": {DefaultUsers: true}}
+
+	var errCluster = New(
+		Config{
+			OpConfig: config.Config{
+				Auth: config.Auth{
+					SuperUsername:       "postgres",
+					ReplicationUsername: "standby",
+					SecretNameTemplate:  secretTemplate,
+				},
+				Resources: config.Resources{
+					ClusterLabels:    map[string]string{"application": "spilo"},
+					ClusterNameLabel: "cluster-name",
+				},
+			},
+		}, client, pg, logger, eventRecorder)
+
+	errCluster.Name = clusterName
+	errCluster.Namespace = namespace
+	errCluster.pgUsers = map[string]spec.PgUser{}
+
+	// init all users
+	errCluster.initUsers()
+	// create secrets and fail because of user name mismatch
+	err = errCluster.syncSecrets()
+	assert.Error(t, err)
+
+	// the order of secrets to sync is not deterministic, check only first part of the error message
+	expectedError := fmt.Sprintf("syncing secret %s failed: could not update secret because of user name mismatch", "default/prepared-owner-user.acid-test-cluster.credentials")
+	assert.Contains(t, err.Error(), expectedError)
 }