Process EnvFileDir in file-based config mode (#2470)

Fixes vault secrets not being passed to workload pods when using
file-based configuration in the proxy runner.

The runWithFileBasedConfig function was loading the RunConfig from
the ConfigMap but never processing the EnvFileDir field. This caused
Vault Agent injected secrets to remain in the proxy pod at
/vault/secrets without being propagated to the workload StatefulSet.

The fix adds environment file processing when EnvFileDir is set,
matching the behavior of the flags-based configuration path. When the
operator detects Vault annotations, it sets EnvFileDir to
/vault/secrets in the RunConfig. The proxy runner now reads files from
that directory and merges them into config.EnvVars before deploying
the workload.

Fixes #2460

Author: jhrozek

cmd/thv-proxyrunner/app/execution.go

@@ -127,6 +127,15 @@ func runWithFileBasedConfig(
 		config.EnvVars = validatedEnvVars
 	}
 
+	// Process environment files from EnvFileDir if specified (e.g., for Vault secrets)
+	if config.EnvFileDir != "" {
+		updatedConfig, err := config.WithEnvFilesFromDirectory(config.EnvFileDir)
+		if err != nil {
+			return fmt.Errorf("failed to process environment files from directory %s: %v", config.EnvFileDir, err)
+		}
+		config = updatedConfig
+	}
+
 	// Apply image metadata overrides if needed (similar to what the builder does)
 	if imageMetadata != nil && config.Name == "" {
 		config.Name = imageMetadata.Name

cmd/thv-proxyrunner/app/run_test.go

@@ -1,10 +1,14 @@
 package app
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/stacklok/toolhive/pkg/runner"
 )
 
 func TestRunCmdFlagsAndParsing(t *testing.T) {
@@ -207,6 +211,35 @@ func TestRunWithFileBasedConfigBehavior(t *testing.T) {
 		k8sPodPatchFlag := cmd.Flag("k8s-pod-patch")
 		assert.NotNil(t, k8sPodPatchFlag, "k8s-pod-patch flag should exist for config file mode")
 	})
+
+	t.Run("EnvFileDir processing works with WithEnvFilesFromDirectory", func(t *testing.T) {
+		t.Parallel()
+
+		// This test verifies the pattern used in the fix for issue #2460
+		// It simulates what happens when Vault secrets are injected
+
+		// Create temp directory with mock Vault secret files
+		tmpDir := t.TempDir()
+		err := os.WriteFile(filepath.Join(tmpDir, "api-key"), []byte("API_KEY=secret123"), 0644)
+		require.NoError(t, err)
+		err = os.WriteFile(filepath.Join(tmpDir, "db-password"), []byte("DB_PASSWORD=dbpass456"), 0644)
+		require.NoError(t, err)
+
+		// Create a RunConfig with EnvFileDir set (this is what the operator does)
+		config := &runner.RunConfig{
+			EnvFileDir: tmpDir,
+			EnvVars:    map[string]string{"EXISTING": "value"},
+		}
+
+		// Call WithEnvFilesFromDirectory (this is what the fix does)
+		updatedConfig, err := config.WithEnvFilesFromDirectory(config.EnvFileDir)
+		require.NoError(t, err)
+
+		// Verify env vars from files were merged
+		assert.Equal(t, "value", updatedConfig.EnvVars["EXISTING"], "Existing env var should be preserved")
+		assert.Equal(t, "secret123", updatedConfig.EnvVars["API_KEY"], "API_KEY from file should be loaded")
+		assert.Equal(t, "dbpass456", updatedConfig.EnvVars["DB_PASSWORD"], "DB_PASSWORD from file should be loaded")
+	})
 }
 
 func TestConfigFileModeIgnoresConfigFlags(t *testing.T) {