Only add query values not already present in the token

Signed-off-by: Somtochi Onyekwere <[email protected]>

docs/spec/v1beta2/buckets.md

@@ -532,6 +532,9 @@ data:
   sasKey: <base64>
 ```
 
+The query values from the `sasKey` data field in the Secrets gets merged with the `spec.endpoint` of the `Bucket`.
+If there are the same key is present in the both of them, The token takes precedence.
+
 Note that the Azure SAS Token has an expiry date and it should be updated before it expires so that Flux can
 continue to access Azure Storage.
 

pkg/azure/blob.go

@@ -378,8 +378,10 @@ func sasTokenFromSecret(ep string, secret *corev1.Secret) (string, error) {
 		//merge the query values in the endpoint wuth the token
 		epValues := epURL.Query()
 		for key, val := range epValues {
-			for _, str := range val {
-				values.Set(key, str)
+			if !values.Has(key) {
+				for _, str := range val {
+					values.Add(key, str)
+				}
 			}
 		}
 

pkg/azure/blob_test.go

@@ -339,6 +339,16 @@ func Test_sasTokenFromSecret(t *testing.T) {
 			},
 			want: "https://accountName.blob.windows.net?sv=2020-08-04&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT",
 		},
+		{
+			name:     "conflicting query values in token",
+			endpoint: "https://accountName.blob.windows.net?sv=2020-08-04&ss=abcde",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					sasKeyField: []byte("sv=2019-07-06&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT"),
+				},
+			},
+			want: "https://accountName.blob.windows.net?sv=2019-07-06&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT",
+		},
 		{
 			name: "invalid sas token",
 			secret: &corev1.Secret{