sgx: fix volumeMounts mutation

The changes made by addVolumeMount() were overriden when the
intermediate container variable was assigned to the pod and
thus the volumeMount changes were lost.

Fix it by making the volumeMount changes to the intermediate
container that is then assigned to the final pod.

Also, make the latest e2e test case to use the
checkMutatedVolumes() helper and fix the illegal Volume
name.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Author: mythi

pkg/webhooks/sgx/sgx.go

@@ -124,12 +124,12 @@ func volumeMountExists(path string, container *corev1.Container) bool {
 	return false
 }
 
-func addVolumeMount(container *corev1.Container, volumeMount *corev1.VolumeMount) {
+func createNewVolumeMounts(container *corev1.Container, volumeMount *corev1.VolumeMount) []corev1.VolumeMount {
 	if container.VolumeMounts == nil {
-		container.VolumeMounts = make([]corev1.VolumeMount, 0)
+		return []corev1.VolumeMount{*volumeMount}
 	}
 
-	container.VolumeMounts = append(container.VolumeMounts, *volumeMount)
+	return append(container.VolumeMounts, *volumeMount)
 }
 
 // Handle implements controller-runtimes's admission.Handler inteface.
@@ -198,13 +198,16 @@ func (s *Mutator) Handle(ctx context.Context, req admission.Request) admission.R
 		switch quoteProvider {
 		// container mutate logic for Intel aesmd users
 		case aesmdQuoteProvKey:
-			// check if we already have a VolumeMount for this path -- let's not add it if it's there
+			// Check if we already have a VolumeMount for this path -- let's not add it if it's there.
+			// This needs to be an external function because of the linting complexity check. We lose
+			// one "if" this way.
 			if !volumeMountExists(aesmdSocketDirectoryPath, &pod.Spec.Containers[idx]) {
-				addVolumeMount(&pod.Spec.Containers[idx],
+				vms := createNewVolumeMounts(&pod.Spec.Containers[idx],
 					&corev1.VolumeMount{
 						Name:      aesmdSocketName,
 						MountPath: aesmdSocketDirectoryPath,
 					})
+				container.VolumeMounts = vms
 			}
 
 			if container.Name == aesmdQuoteProvKey {

test/e2e/sgxadmissionwebhook/sgxaadmissionwebhook.go

@@ -126,7 +126,7 @@ func describe() {
 		podSpec := createPodSpec([]string{"test"}, "aesmd")
 		podSpec.Spec.Volumes = make([]v1.Volume, 0)
 		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, v1.Volume{
-			Name: "/var/run/aesmd",
+			Name: "aesmd-socket",
 			VolumeSource: v1.VolumeSource{
 				EmptyDir: &v1.EmptyDirVolumeSource{
 					Medium: v1.StorageMediumMemory,
@@ -139,14 +139,14 @@ func describe() {
 			MountPath: "/var/run/aesmd",
 		})
 		pod := submitCustomPod(f, podSpec)
-		ginkgo.By("checking Volumes in the pod")
-		gomega.Expect(len(pod.Spec.Volumes)).To(gomega.Equal(1))
-		ginkgo.By("checking VolumeMounts in the container")
-		gomega.Expect(len(pod.Spec.Containers[0].VolumeMounts)).To(gomega.Equal(1))
+		ginkgo.By("checking the container volumes have been not mutated")
+		checkMutatedVolumes(f, pod, "aesmd-socket", v1.EmptyDirVolumeSource{})
 	})
 }
 
 func checkMutatedVolumes(f *framework.Framework, pod *v1.Pod, volumeName string, volumeType interface{}) {
+	gomega.Expect(len(pod.Spec.Volumes)).To(gomega.Equal(1))
+
 	switch reflect.TypeOf(volumeType).String() {
 	case "v1.HostPathVolumeSource":
 		gomega.Expect(pod.Spec.Volumes[0].HostPath).NotTo(gomega.BeNil())
@@ -157,6 +157,7 @@ func checkMutatedVolumes(f *framework.Framework, pod *v1.Pod, volumeName string,
 	}
 
 	for _, c := range pod.Spec.Containers {
+		gomega.Expect(len(c.VolumeMounts)).To(gomega.Equal(1))
 		gomega.Expect(c.VolumeMounts[0].Name).To(gomega.Equal(volumeName))
 	}
 }