Merge pull request #813 from mythi/PR-2021-073

bart0sh · web-flow · commit c087bd238d66 · 2021-12-21T21:09:59.000+02:00
sgx: fix volumeMounts mutation
diff --git a/pkg/webhooks/sgx/sgx.go b/pkg/webhooks/sgx/sgx.go
@@ -124,12 +124,12 @@ func volumeMountExists(path string, container *corev1.Container) bool {
 	return false
 }
 
-func addVolumeMount(container *corev1.Container, volumeMount *corev1.VolumeMount) {
+func createNewVolumeMounts(container *corev1.Container, volumeMount *corev1.VolumeMount) []corev1.VolumeMount {
 	if container.VolumeMounts == nil {
-		container.VolumeMounts = make([]corev1.VolumeMount, 0)
+		return []corev1.VolumeMount{*volumeMount}
 	}
 
-	container.VolumeMounts = append(container.VolumeMounts, *volumeMount)
+	return append(container.VolumeMounts, *volumeMount)
 }
 
 // Handle implements controller-runtimes's admission.Handler inteface.
@@ -198,13 +198,16 @@ func (s *Mutator) Handle(ctx context.Context, req admission.Request) admission.R
 		switch quoteProvider {
 		// container mutate logic for Intel aesmd users
 		case aesmdQuoteProvKey:
-			// check if we already have a VolumeMount for this path -- let's not add it if it's there
+			// Check if we already have a VolumeMount for this path -- let's not add it if it's there.
+			// This needs to be an external function because of the linting complexity check. We lose
+			// one "if" this way.
 			if !volumeMountExists(aesmdSocketDirectoryPath, &pod.Spec.Containers[idx]) {
-				addVolumeMount(&pod.Spec.Containers[idx],
+				vms := createNewVolumeMounts(&pod.Spec.Containers[idx],
 					&corev1.VolumeMount{
 						Name:      aesmdSocketName,
 						MountPath: aesmdSocketDirectoryPath,
 					})
+				container.VolumeMounts = vms
 			}
 
 			if container.Name == aesmdQuoteProvKey {
diff --git a/test/e2e/sgxadmissionwebhook/sgxaadmissionwebhook.go b/test/e2e/sgxadmissionwebhook/sgxaadmissionwebhook.go
@@ -126,7 +126,7 @@ func describe() {
 		podSpec := createPodSpec([]string{"test"}, "aesmd")
 		podSpec.Spec.Volumes = make([]v1.Volume, 0)
 		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, v1.Volume{
-			Name: "/var/run/aesmd",
+			Name: "aesmd-socket",
 			VolumeSource: v1.VolumeSource{
 				EmptyDir: &v1.EmptyDirVolumeSource{
 					Medium: v1.StorageMediumMemory,
@@ -139,14 +139,14 @@ func describe() {
 			MountPath: "/var/run/aesmd",
 		})
 		pod := submitCustomPod(f, podSpec)
-		ginkgo.By("checking Volumes in the pod")
-		gomega.Expect(len(pod.Spec.Volumes)).To(gomega.Equal(1))
-		ginkgo.By("checking VolumeMounts in the container")
-		gomega.Expect(len(pod.Spec.Containers[0].VolumeMounts)).To(gomega.Equal(1))
+		ginkgo.By("checking the container volumes have been not mutated")
+		checkMutatedVolumes(f, pod, "aesmd-socket", v1.EmptyDirVolumeSource{})
 	})
 }
 
 func checkMutatedVolumes(f *framework.Framework, pod *v1.Pod, volumeName string, volumeType interface{}) {
+	gomega.Expect(len(pod.Spec.Volumes)).To(gomega.Equal(1))
+
 	switch reflect.TypeOf(volumeType).String() {
 	case "v1.HostPathVolumeSource":
 		gomega.Expect(pod.Spec.Volumes[0].HostPath).NotTo(gomega.BeNil())
@@ -157,6 +157,7 @@ func checkMutatedVolumes(f *framework.Framework, pod *v1.Pod, volumeName string,
 	}
 
 	for _, c := range pod.Spec.Containers {
+		gomega.Expect(len(c.VolumeMounts)).To(gomega.Equal(1))
 		gomega.Expect(c.VolumeMounts[0].Name).To(gomega.Equal(volumeName))
 	}
 }
