Add unique home volumes for init/sidecar (hashicorp#170)

* Add unique home volumes for init/sidecar * Add mount filter, better variable name
RemcoBuddelmeijer · Aug 20, 2020 · fe09ae6 · fe09ae6
1 parent db77804
commit fe09ae6
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 19 deletions.
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
@@ -357,7 +357,7 @@ func (a *Agent) Patch() ([]byte, error) {
 	// Add a volume for the token sink
 	a.Patches = append(a.Patches, addVolumes(
 		a.Pod.Spec.Volumes,
-		[]corev1.Volume{a.ContainerTokenVolume()},
+		a.ContainerTokenVolume(),
 		"/spec/volumes")...)
 
 	// Add our volume that will be shared by the containers

diff --git a/agent-inject/agent/container_init_sidecar.go b/agent-inject/agent/container_init_sidecar.go
@@ -14,7 +14,7 @@ import (
 func (a *Agent) ContainerInitSidecar() (corev1.Container, error) {
 	volumeMounts := []corev1.VolumeMount{
 		{
-			Name:      tokenVolumeName,
+			Name:      tokenVolumeNameInit,
 			MountPath: tokenVolumePath,
 			ReadOnly:  false,
 		},

diff --git a/agent-inject/agent/container_sidecar.go b/agent-inject/agent/container_sidecar.go
@@ -30,7 +30,7 @@ func (a *Agent) ContainerSidecar() (corev1.Container, error) {
 			ReadOnly:  true,
 		},
 		{
-			Name:      tokenVolumeName,
+			Name:      tokenVolumeNameSidecar,
 			MountPath: tokenVolumePath,
 			ReadOnly:  false,
 		},

diff --git a/agent-inject/agent/container_sidecar_test.go b/agent-inject/agent/container_sidecar_test.go
@@ -57,7 +57,7 @@ func TestContainerSidecarVolume(t *testing.T) {
 				ReadOnly:  true,
 			},
 			corev1.VolumeMount{
-				Name:      tokenVolumeName,
+				Name:      tokenVolumeNameSidecar,
 				MountPath: tokenVolumePath,
 				ReadOnly:  false,
 			},

diff --git a/agent-inject/agent/container_volume.go b/agent-inject/agent/container_volume.go
@@ -8,14 +8,15 @@ import (
 )
 
 const (
-	tokenVolumeName     = "home"
-	tokenVolumePath     = "/home/vault"
-	configVolumeName    = "vault-config"
-	configVolumePath    = "/vault/configs"
-	secretVolumeName    = "vault-secrets"
-	tlsSecretVolumeName = "vault-tls-secrets"
-	tlsSecretVolumePath = "/vault/tls"
-	secretVolumePath    = "/vault/secrets"
+	tokenVolumeNameInit    = "home-init"
+	tokenVolumeNameSidecar = "home-sidecar"
+	tokenVolumePath        = "/home/vault"
+	configVolumeName       = "vault-config"
+	configVolumePath       = "/vault/configs"
+	secretVolumeName       = "vault-secrets"
+	tlsSecretVolumeName    = "vault-tls-secrets"
+	tlsSecretVolumePath    = "/vault/tls"
+	secretVolumePath       = "/vault/secrets"
 )
 
 func (a *Agent) getUniqueMountPaths() []string {
@@ -60,15 +61,32 @@ func (a *Agent) ContainerVolumes() []corev1.Volume {
 
 // ContainerTokenVolume returns a volume to mount the
 // home directory where the token sink will write to.
-func (a *Agent) ContainerTokenVolume() corev1.Volume {
-	return corev1.Volume{
-		Name: tokenVolumeName,
-		VolumeSource: corev1.VolumeSource{
-			EmptyDir: &corev1.EmptyDirVolumeSource{
-				Medium: "Memory",
+func (a *Agent) ContainerTokenVolume() []corev1.Volume {
+	var vols []corev1.Volume
+	if a.PrePopulate {
+		initVol := corev1.Volume{
+			Name: tokenVolumeNameInit,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{
+					Medium: "Memory",
+				},
 			},
-		},
+		}
+		vols = append(vols, initVol)
 	}
+	if !a.PrePopulateOnly {
+		sidecarVol := corev1.Volume{
+			Name: tokenVolumeNameSidecar,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{
+					Medium: "Memory",
+				},
+			},
+		}
+		vols = append(vols, sidecarVol)
+	}
+
+	return vols
 }
 
 // ContainerConfigMapVolume returns a volume to mount a config map

diff --git a/agent-inject/handler_test.go b/agent-inject/handler_test.go
@@ -138,6 +138,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/volumes",
@@ -187,6 +191,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/volumes",
@@ -243,6 +251,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/volumes",
@@ -296,6 +308,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/volumes",
@@ -353,6 +369,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/volumes",