Use projected volumes for sinkbinding trust bundles (knative#7630) (#538

) When there are multiple trust bundle ConfigMaps the only option to mount on the same directory is to use projected volumes. Signed-off-by: Pierangelo Di Pilato <[email protected]> Co-authored-by: Pierangelo Di Pilato <[email protected]>
openshift-knative · Feb 20, 2024 · aa20ab9 · aa20ab9
1 parent e8845b7
commit aa20ab9
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 102 deletions.
diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle_test.go b/pkg/apis/sources/v1/sinkbinding_lifecycle_test.go
@@ -301,6 +301,23 @@ func TestSinkBindingUndo(t *testing.T) {
 									},
 								},
 							},
+							{
+								Name: "kne-bundle-volume",
+								VolumeSource: corev1.VolumeSource{
+									Projected: &corev1.ProjectedVolumeSource{
+										Sources: []corev1.VolumeProjection{
+											{
+												ConfigMap: &corev1.ConfigMapProjection{
+													LocalObjectReference: corev1.LocalObjectReference{
+														Name: "knative-eventing-bundle",
+													},
+												},
+											},
+										},
+										DefaultMode: nil,
+									},
+								},
+							},
 						},
 						Containers: []corev1.Container{{
 							Name:  "blah",
@@ -311,6 +328,11 @@ func TestSinkBindingUndo(t *testing.T) {
 									MountPath: "/knative-custom-certs/knative-eventing-bundle" + strings.Repeat("a", 29),
 									ReadOnly:  true,
 								},
+								{
+									Name:      "kne-bundle-volume",
+									MountPath: "/knative-custom-certs",
+									ReadOnly:  true,
+								},
 							},
 						}},
 					},
@@ -554,93 +576,19 @@ func TestSinkBindingDo(t *testing.T) {
 					Spec: corev1.PodSpec{
 						Volumes: []corev1.Volume{
 							{
-								Name: "kne-bundle-knative-eventing-bundle" + strings.Repeat("a", 29),
-								VolumeSource: corev1.VolumeSource{
-									ConfigMap: &corev1.ConfigMapVolumeSource{
-										LocalObjectReference: corev1.LocalObjectReference{
-											Name: "knative-eventing-bundle" + strings.Repeat("a", 29),
-										},
-									},
-								},
-							},
-						},
-						Containers: []corev1.Container{{
-							Name:  "blah",
-							Image: "busybox",
-							Env: []corev1.EnvVar{{
-								Name:  "K_SINK",
-								Value: destination.URI.String(),
-							}, {
-								Name:  "K_CA_CERTS",
-								Value: caCert,
-							}, {
-								Name:  "K_CE_OVERRIDES",
-								Value: `{"extensions":{"foo":"bar"}}`,
-							}},
-							VolumeMounts: []corev1.VolumeMount{
-								{
-									Name:      "kne-bundle-knative-eventing-bundle" + strings.Repeat("a", 29),
-									MountPath: "/knative-custom-certs/knative-eventing-bundle" + strings.Repeat("a", 29),
-									ReadOnly:  true,
-								},
-							},
-						}},
-					},
-				},
-			},
-		},
-		in: &duckv1.WithPod{
-			Spec: duckv1.WithPodSpec{
-				Template: duckv1.PodSpecable{
-					Spec: corev1.PodSpec{
-						Containers: []corev1.Container{{
-							Name:  "blah",
-							Image: "busybox",
-							Env: []corev1.EnvVar{{
-								Name:  "K_SINK",
-								Value: destination.URI.String(),
-							}, {
-								Name:  "K_CA_CERTS",
-								Value: caCert,
-							}, {
-								Name:  "K_CE_OVERRIDES",
-								Value: `{"extensions":{"foo":"bar"}}`,
-							}},
-						}},
-					},
-				},
-			},
-		},
-		configMaps: []*corev1.ConfigMap{
-			{
-				TypeMeta: metav1.TypeMeta{},
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "knative-eventing",
-					Name:      "knative-eventing-bundle" + strings.Repeat("a", 29),
-					Labels: map[string]string{
-						"networking.knative.dev/trust-bundle": "true",
-					},
-				},
-				Immutable: nil,
-				Data: map[string]string{
-					"knative-eventing-bundle.pem": "something",
-				},
-			},
-		},
-	}, {
-		name: "add trust bundles - long CM name",
-		want: &duckv1.WithPod{
-			Spec: duckv1.WithPodSpec{
-				Template: duckv1.PodSpecable{
-					Spec: corev1.PodSpec{
-						Volumes: []corev1.Volume{
-							{
-								Name: "kne-bundle-7840a1e43e73e2ce40d1180208cba2a6knative-eventing-bun",
+								Name: "kne-bundle-volume",
 								VolumeSource: corev1.VolumeSource{
-									ConfigMap: &corev1.ConfigMapVolumeSource{
-										LocalObjectReference: corev1.LocalObjectReference{
-											Name: "knative-eventing-bundle" + strings.Repeat("a", 30),
+									Projected: &corev1.ProjectedVolumeSource{
+										Sources: []corev1.VolumeProjection{
+											{
+												ConfigMap: &corev1.ConfigMapProjection{
+													LocalObjectReference: corev1.LocalObjectReference{
+														Name: "knative-eventing-bundle",
+													},
+												},
+											},
 										},
+										DefaultMode: nil,
 									},
 								},
 							},
@@ -660,8 +608,8 @@ func TestSinkBindingDo(t *testing.T) {
 							}},
 							VolumeMounts: []corev1.VolumeMount{
 								{
-									Name:      "kne-bundle-7840a1e43e73e2ce40d1180208cba2a6knative-eventing-bun",
-									MountPath: "/knative-custom-certs/knative-eventing-bundle" + strings.Repeat("a", 30),
+									Name:      "kne-bundle-volume",
+									MountPath: "/knative-custom-certs",
 									ReadOnly:  true,
 								},
 							},
@@ -697,7 +645,7 @@ func TestSinkBindingDo(t *testing.T) {
 				TypeMeta: metav1.TypeMeta{},
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "knative-eventing",
-					Name:      "knative-eventing-bundle" + strings.Repeat("a", 30),
+					Name:      "knative-eventing-bundle",
 					Labels: map[string]string{
 						"networking.knative.dev/trust-bundle": "true",
 					},

diff --git a/pkg/eventingtls/eventingtls.go b/pkg/eventingtls/eventingtls.go
@@ -203,7 +203,7 @@ func loadCertPool(config ClientConfig) (*x509.CertPool, error) {
 		return nil, err
 	}
 
-	_ = filepath.WalkDir(fmt.Sprintf("/%s", TrustBundleMountPath), func(path string, d fs.DirEntry, err error) error {
+	_ = filepath.WalkDir(TrustBundleMountPath, func(path string, d fs.DirEntry, err error) error {
 		if err != nil || d.IsDir() {
 			return nil
 		}

diff --git a/pkg/eventingtls/trust_bundle.go b/pkg/eventingtls/trust_bundle.go
@@ -37,7 +37,7 @@ const (
 	// TrustBundleLabelSelector is the ConfigMap label selector for trust bundles.
 	TrustBundleLabelSelector = "networking.knative.dev/trust-bundle=true"
 
-	TrustBundleMountPath = "knative-custom-certs"
+	TrustBundleMountPath = "/knative-custom-certs"
 
 	TrustBundleVolumeNamePrefix = "kne-bundle-"
 )
@@ -147,31 +147,72 @@ func AddTrustBundleVolumes(trustBundleLister corev1listers.ConfigMapLister, obj
 	}
 
 	pt = pt.DeepCopy()
+	sources := make([]corev1.VolumeProjection, 0, len(cms))
 	for _, cm := range cms {
-		volumeName := kmeta.ChildName(TrustBundleVolumeNamePrefix, cm.Name)
-		pt.Volumes = append(pt.Volumes, corev1.Volume{
-			Name: volumeName,
-			VolumeSource: corev1.VolumeSource{
-				ConfigMap: &corev1.ConfigMapVolumeSource{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: cm.Name,
-					},
+		sources = append(sources, corev1.VolumeProjection{
+			ConfigMap: &corev1.ConfigMapProjection{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: cm.Name,
 				},
 			},
 		})
+	}
+	if len(sources) == 0 {
+		return pt, nil
+	}
+
+	volumeName := fmt.Sprintf("%s%s", TrustBundleVolumeNamePrefix, "volume")
+	vs := corev1.VolumeSource{
+		Projected: &corev1.ProjectedVolumeSource{
+			Sources: sources,
+		},
+	}
+
+	found := false
+	for i, v := range pt.Volumes {
+		if v.Name == volumeName {
+			found = true
+			pt.Volumes[i].VolumeSource = vs
+			break
+		}
+	}
+	if !found {
+		pt.Volumes = append(pt.Volumes, corev1.Volume{
+			Name:         volumeName,
+			VolumeSource: vs,
+		})
+	}
 
-		for i := range pt.Containers {
+	for i := range pt.Containers {
+		found = false
+		for _, v := range pt.Containers[i].VolumeMounts {
+			if v.Name == volumeName {
+				found = true
+				break
+			}
+		}
+		if !found {
 			pt.Containers[i].VolumeMounts = append(pt.Containers[i].VolumeMounts, corev1.VolumeMount{
 				Name:      volumeName,
 				ReadOnly:  true,
-				MountPath: fmt.Sprintf("/%s/%s", TrustBundleMountPath, cm.Name),
+				MountPath: TrustBundleMountPath,
 			})
 		}
-		for i := range pt.InitContainers {
+	}
+
+	for i := range pt.InitContainers {
+		found = false
+		for _, v := range pt.InitContainers[i].VolumeMounts {
+			if v.Name == volumeName {
+				found = true
+				break
+			}
+		}
+		if !found {
 			pt.InitContainers[i].VolumeMounts = append(pt.InitContainers[i].VolumeMounts, corev1.VolumeMount{
 				Name:      volumeName,
 				ReadOnly:  true,
-				MountPath: fmt.Sprintf("/%s/%s", TrustBundleMountPath, cm.Name),
+				MountPath: TrustBundleMountPath,
 			})
 		}
 	}