fix: mutate containers with a startup probe
mutate-probes annotation didn't mutate ENV passed to a startup probe
add test for Liveness, Readiness and Startup probe separately

Signed-off-by: Kamil Swoboda <kswoboda@getresponse.com>
Kaswob committed May 16, 2024
1 parent 4f7d6ee commit eb470cd
Showing 2 changed files with 137 additions and 1 deletion.
6 changes: 6 additions & 0 deletions pkg/webhook/pod.go
@@ -305,6 +305,12 @@ func (mw *MutatingWebhook) mutateContainers(ctx context.Context, containers []co
container.ReadinessProbe.Exec.Command = []string{"/vault/vault-env"}
container.ReadinessProbe.Exec.Command = append(container.ReadinessProbe.Exec.Command, rProbeCmd...)
}
// mutate StartupProbe
if container.StartupProbe != nil && container.StartupProbe.Exec != nil {
sProbeCmd := container.StartupProbe.Exec.Command
container.StartupProbe.Exec.Command = []string{"/vault/vault-env"}
container.StartupProbe.Exec.Command = append(container.StartupProbe.Exec.Command, sProbeCmd...)
}
}

container.VolumeMounts = append(container.VolumeMounts, []corev1.VolumeMount{
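Review bot: The new startup-probe block repeats the readiness block directly above it line for line, down to the `/vault/vault-env` literal, and the liveness block presumably has the same shape outside this hunk. Three hand-copied branches are easy to let drift, which is likely how the startup probe went unwrapped until now; a small helper taking a `*corev1.Probe` gives one place for the nil checks, the path, and a comment that only exec probes are wrapped. The helper is also the natural place to decide what should happen when `Exec.Command` is empty or already starts with vault-env, neither of which the visible code checks. mutateContainers begins and ends outside the hunk, so the call sites below are shown in isolation.

```go
// wrapExecProbe prefixes an exec probe's command with vault-env so the probe
// process is started through the same wrapper as the container command.
// Probes without an exec handler are left untouched.
func wrapExecProbe(probe *corev1.Probe) {
	if probe == nil || probe.Exec == nil {
		return
	}
	probe.Exec.Command = append([]string{"/vault/vault-env"}, probe.Exec.Command...)
}

// … inside mutateContainers, replacing the per-probe blocks …
wrapExecProbe(container.LivenessProbe)
wrapExecProbe(container.ReadinessProbe)
wrapExecProbe(container.StartupProbe)
```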
132 changes: 131 additions & 1 deletion pkg/webhook/pod_test.go
@@ -224,7 +224,7 @@ func Test_mutatingWebhook_mutateContainers(t *testing.T) {
wantErr: false,
},
{
name: "Will mutate container with probes",
name: "Will mutate container with liveness probe",
fields: fields{
k8sClient: fake.NewSimpleClientset(),
registry: &MockRegistry{
@@ -288,6 +288,136 @@ func Test_mutatingWebhook_mutateContainers(t *testing.T) {
mutated: true,
wantErr: false,
},
{
name: "Will mutate container with readiness probe",
fields: fields{
k8sClient: fake.NewSimpleClientset(),
registry: &MockRegistry{
Image: v1.Config{},
},
},
args: args{
containers: []corev1.Container{
{
Name: "MyContainer",
Image: "myimage",
Command: []string{"/bin/bash"},
Args: nil,
ReadinessProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
Exec: &corev1.ExecAction{
Command: []string{"/bin/bash"},
},
},
},
Env: []corev1.EnvVar{
{
Name: "myvar",
Value: "vault:secrets",
},
},
},
},
vaultConfig: VaultConfig{
MutateProbes: true,
},
},
wantedContainers: []corev1.Container{
{
Name: "MyContainer",
Image: "myimage",
Command: []string{"/vault/vault-env"},
Args: []string{"/bin/bash"},
VolumeMounts: []corev1.VolumeMount{{Name: "vault-env", MountPath: "/vault/"}},
ReadinessProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
Exec: &corev1.ExecAction{
Command: []string{"/vault/vault-env", "/bin/bash"},
},
},
},
Env: []corev1.EnvVar{
{Name: "myvar", Value: "vault:secrets"},
{Name: "VAULT_ADDR", Value: ""},
{Name: "VAULT_SKIP_VERIFY", Value: "false"},
{Name: "VAULT_AUTH_METHOD", Value: ""},
{Name: "VAULT_PATH", Value: ""},
{Name: "VAULT_ROLE", Value: ""},
{Name: "VAULT_IGNORE_MISSING_SECRETS", Value: ""},
{Name: "VAULT_ENV_PASSTHROUGH", Value: ""},
{Name: "VAULT_JSON_LOG", Value: ""},
{Name: "VAULT_CLIENT_TIMEOUT", Value: "0s"},
},
},
},
mutated: true,
wantErr: false,
},
{
name: "Will mutate container with startup probe",
fields: fields{
k8sClient: fake.NewSimpleClientset(),
registry: &MockRegistry{
Image: v1.Config{},
},
},
args: args{
containers: []corev1.Container{
{
Name: "MyContainer",
Image: "myimage",
Command: []string{"/bin/bash"},
Args: nil,
StartupProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
Exec: &corev1.ExecAction{
Command: []string{"/bin/bash"},
},
},
},
Env: []corev1.EnvVar{
{
Name: "myvar",
Value: "vault:secrets",
},
},
},
},
vaultConfig: VaultConfig{
MutateProbes: true,
},
},
wantedContainers: []corev1.Container{
{
Name: "MyContainer",
Image: "myimage",
Command: []string{"/vault/vault-env"},
Args: []string{"/bin/bash"},
VolumeMounts: []corev1.VolumeMount{{Name: "vault-env", MountPath: "/vault/"}},
StartupProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
Exec: &corev1.ExecAction{
Command: []string{"/vault/vault-env", "/bin/bash"},
},
},
},
Env: []corev1.EnvVar{
{Name: "myvar", Value: "vault:secrets"},
{Name: "VAULT_ADDR", Value: ""},
{Name: "VAULT_SKIP_VERIFY", Value: "false"},
{Name: "VAULT_AUTH_METHOD", Value: ""},
{Name: "VAULT_PATH", Value: ""},
{Name: "VAULT_ROLE", Value: ""},
{Name: "VAULT_IGNORE_MISSING_SECRETS", Value: ""},
{Name: "VAULT_ENV_PASSTHROUGH", Value: ""},
{Name: "VAULT_JSON_LOG", Value: ""},
{Name: "VAULT_CLIENT_TIMEOUT", Value: "0s"},
},
},
},
mutated: true,
wantErr: false,
},
{
name: "Will mutate container with no container-command, no entrypoint",
fields: fields{
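Review bot: None of the visible cases pins the `Exec != nil` guard that the pod.go change relies on: both added cases use an exec handler with `MutateProbes: true`. A startup probe with an `HTTPGet` handler should come back unchanged, and a nil dereference on that path would panic inside the admission webhook, so it deserves one case of its own. A `MutateProbes: false` case that leaves the exec command alone would cover the other branch, unless the collapsed parts of the table already do. The readiness and startup cases also differ only in the probe field name, so a small builder for the shared container and env expectations would shrink the table.

```go
{
	name: "Will not touch a startup probe without an exec handler",
	// … unchanged: fields, and container Name/Image/Command/Env as in the startup probe case …
	args: args{
		containers: []corev1.Container{
			{
				StartupProbe: &corev1.Probe{
					ProbeHandler: corev1.ProbeHandler{
						HTTPGet: &corev1.HTTPGetAction{Path: "/healthz"},
					},
				},
			},
		},
		vaultConfig: VaultConfig{
			MutateProbes: true,
		},
	},
	// wantedContainers: as in the startup probe case, except that StartupProbe
	// is expected back with its HTTPGet handler and no Exec command.
	mutated: true,
	wantErr: false,
},
```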
