From f08d33152160c26f7d7f47eeb14fa5c742b2230a Mon Sep 17 00:00:00 2001 From: Bence Csati <113284287+csatib02@users.noreply.github.com> Date: Thu, 22 Feb 2024 10:08:44 +0100 Subject: [PATCH] fix: vault-log-level overwritten in pods (#327) * fix(pod.go): failing test for #290 Signed-off-by: Bence Csati * fix(pod.go) issue fix Signed-off-by: Bence Csati * fix(pod.go): minor fix Signed-off-by: Bence Csati * fix(pod.go): minor fix Signed-off-by: Bence Csati * fix: simplify log check Signed-off-by: Bence Csati * chore: comment Signed-off-by: Bence Csati --------- Signed-off-by: Bence Csati Signed-off-by: Bence Csati Co-authored-by: Ramiz Polic <32913827+ramizpolic@users.noreply.github.com>
---
 pkg/webhook/pod.go | 13 +++++-
 pkg/webhook/pod_test.go | 98 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 110 insertions(+), 1 deletion(-)
diff --git a/pkg/webhook/pod.go b/pkg/webhook/pod.go
index c7a99152..1e83fc6e 100644
--- a/pkg/webhook/pod.go
+++ b/pkg/webhook/pod.go
@@ -358,7 +358,7 @@ func (mw *MutatingWebhook) mutateContainers(ctx context.Context, containers []co
 })
 }
 
- if vaultConfig.LogLevel != "" {
+ if !isLogLevelSet(container.Env) && vaultConfig.LogLevel != "" {
 container.Env = append(container.Env, []corev1.EnvVar{
 {
 Name: "VAULT_LOG_LEVEL",
@@ -916,3 +916,14 @@ func getConfigMapForVaultAgent(pod *corev1.Pod, vaultConfig VaultConfig) *corev1
 },
 }
 }
+
+// isLogLevelSet checks if the VAULT_LOG_LEVEL environment variable
+// has already been set in the container, so it doesn't get overridden.
+func isLogLevelSet(envVars []corev1.EnvVar) bool {
+ for _, envVar := range envVars {
+ if envVar.Name == "VAULT_LOG_LEVEL" {
+ return true
+ }
+ }
+ return false
+}
diff --git a/pkg/webhook/pod_test.go b/pkg/webhook/pod_test.go
index 11e16c0e..8caccd46 100644
--- a/pkg/webhook/pod_test.go
+++ b/pkg/webhook/pod_test.go
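Review bot: The new guard on the changed `if` line consults only explicit `container.Env` entries, so a VAULT_LOG_LEVEL that the pod supplies through `envFrom` (a ConfigMap or Secret reference) is not seen and the webhook still appends its own entry; because Kubernetes gives an explicit `env` entry precedence over `envFrom`, that user-chosen level would still be overridden. If honouring `envFrom` is out of scope for this fix, the limitation is worth stating next to the check so the next reader does not assume it is covered, e.g. `// Only explicit env entries are consulted; a VAULT_LOG_LEVEL injected via envFrom is still overridden by the entry appended below.` mutateContainers starts and ends outside this hunk.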
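Review bot: isLogLevelSet hard-codes the "VAULT_LOG_LEVEL" literal a second time, duplicating the one at the append site in the first hunk, while the same already-set situation presumably applies to every other VAULT_* variable mutateContainers appends (the expected list in the pod_test.go hunk shows VAULT_ADDR, VAULT_PATH and the rest added regardless of what the container already carries). A name-parameterised helper would cover all of them and keep the two literals from drifting: `func hasEnvVar(envVars []corev1.EnvVar, name string) bool` with the existing loop comparing `envVar.Name == name`, and isLogLevelSet reduced to `return hasEnvVar(envVars, "VAULT_LOG_LEVEL")`. The doc comment would also be more useful if it said why a duplicate matters — the webhook's entry is appended after the user's, and per the commit title that later duplicate is what overwrote the user's level in the pod — since "so it doesn't get overridden" reads as if the helper itself prevents that rather than the guard at the call site.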
@@ -466,6 +466,104 @@ func Test_mutatingWebhook_mutateContainers(t *testing.T) {
 mutated: true,
 wantErr: false,
 },
+ {
+ name: "Mutate will not change the containers log level if it was already set",
+ fields: fields{
+ k8sClient: fake.NewSimpleClientset(),
+ registry: &MockRegistry{
+ Image: v1.Config{},
+ },
+ },
+ args: args{
+ containers: []corev1.Container{
+ {
+ Name: "MyContainer",
+ Image: "myimage",
+ Command: []string{"/bin/bash"},
+ Args: nil,
+ Env: []corev1.EnvVar{
+ {
+ Name: "myvar",
+ Value: "vault:secrets",
+ },
+ {
+ Name: "VAULT_LOG_LEVEL",
+ Value: "info",
+ },
+ },
+ },
+ },
+ vaultConfig: VaultConfig{
+ Addr: "addr",
+ SkipVerify: false,
+ Path: "path",
+ Role: "role",
+ AuthMethod: "jwt",
+ IgnoreMissingSecrets: "ignoreMissingSecrets",
+ VaultEnvPassThrough: "vaultEnvPassThrough",
+ EnableJSONLog: "enableJSONLog",
+ ClientTimeout: 10 * time.Second,
+ LogLevel: "debug",
+ },
+ },
+ wantedContainers: []corev1.Container{
+ {
+ Name: "MyContainer",
+ Image: "myimage",
+ Command: []string{"/vault/vault-env"},
+ Args: []string{"/bin/bash"},
+ VolumeMounts: []corev1.VolumeMount{{Name: "vault-env", MountPath: "/vault/"}},
+ Env: []corev1.EnvVar{
+ {
+ Name: "myvar",
+ Value: "vault:secrets",
+ },
+ {
+ Name: "VAULT_LOG_LEVEL",
+ Value: "info",
+ },
+ {
+ Name: "VAULT_ADDR",
+ Value: "addr",
+ },
+ {
+ Name: "VAULT_SKIP_VERIFY",
+ Value: "false",
+ },
+ {
+ Name: "VAULT_AUTH_METHOD",
+ Value: "jwt",
+ },
+ {
+ Name: "VAULT_PATH",
+ Value: "path",
+ },
+ {
+ Name: "VAULT_ROLE",
+ Value: "role",
+ },
+ {
+ Name: "VAULT_IGNORE_MISSING_SECRETS",
+ Value: "ignoreMissingSecrets",
+ },
+ {
+ Name: "VAULT_ENV_PASSTHROUGH",
+ Value: "vaultEnvPassThrough",
+ },
+ {
+ Name: "VAULT_JSON_LOG",
+ Value: "enableJSONLog",
+ },
+ {
+ Name: "VAULT_CLIENT_TIMEOUT",
+ Value: "10s",
+ },
+ },
+ },
+ },
+ mutated: true,
+ wantErr: false,
+ },
 }
 
 for _, tt := range tests {