Ensure volumes with volume mounts referencing protected cert paths get replaced

Signed-off-by: Per Goncalves da Silva <[email protected]>

Author: Per Goncalves da Silva

internal/operator-controller/rukpak/render/registryv1/generators/generators.go

@@ -31,11 +31,9 @@ const (
 	tlsKeyPath = "tls.key"
 )
 
-var certVolumeMounts = map[string]corev1.VolumeMount{
-	"webhook-cert": {
-		Name:      "webhook-cert",
-		MountPath: "/tmp/k8s-webhook-server/serving-certs",
-	},
+// volume mount name -> mount path
+var certVolumeMounts = map[string]string{
+	"webhook-cert": "/tmp/k8s-webhook-server/serving-certs",
 }
 
 // BundleCSVDeploymentGenerator generates all deployments defined in rv1's cluster service version (CSV). The generated
@@ -481,11 +479,20 @@ func getWebhookServicePort(wh v1alpha1.WebhookDescription) corev1.ServicePort {
 }
 
 func addCertVolumesToDeployment(dep *appsv1.Deployment, certSecretInfo render.CertSecretInfo) {
+	volumeMountsToReplace := sets.New(slices.Collect(maps.Keys(certVolumeMounts))...)
+	certVolumeMountPaths := sets.New(slices.Collect(maps.Values(certVolumeMounts))...)
+	for _, c := range dep.Spec.Template.Spec.Containers {
+		for _, containerVolumeMount := range c.VolumeMounts {
+			if certVolumeMountPaths.Has(containerVolumeMount.MountPath) {
+				volumeMountsToReplace.Insert(containerVolumeMount.Name)
+			}
+		}
+	}
+
 	// update pod volumes
 	dep.Spec.Template.Spec.Volumes = slices.Concat(
 		slices.DeleteFunc(dep.Spec.Template.Spec.Volumes, func(v corev1.Volume) bool {
-			_, ok := certVolumeMounts[v.Name]
-			return ok
+			return volumeMountsToReplace.Has(v.Name)
 		}),
 		[]corev1.Volume{
 			{
@@ -513,15 +520,18 @@ func addCertVolumesToDeployment(dep *appsv1.Deployment, certSecretInfo render.Ce
 	for i := range dep.Spec.Template.Spec.Containers {
 		dep.Spec.Template.Spec.Containers[i].VolumeMounts = slices.Concat(
 			slices.DeleteFunc(dep.Spec.Template.Spec.Containers[i].VolumeMounts, func(v corev1.VolumeMount) bool {
-				_, ok := certVolumeMounts[v.Name]
-				return ok
+				return volumeMountsToReplace.Has(v.Name)
 			}),
-			slices.SortedFunc(
-				maps.Values(certVolumeMounts),
-				func(a corev1.VolumeMount, b corev1.VolumeMount) int {
-					return cmp.Compare(a.Name, b.Name)
-				},
-			),
+			func() []corev1.VolumeMount {
+				volumeMounts := make([]corev1.VolumeMount, 0, len(certVolumeMounts))
+				for _, name := range slices.Sorted(maps.Keys(certVolumeMounts)) {
+					volumeMounts = append(volumeMounts, corev1.VolumeMount{
+						Name:      name,
+						MountPath: certVolumeMounts[name],
+					})
+				}
+				return volumeMounts
+			}(),
 		)
 	}
 }

internal/operator-controller/rukpak/render/registryv1/generators/generators_test.go

@@ -194,19 +194,34 @@ func Test_BundleCSVDeploymentGenerator_WithCertWithCertProvider_Succeeds(t *test
 											EmptyDir: &corev1.EmptyDirVolumeSource{},
 										},
 									},
-									// expect webhook-cert volume to be injected
+									// this volume should be replaced by the webhook-cert volume
+									// because it has a volume mount targeting the protected path
+									// /tmp/k8s-webhook-server/serving-certs
+									{
+										Name: "some-webhook-cert-mount",
+										VolumeSource: corev1.VolumeSource{
+											EmptyDir: &corev1.EmptyDirVolumeSource{},
+										},
+									},
 								},
 								Containers: []corev1.Container{
 									{
 										Name: "container-1",
 										VolumeMounts: []corev1.VolumeMount{
+											// the mount path for this volume mount will be replaced with
+											// /tmp/k8s-webhook-server/serving-certs
 											{
 												Name:      "webhook-cert",
 												MountPath: "/webhook-cert-path",
 											}, {
 												Name:      "some-other-mount",
 												MountPath: "/some/other/mount/path",
 											},
+											// this volume mount will be removed
+											{
+												Name:      "some-webhook-cert-mount",
+												MountPath: "/tmp/k8s-webhook-server/serving-certs",
+											},
 										},
 									},
 									{