Ignore mount path for git-credentials secrets and mount as file

Ignore any mount-path annotations on secrets labelled 'controller.devfile.io/git-credential'. Instead, always mount the merged git credentials secret to `/.git-credentials`. Additionally, mount the credentials file as files rather than using subpath mounts, in order to ensure changes to the on-cluster secret can be propagated to the running workspace without requiring a restart. Signed-off-by: Angel Misevski <amisevsk@redhat.com>
amisevsk · Sep 1, 2022 · 3c47585 · 3c47585
1 parent e34bcf7
commit 3c47585
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 31 deletions.
diff --git a/pkg/provision/automount/gitconfig.go b/pkg/provision/automount/gitconfig.go
@@ -24,6 +24,8 @@ import (
 	k8sclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+const mergedGitCredentialsMountPath = "/.git-credentials/"
+
 // ProvisionGitConfiguration takes care of mounting git credentials and a gitconfig into a devworkspace.
 func ProvisionGitConfiguration(api sync.ClusterAPI, namespace string) (*Resources, error) {
 	credentialsSecrets, tlsConfigMaps, err := getGitResources(api, namespace)
@@ -45,12 +47,7 @@ func ProvisionGitConfiguration(api sync.ClusterAPI, namespace string) (*Resource
 		return nil, &AutoMountError{IsFatal: true, Err: err}
 	}
 
-	credentialsMountPath, err := getCredentialsMountPath(credentialsSecrets)
-	if err != nil {
-		return nil, &AutoMountError{IsFatal: true, Err: err}
-	}
-
-	gitConfigMap, err := constructGitConfig(namespace, credentialsMountPath, tlsConfigMaps, baseGitConfig)
+	gitConfigMap, err := constructGitConfig(namespace, mergedGitCredentialsMountPath, tlsConfigMaps, baseGitConfig)
 	if err != nil {
 		return nil, &AutoMountError{IsFatal: true, Err: err}
 	}
@@ -79,7 +76,7 @@ func ProvisionGitConfiguration(api sync.ClusterAPI, namespace string) (*Resource
 		return nil, &AutoMountError{IsFatal: false, Err: err}
 	}
 	resources := flattenAutomountResources([]Resources{
-		getAutomountSecret(credentialsMountPath, constants.DevWorkspaceMountAsSubpath, mergedCredentialsSecret),
+		getAutomountSecret(mergedGitCredentialsMountPath, constants.DevWorkspaceMountAsFile, mergedCredentialsSecret),
 		getAutomountConfigmap("/etc/", constants.DevWorkspaceMountAsSubpath, gitConfigMap),
 	})
 

diff --git a/pkg/provision/automount/templates.go b/pkg/provision/automount/templates.go
@@ -125,27 +125,3 @@ func mergeGitCredentials(namespace string, credentialSecrets []corev1.Secret) (*
 	}
 	return mergedCredentials, nil
 }
-
-// getCredentialsMountPath returns the mount path to be used by all git credentials secrets. If no secrets define a mountPath,
-// the root path ('/credentials') is used. If secrets define conflicting mountPaths, an error is returned and represents an invalid
-// configuration. If any secret defines a mountPath, that mountPath overrides the mountPath for all secrets that do not
-// define a mountPath. If there are no credentials secrets, the empty string is returned
-func getCredentialsMountPath(secrets []corev1.Secret) (string, error) {
-	if len(secrets) == 0 {
-		return "", nil
-	}
-	mountPath := ""
-	for _, secret := range secrets {
-		secretMountPath := secret.Annotations[constants.DevWorkspaceMountPathAnnotation]
-		if secretMountPath != "" {
-			if mountPath != "" && secretMountPath != mountPath {
-				return "", fmt.Errorf("auto-mounted git credentials have conflicting mountPaths: %s, %s", mountPath, secretMountPath)
-			}
-			mountPath = secretMountPath
-		}
-	}
-	if mountPath == "" {
-		mountPath = "/"
-	}
-	return mountPath, nil
-}