
Commit 17b260e

committed
do not override existing environment variables
1 parent 08136ca commit 17b260e


1 file changed

+68
-44
lines changed


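--- a/server.go
+++ b/server.go
@@ -90,11 +90,16 @@ func mutateHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 var patch []patchOperation
+var envVars []corev1.EnvVar
+
+needsCreds := needsEnvVar(pod.Spec.Containers[0], "GOOGLE_APPLICATION_CREDENTIALS")
 
 // Explicitly and silently exclude the kube-system namespace
 if pod.ObjectMeta.Namespace != metav1.NamespaceSystem {
+var v corev1.Volume
+var mount corev1.VolumeMount
 // Define the volume to mount in
-v := corev1.Volume{
+v = corev1.Volume{
 Name: "gcp-creds",
 VolumeSource: corev1.VolumeSource{
 HostPath: func() *corev1.HostPathVolumeSource {
@@ -111,65 +116,75 @@ func mutateHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 // Mount the volume in
-mount := corev1.VolumeMount{
+mount = corev1.VolumeMount{
 Name: "gcp-creds",
 MountPath: "/google-app-creds.json",
 ReadOnly: true,
 }
 
 // Define the env var
-e := corev1.EnvVar{
-Name: "GOOGLE_APPLICATION_CREDENTIALS",
-Value: "/google-app-creds.json",
+if needsCreds {
+e := corev1.EnvVar{
+Name: "GOOGLE_APPLICATION_CREDENTIALS",
+Value: "/google-app-creds.json",
+}
+envVars = append(envVars, e)
 }
-envVars := []corev1.EnvVar{e}
 
 // If GOOGLE_CLOUD_PROJECT is set in the VM, set it for all GCP apps.
 if _, err := os.Stat("/var/lib/minikube/google_cloud_project"); err == nil {
 project, err := ioutil.ReadFile("/var/lib/minikube/google_cloud_project")
 if err == nil {
 // Set the project name for every variant of the project env var
 for _, a := range projectAliases {
-envVars = append(envVars, corev1.EnvVar{
-Name: a,
-Value: string(project),
-})
+if needsEnvVar(pod.Spec.Containers[0], a) {
+envVars = append(envVars, corev1.EnvVar{
+Name: a,
+Value: string(project),
+})
+}
 }
 }
 }
 
-patch = append(patch, patchOperation{
-Op: "add",
-Path: "/spec/volumes",
-Value: append(pod.Spec.Volumes, v),
-})
-
-for i, c := range pod.Spec.Containers {
-if len(c.VolumeMounts) == 0 {
-patch = append(patch, patchOperation{
-Op: "add",
-Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
-Value: []corev1.VolumeMount{mount},
-})
-} else {
-patch = append(patch, patchOperation{
-Op: "add",
-Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
-Value: append(c.VolumeMounts, mount),
-})
-}
-if len(c.Env) == 0 {
-patch = append(patch, patchOperation{
-Op: "add",
-Path: fmt.Sprintf("/spec/containers/%d/env", i),
-Value: envVars,
-})
-} else {
-patch = append(patch, patchOperation{
-Op: "add",
-Path: fmt.Sprintf("/spec/containers/%d/env", i),
-Value: append(c.Env, envVars...),
-})
+if needsCreds {
+patch = append(patch, patchOperation{
+Op: "add",
+Path: "/spec/volumes",
+Value: append(pod.Spec.Volumes, v),
+})
+}
+
+if len(envVars) > 0 {
+for i, c := range pod.Spec.Containers {
+if needsCreds {
+if len(c.VolumeMounts) == 0 {
+patch = append(patch, patchOperation{
+Op: "add",
+Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
+Value: []corev1.VolumeMount{mount},
+})
+} else {
+patch = append(patch, patchOperation{
+Op: "add",
+Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
+Value: append(c.VolumeMounts, mount),
+})
+}
+}
+if len(c.Env) == 0 {
+patch = append(patch, patchOperation{
+Op: "add",
+Path: fmt.Sprintf("/spec/containers/%d/env", i),
+Value: envVars,
+})
+} else {
+patch = append(patch, patchOperation{
+Op: "add",
+Path: fmt.Sprintf("/spec/containers/%d/env", i),
+Value: append(c.Env, envVars...),
+})
+}
 }
 }
 }
@@ -261,13 +276,13 @@ func serviceaccountHandler(w http.ResponseWriter, r *http.Request) {
 
 ips := corev1.LocalObjectReference{Name: "gcp-auth"}
 if len(sa.ImagePullSecrets) == 0 {
-patch = []patchOperation{patchOperation{
+patch = []patchOperation{{
 Op: "add",
 Path: "/imagePullSecrets",
 Value: []corev1.LocalObjectReference{ips},
 }}
 } else {
-patch = []patchOperation{patchOperation{
+patch = []patchOperation{{
 Op: "add",
 Path: "/imagePullSecrets",
 Value: append(sa.ImagePullSecrets, ips),
@@ -316,6 +331,15 @@ func serviceaccountHandler(w http.ResponseWriter, r *http.Request) {
 }
 }
 
+func needsEnvVar(c corev1.Container, name string) bool {
+for _, e := range c.Env {
+if e.Name == name {
+return false
+}
+}
+return true
+}
+
 func main() {
 log.Print("GCP Auth Webhook started!")
 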
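Review bot: `needsCreds` and the project-alias filter are computed from `pod.Spec.Containers[0]` only, yet the loop over `pod.Spec.Containers` applies the same `envVars` and mount to every container. A pod whose second container already sets `GOOGLE_APPLICATION_CREDENTIALS` still gets a duplicate entry appended via `append(c.Env, envVars...)`, so its existing value is presumably still overridden; and when only the first container sets it, the remaining containers get neither the mount nor the variable. Deciding per container inside the loop covers both cases, with `envVars` built unfiltered and the `/spec/volumes` patch gated on any container needing the credentials. Indexing `Containers[0]` also assumes a non-empty container list, which the visible lines do not check; `mutateHandler` starts and ends outside these hunks, so an earlier guard may exist.

```go
// envVars is built without the Containers[0] filter; each container is filtered here.
for i, c := range pod.Spec.Containers {
	var add []corev1.EnvVar
	for _, e := range envVars {
		if needsEnvVar(c, e.Name) {
			add = append(add, e)
		}
	}
	if len(add) == 0 {
		continue
	}
	// … unchanged: volumeMounts patch, gated on needsEnvVar(c, "GOOGLE_APPLICATION_CREDENTIALS") …
	// … unchanged: env patch, with add in place of envVars …
}
```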