[Backport release/2.0.x] fix(dataplane): fix DataPlane's volume and volume mounts patching when specified by user (#2425) (#2460)

Co-authored-by: Patryk Małek <patryk.malek@konghq.com>

Author: sandromodarelli

.github/workflows/tests.yaml

@@ -588,6 +588,8 @@ jobs:
         KONG_CONTROLLER_OUT: stdout
         GOTESTSUM_JUNITFILE: integration-tests-bluegreen.xml
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        KONG_TEST_KONNECT_ACCESS_TOKEN: ${{ secrets.KONG_TEST_KONNECT_ACCESS_TOKEN }}
+        KONG_TEST_KONNECT_SERVER_URL: us.api.konghq.tech
 
     - name: upload diagnostics
       if: always()

CHANGELOG.md

@@ -34,6 +34,13 @@
 - [v0.1.1](#v011)
 - [v0.1.0](#v010)
 
+## Unreleased
+
+### Fixes
+
+- Fix `DataPlane`'s volumes and volume mounts patching when specified by user
+  [#2425](https://github.com/Kong/kong-operator/pull/2425)
+
 ## [v2.0.4]
 
 > Release date: 2025-10-03
@@ -78,7 +85,7 @@
 
 > Release date: 2025-09-17
 
-## Fixes
+### Fixes
 
 - Fix incorrect error handling during cluster CA secret creation.
   [#2250](https://github.com/Kong/kong-operator/pull/2250)
@@ -238,7 +245,7 @@
 - `kong/kong-gateway` v3.11 is the default proxy image.
   [#2212](https://github.com/Kong/kong-operator/pull/2212)
 
-### Fixed
+### Fixes
 
 - Do not check "Programmed" condition in status of `Gateway` listeners in
   extracting certificates in controlplane's translation of Kong configuration.
@@ -270,7 +277,7 @@
 
 > Release date: 2025-07-11
 
-### Fixed
+### Fixes
 
 - Ignore the `ForbiddenError` in `sdk-konnect-go` returned from running CRUD
   operations against Konnect APIs. This prevents endless reconciliation when an
@@ -696,7 +703,7 @@
   flag or the `GATEWAY_OPERATOR_ENABLE_CONTROLLER_KONNECT` env var is set.
   [#738](https://github.com/kong/kong-operator/pull/738)
 
-### Fixed
+### Fixes
 
 - Fixed `ControlPlane` cluster wide resources not migrating to new ownership labels
   (introduced in 1.3.0) when upgrading the operator from 1.2 (or older) to 1.3.0.

Dockerfile

@@ -2,7 +2,7 @@
 # Builder
 # ------------------------------------------------------------------------------
 
-FROM --platform=$BUILDPLATFORM golang:1.25.1@sha256:8305f5fa8ea63c7b5bc85bd223ccc62941f852318ebfbd22f53bbd0b358c07e1 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25.3@sha256:7d73c4c57127279b23f3f70cbb368bf0fe08f7ab32af5daf5764173d25e78b74 AS builder
 
 WORKDIR /workspace
 ARG GOPATH

controller/dataplane/controller_reconciler_utils_test.go

@@ -108,8 +108,10 @@ func TestDeploymentBuilder(t *testing.T) {
 									Spec: corev1.PodSpec{
 										Volumes: []corev1.Volume{
 											{
-												// NOTE: we need to provide the existing entry in the slice
+												// NOTE: we can provide the existing entry in the slice
 												// to prevent merging the provided new entry with existing entries.
+												// Next test case shows that we can also not provide it and it will
+												// still work as expected (although the order may change).
 												Name: consts.ClusterCertificateVolume,
 											},
 											{
@@ -207,6 +209,111 @@ func TestDeploymentBuilder(t *testing.T) {
 				)
 			},
 		},
+		{
+			name: "new DataPlane with custom secret (without specifying the base certificate volume or volume mount)",
+			dataPlane: &operatorv1beta1.DataPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-secret-volume",
+					Namespace: "default",
+				},
+				Spec: operatorv1beta1.DataPlaneSpec{
+					DataPlaneOptions: operatorv1beta1.DataPlaneOptions{
+						Deployment: operatorv1beta1.DataPlaneDeploymentOptions{
+							DeploymentOptions: operatorv1beta1.DeploymentOptions{
+								PodTemplateSpec: &corev1.PodTemplateSpec{
+									Spec: corev1.PodSpec{
+										Volumes: []corev1.Volume{
+											{
+												Name: "test-volume",
+												VolumeSource: corev1.VolumeSource{
+													Secret: &corev1.SecretVolumeSource{
+														SecretName: "test-secret",
+													},
+												},
+											},
+										},
+										Containers: []corev1.Container{
+											{
+												Name: consts.DataPlaneProxyContainerName,
+												VolumeMounts: []corev1.VolumeMount{
+													{
+														Name:      "test-volume",
+														MountPath: "/var/test/",
+														ReadOnly:  true,
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			certSecretName: "certificate",
+			testBody: func(t *testing.T, reconciler Reconciler, dataPlane *operatorv1beta1.DataPlane, certSecretName string) {
+				ctx := t.Context()
+
+				deploymentBuilder := NewDeploymentBuilder(logr.Discard(), reconciler.Client).
+					WithClusterCertificate(certSecretName).
+					WithAdditionalLabels(deploymentLiveLabels)
+
+				deployment, res, err := deploymentBuilder.BuildAndDeploy(ctx, dataPlane, enforceConfig, validateDataPlaneImage)
+				require.NoError(t, err)
+				require.Equal(t, op.Created, res)
+				require.Len(t, deployment.Spec.Template.Spec.Volumes, 2)
+				require.Len(t, deployment.Spec.Template.Spec.Containers, 1)
+				require.Len(t, deployment.Spec.Template.Spec.Containers[0].VolumeMounts, 2)
+
+				certificateVolume := corev1.Volume{}
+				certificateVolume.Secret = &corev1.SecretVolumeSource{}
+				// Fill in the defaults for the volume after setting the secret volume source
+				// field. This prevents setting the empty dir volume source field which
+				// would conflict with the secret volume source field.
+				k8sresources.SetDefaultsVolume(&certificateVolume)
+				certificateVolume.Name = consts.ClusterCertificateVolume
+				certificateVolume.Secret.SecretName = "certificate"
+				certificateVolume.Secret.Items = []corev1.KeyToPath{
+					{
+						Key:  "tls.crt",
+						Path: "tls.crt",
+					},
+					{
+						Key:  "tls.key",
+						Path: "tls.key",
+					},
+					{
+						Key:  "ca.crt",
+						Path: "ca.crt",
+					},
+				}
+
+				testVolume := corev1.Volume{}
+				testVolume.Secret = &corev1.SecretVolumeSource{}
+				// Fill in the defaults for the volume after setting the secret volume source
+				// field. This prevents setting the empty dir volume source field which
+				// would conflict with the secret volume source field.
+				k8sresources.SetDefaultsVolume(&testVolume)
+				testVolume.Name = "test-volume"
+				testVolume.Secret.SecretName = "test-secret"
+
+				require.Equal(t, []corev1.VolumeMount{
+					{
+						Name:      "test-volume",
+						MountPath: "/var/test/",
+						ReadOnly:  true,
+					},
+					{
+						Name:      consts.ClusterCertificateVolume,
+						MountPath: consts.ClusterCertificateVolumeMountPath,
+						ReadOnly:  true,
+					},
+				},
+					deployment.Spec.Template.Spec.Containers[0].VolumeMounts,
+				)
+			},
+		},
 		{
 			name: "existing DataPlane deployment gets updated with expected spec.Strategy",
 			dataPlane: &operatorv1beta1.DataPlane{