changed order of volume and mounts for backward compatibility

Author: AndrewChubatiuk

.github/workflows/sandbox.yaml

@@ -58,5 +58,5 @@ jobs:
           delete-branch: true
           title: 'sandbox: update operator ${{ steps.update.outputs.IMAGE_TAG }}'
           body: |
-            Deploy [${{ steps.update.outputs.IMAGE_TAG }}"](https://github.com/VictoriaMetrics/operator/commit/${{ steps.update.outputs.IMAGE_TAG }}) to sandbox
+            Deploy [${{ steps.update.outputs.IMAGE_TAG }}](https://github.com/VictoriaMetrics/operator/commit/${{ steps.update.outputs.IMAGE_TAG }}) to sandbox
             > Auto-generated by `Github Actions Bot`

internal/controller/operator/factory/build/backup.go

@@ -21,7 +21,8 @@ func VMBackupManager(
 	ctx context.Context,
 	cr *vmv1beta1.VMBackup,
 	port string,
-	storagePath, dataVolumeName string,
+	storagePath string,
+	mounts []corev1.VolumeMount,
 	extraArgs map[string]string,
 	isCluster bool,
 	license *vmv1beta1.License,
@@ -85,16 +86,6 @@ func VMBackupManager(
 
 	var ports []corev1.ContainerPort
 	ports = append(ports, corev1.ContainerPort{Name: "http", Protocol: "TCP", ContainerPort: intstr.Parse(cr.Port).IntVal})
-
-	mounts := []corev1.VolumeMount{
-		{
-			Name:      dataVolumeName,
-			MountPath: storagePath,
-			ReadOnly:  false,
-		},
-	}
-	mounts = append(mounts, cr.VolumeMounts...)
-
 	if cr.CredentialsSecret != nil {
 		mounts = append(mounts, corev1.VolumeMount{
 			Name:      k8stools.SanitizeVolumeName("secret-" + cr.CredentialsSecret.Name),
@@ -171,9 +162,9 @@ func VMBackupManager(
 // VMRestore conditionally creates vmrestore container
 func VMRestore(
 	cr *vmv1beta1.VMBackup,
-	storagePath, dataVolumeName string,
+	storagePath string,
+	mounts []corev1.VolumeMount,
 ) (*corev1.Container, error) {
-
 	args := []string{
 		fmt.Sprintf("-storageDataPath=%s", storagePath),
 		"-eula",
@@ -198,15 +189,6 @@ func VMRestore(
 	var ports []corev1.ContainerPort
 	ports = append(ports, corev1.ContainerPort{Name: "http", Protocol: "TCP", ContainerPort: intstr.Parse(cr.Port).IntVal})
 
-	mounts := []corev1.VolumeMount{
-		{
-			Name:      dataVolumeName,
-			MountPath: storagePath,
-			ReadOnly:  false,
-		},
-	}
-	mounts = append(mounts, cr.VolumeMounts...)
-
 	if cr.CredentialsSecret != nil {
 		mounts = append(mounts, corev1.VolumeMount{
 			Name:      k8stools.SanitizeVolumeName("secret-" + cr.CredentialsSecret.Name),

internal/controller/operator/factory/build/container.go

@@ -2,6 +2,7 @@ package build
 
 import (
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
@@ -15,6 +16,7 @@ import (
 )
 
 const probeTimeoutSeconds int32 = 5
+const DataVolumeName = "data"
 
 type probeCRD interface {
 	Probe() *vmv1beta1.EmbeddedProbes
@@ -536,46 +538,48 @@ func AddSyslogTLSConfigToVolumes(dstVolumes []corev1.Volume, dstMounts []corev1.
 	return dstVolumes, dstMounts
 }
 
-func StorageVolumeMountsTo(volumes []corev1.Volume, mounts []corev1.VolumeMount, pvcSrc *corev1.PersistentVolumeClaimVolumeSource, volumeName, storagePath string) ([]corev1.Volume, []corev1.VolumeMount) {
-	var alreadyMounted bool
+func StorageVolumeMountsTo(volumes []corev1.Volume, mounts []corev1.VolumeMount, pvcSrc *corev1.PersistentVolumeClaimVolumeSource, storagePath, dataVolumeName string) ([]corev1.Volume, []corev1.VolumeMount, error) {
+	foundMount := false
 	for _, volumeMount := range mounts {
-		if volumeMount.Name == volumeName {
-			alreadyMounted = true
-			break
+		rel, err := filepath.Rel(volumeMount.MountPath, storagePath)
+		if err == nil && !strings.HasPrefix(rel, "..") {
+			if volumeMount.Name == dataVolumeName {
+				foundMount = true
+				break
+			}
+			return nil, nil, fmt.Errorf(
+				"unexpected volume=%q mounted to path=%q, which is reserved for volume=%q, path=%q",
+				volumeMount.Name, volumeMount.MountPath, dataVolumeName, storagePath)
+		} else {
+			if volumeMount.Name != dataVolumeName {
+				continue
+			}
+			return nil, nil, fmt.Errorf(
+				"unexpected volume=%q mounted to path=%q, expected path=%q",
+				volumeMount.Name, volumeMount.MountPath, dataVolumeName)
 		}
 	}
-	if !alreadyMounted {
-		mounts = append(mounts, corev1.VolumeMount{
-			Name:      volumeName,
+	if !foundMount {
+		mounts = append([]corev1.VolumeMount{{
+			Name:      dataVolumeName,
 			MountPath: storagePath,
-		})
-	}
-	if pvcSrc != nil {
-		volumes = append(volumes, corev1.Volume{
-			Name: volumeName,
-			VolumeSource: corev1.VolumeSource{
-				PersistentVolumeClaim: pvcSrc,
-			},
-		})
-		return volumes, mounts
+		}}, mounts...)
 	}
 
-	var volumePresent bool
 	for _, volume := range volumes {
-		if volume.Name == volumeName {
-			volumePresent = true
-			break
+		if volume.Name == dataVolumeName {
+			return volumes, mounts, nil
 		}
 	}
-	if volumePresent {
-		return volumes, mounts
-	}
-
-	volumes = append(volumes, corev1.Volume{
-		Name: volumeName,
-		VolumeSource: corev1.VolumeSource{
-			EmptyDir: &corev1.EmptyDirVolumeSource{},
-		},
-	})
-	return volumes, mounts
+	var source corev1.VolumeSource
+	if pvcSrc != nil {
+		source.PersistentVolumeClaim = pvcSrc
+	} else {
+		source.EmptyDir = &corev1.EmptyDirVolumeSource{}
+	}
+	volumes = append([]corev1.Volume{{
+		Name:         dataVolumeName,
+		VolumeSource: source,
+	}}, volumes...)
+	return volumes, mounts, nil
 }

internal/controller/operator/factory/build/container_test.go

@@ -353,92 +353,86 @@ func TestAddSyslogArgsTo(t *testing.T) {
 func TestStorageVolumeMountsTo(t *testing.T) {
 	type opts struct {
 		pvcSrc          *corev1.PersistentVolumeClaimVolumeSource
-		volumeName      string
 		storagePath     string
 		volumes         []corev1.Volume
 		expectedVolumes []corev1.Volume
 		mounts          []corev1.VolumeMount
 		expectedMounts  []corev1.VolumeMount
+		wantErr         bool
 	}
 	f := func(o opts) {
 		t.Helper()
-		gotVolumes, gotMounts := StorageVolumeMountsTo(o.volumes, o.mounts, o.pvcSrc, o.volumeName, o.storagePath)
+		gotVolumes, gotMounts, err := StorageVolumeMountsTo(o.volumes, o.mounts, o.pvcSrc, o.storagePath, DataVolumeName)
 		assert.Equal(t, o.expectedMounts, gotMounts)
 		assert.Equal(t, o.expectedVolumes, gotVolumes)
+		if o.wantErr {
+			assert.Error(t, err)
+		} else {
+			assert.NoError(t, err)
+		}
 	}
 
 	// no PVC spec and no volumes and mounts
 	f(opts{
-		volumeName:  "test",
 		storagePath: "/test",
 		expectedVolumes: []corev1.Volume{{
-			Name: "test",
+			Name: DataVolumeName,
 			VolumeSource: corev1.VolumeSource{
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		}},
 		expectedMounts: []corev1.VolumeMount{{
-			Name:      "test",
+			Name:      DataVolumeName,
 			MountPath: "/test",
 		}},
 	})
 
 	// with PVC spec and no volumes and mounts
 	f(opts{
-		volumeName:  "test",
 		storagePath: "/test",
 		pvcSrc: &corev1.PersistentVolumeClaimVolumeSource{
 			ClaimName: "test-claim",
 		},
 		expectedVolumes: []corev1.Volume{{
-			Name: "test",
+			Name: DataVolumeName,
 			VolumeSource: corev1.VolumeSource{
 				PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
 					ClaimName: "test-claim",
 				},
 			},
 		}},
 		expectedMounts: []corev1.VolumeMount{{
-			Name:      "test",
+			Name:      DataVolumeName,
 			MountPath: "/test",
 		}},
 	})
 
 	// with PVC spec and matching data volume
 	f(opts{
 		volumes: []corev1.Volume{{
-			Name: "test",
+			Name: DataVolumeName,
 			VolumeSource: corev1.VolumeSource{
 				AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
 					VolumeID: "aws-volume",
 				},
 			},
 		}},
-		volumeName:  "test",
 		storagePath: "/test",
 		pvcSrc: &corev1.PersistentVolumeClaimVolumeSource{
 			ClaimName: "test-claim",
 		},
 		expectedVolumes: []corev1.Volume{
 			{
-				Name: "test",
+				Name: DataVolumeName,
 				VolumeSource: corev1.VolumeSource{
 					AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
 						VolumeID: "aws-volume",
 					},
 				},
 			},
-			{
-				Name: "test",
-				VolumeSource: corev1.VolumeSource{
-					PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
-						ClaimName: "test-claim",
-					},
-				},
-			},
 		},
 		expectedMounts: []corev1.VolumeMount{{
-			Name:      "test",
+			Name:      DataVolumeName,
 			MountPath: "/test",
 		}},
 	})
@@ -453,31 +447,30 @@ func TestStorageVolumeMountsTo(t *testing.T) {
 				},
 			},
 		}},
-		volumeName:  "test",
 		storagePath: "/test",
 		pvcSrc: &corev1.PersistentVolumeClaimVolumeSource{
 			ClaimName: "test-claim",
 		},
 		expectedVolumes: []corev1.Volume{
 			{
-				Name: "extra",
+				Name: DataVolumeName,
 				VolumeSource: corev1.VolumeSource{
-					AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
-						VolumeID: "aws-volume",
+					PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+						ClaimName: "test-claim",
 					},
 				},
 			},
 			{
-				Name: "test",
+				Name: "extra",
 				VolumeSource: corev1.VolumeSource{
-					PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
-						ClaimName: "test-claim",
+					AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
+						VolumeID: "aws-volume",
 					},
 				},
 			},
 		},
 		expectedMounts: []corev1.VolumeMount{{
-			Name:      "test",
+			Name:      DataVolumeName,
 			MountPath: "/test",
 		}},
 	})
@@ -493,35 +486,76 @@ func TestStorageVolumeMountsTo(t *testing.T) {
 			},
 		}},
 		mounts: []corev1.VolumeMount{{
-			Name:      "test",
+			Name:      DataVolumeName,
 			MountPath: "/other-path",
 		}},
-		volumeName:  "test",
+		wantErr:     true,
 		storagePath: "/test",
 		pvcSrc: &corev1.PersistentVolumeClaimVolumeSource{
 			ClaimName: "test-claim",
 		},
+	})
+
+	// with PVC spec and intersecting data volume mount
+	f(opts{
+		volumes: []corev1.Volume{{
+			Name: "extra",
+			VolumeSource: corev1.VolumeSource{
+				AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
+					VolumeID: "aws-volume",
+				},
+			},
+		}},
+		mounts: []corev1.VolumeMount{{
+			Name:      DataVolumeName,
+			MountPath: "/test",
+		}},
+		storagePath: "/test/data",
+		pvcSrc: &corev1.PersistentVolumeClaimVolumeSource{
+			ClaimName: "test-claim",
+		},
 		expectedVolumes: []corev1.Volume{
 			{
-				Name: "extra",
+				Name: DataVolumeName,
 				VolumeSource: corev1.VolumeSource{
-					AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
-						VolumeID: "aws-volume",
+					PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+						ClaimName: "test-claim",
 					},
 				},
 			},
 			{
-				Name: "test",
+				Name: "extra",
 				VolumeSource: corev1.VolumeSource{
-					PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
-						ClaimName: "test-claim",
+					AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
+						VolumeID: "aws-volume",
 					},
 				},
 			},
 		},
 		expectedMounts: []corev1.VolumeMount{{
+			Name:      DataVolumeName,
+			MountPath: "/test",
+		}},
+	})
+
+	// with PVC spec and intersecting volume mount and absent volume
+	f(opts{
+		volumes: []corev1.Volume{{
+			Name: "test",
+			VolumeSource: corev1.VolumeSource{
+				AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
+					VolumeID: "aws-volume",
+				},
+			},
+		}},
+		mounts: []corev1.VolumeMount{{
 			Name:      "test",
-			MountPath: "/other-path",
+			MountPath: "/test",
 		}},
+		storagePath: "/test/data",
+		pvcSrc: &corev1.PersistentVolumeClaimVolumeSource{
+			ClaimName: "test-claim",
+		},
+		wantErr: true,
 	})
 }