fix: remove volumes and mounts if access has expired (#107)

nicolst · web-flow · commit 537d5a8788e1 · 2025-04-11T12:59:19.000+02:00
* fix: use correct error target type

* fix: remove volumes and mounts if access has expired

* fix: account for the curvature of spacetime

* test: add some tests for volumes mutator
diff --git a/go.mod b/go.mod
@@ -7,6 +7,7 @@ require (
 	cloud.google.com/go/resourcemanager v1.10.5
 	cloud.google.com/go/storage v1.51.0
 	github.com/caarlos0/env/v11 v11.3.1
+	github.com/go-test/deep v1.1.1
 	github.com/onsi/ginkgo/v2 v2.23.3
 	github.com/onsi/gomega v1.36.3
 	golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa
diff --git a/go.sum b/go.sum
@@ -77,6 +77,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
+github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
diff --git a/internal/controller/serviceaccount_controller.go b/internal/controller/serviceaccount_controller.go
@@ -146,7 +146,7 @@ func (r *ServiceAccountReconciler) removeIamBinding(ctx context.Context, group s
 	policy, err := r.Iam.Projects.ServiceAccounts.GetIamPolicy(gcpSaRef).OptionsRequestedPolicyVersion(3).Do()
 	if err != nil {
 		// We don't care about NotFound errors
-		var gErr googleapi.Error
+		var gErr *googleapi.Error
 		if errors.As(err, &gErr) && gErr.Code == http.StatusNotFound {
 			log.Info("service account no longer exists")
 			return ctrl.Result{}, nil
@@ -189,7 +189,7 @@ func (r *ServiceAccountReconciler) handleGcpSa(ctx context.Context, sa *corev1.S
 	policy, err := r.Iam.Projects.ServiceAccounts.GetIamPolicy(gcpSaRef).OptionsRequestedPolicyVersion(3).Do()
 	if err != nil {
 		// Ignore non-existent SAs, but log a warning
-		var gErr googleapi.Error
+		var gErr *googleapi.Error
 		if errors.As(err, &gErr) && gErr.Code == http.StatusNotFound {
 			log.Info("cannot set IAM policy on non-existent SA")
 			return ctrl.Result{}, nil
diff --git a/internal/controller/statefulset_webhook.go b/internal/controller/statefulset_webhook.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"slices"
 	"strings"
+	"time"
 
 	rm "cloud.google.com/go/resourcemanager/apiv3"
 	rmpb "cloud.google.com/go/resourcemanager/apiv3/resourcemanagerpb"
@@ -93,8 +94,6 @@ func (m *StatefulsetMutator) Handle(ctx context.Context, req admission.Request)
 		return admission.Errored(http.StatusBadRequest, err)
 	}
 
-	bucketMounts := getExtraBucketMounts(sfs.Annotations)
-
 	saAnnotations := map[string]string{
 		impersonateGroupAnnotation: group,
 		accessReasonAnnotation:     sfs.Annotations[accessReasonAnnotation],
@@ -130,20 +129,37 @@ func (m *StatefulsetMutator) Handle(ctx context.Context, req admission.Request)
 		}
 	}
 
-	if sharedBuckets, ok := sfs.Annotations[mountSharedBucketsAnnotation]; ok {
-		if err := m.addSharedBuckets(bucketMounts, sharedBuckets); err != nil {
-			log.Error(err, "failed to add shared buckets")
+	accessExpired := false
+	if groupConfig.ReasonRequired {
+		parsedDuration, err := time.ParseDuration(sfs.Annotations[requestedServiceDurationAnnotation])
+		if err != nil {
+			log.Error(err, "failed to parse requested duration", "durationAnnotation", sfs.Annotations[requestedServiceDurationAnnotation])
+			return admission.Denied("invalid requested duration format")
 		}
+
+		accessExpired = time.Now().After(sfs.CreationTimestamp.Add(parsedDuration))
 	}
 
-	// TODO: Use Dapla Team API for this?
-	if sfs.Annotations[mountStandardBucketsAnnotation] == "true" {
-		if err := m.addStandardBuckets(ctx, team, *groupConfig, bucketMounts); err != nil {
-			log.Error(err, "failed to add standard buckets")
+	if accessExpired {
+		removeBucketsFromPodSpec(&sfs.Spec.Template.Spec, serviceContainer)
+	} else {
+		bucketMounts := getExtraBucketMounts(sfs.Annotations)
+
+		if sharedBuckets, ok := sfs.Annotations[mountSharedBucketsAnnotation]; ok {
+			if err := m.addSharedBuckets(bucketMounts, sharedBuckets); err != nil {
+				log.Error(err, "failed to add shared buckets")
+			}
 		}
-	}
 
-	addBucketsToPodSpec(&sfs.Spec.Template.Spec, serviceContainer, bucketMounts, m.PrecreatorImage)
+		// TODO: Use Dapla Team API for this?
+		if sfs.Annotations[mountStandardBucketsAnnotation] == "true" {
+			if err := m.addStandardBuckets(ctx, team, *groupConfig, bucketMounts); err != nil {
+				log.Error(err, "failed to add standard buckets")
+			}
+		}
+
+		addBucketsToPodSpec(&sfs.Spec.Template.Spec, serviceContainer, bucketMounts, m.PrecreatorImage)
+	}
 
 	if m.IamProbeImage != "" && sfs.Annotations[iamProbeStatus] != iamProbeDone {
 		if err := m.launchIamProbe(ctx, sfs); err != nil {
diff --git a/internal/controller/volumes.go b/internal/controller/volumes.go
@@ -9,6 +9,10 @@ import (
 	"k8s.io/utils/ptr"
 )
 
+const (
+	precreatorContainerName = "bucket-folders-precreator"
+)
+
 func volumeNameIs(name string) func(v corev1.Volume) bool {
 	return func(v corev1.Volume) bool {
 		return v.Name == name
@@ -66,7 +70,7 @@ func addBucketsToPodSpec(podspec *corev1.PodSpec, container *corev1.Container, b
 	if modified {
 		precreator := corev1.Container{
 			Image: precreatorImage,
-			Name:  "bucket-folders-precreator",
+			Name:  precreatorContainerName,
 		}
 		for mountPoint, bucket := range bucketMounts {
 			volumeName := fmt.Sprintf("gcsfuse-%s", strings.ReplaceAll(mountPoint, "/", "--"))
@@ -84,3 +88,33 @@ func addBucketsToPodSpec(podspec *corev1.PodSpec, container *corev1.Container, b
 
 	return modified
 }
+
+func removeBucketsFromPodSpec(podspec *corev1.PodSpec, container *corev1.Container) (shouldUpdate bool) {
+	modified := false
+
+	podspec.Volumes = slices.DeleteFunc(podspec.Volumes, func(v corev1.Volume) bool {
+		if strings.HasPrefix(v.Name, "gcsfuse-") {
+			modified = true
+			return true
+		}
+		return false
+	})
+
+	container.VolumeMounts = slices.DeleteFunc(container.VolumeMounts, func(m corev1.VolumeMount) bool {
+		if strings.HasPrefix(m.Name, "gcsfuse-") {
+			modified = true
+			return true
+		}
+		return false
+	})
+
+	podspec.Containers = slices.DeleteFunc(podspec.Containers, func(c corev1.Container) bool {
+		if c.Name == precreatorContainerName {
+			modified = true
+			return true
+		}
+		return false
+	})
+
+	return modified
+}
diff --git a/internal/controller/volumes_test.go b/internal/controller/volumes_test.go
@@ -0,0 +1,187 @@
+package controller
+
+import (
+	"testing"
+
+	"github.com/go-test/deep"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestVolumeNameIs(t *testing.T) {
+	type TestCase struct {
+		Description string
+		Volume      corev1.Volume
+		Name        string
+		Expected    bool
+	}
+
+	tests := []TestCase{
+		{
+			Description: "Should return false if name does not match",
+			Volume:      corev1.Volume{Name: "my-volume"},
+			Name:        "abc",
+			Expected:    false,
+		},
+		{
+			Description: "Should return true if name matches",
+			Volume:      corev1.Volume{Name: "my-volume"},
+			Name:        "my-volume",
+			Expected:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Description, func(t *testing.T) {
+			if res := volumeNameIs(tt.Name)(tt.Volume); res != tt.Expected {
+				t.Errorf("volumeNameIs=%v, expected=%v", res, tt.Expected)
+			}
+		})
+	}
+}
+
+func TestVolumeMountNameIs(t *testing.T) {
+	type TestCase struct {
+		Description string
+		VolumeMount corev1.VolumeMount
+		Name        string
+		Expected    bool
+	}
+
+	tests := []TestCase{
+		{
+			Description: "Should return false if name does not match",
+			VolumeMount: corev1.VolumeMount{Name: "my-volume"},
+			Name:        "abc",
+			Expected:    false,
+		},
+		{
+			Description: "Should return true if name matches",
+			VolumeMount: corev1.VolumeMount{Name: "my-volume"},
+			Name:        "my-volume",
+			Expected:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Description, func(t *testing.T) {
+			if res := volumeMountNameIs(tt.Name)(tt.VolumeMount); res != tt.Expected {
+				t.Errorf("volumeMountNameIs=%v, expected=%v", res, tt.Expected)
+			}
+		})
+	}
+}
+
+func TestRemoveBucketsFromPodSpec(t *testing.T) {
+	type TestCase struct {
+		Description      string
+		PodSpec          corev1.PodSpec
+		ExpectedPodSpec  corev1.PodSpec
+		ExpectedModified bool
+	}
+
+	tests := []TestCase{
+		{
+			Description: "Should not change anything if no gcsfuse volumes/sidecars",
+			PodSpec: corev1.PodSpec{
+				Volumes: []corev1.Volume{
+					{
+						Name: "not-gcsfuse",
+					},
+				},
+				Containers: []corev1.Container{
+					{
+						Name: "not-gcsfuse",
+						VolumeMounts: []corev1.VolumeMount{
+							{
+								Name: "not-gcsfuse",
+							},
+						},
+					},
+				},
+			},
+			ExpectedPodSpec: corev1.PodSpec{
+				Volumes: []corev1.Volume{
+					{
+						Name: "not-gcsfuse",
+					},
+				},
+				Containers: []corev1.Container{
+					{
+						Name: "not-gcsfuse",
+						VolumeMounts: []corev1.VolumeMount{
+							{
+								Name: "not-gcsfuse",
+							},
+						},
+					},
+				},
+			},
+			ExpectedModified: false,
+		},
+		{
+			Description: "Should remove only relevant volumes and containers",
+			PodSpec: corev1.PodSpec{
+				Volumes: []corev1.Volume{
+					{
+						Name: "gcsfuse-1",
+					},
+					{
+						Name: "not-gcsfuse",
+					},
+					{
+						Name: "gcsfuse-2",
+					},
+				},
+				Containers: []corev1.Container{
+					{
+						Name: "not-gcsfuse",
+						VolumeMounts: []corev1.VolumeMount{
+							{
+								Name: "gcsfuse-1",
+							},
+							{
+								Name: "not-gcsfuse",
+							},
+							{
+								Name: "gcsfuse-2",
+							},
+						},
+					},
+					{
+						Name: precreatorContainerName,
+					},
+				},
+			},
+			ExpectedPodSpec: corev1.PodSpec{
+				Volumes: []corev1.Volume{
+					{
+						Name: "not-gcsfuse",
+					},
+				},
+				Containers: []corev1.Container{
+					{
+						Name: "not-gcsfuse",
+						VolumeMounts: []corev1.VolumeMount{
+							{
+								Name: "not-gcsfuse",
+							},
+						},
+					},
+				},
+			},
+			ExpectedModified: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Description, func(t *testing.T) {
+			if modified := removeBucketsFromPodSpec(&tt.PodSpec, &tt.PodSpec.Containers[0]); modified != tt.ExpectedModified {
+				t.Errorf("modified=%v, expected=%v", modified, tt.ExpectedModified)
+			}
+			if diff := deep.Equal(tt.PodSpec, tt.ExpectedPodSpec); diff != nil {
+				t.Errorf("modified PodSpec does not equal expected: %v", diff)
+			}
+		})
+	}
+
+}
