

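// mutatePods builds the admission response that injects the
// "secrets-init-container" init container into a pod carrying the
// "secrets.k8s.aws/secret-arn" annotation.
//
// The JSON patch prefix is chosen here and completed by applyPodPatch,
// which appends the env/volume/volumeMount fragments and closes the
// array differently depending on whether the pod already has init
// containers. Because the patch string is an ordinary argument, it is
// evaluated before applyPodPatch ever runs its callback, so the template
// must be selected by inspecting the pod here rather than inside
// shouldPatchPod (an assignment made there would only affect later
// requests). Selecting it here also keeps the package-level
// podsInitContainerPatch read-only, so concurrent admission requests do
// not race on it.
//
// Returns a failure response when sidecarImage is unset, mirroring
// mutatePodsSidecar; otherwise whatever applyPodPatch returns.
//
// NOTE(review): applyPodPatch splices the "secrets.k8s.aws/mount-path"
// and "secrets.k8s.aws/secret-filename" annotation values into this JSON
// without escaping; a value containing a quote breaks or alters the
// patch. Those values are pod-author controlled — confirm and escape them
// there.
func mutatePods(ar v1.AdmissionReview) *v1.AdmissionResponse {
	if sidecarImage == "" {
		return &v1.AdmissionResponse{
			Allowed: false,
			Result: &metav1.Status{
				Status:  "Failure",
				Message: "No image specified by the sidecar-image parameter",
				Code:    500,
			},
		}
	}

	// Template used when the pod has no init containers yet: it creates
	// the whole /spec/initContainers array. The string is intentionally
	// left open (no closing brackets); applyPodPatch finishes it.
	const initContainersCreatePatch = `[
                  {"op":"add","path":"/spec/initContainers","value":[{"image":"%v","name":"secrets-init-container","imagePullPolicy": "Always","volumeMounts":[{"name":"secret-vol","mountPath":"/tmp"}],"env":[{"name": "SECRET_ARN","valueFrom": {"fieldRef": {"fieldPath": "metadata.annotations['secrets.k8s.aws/secret-arn']"}}}`

	// Only pods that name a secret ARN and do not already carry the init
	// container are patched.
	shouldPatchPod := func(pod *corev1.Pod) bool {
		if _, ok := pod.ObjectMeta.Annotations["secrets.k8s.aws/secret-arn"]; !ok {
			return false
		}
		return !hasContainer(pod.Spec.InitContainers, "secrets-init-container")
	}

	// Default to the package-level template (presumably the
	// "/spec/initContainers/-" append form — confirm against its
	// declaration) and switch to the create form when the pod has no init
	// containers. A decode failure is deliberately not handled here:
	// applyPodPatch decodes the same bytes and reports the error.
	patchTemplate := podsInitContainerPatch
	if ar.Request != nil && len(ar.Request.Object.Raw) > 0 {
		var pod corev1.Pod
		if _, _, err := codecs.UniversalDeserializer().Decode(ar.Request.Object.Raw, nil, &pod); err == nil && len(pod.Spec.InitContainers) == 0 {
			patchTemplate = initContainersCreatePatch
		}
	}

	return applyPodPatch(ar, shouldPatchPod, fmt.Sprintf(patchTemplate, sidecarImage))
}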

// mutatePodsSidecar builds the admission response that injects the
// "webhook-added-sidecar" container, using podsSidecarPatch with
// sidecarImage substituted in. Pods that already have that container are
// left untouched; an unset sidecarImage yields a 500 failure response
// instead of a patch with an empty image.
func mutatePodsSidecar(ar v1.AdmissionReview) *v1.AdmissionResponse {
	if len(sidecarImage) == 0 {
		status := metav1.Status{
			Status:  "Failure",
			Message: "No image specified by the sidecar-image parameter",
			Code:    500,
		}
		return &v1.AdmissionResponse{Allowed: false, Result: &status}
	}

	needsSidecar := func(pod *corev1.Pod) bool {
		return !hasContainer(pod.Spec.Containers, "webhook-added-sidecar")
	}
	patch := fmt.Sprintf(podsSidecarPatch, sidecarImage)
	return applyPodPatch(ar, needsSidecar, patch)
}

// hasContainer reports whether any entry of containers is named
// containerName.
func hasContainer(containers []corev1.Container, containerName string) bool {
	found := false
	for i := 0; i < len(containers) && !found; i++ {
		found = containers[i].Name == containerName
	}
	return found
}


func applyPodPatch(ar v1.AdmissionReview, shouldPatchPod func(*corev1.Pod) bool, patch string) *v1.AdmissionResponse {
	klog.V(2).Info("mutating pods")
	podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
	if ar.Request.Resource != podResource {
		klog.Errorf("expect resource to be %s", podResource)
		return nil
	}
	raw := ar.Request.Object.Raw
	pod := corev1.Pod{}
	deserializer := codecs.UniversalDeserializer()
	if _, _, err := deserializer.Decode(raw, nil, &pod); err != nil {
		klog.Error(err)
		return toV1AdmissionResponse(err)
	}
	reviewResponse := v1.AdmissionResponse{}
	reviewResponse.Allowed = true
	if shouldPatchPod(&pod) {
                mount_path ,mount_path_ok := pod.ObjectMeta.Annotations["secrets.k8s.aws/mount-path"]
                secret_filename ,secret_filename_ok := pod.ObjectMeta.Annotations["secrets.k8s.aws/secret-filename"]
                var path = "{\"op\": \"add\",\"path\": \"/spec/containers/" 
                var value = "/volumeMounts/-\",\"value\": {\"mountPath\": \"/tmp/\",\"name\": \"secret-vol\"}}"
                if mount_path_ok == true { 
                    value = "/volumeMounts/-\",\"value\": {\"mountPath\":" + "\"" +  mount_path +"\""+ ",\"name\": \"secret-vol\"}}"
                }
                var vol_mounts = ""
                for i, _ := range pod.Spec.Containers {
                    if i == 0  {
                        vol_mounts = path + strconv.Itoa(i) + value
                        } else {
                        vol_mounts = vol_mounts + "," + path + strconv.Itoa(i) + value
                    }
                }
                if secret_filename_ok == true  {
                   patch = patch + ",{\"name\":\"SECRET_FILENAME\",\"value\":"+ "\"" + secret_filename + "\"}"
                }
                if  len(pod.Spec.InitContainers) == 0 {
                  patch = patch + `],"resources":{}}]},{"op":"add","path":"/spec/volumes/-","value":{"emptyDir": {"medium": "Memory"},"name": "secret-vol"}}` + "," + vol_mounts + "]"
                } else  {
                patch = patch + `],"resources":{}}},{"op":"add","path":"/spec/volumes/-","value":{"emptyDir": {"medium": "Memory"},"name": "secret-vol"}}` + "," + vol_mounts + "]"
                }