func buildPodTemplate()

in pkg/controller/beat/common/pod.go [76:227]


// buildPodTemplate assembles the pod template for a Beat, starting from the
// template returned by params.GetPodTemplate().
//
// It reconciles the keystore resources, then collects the config secret volume,
// the data volume and one CA secret volume per association that has a CA
// configured. When stack monitoring is defined it also reconciles the sidecar
// config secrets and adds the logs and/or metrics sidecar containers. Everything
// is finally handed to the pod template builder.
//
// configHash is written to when keystore resources exist. Its Sum32 is stored
// under ConfigHashAnnotationName, so the annotation value tracks the keystore
// hash in addition to whatever the caller already wrote into configHash.
//
// Error returns are not uniform: keystore, sidecar and secret reconciliation
// failures return the template obtained from params.GetPodTemplate() together
// with the error, while association and version parsing failures return an
// empty corev1.PodTemplateSpec. Callers should ignore the template whenever the
// error is non-nil.
func buildPodTemplate(
	params DriverParams,
	defaultImage container.Image,
	configHash hash.Hash32,
) (corev1.PodTemplateSpec, error) {
	userTemplate := params.GetPodTemplate()

	ksResources, err := keystore.ReconcileResources(
		params.Context,
		params,
		&params.Beat,
		namer,
		params.Beat.GetIdentityLabels(),
		initContainerParameters(params.Beat.Spec.Type),
	)
	if err != nil {
		return userTemplate, err
	}

	beatSpec := &params.Beat.Spec
	dataVol := createDataVolume(params)
	// The Beat configuration is delivered through a secret volume. The trailing
	// 0444 is presumably the file mode, i.e. readable by every user in the
	// container and writable by none.
	// NOTE(review): confirm against volume.NewSecretVolume.
	configVol := volume.NewSecretVolume(
		ConfigSecretName(beatSpec.Type, params.Beat.Name),
		ConfigVolumeName,
		ConfigMountPath,
		ConfigFileName,
		0444,
	)
	volumeLikes := []volume.VolumeLike{configVol, dataVol}

	// Mount the CA secret of every association that has one configured, under a
	// per-association-type volume name and certificates directory.
	for _, association := range params.Beat.GetAssociations() {
		conf, confErr := association.AssociationConf()
		if confErr != nil {
			return corev1.PodTemplateSpec{}, confErr
		}
		if conf.CAIsConfigured() {
			volumeLikes = append(volumeLikes, volume.NewSecretVolumeWithMountPath(
				conf.GetCASecretName(),
				fmt.Sprintf("%s-certs", association.AssociationType()),
				certificatesDir(association),
			))
		}
	}

	podVolumes := make([]corev1.Volume, 0, len(volumeLikes))
	mounts := make([]corev1.VolumeMount, 0, len(volumeLikes))
	for i := range volumeLikes {
		podVolumes = append(podVolumes, volumeLikes[i].Volume())
		mounts = append(mounts, volumeLikes[i].VolumeMount())
	}

	var (
		initContainers []corev1.Container
		sidecars       []corev1.Container
	)

	if ksResources != nil {
		// Fold the keystore hash into the config hash. The result of Write is
		// discarded on purpose: hash.Hash documents that Write never fails.
		_, _ = configHash.Write([]byte(ksResources.Hash))
		podVolumes = append(podVolumes, ksResources.Volume)
		initContainers = append(initContainers, ksResources.InitContainer)
	}

	if monitoring.IsLogsDefined(&params.Beat) {
		logsSidecar, sidecarErr := beat_stackmon.Filebeat(params.Context, params.Client, &params.Beat, params.Beat.Spec.Version)
		if sidecarErr != nil {
			return userTemplate, sidecarErr
		}
		// The default container name has to be replaced, otherwise the pod
		// template builder would drop the sidecar as a duplicate name.
		logsSidecar.Container.Name = "logs-monitoring-sidecar"
		_, secretErr := reconciler.ReconcileSecret(params.Context, params.Client, logsSidecar.ConfigSecret, &params.Beat)
		if secretErr != nil {
			return userTemplate, secretErr
		}
		// Writable mount of the shared volume the Beat writes its log files to,
		// so that the sidecar can consume them.
		mounts = append(mounts, corev1.VolumeMount{
			Name:      "filebeat-logs",
			ReadOnly:  false,
			MountPath: "/usr/share/filebeat/logs",
		})
		podVolumes = append(podVolumes, logsSidecar.Volumes...)
		if runningAsRoot(params.Beat) {
			// The sidecar's SecurityContext is replaced as a whole by one that
			// only sets UID 0; any other field set on it beforehand is dropped.
			// NOTE(review): confirm beat_stackmon.Filebeat sets none that must survive.
			logsSidecar.Container.SecurityContext = &corev1.SecurityContext{
				RunAsUser: ptr.To(int64(0)),
			}
		}
		sidecars = append(sidecars, logsSidecar.Container)
	}

	if monitoring.IsMetricsDefined(&params.Beat) {
		metricsSidecar, sidecarErr := beat_stackmon.MetricBeat(params.Context, params.Client, &params.Beat)
		if sidecarErr != nil {
			return userTemplate, sidecarErr
		}
		// The default container name has to be replaced, otherwise the pod
		// template builder would drop the sidecar as a duplicate name.
		metricsSidecar.Container.Name = "metrics-monitoring-sidecar"
		_, secretErr := reconciler.ReconcileSecret(params.Context, params.Client, metricsSidecar.ConfigSecret, &params.Beat)
		if secretErr != nil {
			return userTemplate, secretErr
		}
		// Writable mount of the shared volume that carries the Unix socket used
		// between the containers.
		mounts = append(mounts, corev1.VolumeMount{
			Name:      "shared-data",
			ReadOnly:  false,
			MountPath: "/var/shared",
		})
		podVolumes = append(podVolumes, metricsSidecar.Volumes...)
		if runningAsRoot(params.Beat) {
			// The sidecar's SecurityContext is replaced as a whole by one that
			// only sets UID 0; any other field set on it beforehand is dropped.
			// NOTE(review): confirm beat_stackmon.MetricBeat sets none that must survive.
			metricsSidecar.Container.SecurityContext = &corev1.SecurityContext{
				RunAsUser: ptr.To(int64(0)),
			}
		}
		sidecars = append(sidecars, metricsSidecar.Container)
	}

	podLabels := maps.Merge(
		params.Beat.GetIdentityLabels(),
		map[string]string{VersionLabelName: beatSpec.Version},
	)
	podAnnotations := map[string]string{
		ConfigHashAnnotationName: fmt.Sprint(configHash.Sum32()),
	}

	parsedVersion, err := version.Parse(beatSpec.Version)
	if err != nil {
		// Unlikely to happen: validation should already have rejected the version.
		return corev1.PodTemplateSpec{}, err
	}

	builder := defaults.NewPodTemplateBuilder(userTemplate, beatSpec.Type).
		WithLabels(podLabels).
		WithAnnotations(podAnnotations).
		WithResources(defaultResources).
		WithDockerImage(beatSpec.Image, container.ImageRepository(defaultImage, parsedVersion)).
		WithVolumes(podVolumes...).
		WithVolumeMounts(mounts...).
		WithInitContainers(initContainers...).
		WithInitContainerDefaults().
		WithContainers(sidecars...)

	// Without logs monitoring the Beat is started with "-e".
	if !monitoring.IsLogsDefined(&params.Beat) {
		return builder.WithArgs("-e", "-c", ConfigMountPath).PodTemplate, nil
	}

	// With logs monitoring the Beat must not log to stderr only: it has to write
	// a log file for the Filebeat sidecar to consume. "-e" is therefore removed
	// from the main container if present and left out of the startup arguments.
	if mainContainer := builder.MainContainer(); mainContainer != nil {
		removeLogToStderrOption(mainContainer)
	}
	return builder.WithArgs("-c", ConfigMountPath).PodTemplate, nil
}