Fix task pod failure with duplicate sa secrets

This fix a problem that if duplicate secret used in service account, task pod cannot start due to the following errors: Pod "xxx" is invalid: spec.containers[0].volumeMounts[12].mountPath: Invalid value: "/tekton/creds-secrets/xxxxx": must be unique. Signed-off-by: Tianpeng Wang <tpwang@alauda.io>
tektoncd · Apr 8, 2022 · 15a37c9 · 15a37c9
1 parent e46259e
commit 15a37c9
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/pkg/pod/creds_init.go b/pkg/pod/creds_init.go
@@ -71,11 +71,20 @@ func credsInit(ctx context.Context, serviceAccountName, namespace string, kubecl
 
 	var volumeMounts []corev1.VolumeMount
 	var volumes []corev1.Volume
-	args := []string{}
+	var args []string
+	// Track duplicated secrets, prevent errors like this:
+	//  Pod "xxx" is invalid: spec.containers[0].volumeMounts[12].mountPath: Invalid value:
+	//  "/tekton/creds-secrets/demo-docker-credentials": must be unique
+	visitedSecrets := make(map[string]struct{})
 	for _, secretEntry := range sa.Secrets {
 		if secretEntry.Name == "" {
 			continue
 		}
+		if _, ok := visitedSecrets[secretEntry.Name]; ok {
+			continue
+		}
+		visitedSecrets[secretEntry.Name] = struct{}{}
+
 		secret, err := kubeclient.CoreV1().Secrets(namespace).Get(ctx, secretEntry.Name, metav1.GetOptions{})
 		if err != nil {
 			return nil, nil, nil, err

diff --git a/pkg/pod/creds_init_test.go b/pkg/pod/creds_init_test.go
@@ -119,6 +119,39 @@ func TestCredsInit(t *testing.T) {
 			MountPath: "/tekton/creds-secrets/my-creds",
 		}},
 		ctx: context.Background(),
+	}, {
+		desc: "service account has duplicate dockerconfigjson secret and no HOME env var passed in; initialize creds in /tekton/creds",
+		objs: []runtime.Object{
+			&corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{Name: serviceAccountName, Namespace: namespace},
+				Secrets: []corev1.ObjectReference{{
+					Name: "my-docker-creds",
+				}, {
+					Name: "my-docker-creds",
+				}, {
+					Name: "my-docker-creds",
+				}},
+			},
+			&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-docker-creds",
+					Namespace: namespace,
+				},
+				Type: "kubernetes.io/dockerconfigjson",
+				Data: map[string][]byte{
+					".dockerconfigjson": []byte("ewogICJhdXRocyI6IHsKICAgICJleGFtcGxlLmNvbSI6IHsKICAgICAgInVzZXJuYW1lIjogImRlbW8iLAogICAgICAicGFzc3dvcmQiOiAidGVzdCIKICB9Cn0KCg=="),
+				},
+			},
+		},
+		envVars: []corev1.EnvVar{},
+		wantArgs: []string{
+			"-docker-config=my-docker-creds",
+		},
+		wantVolumeMounts: []corev1.VolumeMount{{
+			Name:      "tekton-internal-secret-volume-my-docker-creds-9l9zj",
+			MountPath: "/tekton/creds-secrets/my-docker-creds",
+		}},
+		ctx: context.Background(),
 	}, {
 		desc: "service account with secret and HOME env var passed in",
 		objs: []runtime.Object{