feat: Mouning resources should not cause workspace restart

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

Author: tolusha

controllers/workspace/devworkspace_controller.go

@@ -455,7 +455,10 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 
 	// Add automount resources into devfile containers
-	err = automount.ProvisionAutoMountResourcesInto(devfilePodAdditions, clusterAPI, workspace.Namespace, home.PersistUserHomeEnabled(workspace))
+	// Determine if workspace is transitioning from stopped state
+	// This is true when the workspace phase is not Starting or Running (i.e., it's Stopped, Failed, or empty)
+	isWorkspaceStarted := workspace.Status.Phase == dw.DevWorkspaceStatusStarting || workspace.Status.Phase == dw.DevWorkspaceStatusRunning
+	err = automount.ProvisionAutoMountResourcesInto(devfilePodAdditions, clusterAPI, workspace.Namespace, home.PersistUserHomeEnabled(workspace), isWorkspaceStarted)
 	if shouldReturn, reconcileResult, reconcileErr := r.checkDWError(workspace, err, "Failed to process automount resources", metrics.ReasonBadRequest, reqLogger, &reconcileStatus); shouldReturn {
 		return reconcileResult, reconcileErr
 	}

pkg/constants/attributes.go

@@ -171,4 +171,10 @@ const (
 	//           controller.devfile.io/restore-source-image: "registry.example.com/backups/my-workspace:20241111-123456"
 	//
 	WorkspaceRestoreSourceImageAttribute = "controller.devfile.io/restore-source-image"
+
+	// MountOnStartOnlyAttribute is an attribute applied to Kubernetes resources to indicate that they should only
+	// be mounted to a workspace when it starts from a stopped state. When this attribute is set to "true", newly created
+	// or updated resources will not be automatically mounted to running workspaces, preventing unwanted workspace
+	// restarts.
+	MountOnStartOnlyAttribute = "controller.devfile.io/mount-on-start-only"
 )

pkg/provision/automount/common.go

@@ -42,8 +42,14 @@ type Resources struct {
 	EnvFromSource []corev1.EnvFromSource
 }
 
-func ProvisionAutoMountResourcesInto(podAdditions *v1alpha1.PodAdditions, api sync.ClusterAPI, namespace string, persistentHome bool) error {
-	resources, err := getAutomountResources(api, namespace)
+func ProvisionAutoMountResourcesInto(
+	podAdditions *v1alpha1.PodAdditions,
+	api sync.ClusterAPI,
+	namespace string,
+	persistentHome bool,
+	isWorkspaceStarted bool,
+) error {
+	resources, err := getAutomountResources(api, namespace, isWorkspaceStarted)
 
 	if err != nil {
 		return err
@@ -76,18 +82,18 @@ func ProvisionAutoMountResourcesInto(podAdditions *v1alpha1.PodAdditions, api sy
 	return nil
 }
 
-func getAutomountResources(api sync.ClusterAPI, namespace string) (*Resources, error) {
-	gitCMAutoMountResources, err := ProvisionGitConfiguration(api, namespace)
+func getAutomountResources(api sync.ClusterAPI, namespace string, isWorkspaceStarted bool) (*Resources, error) {
+	gitCMAutoMountResources, err := ProvisionGitConfiguration(api, namespace, isWorkspaceStarted)
 	if err != nil {
 		return nil, err
 	}
 
-	cmAutoMountResources, err := getDevWorkspaceConfigmaps(namespace, api)
+	cmAutoMountResources, err := getDevWorkspaceConfigmaps(namespace, api, isWorkspaceStarted)
 	if err != nil {
 		return nil, err
 	}
 
-	secretAutoMountResources, err := getDevWorkspaceSecrets(namespace, api)
+	secretAutoMountResources, err := getDevWorkspaceSecrets(namespace, api, isWorkspaceStarted)
 	if err != nil {
 		return nil, err
 	}
@@ -104,7 +110,7 @@ func getAutomountResources(api sync.ClusterAPI, namespace string) (*Resources, e
 	}
 	dropItemsFieldFromVolumes(mergedResources.Volumes)
 
-	pvcAutoMountResources, err := getAutoMountPVCs(namespace, api)
+	pvcAutoMountResources, err := getAutoMountPVCs(namespace, api, isWorkspaceStarted)
 	if err != nil {
 		return nil, err
 	}

pkg/provision/automount/common_persistenthome_test.go

@@ -56,7 +56,7 @@ func TestProvisionAutomountResourcesIntoPersistentHomeEnabled(t *testing.T) {
 				Client: fake.NewClientBuilder().WithObjects(tt.Input.allObjects...).Build(),
 			}
 
-			err := ProvisionAutoMountResourcesInto(podAdditions, testAPI, testNamespace, true)
+			err := ProvisionAutoMountResourcesInto(podAdditions, testAPI, testNamespace, true, false)
 
 			if !assert.NoError(t, err, "Unexpected error") {
 				return

pkg/provision/automount/common_test.go

@@ -26,6 +26,7 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/yaml"
@@ -126,7 +127,7 @@ func TestProvisionAutomountResourcesInto(t *testing.T) {
 			}
 			// Note: this test does not allow for returning AutoMountError with isFatal: false (i.e. no retrying)
 			// and so is not suitable for testing automount features that provision cluster resources (yet)
-			err := ProvisionAutoMountResourcesInto(podAdditions, testAPI, testNamespace, false)
+			err := ProvisionAutoMountResourcesInto(podAdditions, testAPI, testNamespace, false, false)
 			if tt.Output.ErrRegexp != nil {
 				if !assert.Error(t, err, "Expected an error but got none") {
 					return
@@ -407,3 +408,220 @@ func loadTestCaseOrPanic(t *testing.T, testPath string) testCase {
 	test.TestPath = testPath
 	return test
 }
+
+func TestShouldNotMountSecretWithMountOnStartOnlyIfWorkspaceStarted(t *testing.T) {
+	testSecret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-secret",
+			Namespace: testNamespace,
+			Labels: map[string]string{
+				"controller.devfile.io/mount-to-devworkspace": "true",
+			},
+			Annotations: map[string]string{
+				"controller.devfile.io/mount-as":            "file",
+				"controller.devfile.io/mount-path":          "/test/path",
+				"controller.devfile.io/mount-on-start-only": "true",
+			},
+		},
+		Data: map[string][]byte{
+			"data": []byte("test"),
+		},
+	}
+
+	testAPI := sync.ClusterAPI{
+		Client: fake.NewClientBuilder().WithObjects(&testSecret).Build(),
+	}
+
+	testPodAdditions := &v1alpha1.PodAdditions{
+		Containers: []corev1.Container{{
+			Name:  "test-container",
+			Image: "test-image",
+		}},
+	}
+
+	// When workspace is started (isWorkspaceStarted=true), secret with mount-on-start-only should be skipped
+	err := ProvisionAutoMountResourcesInto(testPodAdditions, testAPI, testNamespace, false, true)
+	assert.NoError(t, err)
+	assert.Empty(t, testPodAdditions.Volumes)
+	assert.Empty(t, testPodAdditions.Containers[0].VolumeMounts)
+}
+
+func TestMountSecretWithMountOnStartOnlyIfWorkspaceNotStarted(t *testing.T) {
+	testSecret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-secret",
+			Namespace: testNamespace,
+			Labels: map[string]string{
+				"controller.devfile.io/mount-to-devworkspace": "true",
+			},
+			Annotations: map[string]string{
+				"controller.devfile.io/mount-as":            "file",
+				"controller.devfile.io/mount-path":          "/test/path",
+				"controller.devfile.io/mount-on-start-only": "true",
+			},
+		},
+		Data: map[string][]byte{
+			"data": []byte("test"),
+		},
+	}
+
+	testAPI := sync.ClusterAPI{
+		Client: fake.NewClientBuilder().WithObjects(&testSecret).Build(),
+	}
+
+	testPodAdditions := &v1alpha1.PodAdditions{
+		Containers: []corev1.Container{{
+			Name:  "test-container",
+			Image: "test-image",
+		}},
+	}
+
+	// When workspace is not started (isWorkspaceStarted=false), secret with mount-on-start-only should be mounted
+	err := ProvisionAutoMountResourcesInto(testPodAdditions, testAPI, testNamespace, false, false)
+	assert.NoError(t, err)
+	assert.Len(t, testPodAdditions.Volumes, 1)
+	assert.Len(t, testPodAdditions.Containers[0].VolumeMounts, 1)
+	assert.Equal(t, "test-secret", testPodAdditions.Volumes[0].Name)
+}
+
+func TestShouldNotMountConfigMapWithMountOnStartOnlyIfWorkspaceStarted(t *testing.T) {
+	testConfigMap := corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-cm",
+			Namespace: testNamespace,
+			Labels: map[string]string{
+				"controller.devfile.io/mount-to-devworkspace": "true",
+			},
+			Annotations: map[string]string{
+				"controller.devfile.io/mount-as":            "file",
+				"controller.devfile.io/mount-path":          "/test/path",
+				"controller.devfile.io/mount-on-start-only": "true",
+			},
+		},
+		Data: map[string]string{
+			"data": "test",
+		},
+	}
+
+	testAPI := sync.ClusterAPI{
+		Client: fake.NewClientBuilder().WithObjects(&testConfigMap).Build(),
+	}
+
+	testPodAdditions := &v1alpha1.PodAdditions{
+		Containers: []corev1.Container{{
+			Name:  "test-container",
+			Image: "test-image",
+		}},
+	}
+
+	// When workspace is started (isWorkspaceStarted=true), configmap with mount-on-start-only should be skipped
+	err := ProvisionAutoMountResourcesInto(testPodAdditions, testAPI, testNamespace, false, true)
+	assert.NoError(t, err)
+	assert.Empty(t, testPodAdditions.Volumes)
+	assert.Empty(t, testPodAdditions.Containers[0].VolumeMounts)
+}
+
+func TestMountConfigMapWithMountOnStartOnlyIfWorkspaceNotStarted(t *testing.T) {
+	testConfigMap := corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-cm",
+			Namespace: testNamespace,
+			Labels: map[string]string{
+				"controller.devfile.io/mount-to-devworkspace": "true",
+			},
+			Annotations: map[string]string{
+				"controller.devfile.io/mount-as":            "file",
+				"controller.devfile.io/mount-path":          "/test/path",
+				"controller.devfile.io/mount-on-start-only": "true",
+			},
+		},
+		Data: map[string]string{
+			"data": "test",
+		},
+	}
+
+	testAPI := sync.ClusterAPI{
+		Client: fake.NewClientBuilder().WithObjects(&testConfigMap).Build(),
+	}
+
+	testPodAdditions := &v1alpha1.PodAdditions{
+		Containers: []corev1.Container{{
+			Name:  "test-container",
+			Image: "test-image",
+		}},
+	}
+
+	// When workspace is not started (isWorkspaceStarted=false), configmap with mount-on-start-only should be mounted
+	err := ProvisionAutoMountResourcesInto(testPodAdditions, testAPI, testNamespace, false, false)
+	assert.NoError(t, err)
+	assert.Len(t, testPodAdditions.Volumes, 1)
+	assert.Len(t, testPodAdditions.Containers[0].VolumeMounts, 1)
+	assert.Equal(t, "test-cm", testPodAdditions.Volumes[0].Name)
+}
+
+func TestShouldNotMountPVCWithMountOnStartOnlyIfWorkspaceStarted(t *testing.T) {
+	testPVC := corev1.PersistentVolumeClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pvc",
+			Namespace: testNamespace,
+			Labels: map[string]string{
+				"controller.devfile.io/mount-to-devworkspace": "true",
+			},
+			Annotations: map[string]string{
+				"controller.devfile.io/mount-path":          "/test/path",
+				"controller.devfile.io/mount-on-start-only": "true",
+			},
+		},
+	}
+
+	testAPI := sync.ClusterAPI{
+		Client: fake.NewClientBuilder().WithObjects(&testPVC).Build(),
+	}
+
+	testPodAdditions := &v1alpha1.PodAdditions{
+		Containers: []corev1.Container{{
+			Name:  "test-container",
+			Image: "test-image",
+		}},
+	}
+
+	// When workspace is started (isWorkspaceStarted=true), PVC with mount-on-start-only should be skipped
+	err := ProvisionAutoMountResourcesInto(testPodAdditions, testAPI, testNamespace, false, true)
+	assert.NoError(t, err)
+	assert.Empty(t, testPodAdditions.Volumes)
+	assert.Empty(t, testPodAdditions.Containers[0].VolumeMounts)
+}
+
+func TestMountPVCWithMountOnStartOnlyIfWorkspaceNotStarted(t *testing.T) {
+	testPVC := corev1.PersistentVolumeClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pvc",
+			Namespace: testNamespace,
+			Labels: map[string]string{
+				"controller.devfile.io/mount-to-devworkspace": "true",
+			},
+			Annotations: map[string]string{
+				"controller.devfile.io/mount-path":          "/test/path",
+				"controller.devfile.io/mount-on-start-only": "true",
+			},
+		},
+	}
+
+	testAPI := sync.ClusterAPI{
+		Client: fake.NewClientBuilder().WithObjects(&testPVC).Build(),
+	}
+
+	testPodAdditions := &v1alpha1.PodAdditions{
+		Containers: []corev1.Container{{
+			Name:  "test-container",
+			Image: "test-image",
+		}},
+	}
+
+	// When workspace is not started (isWorkspaceStarted=false), PVC with mount-on-start-only should be mounted
+	err := ProvisionAutoMountResourcesInto(testPodAdditions, testAPI, testNamespace, false, false)
+	assert.NoError(t, err)
+	assert.Len(t, testPodAdditions.Volumes, 1)
+	assert.Len(t, testPodAdditions.Containers[0].VolumeMounts, 1)
+	assert.Equal(t, common.AutoMountPVCVolumeName("test-pvc"), testPodAdditions.Volumes[0].Name)
+}

pkg/provision/automount/configmap.go

@@ -29,7 +29,7 @@ import (
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 )
 
-func getDevWorkspaceConfigmaps(namespace string, api sync.ClusterAPI) (*Resources, error) {
+func getDevWorkspaceConfigmaps(namespace string, api sync.ClusterAPI, isWorkspaceStarted bool) (*Resources, error) {
 	configmaps := &corev1.ConfigMapList{}
 	if err := api.Client.List(api.Ctx, configmaps, k8sclient.InNamespace(namespace), k8sclient.MatchingLabels{
 		constants.DevWorkspaceMountLabel: "true",
@@ -42,6 +42,13 @@ func getDevWorkspaceConfigmaps(namespace string, api sync.ClusterAPI) (*Resource
 		if msg := checkAutomountVolumeForPotentialError(&configmap); msg != "" {
 			return nil, &dwerrors.FailError{Message: msg}
 		}
+
+		// Skip mounting if mount-on-start-only is set to "true" and workspace has been already started
+		mountOnStartOnly := configmap.Annotations[constants.MountOnStartOnlyAttribute] == "true"
+		if isWorkspaceStarted && mountOnStartOnly {
+			continue
+		}
+
 		mountAs := configmap.Annotations[constants.DevWorkspaceMountAsAnnotation]
 		mountPath := configmap.Annotations[constants.DevWorkspaceMountPathAnnotation]
 		if mountPath == "" {

pkg/provision/automount/gitconfig.go

@@ -26,8 +26,8 @@ import (
 const mergedGitCredentialsMountPath = "/.git-credentials/"
 
 // ProvisionGitConfiguration takes care of mounting git credentials and a gitconfig into a devworkspace.
-func ProvisionGitConfiguration(api sync.ClusterAPI, namespace string) (*Resources, error) {
-	credentialsSecrets, tlsConfigMaps, err := getGitResources(api, namespace)
+func ProvisionGitConfiguration(api sync.ClusterAPI, namespace string, isWorkspaceStarted bool) (*Resources, error) {
+	credentialsSecrets, tlsConfigMaps, err := getGitResources(api, namespace, isWorkspaceStarted)
 	if err != nil {
 		return nil, err
 	}
@@ -69,7 +69,7 @@ func ProvisionGitConfiguration(api sync.ClusterAPI, namespace string) (*Resource
 	return &resources, nil
 }
 
-func getGitResources(api sync.ClusterAPI, namespace string) (credentialSecrets []corev1.Secret, tlsConfigMaps []corev1.ConfigMap, err error) {
+func getGitResources(api sync.ClusterAPI, namespace string, isWorkspaceStarted bool) (credentialSecrets []corev1.Secret, tlsConfigMaps []corev1.ConfigMap, err error) {
 	credentialsLabelSelector := k8sclient.MatchingLabels{
 		constants.DevWorkspaceGitCredentialLabel: "true",
 	}
@@ -82,8 +82,13 @@ func getGitResources(api sync.ClusterAPI, namespace string) (credentialSecrets [
 		return nil, nil, err
 	}
 	var secrets []corev1.Secret
-	if len(secretList.Items) > 0 {
-		secrets = secretList.Items
+	for _, secret := range secretList.Items {
+		// Skip mounting if mount-on-start-only is set to "true" and workspace has been already started
+		mountOnStartOnly := secret.Annotations[constants.MountOnStartOnlyAttribute] == "true"
+		if isWorkspaceStarted && mountOnStartOnly {
+			continue
+		}
+		secrets = append(secrets, secret)
 	}
 	sortSecrets(secrets)
 
@@ -92,8 +97,13 @@ func getGitResources(api sync.ClusterAPI, namespace string) (credentialSecrets [
 		return nil, nil, err
 	}
 	var configmaps []corev1.ConfigMap
-	if len(configmapList.Items) > 0 {
-		configmaps = configmapList.Items
+	for _, configmap := range configmapList.Items {
+		// Skip mounting if mount-on-start-only is set to "true" and workspace has been already started
+		mountOnStartOnly := configmap.Annotations[constants.MountOnStartOnlyAttribute] == "true"
+		if isWorkspaceStarted && mountOnStartOnly {
+			continue
+		}
+		configmaps = append(configmaps, configmap)
 	}
 	sortConfigmaps(configmaps)