don't remount volumes if they already exist

Makefile

@@ -1,12 +1,13 @@
 REGISTRY?=gcr.io/k8s-minikube
-VERSION=v0.0.7
+VERSION=v0.0.8
 GOOS?=$(shell go env GOOS)
 
 build: ## Build the gcp-auth-webhook binary
 	CGO_ENABLED=0 GOOS=linux go build -o out/gcp-auth-webhook server.go
 
 .PHONY: image
 image: ## Create and push multiarch manifest and images
+	@read -p "This will build and push $(REGISTRY)/gcp-auth-webhook:$(VERSION). Do you want to proceed? (Y/N): " confirm && echo $$confirm | grep -iq "^[yY]" || exit 1;
 	curl -L https://github.com/google/ko/releases/download/v0.8.3/ko_0.8.3_$(GOOS)_x86_64.tar.gz | tar xzf - ko && chmod +x ./ko
 	KO_DOCKER_REPO=$(REGISTRY) ./ko publish -B . --platform all -t $(VERSION)
 	rm ./ko

server.go

@@ -129,11 +129,20 @@ func mutateHandler(w http.ResponseWriter, r *http.Request) {
 			envVars = append(envVars, e)
 
 			// add the volume in the list of patches
-			patch = append(patch, patchOperation{
-				Op:    "add",
-				Path:  "/spec/volumes",
-				Value: append(pod.Spec.Volumes, v),
-			})
+			addVolume := true
+			for _, vl := range pod.Spec.Volumes {
+				if vl.Name == v.Name {
+					addVolume = false
+					break
+				}
+			}
+			if addVolume {
+				patch = append(patch, patchOperation{
+					Op:    "add",
+					Path:  "/spec/volumes",
+					Value: append(pod.Spec.Volumes, v),
+				})
+			}
 		}
 
 		// If GOOGLE_CLOUD_PROJECT is set in the VM, set it for all GCP apps.
@@ -162,11 +171,20 @@ func mutateHandler(w http.ResponseWriter, r *http.Request) {
 							Value: []corev1.VolumeMount{mount},
 						})
 					} else {
-						patch = append(patch, patchOperation{
-							Op:    "add",
-							Path:  fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
-							Value: append(c.VolumeMounts, mount),
-						})
+						addMount := true
+						for _, vm := range c.VolumeMounts {
+							if vm.Name == mount.Name {
+								addMount = false
+								break
+							}
+						}
+						if addMount {
+							patch = append(patch, patchOperation{
+								Op:    "add",
+								Path:  fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
+								Value: append(c.VolumeMounts, mount),
+							})
+						}
 					}
 				}
 				if len(c.Env) == 0 {
@@ -269,21 +287,32 @@ func serviceaccountHandler(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	// Make sure the gcp-auth secret exists before adding it as a pull secret
+	hasSecret := false
+	for _, s := range sa.Secrets {
+		if s.Name == "gcp-auth" {
+			hasSecret = true
+			break
+		}
+	}
+
 	var patch []patchOperation
 
-	ips := corev1.LocalObjectReference{Name: "gcp-auth"}
-	if len(sa.ImagePullSecrets) == 0 {
-		patch = []patchOperation{{
-			Op:    "add",
-			Path:  "/imagePullSecrets",
-			Value: []corev1.LocalObjectReference{ips},
-		}}
-	} else {
-		patch = []patchOperation{{
-			Op:    "add",
-			Path:  "/imagePullSecrets",
-			Value: append(sa.ImagePullSecrets, ips),
-		}}
+	if hasSecret {
+		ips := corev1.LocalObjectReference{Name: "gcp-auth"}
+		if len(sa.ImagePullSecrets) == 0 {
+			patch = []patchOperation{{
+				Op:    "add",
+				Path:  "/imagePullSecrets",
+				Value: []corev1.LocalObjectReference{ips},
+			}}
+		} else {
+			patch = []patchOperation{{
+				Op:    "add",
+				Path:  "/imagePullSecrets",
+				Value: append(sa.ImagePullSecrets, ips),
+			}}
+		}
 	}
 
 	patchBytes, err := json.Marshal(patch)