Knative deployments do not generate proper volume mounts for secrets volumes #12121

Closed
jamesfalkner opened this issue Sep 15, 2020 · 4 comments · Fixed by #13939
Labels: area/kubernetes, kind/bug (Something isn't working)

@jamesfalkner

Describe the bug
When deploying as a knative service, the kubernetes/openshift extension does not generate secrets volume mounts properly.

Expected behavior
The declared secrets are mounted in the container running as a knative service

Actual behavior

[ERROR] Failed to execute goal io.quarkus:quarkus-maven-plugin:1.8.0.Final:build (default) on project infinispan-client-quickstart: Failed to build quarkus application: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
[ERROR]         [error]: Build step io.quarkus.kubernetes.deployment.KubernetesDeployer#deploy threw an exception: io.dekorate.deps.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://api.cluster-462c.462c.example.opentlc.com:6443/apis/serving.knative.dev/v1/namespaces/dgdemo/services. Message: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: volumeMount has no matching volume: spec.template.spec.containers[0].volumeMounts[0].name. Received status: Status(apiVersion=v1, code=400, details=null, kind=Status, message=admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: volumeMount has no matching volume: spec.template.spec.containers[0].volumeMounts[0].name, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=BadRequest, status=Failure, additionalProperties={}).

To Reproduce
Steps to reproduce the behavior:

  1. Add the following to application.properties:
quarkus.kubernetes.deployment-target=knative
quarkus.knative.mounts.my-volume.path=/mnt
quarkus.knative.secret-volumes.my-volume.secret-name=clientcerts

Along with other necessary bits to deploy a Quarkus app as a knative service

  2. Run mvn clean package -Pnative -DskipTests
  3. Observe failure above
  4. Observe values in target/kubernetes/knative.yml show that the volume mount is properly declared:
        volumeMounts:
        - mountPath: /mnt
          name: my-volume
          readOnly: false
          subPath: ""

**But there is no corresponding volume: declared on the Service object.**

When deploying as a regular non-knative deployment I do see the volume in openshift.yml:

      volumes:
      - name: my-volume
        secret:
          defaultMode: 384
          optional: false
          secretName: clientcerts

Configuration

quarkus.infinispan-client.server-list=example-infinispan:11222

# Auth
quarkus.infinispan-client.auth-server-name=example-infinispan
quarkus.infinispan-client.auth-realm=default
quarkus.infinispan-client.auth-username=developer
quarkus.infinispan-client.auth-password=XXXXXXX
quarkus.infinispan-client.sasl-mechanism=PLAIN
quarkus.infinispan-client.client-intelligence=BASIC

# cert stuff
quarkus.infinispan-client.trust-store=/mnt/clientcerts
quarkus.infinispan-client.trust-store-password=password
quarkus.infinispan-client.trust-store-type=jks

quarkus.openshift.mounts.my-volume.path=/mnt
quarkus.openshift.secret-volumes.my-volume.secret-name=clientcerts

quarkus.knative.mounts.my-volume.path=/mnt
quarkus.knative.secret-volumes.my-volume.secret-name=clientcerts


quarkus.native.container-build=true
quarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel:20.1-java11
quarkus.container-image.build=true
quarkus.kubernetes.deploy=true
quarkus.openshift.expose=true
quarkus.kubernetes-client.trust-certs=true
quarkus.kubernetes.deployment-target=knative
quarkus.container-image.registry=image-registry.openshift-image-registry.svc:5000
quarkus.container-image.group=dgdemo

Environment (please complete the following information):

  • Output of uname -a or ver: Darwin jfalkner-OSX 19.6.0 Darwin Kernel Version 19.6.0: Thu Jun 18 20:49:00 PDT 2020; root:xnu-6153.141.1~1/RELEASE_X86_64 x86_64
  • Output of java -version:
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.6+10)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.6+10, mixed mode)
  • GraalVM version (if different from Java):

using Mandrel

  • Quarkus version or git rev: 1.8.0.Final

  • Build tool (ie. output of mvnw --version or gradlew --version):

Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117; 2019-08-27T11:06:16-04:00)
Maven home: /Users/jfalkner/.m2/wrapper/dists/apache-maven-3.6.2-bin/795eh28tki48bv3l67maojf0ra/apache-maven-3.6.2
Java version: 11.0.6, vendor: AdoptOpenJDK, runtime: /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.6", arch: "x86_64", family: "mac"
@jamesfalkner jamesfalkner added the kind/bug Something isn't working label Sep 15, 2020
@geoand
Contributor

geoand commented Sep 16, 2020

cc @iocanel

@jbcodeforce

Hi, same issue for me. The following:

quarkus.knative.mounts.user-cert.path=/deployments/certs/user
quarkus.knative.mounts.es-cert.path=/deployments/certs/server
quarkus.knative.secret-volumes.es-cert.secret-name=sandbox-rp-cluster-ca-cert
quarkus.knative.secret-volumes.user-cert.secret-name=sandbox-rp-tls-cred

does not generate the volumes statements in the knative.yaml, but

quarkus.openshift.mounts.es-cert.path=/deployments/certs/server
quarkus.openshift.secret-volumes.es-cert.secret-name=sandbox-rp-cluster-ca-cert
quarkus.openshift.mounts.user-cert.path=/deployments/certs/user
quarkus.openshift.secret-volumes.user-cert.secret-name=sandbox-rp-tls-cred
in the openshift.yml does create the expected volumes declarations.

Thank you

@iocanel iocanel self-assigned this Dec 14, 2020
@iocanel
Contributor

iocanel commented Dec 14, 2020

This somehow slipped my attention. I'll have a look shortly

@iocanel
Contributor

iocanel commented Dec 16, 2020

It's a logical bug. All our existing volume decorators operate on PodSpec which of course does not exist in a knative Service.
I'll fix that ASAP.
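
The mismatch reported in this issue can be caught before deployment by checking the generated manifests. The following is an added example, not code from Quarkus or dekorate: it reports every volumeMount whose name has no matching entry under volumes in the same pod spec. The sample documents are constructed from the fragments quoted above; the container name and the `DeploymentConfig` kind are assumptions.

```python
# Added example (not Quarkus or dekorate code): find volumeMounts whose
# volume is not declared in the same pod spec, the condition the Knative
# admission webhook rejected in this issue.

def pod_spec(doc):
    """Pod spec of a Deployment-style object or a Knative Service.
    Both keep it under spec.template.spec."""
    return ((doc.get("spec") or {}).get("template") or {}).get("spec") or {}

def dangling_mounts(doc):
    """Return (container, mount) name pairs that have no matching volume."""
    spec = pod_spec(doc)
    declared = {v.get("name") for v in spec.get("volumes") or []}
    missing = []
    for group in ("initContainers", "containers"):
        for container in spec.get(group) or []:
            for mount in container.get("volumeMounts") or []:
                if mount.get("name") not in declared:
                    missing.append((container.get("name"), mount.get("name")))
    return missing

# Constructed sample documents, shaped like the fragments quoted in the issue.
# In practice, load each document of target/kubernetes/*.yml with a YAML parser.
MOUNT = {"mountPath": "/mnt", "name": "my-volume", "readOnly": False, "subPath": ""}
CONTAINER = {"name": "app", "volumeMounts": [MOUNT]}  # container name is assumed

KNATIVE_SERVICE = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "spec": {"template": {"spec": {"containers": [CONTAINER]}}},  # no volumes
}
OPENSHIFT_WORKLOAD = {
    "kind": "DeploymentConfig",  # kind is assumed; the page only shows volumes
    "spec": {"template": {"spec": {
        "containers": [CONTAINER],
        "volumes": [{"name": "my-volume", "secret": {
            "defaultMode": 384, "optional": False, "secretName": "clientcerts"}}],
    }}},
}

if __name__ == "__main__":
    for doc in (KNATIVE_SERVICE, OPENSHIFT_WORKLOAD):
        print(doc["kind"], dangling_mounts(doc) or "ok")
```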
