From 40bb82a5b83aa99bf46adcbc1455240ef0bec3f4 Mon Sep 17 00:00:00 2001 From: Jonathan Basseri Date: Wed, 30 Sep 2020 13:28:22 -0700 Subject: [PATCH 1/2] Update quobyte client API to v0.1.8 This update picks up https://github.com/quobyte/api/pull/19 which adds the needed `SetTransport` option. With this update, we can add the IP deny list into quobyte operations. --- go.mod | 4 +- go.sum | 4 +- vendor/github.com/quobyte/api/README.md | 4 ++ vendor/github.com/quobyte/api/quobyte.go | 4 ++ vendor/github.com/quobyte/api/rpc_client.go | 8 +++- vendor/github.com/quobyte/api/types.go | 46 ++++++++++++--------- vendor/modules.txt | 4 +- 7 files changed, 47 insertions(+), 27 deletions(-) diff --git a/go.mod b/go.mod index 9fcf52e564e..6cc3f1b4364 100644 --- a/go.mod +++ b/go.mod @@ -82,7 +82,7 @@ require ( github.com/prometheus/client_golang v1.7.1 github.com/prometheus/client_model v0.2.0 github.com/prometheus/common v0.10.0 - github.com/quobyte/api v0.1.2 + github.com/quobyte/api v0.1.8 github.com/robfig/cron v1.1.0 github.com/spf13/afero v1.2.2 github.com/spf13/cobra v1.1.1 @@ -401,7 +401,7 @@ replace ( github.com/prometheus/client_model => github.com/prometheus/client_model v0.2.0 github.com/prometheus/common => github.com/prometheus/common v0.10.0 github.com/prometheus/procfs => github.com/prometheus/procfs v0.1.3 - github.com/quobyte/api => github.com/quobyte/api v0.1.2 + github.com/quobyte/api => github.com/quobyte/api v0.1.8 github.com/remyoudompheng/bigfft => github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446 github.com/robfig/cron => github.com/robfig/cron v1.1.0 github.com/rogpeppe/fastuuid => github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af diff --git a/go.sum b/go.sum index 38c1f02a9bf..c1269e61674 100644 --- a/go.sum +++ b/go.sum 
@@ -425,8 +425,8 @@ github.com/prometheus/common v0.10.0 h1:RyRA7RzGXQZiW+tGMr7sxa85G1z0yOpM1qq5c8lN github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/quobyte/api v0.1.2 h1:lPHLsuvtjFyk8WhC4uHoHRkScijIHcffTWBBP+YpzYo= -github.com/quobyte/api v0.1.2/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI= +github.com/quobyte/api v0.1.8 h1:+sOX1gIlC/OaLipqVZWrHgly9Kh9Qo8OygeS0mWAg30= +github.com/quobyte/api v0.1.8/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI= github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= github.com/robfig/cron v1.1.0 h1:jk4/Hud3TTdcrJgUOBgsqrZBarcxl6ADIjSC2iniwLY= github.com/robfig/cron v1.1.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k= diff --git a/vendor/github.com/quobyte/api/README.md b/vendor/github.com/quobyte/api/README.md index 642468aedbc..1b7451f0148 100644 --- a/vendor/github.com/quobyte/api/README.md +++ b/vendor/github.com/quobyte/api/README.md @@ -24,6 +24,10 @@ func main() { RootUserID: "root", RootGroupID: "root", ConfigurationName: "BASE", + Labels: []quobyte_api.Label{ + {Name: "label1", Value: "value1"}, + {Name: "label2", Value: "value2"}, + }, } volumeUUID, err := client.CreateVolume(req) diff --git a/vendor/github.com/quobyte/api/quobyte.go b/vendor/github.com/quobyte/api/quobyte.go index e9179dbdf43..c5e36d7fc7b 100644 --- a/vendor/github.com/quobyte/api/quobyte.go +++ b/vendor/github.com/quobyte/api/quobyte.go 
@@ -32,6 +32,10 @@ func (client *QuobyteClient) GetAPIRetryPolicy() string { return client.apiRetryPolicy } +func (client *QuobyteClient) SetTransport(t http.RoundTripper) { + client.client.Transport = t +} + // NewQuobyteClient creates a new Quobyte API client func NewQuobyteClient(url string, username string, password string) *QuobyteClient { return &QuobyteClient{ diff --git a/vendor/github.com/quobyte/api/rpc_client.go b/vendor/github.com/quobyte/api/rpc_client.go index 7cab3842ae0..b5ea3694629 100644 --- a/vendor/github.com/quobyte/api/rpc_client.go +++ b/vendor/github.com/quobyte/api/rpc_client.go @@ -4,6 +4,7 @@ import ( "bytes" "encoding/json" "errors" + "fmt" "io" "log" "math/rand" @@ -112,7 +113,12 @@ func (client QuobyteClient) sendRequest(method string, request interface{}, resp defer resp.Body.Close() if resp.StatusCode < 200 || resp.StatusCode > 299 { - log.Printf("Warning: HTTP status code for request is %s\n", strconv.Itoa(resp.StatusCode)) + log.Printf("Warning: HTTP status code for request is %s\n", + strconv.Itoa(resp.StatusCode)) + if resp.StatusCode == 401 { + return errors.New("Unable to authenticate with Quobyte API service") + } + return fmt.Errorf("JsonRPC failed with error code %d", resp.StatusCode) } return decodeResponse(resp.Body, &response) } diff --git a/vendor/github.com/quobyte/api/types.go b/vendor/github.com/quobyte/api/types.go index 6682012c610..d15a71bfa76 100644 --- a/vendor/github.com/quobyte/api/types.go +++ b/vendor/github.com/quobyte/api/types.go 
@@ -1,25 +1,31 @@ package quobyte type retryPolicy struct { - RetryPolicy string `json:"retry,omitempty"` + RetryPolicy string `json:"retry,omitempty"` } // CreateVolumeRequest represents a CreateVolumeRequest type CreateVolumeRequest struct { - Name string `json:"name,omitempty"` - RootUserID string `json:"root_user_id,omitempty"` - RootGroupID string `json:"root_group_id,omitempty"` - ReplicaDeviceIDS []uint64 `json:"replica_device_ids,string,omitempty"` - ConfigurationName string `json:"configuration_name,omitempty"` - AccessMode uint32 `json:"access_mode,string,omitempty"` - TenantID string `json:"tenant_id,omitempty"` - retryPolicy + Name string `json:"name,omitempty"` + RootUserID string `json:"root_user_id,omitempty"` + RootGroupID string `json:"root_group_id,omitempty"` + ReplicaDeviceIDS []uint64 `json:"replica_device_ids,string,omitempty"` + ConfigurationName string `json:"configuration_name,omitempty"` + Labels []Label `json:"label,omitempty"` + AccessMode uint32 `json:"access_mode,uint32,omitempty"` + TenantID string `json:"tenant_id,omitempty"` + retryPolicy +} + +type Label struct { + Name string `json:"name,string,omitempty"` + Value string `json:"value,string,omitempty"` } type resolveVolumeNameRequest struct { - VolumeName string `json:"volume_name,omitempty"` - TenantDomain string `json:"tenant_domain,omitempty"` - retryPolicy + VolumeName string `json:"volume_name,omitempty"` + TenantDomain string `json:"tenant_domain,omitempty"` + retryPolicy } type resolveTenantNameRequest struct { @@ -35,8 +41,8 @@ type volumeUUID struct { } type getClientListRequest struct { - TenantDomain string `json:"tenant_domain,omitempty"` - retryPolicy + TenantDomain string `json:"tenant_domain,omitempty"` + retryPolicy } type GetClientListResponse struct { 
@@ -67,13 +73,13 @@ type quota struct { } type setQuotaRequest struct { - Quotas []*quota `json:"quotas,omitempty"` - retryPolicy + Quotas []*quota `json:"quotas,omitempty"` + retryPolicy } type getTenantRequest struct { - TenantIDs []string `json:"tenant_id,omitempty"` - retryPolicy + TenantIDs []string `json:"tenant_id,omitempty"` + retryPolicy } type GetTenantResponse struct { @@ -94,8 +100,8 @@ type TenantDomainConfigurationVolumeAccess struct { } type setTenantRequest struct { - Tenants *TenantDomainConfiguration `json:"tenant,omitempty"` - retryPolicy + Tenants *TenantDomainConfiguration `json:"tenant,omitempty"` + retryPolicy } type setTenantResponse struct { diff --git a/vendor/modules.txt b/vendor/modules.txt index c596c25ba89..a0eb55d9b54 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -975,10 +975,10 @@ github.com/prometheus/procfs # github.com/prometheus/procfs => github.com/prometheus/procfs v0.1.3 github.com/prometheus/procfs/internal/fs github.com/prometheus/procfs/internal/util -# github.com/quobyte/api v0.1.2 => github.com/quobyte/api v0.1.2 +# github.com/quobyte/api v0.1.8 => github.com/quobyte/api v0.1.8 ## explicit github.com/quobyte/api -# github.com/quobyte/api => github.com/quobyte/api v0.1.2 +# github.com/quobyte/api => github.com/quobyte/api v0.1.8 # github.com/remyoudompheng/bigfft => github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446 # github.com/robfig/cron v1.1.0 => github.com/robfig/cron v1.1.0 ## explicit From dfe6ea6df681eb8c2dcf47663988b82e0a4e9350 Mon Sep 17 00:00:00 2001 
From: Jonathan Basseri Date: Wed, 30 Sep 2020 17:16:31 -0700 Subject: [PATCH 2/2] Use FilteredDialContext with quobyte API This injects the filtered DialContext behavior from VolumeHost into the quobyte plugin, which allows us to configure a host deny list for the plugin. There should be no change in timeouts, because we are able to use the same default transport settings as before. --- pkg/volume/quobyte/BUILD | 1 + pkg/volume/quobyte/quobyte.go | 28 ++++++++++++++++++++++------ pkg/volume/quobyte/quobyte_util.go | 15 ++++++++++++--- 3 files changed, 35 insertions(+), 9 deletions(-) diff --git a/pkg/volume/quobyte/BUILD b/pkg/volume/quobyte/BUILD index e0f6c52266c..99adcb43860 100644 --- a/pkg/volume/quobyte/BUILD +++ b/pkg/volume/quobyte/BUILD @@ -15,6 +15,7 @@ go_library( ], importpath = "k8s.io/kubernetes/pkg/volume/quobyte", deps = [ + "//pkg/proxy/util:go_default_library", "//pkg/volume:go_default_library", "//pkg/volume/util:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", diff --git a/pkg/volume/quobyte/quobyte.go b/pkg/volume/quobyte/quobyte.go index 927e62a5039..60f8f500c8c 100644 --- a/pkg/volume/quobyte/quobyte.go +++ b/pkg/volume/quobyte/quobyte.go @@ -32,6 +32,7 @@ import ( "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + proxyutil "k8s.io/kubernetes/pkg/proxy/util" "k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume/util" ) @@ -65,6 +66,9 @@ const ( ) func (plugin *quobytePlugin) Init(host volume.VolumeHost) error { + if host == nil { + return errors.New("host must not be nil") + } plugin.host = host return nil } @@ -304,7 +308,8 @@ func (unmounter *quobyteUnmounter) TearDownAt(dir string) error { type quobyteVolumeDeleter struct { *quobyteMounter - pv *v1.PersistentVolume + pv *v1.PersistentVolume + dialOptions *proxyutil.FilteredDialOptions } func (plugin *quobytePlugin) NewDeleter(spec *volume.Spec) (volume.Deleter, error) { 
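Review bot: The `host == nil` guard added to `Init` compares an interface value, so a `volume.VolumeHost` that wraps a nil pointer could still pass it and only fail later, when `plugin.host.GetFilteredDialOptions()` is called. The same `errors.New("host must not be nil")` is repeated in `newDeleterInternal` and `newProvisionerInternal` in the later hunks of this file. A single package-level `var errNilHost = errors.New("host must not be nil")` returned from all three would keep the message in one place and give tests something to compare against. The new `dialOptions` field on `quobyteVolumeDeleter` is also undocumented; a comment such as `// dialOptions carries the host's deny-list settings for Quobyte API connections` would say why it sits next to `pv`.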
@@ -320,6 +325,9 @@ func (plugin *quobytePlugin) newDeleterInternal(spec *volume.Spec) (volume.Delet if err != nil { return nil, err } + if plugin.host == nil { + return nil, errors.New("host must not be nil") + } return &quobyteVolumeDeleter{ quobyteMounter: &quobyteMounter{ @@ -334,7 +342,8 @@ func (plugin *quobytePlugin) newDeleterInternal(spec *volume.Spec) (volume.Delet registry: source.Registry, readOnly: readOnly, }, - pv: spec.PersistentVolume, + pv: spec.PersistentVolume, + dialOptions: plugin.host.GetFilteredDialOptions(), }, nil } @@ -343,19 +352,24 @@ func (plugin *quobytePlugin) NewProvisioner(options volume.VolumeOptions) (volum } func (plugin *quobytePlugin) newProvisionerInternal(options volume.VolumeOptions) (volume.Provisioner, error) { + if plugin.host == nil { + return nil, errors.New("host must not be nil") + } return &quobyteVolumeProvisioner{ quobyteMounter: &quobyteMounter{ quobyte: &quobyte{ plugin: plugin, }, }, - options: options, + options: options, + dialOptions: plugin.host.GetFilteredDialOptions(), }, nil } type quobyteVolumeProvisioner struct { *quobyteMounter - options volume.VolumeOptions + options volume.VolumeOptions + dialOptions *proxyutil.FilteredDialOptions } func (provisioner *quobyteVolumeProvisioner) Provision(selectedNode *v1.Node, allowedTopologies []v1.TopologySelectorTerm) (*v1.PersistentVolume, error) { @@ -409,7 +423,8 @@ func (provisioner *quobyteVolumeProvisioner) Provision(selectedNode *v1.Node, al provisioner.volume = fmt.Sprintf("kubernetes-dynamic-pvc-%s", uuid.New().String()) manager := &quobyteVolumeManager{ - config: cfg, + config: cfg, + dialOptions: provisioner.dialOptions, } vol, sizeGB, err := manager.createVolume(provisioner, createQuota) @@ -449,7 +464,8 @@ func (deleter *quobyteVolumeDeleter) Delete() error { return err } manager := &quobyteVolumeManager{ - config: cfg, + config: cfg, + dialOptions: deleter.dialOptions, } err = manager.deleteVolume(deleter) if err != nil { 
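Review bot: Both `newDeleterInternal` and `newProvisionerInternal` store whatever `plugin.host.GetFilteredDialOptions()` returns without checking it, and the value is captured once at construction time. As far as I know, `NewFilteredDialContext` returns the wrapped dialer unchanged when its options are nil (please confirm against pkg/proxy/util). If so, a host that returns nil means volume create and delete calls reach the Quobyte API server with no deny list applied, and nothing is logged. If that fail-open behaviour is intended, state it on the field, e.g. `// dialOptions may be nil, in which case API connections are not filtered`; otherwise log when it is nil so an operator can tell the filter is inactive. The bodies of both functions continue outside these hunks.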
diff --git a/pkg/volume/quobyte/quobyte_util.go b/pkg/volume/quobyte/quobyte_util.go index 96ecdc429e0..a5857a8243a 100644 --- a/pkg/volume/quobyte/quobyte_util.go +++ b/pkg/volume/quobyte/quobyte_util.go @@ -18,19 +18,22 @@ package quobyte import ( "net" + "net/http" "os" "path/filepath" "strings" - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" volumehelpers "k8s.io/cloud-provider/volume/helpers" + proxyutil "k8s.io/kubernetes/pkg/proxy/util" quobyteapi "github.com/quobyte/api" "k8s.io/klog/v2" ) type quobyteVolumeManager struct { - config *quobyteAPIConfig + config *quobyteAPIConfig + dialOptions *proxyutil.FilteredDialOptions } func (manager *quobyteVolumeManager) createVolume(provisioner *quobyteVolumeProvisioner, createQuota bool) (quobyte *v1.QuobyteVolumeSource, size int, err error) { @@ -77,11 +80,17 @@ func (manager *quobyteVolumeManager) deleteVolume(deleter *quobyteVolumeDeleter) } func (manager *quobyteVolumeManager) createQuobyteClient() *quobyteapi.QuobyteClient { - return quobyteapi.NewQuobyteClient( + client := quobyteapi.NewQuobyteClient( manager.config.quobyteAPIServer, manager.config.quobyteUser, manager.config.quobytePassword, ) + // quobyte client library @v0.1.7 uses a zero-value http.Client with a nil + // transport which is equivalent to using http.DefaultTransport. + rt := http.DefaultTransport.(*http.Transport).Clone() + rt.DialContext = proxyutil.NewFilteredDialContext(rt.DialContext, nil, manager.dialOptions) + client.SetTransport(rt) + return client } func (mounter *quobyteMounter) pluginDirIsMounted(pluginDir string) (bool, error) {
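Review bot: `http.DefaultTransport.(*http.Transport).Clone()` in `createQuobyteClient` is an unchecked type assertion, so it panics in any binary where `http.DefaultTransport` has been replaced by a wrapping `RoundTripper`. Prefer the two-value form, `dt, ok := http.DefaultTransport.(*http.Transport)`. Whatever the `!ok` branch does, it should still install the filtered dialer rather than hand back a client with the library's default transport. The clone also inherits `Proxy: http.ProxyFromEnvironment`, so when a proxy is configured the filtered dialer presumably sees the proxy's address rather than the Quobyte API server's; it is worth deciding explicitly whether `rt.Proxy` should be cleared here. The comment cites `@v0.1.7` while patch 1/2 vendors v0.1.8, so it should name the vendored version or drop the version.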