SecretVolume using secret manager
This commit is contained in:
parent
23694f9939
commit
bf7138652f
@ -620,3 +620,9 @@ func (adc *attachDetachController) GetHostIP() (net.IP, error) {
|
|||||||
func (adc *attachDetachController) GetNodeAllocatable() (v1.ResourceList, error) {
|
func (adc *attachDetachController) GetNodeAllocatable() (v1.ResourceList, error) {
|
||||||
return v1.ResourceList{}, nil
|
return v1.ResourceList{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (adc *attachDetachController) GetSecretFunc() func(namespace, name string) (*v1.Secret, error) {
|
||||||
|
return func(_, _ string) (*v1.Secret, error) {
|
||||||
|
return nil, fmt.Errorf("GetSecret unsupported in attachDetachController")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -80,3 +80,9 @@ func (ctrl *PersistentVolumeController) GetHostIP() (net.IP, error) {
|
|||||||
func (ctrl *PersistentVolumeController) GetNodeAllocatable() (v1.ResourceList, error) {
|
func (ctrl *PersistentVolumeController) GetNodeAllocatable() (v1.ResourceList, error) {
|
||||||
return v1.ResourceList{}, nil
|
return v1.ResourceList{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (adc *PersistentVolumeController) GetSecretFunc() func(namespace, name string) (*v1.Secret, error) {
|
||||||
|
return func(_, _ string) (*v1.Secret, error) {
|
||||||
|
return nil, fmt.Errorf("GetSecret unsupported in PersistentVolumeController")
|
||||||
|
}
|
||||||
|
}
|
||||||
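Review bot: The receiver on the new `GetSecretFunc` is named `adc`, while the other method of `PersistentVolumeController` visible in this hunk (`GetNodeAllocatable`) uses `ctrl`; Go convention is one receiver name per type. Change the signature to `func (ctrl *PersistentVolumeController) GetSecretFunc() func(namespace, name string) (*v1.Secret, error) {`. The name appears to have been carried over from the attachDetachController version of the same method in the first hunk.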
|
@ -727,7 +727,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
|
|||||||
kubeDeps.Recorder)
|
kubeDeps.Recorder)
|
||||||
|
|
||||||
klet.volumePluginMgr, err =
|
klet.volumePluginMgr, err =
|
||||||
NewInitializedVolumePluginMgr(klet, kubeDeps.VolumePlugins)
|
NewInitializedVolumePluginMgr(klet, secretManager, kubeDeps.VolumePlugins)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -249,7 +249,7 @@ func newTestKubeletWithImageList(
|
|||||||
|
|
||||||
plug := &volumetest.FakeVolumePlugin{PluginName: "fake", Host: nil}
|
plug := &volumetest.FakeVolumePlugin{PluginName: "fake", Host: nil}
|
||||||
kubelet.volumePluginMgr, err =
|
kubelet.volumePluginMgr, err =
|
||||||
NewInitializedVolumePluginMgr(kubelet, []volume.VolumePlugin{plug})
|
NewInitializedVolumePluginMgr(kubelet, fakeSecretManager, []volume.VolumePlugin{plug})
|
||||||
require.NoError(t, err, "Failed to initialize VolumePluginMgr")
|
require.NoError(t, err, "Failed to initialize VolumePluginMgr")
|
||||||
|
|
||||||
kubelet.mounter = &mount.FakeMounter{}
|
kubelet.mounter = &mount.FakeMounter{}
|
||||||
|
@ -60,8 +60,9 @@ func TestRunOnce(t *testing.T) {
|
|||||||
Usage: 9 * mb,
|
Usage: 9 * mb,
|
||||||
Capacity: 10 * mb,
|
Capacity: 10 * mb,
|
||||||
}, nil)
|
}, nil)
|
||||||
|
fakeSecretManager := secret.NewFakeManager()
|
||||||
podManager := kubepod.NewBasicPodManager(
|
podManager := kubepod.NewBasicPodManager(
|
||||||
podtest.NewFakeMirrorClient(), secret.NewFakeManager())
|
podtest.NewFakeMirrorClient(), fakeSecretManager)
|
||||||
diskSpaceManager, _ := newDiskSpaceManager(cadvisor, DiskSpacePolicy{})
|
diskSpaceManager, _ := newDiskSpaceManager(cadvisor, DiskSpacePolicy{})
|
||||||
fakeRuntime := &containertest.FakeRuntime{}
|
fakeRuntime := &containertest.FakeRuntime{}
|
||||||
basePath, err := utiltesting.MkTmpdir("kubelet")
|
basePath, err := utiltesting.MkTmpdir("kubelet")
|
||||||
@ -92,7 +93,7 @@ func TestRunOnce(t *testing.T) {
|
|||||||
|
|
||||||
plug := &volumetest.FakeVolumePlugin{PluginName: "fake", Host: nil}
|
plug := &volumetest.FakeVolumePlugin{PluginName: "fake", Host: nil}
|
||||||
kb.volumePluginMgr, err =
|
kb.volumePluginMgr, err =
|
||||||
NewInitializedVolumePluginMgr(kb, []volume.VolumePlugin{plug})
|
NewInitializedVolumePluginMgr(kb, fakeSecretManager, []volume.VolumePlugin{plug})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("failed to initialize VolumePluginMgr: %v", err)
|
t.Fatalf("failed to initialize VolumePluginMgr: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -24,6 +24,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/api/v1"
|
"k8s.io/kubernetes/pkg/api/v1"
|
||||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||||
"k8s.io/kubernetes/pkg/cloudprovider"
|
"k8s.io/kubernetes/pkg/cloudprovider"
|
||||||
|
"k8s.io/kubernetes/pkg/kubelet/secret"
|
||||||
"k8s.io/kubernetes/pkg/util/io"
|
"k8s.io/kubernetes/pkg/util/io"
|
||||||
"k8s.io/kubernetes/pkg/util/mount"
|
"k8s.io/kubernetes/pkg/util/mount"
|
||||||
"k8s.io/kubernetes/pkg/volume"
|
"k8s.io/kubernetes/pkg/volume"
|
||||||
@ -37,10 +38,12 @@ import (
|
|||||||
// plugins - used to initialize volumePluginMgr
|
// plugins - used to initialize volumePluginMgr
|
||||||
func NewInitializedVolumePluginMgr(
|
func NewInitializedVolumePluginMgr(
|
||||||
kubelet *Kubelet,
|
kubelet *Kubelet,
|
||||||
|
secretManager secret.Manager,
|
||||||
plugins []volume.VolumePlugin) (*volume.VolumePluginMgr, error) {
|
plugins []volume.VolumePlugin) (*volume.VolumePluginMgr, error) {
|
||||||
kvh := &kubeletVolumeHost{
|
kvh := &kubeletVolumeHost{
|
||||||
kubelet: kubelet,
|
kubelet: kubelet,
|
||||||
volumePluginMgr: volume.VolumePluginMgr{},
|
volumePluginMgr: volume.VolumePluginMgr{},
|
||||||
|
secretManager: secretManager,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := kvh.volumePluginMgr.InitPlugins(plugins, kvh); err != nil {
|
if err := kvh.volumePluginMgr.InitPlugins(plugins, kvh); err != nil {
|
||||||
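Review bot: `NewInitializedVolumePluginMgr` stores the new `secretManager` argument without checking it, and `kubeletVolumeHost.GetSecretFunc` (hunk at L381) returns `kvh.secretManager.GetSecret`, so a nil manager becomes a nil-pointer panic when the secret plugin's `Init` evaluates that method value instead of an error from this constructor. Since the function already returns an error, rejecting nil here is the cheap fix: `if secretManager == nil { return nil, fmt.Errorf("secretManager must not be nil") }` before building `kvh` (confirm `fmt` is imported in this file; the visible import hunk does not show it). The parameter comment block above the signature also has no entry for the new parameter; add `// secretManager - used to resolve secrets on behalf of volume plugins via GetSecretFunc` alongside the `// plugins - ...` line. The function's body continues past the end of the hunk.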
@ -62,6 +65,7 @@ func (kvh *kubeletVolumeHost) GetPluginDir(pluginName string) string {
|
|||||||
type kubeletVolumeHost struct {
|
type kubeletVolumeHost struct {
|
||||||
kubelet *Kubelet
|
kubelet *Kubelet
|
||||||
volumePluginMgr volume.VolumePluginMgr
|
volumePluginMgr volume.VolumePluginMgr
|
||||||
|
secretManager secret.Manager
|
||||||
}
|
}
|
||||||
|
|
||||||
func (kvh *kubeletVolumeHost) GetPodVolumeDir(podUID types.UID, pluginName string, volumeName string) string {
|
func (kvh *kubeletVolumeHost) GetPodVolumeDir(podUID types.UID, pluginName string, volumeName string) string {
|
||||||
@ -132,3 +136,7 @@ func (kvh *kubeletVolumeHost) GetNodeAllocatable() (v1.ResourceList, error) {
|
|||||||
}
|
}
|
||||||
return node.Status.Allocatable, nil
|
return node.Status.Allocatable, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (kvh *kubeletVolumeHost) GetSecretFunc() func(namespace, name string) (*v1.Secret, error) {
|
||||||
|
return kvh.secretManager.GetSecret
|
||||||
|
}
|
||||||
|
@ -213,8 +213,11 @@ type VolumeHost interface {
|
|||||||
// Returns host IP or nil in the case of error.
|
// Returns host IP or nil in the case of error.
|
||||||
GetHostIP() (net.IP, error)
|
GetHostIP() (net.IP, error)
|
||||||
|
|
||||||
// Returns node allocatable
|
// Returns node allocatable.
|
||||||
GetNodeAllocatable() (v1.ResourceList, error)
|
GetNodeAllocatable() (v1.ResourceList, error)
|
||||||
|
|
||||||
|
// Returns a function that returns a secret.
|
||||||
|
GetSecretFunc() func(namespace, name string) (*v1.Secret, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// VolumePluginMgr tracks registered plugins.
|
// VolumePluginMgr tracks registered plugins.
|
||||||
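Review bot: The new interface comment `// Returns a function that returns a secret.` does not say what the two string arguments are, which is the part a `VolumeHost` implementer needs. In the file's existing comment style, `// Returns a function that fetches the secret with the given name from the given namespace, or an error.` states the contract implied by the `func(namespace, name string) (*v1.Secret, error)` signature. If the intended contract is that hosts which cannot serve secrets return an always-failing function rather than nil (as the controller implementations in this commit do), saying so here tells plugins whether they must nil-check the result.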
|
@ -23,7 +23,6 @@ go_library(
|
|||||||
"//pkg/volume:go_default_library",
|
"//pkg/volume:go_default_library",
|
||||||
"//pkg/volume/util:go_default_library",
|
"//pkg/volume/util:go_default_library",
|
||||||
"//vendor:github.com/golang/glog",
|
"//vendor:github.com/golang/glog",
|
||||||
"//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
|
|
||||||
"//vendor:k8s.io/apimachinery/pkg/types",
|
"//vendor:k8s.io/apimachinery/pkg/types",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
@ -22,7 +22,6 @@ import (
|
|||||||
"runtime"
|
"runtime"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
"k8s.io/kubernetes/pkg/api/v1"
|
"k8s.io/kubernetes/pkg/api/v1"
|
||||||
ioutil "k8s.io/kubernetes/pkg/util/io"
|
ioutil "k8s.io/kubernetes/pkg/util/io"
|
||||||
@ -44,6 +43,7 @@ const (
|
|||||||
// secretPlugin implements the VolumePlugin interface.
|
// secretPlugin implements the VolumePlugin interface.
|
||||||
type secretPlugin struct {
|
type secretPlugin struct {
|
||||||
host volume.VolumeHost
|
host volume.VolumeHost
|
||||||
|
getSecret func(namespace, name string) (*v1.Secret, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ volume.VolumePlugin = &secretPlugin{}
|
var _ volume.VolumePlugin = &secretPlugin{}
|
||||||
@ -60,6 +60,7 @@ func getPath(uid types.UID, volName string, host volume.VolumeHost) string {
|
|||||||
|
|
||||||
func (plugin *secretPlugin) Init(host volume.VolumeHost) error {
|
func (plugin *secretPlugin) Init(host volume.VolumeHost) error {
|
||||||
plugin.host = host
|
plugin.host = host
|
||||||
|
plugin.getSecret = host.GetSecretFunc()
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -97,6 +98,7 @@ func (plugin *secretPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volu
|
|||||||
source: *spec.Volume.Secret,
|
source: *spec.Volume.Secret,
|
||||||
pod: *pod,
|
pod: *pod,
|
||||||
opts: &opts,
|
opts: &opts,
|
||||||
|
getSecret: plugin.getSecret,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -148,6 +150,7 @@ type secretVolumeMounter struct {
|
|||||||
source v1.SecretVolumeSource
|
source v1.SecretVolumeSource
|
||||||
pod v1.Pod
|
pod v1.Pod
|
||||||
opts *volume.VolumeOptions
|
opts *volume.VolumeOptions
|
||||||
|
getSecret func(namespace, name string) (*v1.Secret, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ volume.Mounter = &secretVolumeMounter{}
|
var _ volume.Mounter = &secretVolumeMounter{}
|
||||||
@ -188,12 +191,7 @@ func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
kubeClient := b.plugin.host.GetKubeClient()
|
secret, err := b.getSecret(b.pod.Namespace, b.source.SecretName)
|
||||||
if kubeClient == nil {
|
|
||||||
return fmt.Errorf("Cannot setup secret volume %v because kube client is not configured", b.volName)
|
|
||||||
}
|
|
||||||
|
|
||||||
secret, err := kubeClient.Core().Secrets(b.pod.Namespace).Get(b.source.SecretName, metav1.GetOptions{})
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Errorf("Couldn't get secret %v/%v", b.pod.Namespace, b.source.SecretName)
|
glog.Errorf("Couldn't get secret %v/%v", b.pod.Namespace, b.source.SecretName)
|
||||||
return err
|
return err
|
||||||
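Review bot: The rewritten `SetUpAt` calls `b.getSecret` directly; the removed code returned an explicit error when the kube client was not configured, but nothing now guards the case where `getSecret` is nil (a mounter built before `Init` ran, or a host whose `GetSecretFunc` returns nil), which would panic inside the mount path instead of failing the volume setup. A one-line guard before the call restores the old behavior: `if b.getSecret == nil { return fmt.Errorf("Cannot setup secret volume %v because secret lookup is not configured", b.volName) }` (`fmt` was used by the removed line; confirm it is still imported after this change). The lookup now goes through the host's secret manager rather than a direct API read, so how fresh the data a pod sees is depends on how that manager is implemented; that is worth a sentence in the commit description. The body of `SetUpAt` begins and continues outside the hunk.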
|
@ -127,6 +127,12 @@ func (f *fakeVolumeHost) GetNodeAllocatable() (v1.ResourceList, error) {
|
|||||||
return v1.ResourceList{}, nil
|
return v1.ResourceList{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (f *fakeVolumeHost) GetSecretFunc() func(namespace, name string) (*v1.Secret, error) {
|
||||||
|
return func(namespace, name string) (*v1.Secret, error) {
|
||||||
|
return f.kubeClient.Core().Secrets(namespace).Get(name, metav1.GetOptions{})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func ProbeVolumePlugins(config VolumeConfig) []VolumePlugin {
|
func ProbeVolumePlugins(config VolumeConfig) []VolumePlugin {
|
||||||
if _, ok := config.OtherAttributes["fake-property"]; ok {
|
if _, ok := config.OtherAttributes["fake-property"]; ok {
|
||||||
return []VolumePlugin{
|
return []VolumePlugin{
|
||||||
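Review bot: The closure returned by `fakeVolumeHost.GetSecretFunc` dereferences `f.kubeClient` only when it is called, so a fake host constructed without a client panics inside the mounter's `SetUpAt` rather than failing with a readable error, far from where the test built the host. A guard such as `if f.kubeClient == nil { return nil, fmt.Errorf("fakeVolumeHost has no kubeClient") }` at the top of the closure keeps the test failure local (confirm `fmt` is imported in this test helper). `ProbeVolumePlugins` below continues past the end of the hunk.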
|