plumb service account token down to csi driver

kubernetes · Nov 12, 2020 · d2859cd · d2859cd
1 parent f4a156e
commit d2859cd
Show file tree

Hide file tree

Showing 80 changed files with 2,177 additions and 407 deletions.
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
diff --git a/pkg/apis/storage/fuzzer/fuzzer.go b/pkg/apis/storage/fuzzer/fuzzer.go
@@ -87,6 +87,10 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 				obj.Spec.FSGroupPolicy = new(storage.FSGroupPolicy)
 				*obj.Spec.FSGroupPolicy = storage.ReadWriteOnceWithFSTypeFSGroupPolicy
 			}
+			if obj.Spec.RequiresRepublish == nil {
+				obj.Spec.RequiresRepublish = new(bool)
+				*(obj.Spec.RequiresRepublish) = false
+			}
 			if len(obj.Spec.VolumeLifecycleModes) == 0 {
 				obj.Spec.VolumeLifecycleModes = []storage.VolumeLifecycleMode{
 					storage.VolumeLifecyclePersistent,

diff --git a/pkg/apis/storage/types.go b/pkg/apis/storage/types.go
@@ -337,6 +337,43 @@ type CSIDriverSpec struct {
 	//
 	// +optional
 	StorageCapacity *bool
+
+	// TokenRequests indicates the CSI driver needs pods' service account
+	// tokens it is mounting volume for to do necessary authentication. Kubelet
+	// will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
+	// The CSI driver should parse and validate the following VolumeContext:
+	// "csi.storage.k8s.io/serviceAccount.tokens": {
+	//   "<audience>": {
+	//     "token": <token>,
+	//     "expirationTimestamp": <expiration timestamp in RFC3339>,
+	//   },
+	//   ...
+	// }
+	//
+	// Note: Audience in each TokenRequest should be different and at
+	// most one token is empty string. To receive a new token after expiry,
+	// RequiresRepublish can be used to trigger NodePublishVolume periodically.
+	//
+	// This is an alpha feature and only available when the
+	// CSIServiceAccountToken feature is enabled.
+	//
+	// +optional
+	// +listType=atomic
+	TokenRequests []TokenRequest
+
+	// RequiresRepublish indicates the CSI driver wants `NodePublishVolume`
+	// being periodically called to reflect any possible change in the mounted
+	// volume. This field defaults to false.
+	//
+	// Note: After a successful initial NodePublishVolume call, subsequent calls
+	// to NodePublishVolume should only update the contents of the volume. New
+	// mount points will not be seen by a running container.
+	//
+	// This is an alpha feature and only available when the
+	// CSIServiceAccountToken feature is enabled.
+	//
+	// +optional
+	RequiresRepublish *bool
 }
 
 // FSGroupPolicy specifies if a CSI Driver supports modifying
@@ -374,6 +411,20 @@ const (
 // More modes may be added in the future.
 type VolumeLifecycleMode string
 
+// TokenRequest contains parameters of a service account token.
+type TokenRequest struct {
+	// Audience is the intended audience of the token in "TokenRequestSpec".
+	// It will default to the audiences of kube apiserver.
+	//
+	Audience string
+
+	// ExpirationSeconds is the duration of validity of the token in "TokenRequestSpec".
+	// It has the same default value of "ExpirationSeconds" in "TokenRequestSpec."
+	//
+	// +optional
+	ExpirationSeconds *int64
+}
+
 const (
 	// VolumeLifecyclePersistent explicitly confirms that the driver implements
 	// the full CSI spec. It is the default when CSIDriverSpec.VolumeLifecycleModes is not

diff --git a/pkg/apis/storage/v1/BUILD b/pkg/apis/storage/v1/BUILD
@@ -58,5 +58,6 @@ go_test(
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//staging/src/k8s.io/component-base/featuregate/testing:go_default_library",
+        "//vendor/github.com/google/go-cmp/cmp:go_default_library",
     ],
 )
diff --git a/pkg/apis/storage/v1/defaults.go b/pkg/apis/storage/v1/defaults.go
@@ -60,4 +60,8 @@ func SetDefaults_CSIDriver(obj *storagev1.CSIDriver) {
 	if len(obj.Spec.VolumeLifecycleModes) == 0 && utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
 		obj.Spec.VolumeLifecycleModes = append(obj.Spec.VolumeLifecycleModes, storagev1.VolumeLifecyclePersistent)
 	}
+	if obj.Spec.RequiresRepublish == nil && utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
+		obj.Spec.RequiresRepublish = new(bool)
+		*(obj.Spec.RequiresRepublish) = false
+	}
 }
diff --git a/pkg/apis/storage/v1/defaults_test.go b/pkg/apis/storage/v1/defaults_test.go
@@ -20,6 +20,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -90,3 +91,48 @@ func TestSetDefaultVolumeBindingMode(t *testing.T) {
 		t.Errorf("Expected VolumeBindingMode to be defaulted to: %+v, got: %+v", defaultMode, outMode)
 	}
 }
+
+func TestSetDefaultCSIDriver(t *testing.T) {
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIInlineVolume, true)()
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountToken, true)()
+
+	enabled := true
+	disabled := false
+	tests := []struct {
+		desc     string
+		field    string
+		wantSpec *storagev1.CSIDriverSpec
+	}{
+		{
+			desc:     "AttachRequired default to true",
+			field:    "AttachRequired",
+			wantSpec: &storagev1.CSIDriverSpec{AttachRequired: &enabled},
+		},
+		{
+			desc:     "PodInfoOnMount default to false",
+			field:    "PodInfoOnMount",
+			wantSpec: &storagev1.CSIDriverSpec{PodInfoOnMount: &disabled},
+		},
+		{
+			desc:     "VolumeLifecycleModes default to VolumeLifecyclePersistent",
+			field:    "VolumeLifecycleModes",
+			wantSpec: &storagev1.CSIDriverSpec{VolumeLifecycleModes: []storagev1.VolumeLifecycleMode{storagev1.VolumeLifecyclePersistent}},
+		},
+		{
+			desc:     "RequiresRepublish default to false",
+			field:    "RequiresRepublish",
+			wantSpec: &storagev1.CSIDriverSpec{RequiresRepublish: &disabled},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.desc, func(t *testing.T) {
+			gotSpec := roundTrip(t, runtime.Object(&storagev1.CSIDriver{})).(*storagev1.CSIDriver).Spec
+			got := reflect.Indirect(reflect.ValueOf(gotSpec)).FieldByName(test.field).Interface()
+			want := reflect.Indirect(reflect.ValueOf(test.wantSpec)).FieldByName(test.field).Interface()
+			if diff := cmp.Diff(want, got); diff != "" {
+				t.Errorf("CSIDriver defaults diff (-want +got):\n%s", diff)
+			}
+		})
+	}
+}