Merge pull request #25285 from ingvagabund/extend-secrets-volumes-wit…

…h-path-control Automatic merge from submit-queue Extend secrets volumes with path control As per [1] this PR extends secrets mapped into volume with: * key-to-path mapping the same way as is for configmap. E.g. ``` { "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "mypod", "namespace": "default" }, "spec": { "containers": [{ "name": "mypod", "image": "redis", "volumeMounts": [{ "name": "foo", "mountPath": "/etc/foo", "readOnly": true }] }], "volumes": [{ "name": "foo", "secret": { "secretName": "mysecret", "items": [{ "key": "username", "path": "my-username" }] } }] } } ``` Here the ``spec.volumes[0].secret.items`` added changing original target ``/etc/foo/username`` to ``/etc/foo/my-username``. * secondly, refactoring ``pkg/volumes/secrets/secrets.go`` volume plugin to use ``AtomicWritter`` to project a secret into file. [1] https://github.com/kubernetes/kubernetes/blob/master/docs/design/configmap.md#changes-to-secret
kubernetes · May 21, 2016 · eb733cb · eb733cb
2 parents 62a8394 + e3aa900
commit eb733cb
Show file tree

Hide file tree

Showing 20 changed files with 638 additions and 238 deletions.
diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json
@@ -1405,6 +1405,31 @@
      "secretName": {
       "type": "string",
       "description": "Name of the secret in the pod's namespace to use. More info: http://releases.k8s.io/HEAD/docs/user-guide/volumes.md#secrets"
+     },
+     "items": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.KeyToPath"
+      },
+      "description": "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error. Paths must be relative and may not contain the '..' path or start with '..'."
+     }
+    }
+   },
+   "v1.KeyToPath": {
+    "id": "v1.KeyToPath",
+    "description": "Maps a string key to a path within a volume.",
+    "required": [
+     "key",
+     "path"
+    ],
+    "properties": {
+     "key": {
+      "type": "string",
+      "description": "The key to project."
+     },
+     "path": {
+      "type": "string",
+      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
      }
     }
    },
@@ -1780,24 +1805,6 @@
      }
     }
    },
-   "v1.KeyToPath": {
-    "id": "v1.KeyToPath",
-    "description": "Maps a string key to a path within a volume.",
-    "required": [
-     "key",
-     "path"
-    ],
-    "properties": {
-     "key": {
-      "type": "string",
-      "description": "The key to project."
-     },
-     "path": {
-      "type": "string",
-      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
-     }
-    }
-   },
    "v1.Container": {
     "id": "v1.Container",
     "description": "A single application container that you want to run within a pod.",

diff --git a/api/swagger-spec/batch_v1.json b/api/swagger-spec/batch_v1.json
@@ -1410,6 +1410,31 @@
      "secretName": {
       "type": "string",
       "description": "Name of the secret in the pod's namespace to use. More info: http://releases.k8s.io/HEAD/docs/user-guide/volumes.md#secrets"
+     },
+     "items": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.KeyToPath"
+      },
+      "description": "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error. Paths must be relative and may not contain the '..' path or start with '..'."
+     }
+    }
+   },
+   "v1.KeyToPath": {
+    "id": "v1.KeyToPath",
+    "description": "Maps a string key to a path within a volume.",
+    "required": [
+     "key",
+     "path"
+    ],
+    "properties": {
+     "key": {
+      "type": "string",
+      "description": "The key to project."
+     },
+     "path": {
+      "type": "string",
+      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
      }
     }
    },
@@ -1785,24 +1810,6 @@
      }
     }
    },
-   "v1.KeyToPath": {
-    "id": "v1.KeyToPath",
-    "description": "Maps a string key to a path within a volume.",
-    "required": [
-     "key",
-     "path"
-    ],
-    "properties": {
-     "key": {
-      "type": "string",
-      "description": "The key to project."
-     },
-     "path": {
-      "type": "string",
-      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
-     }
-    }
-   },
    "v1.Container": {
     "id": "v1.Container",
     "description": "A single application container that you want to run within a pod.",

diff --git a/api/swagger-spec/extensions_v1beta1.json b/api/swagger-spec/extensions_v1beta1.json
@@ -6717,6 +6717,31 @@
      "secretName": {
       "type": "string",
       "description": "Name of the secret in the pod's namespace to use. More info: http://releases.k8s.io/HEAD/docs/user-guide/volumes.md#secrets"
+     },
+     "items": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.KeyToPath"
+      },
+      "description": "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error. Paths must be relative and may not contain the '..' path or start with '..'."
+     }
+    }
+   },
+   "v1.KeyToPath": {
+    "id": "v1.KeyToPath",
+    "description": "Maps a string key to a path within a volume.",
+    "required": [
+     "key",
+     "path"
+    ],
+    "properties": {
+     "key": {
+      "type": "string",
+      "description": "The key to project."
+     },
+     "path": {
+      "type": "string",
+      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
      }
     }
    },
@@ -7092,24 +7117,6 @@
      }
     }
    },
-   "v1.KeyToPath": {
-    "id": "v1.KeyToPath",
-    "description": "Maps a string key to a path within a volume.",
-    "required": [
-     "key",
-     "path"
-    ],
-    "properties": {
-     "key": {
-      "type": "string",
-      "description": "The key to project."
-     },
-     "path": {
-      "type": "string",
-      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
-     }
-    }
-   },
    "v1.Container": {
     "id": "v1.Container",
     "description": "A single application container that you want to run within a pod.",

diff --git a/api/swagger-spec/v1.json b/api/swagger-spec/v1.json
@@ -17018,6 +17018,31 @@
      "secretName": {
       "type": "string",
       "description": "Name of the secret in the pod's namespace to use. More info: http://releases.k8s.io/HEAD/docs/user-guide/volumes.md#secrets"
+     },
+     "items": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.KeyToPath"
+      },
+      "description": "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error. Paths must be relative and may not contain the '..' path or start with '..'."
+     }
+    }
+   },
+   "v1.KeyToPath": {
+    "id": "v1.KeyToPath",
+    "description": "Maps a string key to a path within a volume.",
+    "required": [
+     "key",
+     "path"
+    ],
+    "properties": {
+     "key": {
+      "type": "string",
+      "description": "The key to project."
+     },
+     "path": {
+      "type": "string",
+      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
      }
     }
    },
@@ -17103,24 +17128,6 @@
      }
     }
    },
-   "v1.KeyToPath": {
-    "id": "v1.KeyToPath",
-    "description": "Maps a string key to a path within a volume.",
-    "required": [
-     "key",
-     "path"
-    ],
-    "properties": {
-     "key": {
-      "type": "string",
-      "description": "The key to project."
-     },
-     "path": {
-      "type": "string",
-      "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'."
-     }
-    }
-   },
    "v1.Container": {
     "id": "v1.Container",
     "description": "A single application container that you want to run within a pod.",

diff --git a/docs/api-reference/batch/v1/definitions.html b/docs/api-reference/batch/v1/definitions.html
@@ -2513,6 +2513,13 @@ <h3 id="_v1_secretvolumesource">v1.SecretVolumeSource</h3>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">items</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error. Paths must be relative and may not contain the <em>..</em> path or start with <em>..</em>.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_keytopath">v1.KeyToPath</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 
@@ -3979,7 +3986,7 @@ <h3 id="_any">any</h3>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2016-05-06 14:18:34 UTC
+Last updated 2016-05-18 12:33:08 UTC
 </div>
 </div>
 </body>

diff --git a/docs/api-reference/extensions/v1beta1/definitions.html b/docs/api-reference/extensions/v1beta1/definitions.html
@@ -2303,6 +2303,13 @@ <h3 id="_v1_secretvolumesource">v1.SecretVolumeSource</h3>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">items</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error. Paths must be relative and may not contain the <em>..</em> path or start with <em>..</em>.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_keytopath">v1.KeyToPath</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 
@@ -5969,7 +5976,7 @@ <h3 id="_any">any</h3>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2016-05-10 20:28:46 UTC
+Last updated 2016-05-18 12:32:45 UTC
 </div>
 </div>
 </body>

diff --git a/docs/api-reference/v1/definitions.html b/docs/api-reference/v1/definitions.html
@@ -2848,6 +2848,13 @@ <h3 id="_v1_secretvolumesource">v1.SecretVolumeSource</h3>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">items</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error. Paths must be relative and may not contain the <em>..</em> path or start with <em>..</em>.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_keytopath">v1.KeyToPath</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 
@@ -7860,7 +7867,7 @@ <h3 id="_any">any</h3>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2016-05-10 14:28:49 UTC
+Last updated 2016-05-18 12:32:13 UTC
 </div>
 </div>
 </body>

diff --git a/pkg/api/deep_copy_generated.go b/pkg/api/deep_copy_generated.go
@@ -2748,6 +2748,17 @@ func DeepCopy_api_SecretList(in SecretList, out *SecretList, c *conversion.Clone
 
 func DeepCopy_api_SecretVolumeSource(in SecretVolumeSource, out *SecretVolumeSource, c *conversion.Cloner) error {
 	out.SecretName = in.SecretName
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]KeyToPath, len(in))
+		for i := range in {
+			if err := DeepCopy_api_KeyToPath(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
 	return nil
 }