Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend secrets volumes with path control #25285

Merged
merged 2 commits into from
May 21, 2016
Merged

Extend secrets volumes with path control #25285

merged 2 commits into from
May 21, 2016
+638 −238

Conversation

ingvagabund
Copy link
Contributor

@ingvagabund ingvagabund commented May 6, 2016
edited
Loading

As per [1] this PR extends secrets mapped into volume with:

  • key-to-path mapping the same way as is for configmap. E.g.
{
 "apiVersion": "v1",
 "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "default"
  },
  "spec": {
    "containers": [{
      "name": "mypod",
      "image": "redis",
      "volumeMounts": [{
        "name": "foo",
        "mountPath": "/etc/foo",
        "readOnly": true
      }]
    }],
    "volumes": [{
      "name": "foo",
      "secret": {
        "secretName": "mysecret",
        "items": [{
          "key": "username",
          "path": "my-username"
        }]
      }
    }]
  }
}

Here the spec.volumes[0].secret.items added changing original target /etc/foo/username to /etc/foo/my-username.

  • secondly, refactoring pkg/volumes/secrets/secrets.go volume plugin to use AtomicWritter to project a secret into file.

[1] https://github.com/kubernetes/kubernetes/blob/master/docs/design/configmap.md#changes-to-secret

@k8s-github-robot k8s-github-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/L Denotes a PR that changes 100-499 lines, ignoring generated files. release-note-label-needed labels May 6, 2016
@pmorie pmorie mentioned this pull request May 7, 2016
Open
@pmorie
Copy link
Member

pmorie commented May 7, 2016

#24744

@pmorie pmorie added area/volumes release-note Denotes a PR that will be considered when it comes time to generate release notes. labels May 7, 2016
@pmorie pmorie added this to the v1.3 milestone May 7, 2016
@pmorie pmorie self-assigned this May 7, 2016
@pmorie
Copy link
Member

pmorie commented May 7, 2016

@bgrant0607 for API review

pmorie
pmorie reviewed May 7, 2016
View reviewed changes
pkg/volume/secret/secret.go
payload := make(map[string][]byte, len(secret.Data))

if len(mappings) == 0 {
for name, data := range secret.Data {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I frequently wish that go allowed interface specifications to contain fields or had a mixin mechanism that allow type-unspecific use of fields with a specific type signature.

@pmorie
Copy link
Member

pmorie commented May 7, 2016

@ingvagabund looks great so far, will you add an e2e as well?

@pmorie
Copy link
Member

pmorie commented May 7, 2016

@ingvagabund also, doc changes to kubernetes.github.io in a follow-up PR in that project.

@ingvagabund
Copy link
Contributor Author

Docs updated kubernetes/website#478

@ingvagabund ingvagabund mentioned this pull request May 7, 2016
Merged
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 8, 2016
@ingvagabund ingvagabund force-pushed the extend-secrets-volumes-with-path-control branch 2 times, most recently from f6261da to 5da56d6 Compare May 11, 2016 12:18
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 11, 2016
@pmorie pmorie mentioned this pull request May 11, 2016
Merged
@ingvagabund
Copy link
Contributor Author

File permissions are changing as well:
Originally, the secret file had 0444 permissions. With introduction of key-to-path mapping, the secret root directory can contain subdirectories as well. Thus, the rule is like this:

  1. the secret volume is created as EmptyDir volume with 777 permissions for the target directory

    stat -c "%a %n" /etc/foo
1777 /etc/foo

  2. the AtomicWriter creates timestamp directory with 755 permissions

    stat -c "%a %n" /etc/foo/..5985_11_05_12_35_30.806564262
755 /etc/foo/..5985_11_05_12_35_30.806564262

  3. the AtomicWriter creates for each secret corresponding file with 644 permissions, basedir(file) with 777 permissions

    stat -c "%a %n" /etc/foo/..5985_11_05_12_35_30.806564262/path
755 /etc/foo/..5985_11_05_12_35_30.806564262/path
stat -c "%a %n" /etc/foo/..5985_11_05_12_35_30.806564262/path/my-username
644 /etc/foo/..5985_11_05_12_35_30.806564262/path/my-username

  4. /etc/foo/..data now points to the timestamp directory, the previous one is deleted

Additional data:

ls -ld /etc/foo/
drwxrwxrwt. 4 root root 100 May 11 12:35 /etc/foo/
ls -ld /etc/foo/path
drwxr-xr-x. 2 root root 60 May 11 12:35 /etc/foo/path
ls -ld /etc/foo/path/my-username
lrwxrwxrwx. 1 root root 26 May 11 12:35 /etc/foo/path/my-username -> ../..data/path/my-username
ls -ld /etc/foo/..data/path/my-username
-rw-r--r--. 1 root root 8 May 11 12:35 /etc/foo/..data/path/my-username

path is symlinked to ..5985_11_05_12_35_30.806564262/path as expected:

ls -ld /etc/foo/..5985_11_05_12_35_30.806564262/path/
drwxr-xr-x. 2 root root 60 May 11 12:35 /etc/foo/..5985_11_05_12_35_30.806564262/path/
ls -ld /etc/foo/..5985_11_05_12_35_30.806564262/path/my-username
-rw-r--r--. 1 root root 8 May 11 12:35 /etc/foo/..5985_11_05_12_35_30.806564262/path/my-username

Still confused as both /etc/foo/path/my-username and /etc/foo/..data/path/my-username should have the same permission:

stat -c "%a %n" /etc/foo/path/my-username
777 /etc/foo/path/my-username
stat -c "%a %n" /etc/foo/..data/path/my-username
644 /etc/foo/..data/path/my-username

@bgrant0607
Copy link
Member

I'm fine with this change. It's consistent with ConfigMapVolumeSource.

@ingvagabund
Copy link
Contributor Author

Updated e2e tests for secret volume. New version of mounttest image is required. This PR depends on #25800.

@ingvagabund
Copy link
Contributor Author

Wrt. to the permissions:

  • as the default root mask is 0022, the permissions 0777 are correctly changed to 0755.
  • for the symlink case, the target is correctly set to 0644 as expected, for the symlink itself the 777 permissions is quite normal [1]

[1] http://stackoverflow.com/questions/7487793/symbolic-link-not-inheriting-permissions

@ingvagabund ingvagabund force-pushed the extend-secrets-volumes-with-path-control branch from 95c570d to 4d60c06 Compare May 18, 2016 12:42
@ingvagabund
Extend the current secrets mounting to volume implementation with key…
ebe56f5 
… to path mapping.

The key to path mapping allows pod to specify different name (thus location) of each secret.
At the same time refactor the volume plugin to use AtomicWritter to project secrets to files in a volume.

Update e2e Secrets test, the secret file permission has changed from 0444 to 0644
Remove TestPluginIdempotent as the AtomicWritter is responsible for secret creation
@ingvagabund
Regenerate swagger, api, conversion and other code that needs to be r…
e3aa900 
…egenerated
@ingvagabund ingvagabund force-pushed the extend-secrets-volumes-with-path-control branch from 4d60c06 to e3aa900 Compare May 18, 2016 14:14
@ncdc
Copy link
Member

ncdc commented May 19, 2016

@k8s-bot e2e test this issue: #25800

@pmorie
Copy link
Member

pmorie commented May 19, 2016

@ingvagabund now that #25800 has merged, do you need to update this PR?

@ingvagabund
Copy link
Contributor Author

ingvagabund commented May 20, 2016
edited
Loading

@pmorie the PR can be merged as it is

@pmorie pmorie added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 20, 2016
@pmorie
Copy link
Member

pmorie commented May 20, 2016

@ingvagabund thanks a lot for the fix

@k8s-bot
Copy link

k8s-bot commented May 21, 2016

GCE e2e build/test passed for commit e3aa900.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit eb733cb into kubernetes:master May 21, 2016
@ingvagabund ingvagabund deleted the extend-secrets-volumes-with-path-control branch May 21, 2016 14:36
This was referenced Jun 2, 2016
Closed
Closed
Closed
@rata rata mentioned this pull request Jul 4, 2016
Closed
@ghost ghost mentioned this pull request Dec 12, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@pmorie pmorie

Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.3
Development

Successfully merging this pull request may close these issues.
7 participants
@ingvagabund @pmorie @bgrant0607 @ncdc @k8s-bot @k8s-github-robot @googlebot