Merge pull request kubernetes-retired#20 from rrati/bac-fixes

BucketAccess Controller fixes

Author: k8s-ci-robot

Diff for: container-object-storage-interface-provisioner-sidecar/go.mod

@@ -4,7 +4,7 @@ go 1.15
 
 require (
 	github.com/kubernetes-csi/csi-lib-utils v0.9.0
-	github.com/kubernetes-sigs/container-object-storage-interface-api v0.0.0-20201204201926-43539346a903
+	github.com/kubernetes-sigs/container-object-storage-interface-api v0.0.0-20201217233824-6b4158ff7e28
 	github.com/kubernetes-sigs/container-object-storage-interface-spec v0.0.0-20201217184109-8cbf84dde8d3
 	golang.org/x/net v0.0.0-20200707034311-ab3426394381
 	golang.org/x/time v0.0.0-20201208040808-7e3f01d25324

Diff for: container-object-storage-interface-provisioner-sidecar/go.sum

@@ -258,8 +258,8 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kubernetes-csi/csi-lib-utils v0.9.0 h1:TbuDmxoVqM+fvVkzG/7sShyX/8jUln0ElLHuETcsQJI=
 github.com/kubernetes-csi/csi-lib-utils v0.9.0/go.mod h1:8E2jVUX9j3QgspwHXa6LwyN7IHQDjW9jX3kwoWnSC+M=
-github.com/kubernetes-sigs/container-object-storage-interface-api v0.0.0-20201204201926-43539346a903 h1:kBd9bCHv429J7Y8Mp2w1Xg3QtDiRAhittzYC/45/G2E=
-github.com/kubernetes-sigs/container-object-storage-interface-api v0.0.0-20201204201926-43539346a903/go.mod h1:C7tjzC+nLe7H7+3UM/Z6a7F24yxOO8FSK3ZaVZrKDPQ=
+github.com/kubernetes-sigs/container-object-storage-interface-api v0.0.0-20201217233824-6b4158ff7e28 h1:ZCH6aKd+cWLi66i3tPV6f0dIuFG5Lk9XOxWacnsR8mg=
+github.com/kubernetes-sigs/container-object-storage-interface-api v0.0.0-20201217233824-6b4158ff7e28/go.mod h1:C7tjzC+nLe7H7+3UM/Z6a7F24yxOO8FSK3ZaVZrKDPQ=
 github.com/kubernetes-sigs/container-object-storage-interface-spec v0.0.0-20201217184109-8cbf84dde8d3 h1:8uv9nGDukcMLYeg/m9YtTyr2IzXZd5WwUVDBRuJy2Vw=
 github.com/kubernetes-sigs/container-object-storage-interface-spec v0.0.0-20201217184109-8cbf84dde8d3/go.mod h1:wojgWDesMMLuFza4p1YnpX3sdPeo0mDWmSbmPsxRDh0=
 github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY=
@@ -589,6 +589,7 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

Diff for: container-object-storage-interface-provisioner-sidecar/pkg/controller/bucketaccess/bucket_access_controller.go

@@ -22,7 +22,7 @@ import (
 	"strings"
 	"time"
 
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -116,7 +116,7 @@ func (bal *bucketAccessListener) Add(ctx context.Context, obj *v1alpha1.BucketAc
 	req := osspec.ProvisionerGrantBucketAccessRequest{
 		Principal:     obj.Spec.Principal,
 		AccessPolicy:  obj.Spec.PolicyActionsConfigMapData,
-		BucketContext: map[string]string{},
+		BucketContext: obj.Spec.Parameters,
 	}
 
 	switch bucket.Spec.Protocol.Name {
@@ -148,7 +148,7 @@ func (bal *bucketAccessListener) Add(ctx context.Context, obj *v1alpha1.BucketAc
 
 	// Only update the principal in the BucketAccess if it wasn't set because
 	// that means that the provisioner created one
-	if len(obj.Spec.Principal) == 0 {
+	if len(obj.Spec.Principal) == 0 && obj.Spec.ServiceAccount == nil {
 		err = bal.updatePrincipal(ctx, obj.Name, rsp)
 		if err != nil {
 			return err
@@ -158,22 +158,25 @@ func (bal *bucketAccessListener) Add(ctx context.Context, obj *v1alpha1.BucketAc
 	// Only create the secret with credentials if serviveAccount isn't set.
 	// If serviceAccount is set then authorization happens out of band in the
 	// cloud provider
-	if len(obj.Spec.ServiceAccount) == 0 {
-		secret := v1.Secret{
+	if obj.Spec.ServiceAccount == nil {
+		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: generateSecretName(obj.UID),
 			},
 			StringData: map[string]string{
 				"CredentialsFilePath":     rsp.CredentialsFilePath,
 				"CredentialsFileContents": rsp.CredentialsFileContents,
 			},
-			Type: v1.SecretTypeOpaque,
+			Type: corev1.SecretTypeOpaque,
 		}
+
 		// It's unlikely but should probably handle retries on rare case of collision
 		_, err = bal.kubeClient.CoreV1().Secrets("objectstorage-system").Create(ctx, &secret, metav1.CreateOptions{})
 		if err != nil {
 			return err
 		}
+
+		// TODO update the mintedSecretName in the BA
 	}
 
 	// update bucket access status to granted
@@ -203,7 +206,7 @@ func (bal *bucketAccessListener) Delete(ctx context.Context, obj *v1alpha1.Bucke
 
 	req := osspec.ProvisionerRevokeBucketAccessRequest{
 		Principal:     obj.Spec.Principal,
-		BucketContext: map[string]string{},
+		BucketContext: obj.Spec.Parameters,
 	}
 
 	switch bucket.Spec.Protocol.Name {
@@ -234,7 +237,9 @@ func (bal *bucketAccessListener) Delete(ctx context.Context, obj *v1alpha1.Bucke
 	klog.V(1).Infof("provisioner returned revoke bucket access response %v", rsp)
 
 	// Delete the secret
-	if len(obj.Spec.ServiceAccount) == 0 {
+	if obj.Spec.ServiceAccount == nil {
+		// TODO get the minted secret name from the BA
+
 		// It's unlikely but should probably handle retries on rare case of collision
 		err = bal.kubeClient.CoreV1().Secrets("objectstorage-system").Delete(ctx, generateSecretName(obj.UID), metav1.DeleteOptions{})
 		if err != nil {

Diff for: container-object-storage-interface-provisioner-sidecar/pkg/controller/bucketaccess/bucket_access_controller_test.go

@@ -28,6 +28,7 @@ import (
 	osspec "github.com/kubernetes-sigs/container-object-storage-interface-spec"
 	fakespec "github.com/kubernetes-sigs/container-object-storage-interface-spec/fake"
 
+	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -118,6 +119,8 @@ func TestAdd(t *testing.T) {
 	generatedPrincipal := "driverPrincipal"
 	sa := "serviceAccount"
 	mpc := struct{ fakespec.MockProvisionerClient }{}
+	extraParamName := "ParamName"
+	extraParamValue := "ParamValue"
 
 	testCases := []struct {
 		name           string
@@ -126,6 +129,7 @@ func TestAdd(t *testing.T) {
 		grantFunc      func(ctx context.Context, in *osspec.ProvisionerGrantBucketAccessRequest, opts ...grpc.CallOption) (*osspec.ProvisionerGrantBucketAccessResponse, error)
 		principal      string
 		serviceAccount string
+		params         map[string]string
 	}{
 		{
 			name: "S3",
@@ -158,6 +162,9 @@ func TestAdd(t *testing.T) {
 				if in.BucketContext["Endpoint"] != endpoint {
 					t.Errorf("expected %s, got %s", endpoint, in.BucketContext["Endpoint"])
 				}
+				if in.BucketContext[extraParamName] != extraParamValue {
+					t.Errorf("expected %s, got %s", extraParamValue, in.BucketContext[extraParamName])
+				}
 				return &osspec.ProvisionerGrantBucketAccessResponse{
 					Principal:               principal,
 					CredentialsFileContents: credsContents,
@@ -166,6 +173,9 @@ func TestAdd(t *testing.T) {
 			},
 			principal:      principal,
 			serviceAccount: "",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 		{
 			name: "GCS",
@@ -194,6 +204,9 @@ func TestAdd(t *testing.T) {
 				if in.BucketContext["ProjectID"] != projID {
 					t.Errorf("expected %s, got %s", projID, in.BucketContext["ProjectID"])
 				}
+				if in.BucketContext[extraParamName] != extraParamValue {
+					t.Errorf("expected %s, got %s", extraParamValue, in.BucketContext[extraParamName])
+				}
 				return &osspec.ProvisionerGrantBucketAccessResponse{
 					Principal:               principal,
 					CredentialsFileContents: credsContents,
@@ -202,6 +215,9 @@ func TestAdd(t *testing.T) {
 			},
 			principal:      principal,
 			serviceAccount: "",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 		{
 			name: "AzureBlob",
@@ -222,6 +238,9 @@ func TestAdd(t *testing.T) {
 				if in.BucketContext["StorageAccount"] != account {
 					t.Errorf("expected %s, got %s", account, in.BucketContext["StorageAccount"])
 				}
+				if in.BucketContext[extraParamName] != extraParamValue {
+					t.Errorf("expected %s, got %s", extraParamValue, in.BucketContext[extraParamName])
+				}
 				return &osspec.ProvisionerGrantBucketAccessResponse{
 					Principal:               principal,
 					CredentialsFileContents: credsContents,
@@ -230,6 +249,9 @@ func TestAdd(t *testing.T) {
 			},
 			principal:      principal,
 			serviceAccount: "",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 		{
 			name: "No Principal",
@@ -252,6 +274,9 @@ func TestAdd(t *testing.T) {
 			},
 			principal:      "",
 			serviceAccount: "",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 		{
 			name: "ServiceAccount exists",
@@ -274,6 +299,9 @@ func TestAdd(t *testing.T) {
 			},
 			principal:      principal,
 			serviceAccount: sa,
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 	}
 
@@ -297,10 +325,16 @@ func TestAdd(t *testing.T) {
 				BucketInstanceName: instanceName,
 				Provisioner:        provisioner,
 				Principal:          tc.principal,
-				ServiceAccount:     tc.serviceAccount,
+				Parameters:         tc.params,
 			},
 		}
 
+		if len(tc.serviceAccount) > 0 {
+			ba.Spec.ServiceAccount = &corev1.ObjectReference{
+				Name: tc.serviceAccount,
+			}
+		}
+
 		ctx := context.TODO()
 		tc.setProtocol(&b)
 		client := fakebucketclientset.NewSimpleClientset(&ba, &b)
@@ -383,13 +417,16 @@ func TestDelete(t *testing.T) {
 	endpoint := "endpoint1"
 	instanceName := "instance"
 	mpc := struct{ fakespec.MockProvisionerClient }{}
+	extraParamName := "ParamName"
+	extraParamValue := "ParamValue"
 
 	testCases := []struct {
 		name           string
 		setProtocol    func(b *v1alpha1.Bucket)
 		protocolName   v1alpha1.ProtocolName
 		revokeFunc     func(ctx context.Context, in *osspec.ProvisionerRevokeBucketAccessRequest, opts ...grpc.CallOption) (*osspec.ProvisionerRevokeBucketAccessResponse, error)
 		serviceAccount string
+		params         map[string]string
 	}{
 		{
 			name: "S3",
@@ -422,9 +459,15 @@ func TestDelete(t *testing.T) {
 				if in.BucketContext["Endpoint"] != endpoint {
 					t.Errorf("expected %s, got %s", endpoint, in.BucketContext["Endpoint"])
 				}
+				if in.BucketContext[extraParamName] != extraParamValue {
+					t.Errorf("expected %s, got %s", extraParamValue, in.BucketContext[extraParamName])
+				}
 				return &osspec.ProvisionerRevokeBucketAccessResponse{}, nil
 			},
 			serviceAccount: "",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 		{
 			name: "GCS",
@@ -453,9 +496,15 @@ func TestDelete(t *testing.T) {
 				if in.BucketContext["ProjectID"] != projID {
 					t.Errorf("expected %s, got %s", projID, in.BucketContext["ProjectID"])
 				}
+				if in.BucketContext[extraParamName] != extraParamValue {
+					t.Errorf("expected %s, got %s", extraParamValue, in.BucketContext[extraParamName])
+				}
 				return &osspec.ProvisionerRevokeBucketAccessResponse{}, nil
 			},
 			serviceAccount: "",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 		{
 			name: "AzureBlob",
@@ -476,9 +525,15 @@ func TestDelete(t *testing.T) {
 				if in.BucketContext["StorageAccount"] != account {
 					t.Errorf("expected %s, got %s", account, in.BucketContext["StorageAccount"])
 				}
+				if in.BucketContext[extraParamName] != extraParamValue {
+					t.Errorf("expected %s, got %s", extraParamValue, in.BucketContext[extraParamName])
+				}
 				return &osspec.ProvisionerRevokeBucketAccessResponse{}, nil
 			},
 			serviceAccount: "",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 		{
 			name: "service account exists",
@@ -511,9 +566,15 @@ func TestDelete(t *testing.T) {
 				if in.BucketContext["Endpoint"] != endpoint {
 					t.Errorf("expected %s, got %s", endpoint, in.BucketContext["Endpoint"])
 				}
+				if in.BucketContext[extraParamName] != extraParamValue {
+					t.Errorf("expected %s, got %s", extraParamValue, in.BucketContext[extraParamName])
+				}
 				return &osspec.ProvisionerRevokeBucketAccessResponse{}, nil
 			},
 			serviceAccount: "serviceAccount",
+			params: map[string]string{
+				extraParamName: extraParamValue,
+			},
 		},
 	}
 
@@ -537,12 +598,18 @@ func TestDelete(t *testing.T) {
 				BucketInstanceName: instanceName,
 				Provisioner:        provisioner,
 				Principal:          principal,
-				ServiceAccount:     tc.serviceAccount,
+				Parameters:         tc.params,
 			},
 			Status: v1alpha1.BucketAccessStatus{
 				AccessGranted: true,
 			},
 		}
+
+		if len(tc.serviceAccount) > 0 {
+			ba.Spec.ServiceAccount = &corev1.ObjectReference{
+				Name: tc.serviceAccount,
+			}
+		}
 		secretName := generateSecretName(ba.UID)
 		secret := v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{