diff --git a/pkg/rotation/reconciler.go b/pkg/rotation/reconciler.go
index 60e149842..b7c40084d 100644
--- a/pkg/rotation/reconciler.go
+++ b/pkg/rotation/reconciler.go
@@ -68,6 +68,11 @@ const (
 mountRotationCompleteReason = "MountRotationComplete"
 k8sSecretRotationFailedReason = "SecretRotationFailed"
 k8sSecretRotationCompleteReason = "SecretRotationComplete"
+
+ csipodname = "csi.storage.k8s.io/pod.name"
+ csipodnamespace = "csi.storage.k8s.io/pod.namespace"
+ csipoduid = "csi.storage.k8s.io/pod.uid"
+ csipodsa = "csi.storage.k8s.io/serviceAccount.name"
 )
 
 // Reconciler reconciles and rotates contents in the pod
@@ -183,14 +188,6 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 errorReason = internalerrors.SecretProviderClassNotFound
 return fmt.Errorf("failed to get secret provider class %s/%s, err: %+v", spcNamespace, spcName, err)
 }
- paramsJSON, err := json.Marshal(spc.Spec.Parameters)
- if err != nil {
- return fmt.Errorf("failed to marshal parameters, err: %+v", err)
- }
- permissionJSON, err := json.Marshal(permission)
- if err != nil {
- return fmt.Errorf("failed to marshal permission, err: %+v", err)
- }
 // get pod from informer cache
 podName, podNamespace := spcps.Status.PodName, spcps.Namespace
 pod, err := r.store.GetPod(podName, podNamespace)
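Review bot: The four constants added to the const block are written as single lowercase words (`csipodname`, `csipodnamespace`, `csipoduid`, `csipodsa`), which departs from the MixedCaps convention every neighbouring identifier follows (`mountRotationCompleteReason`, `k8sSecretRotationFailedReason`). Renaming them `csiPodName`, `csiPodNamespace`, `csiPodUID` and `csiPodServiceAccountName` keeps the file consistent and makes each key scannable. A one-line comment above the group would also help a reader who does not know where these keys come from, e.g. `// Pod attribute keys that also arrive on NodePublishVolumeRequest; set during rotation so the provider sees the same inputs as at mount time.`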
@@ -199,6 +196,25 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 return fmt.Errorf("failed to get pod %s/%s, err: %+v", podNamespace, podName, err)
 }
 
+ parameters := make(map[string]string)
+ if spc.Spec.Parameters != nil {
+ parameters = spc.Spec.Parameters
+ }
+ // Set these parameters to mimic the exact same attributes we get as part of NodePublishVolumeRequest
+ parameters[csipodname] = podName
+ parameters[csipodnamespace] = podNamespace
+ parameters[csipoduid] = string(pod.UID)
+ parameters[csipodsa] = pod.Spec.ServiceAccountName
+
+ paramsJSON, err := json.Marshal(parameters)
+ if err != nil {
+ return fmt.Errorf("failed to marshal parameters, err: %+v", err)
+ }
+ permissionJSON, err := json.Marshal(permission)
+ if err != nil {
+ return fmt.Errorf("failed to marshal permission, err: %+v", err)
+ }
+
 // check if the volume pertaining to the current spc is using nodePublishSecretRef for
 // accessing external secrets store
 var nodePublishSecretRef *v1.LocalObjectReference
@@ -217,6 +233,7 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 }
 
 var secretsJSON []byte
+ nodePublishSecretData := make(map[string]string)
 // read the Kubernetes secret referenced in NodePublishSecretRef and marshal it
 // This comprises the secret parameter in the MountRequest to the provider
 if nodePublishSecretRef != nil {
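Review bot: `parameters = spc.Spec.Parameters` aliases the class's own map, and the four assignments that follow then write pod-specific keys straight into it; if `spc` is served from a shared informer cache, as the hunk's own comment says the pod is, the cached SecretProviderClass is mutated in place, every pod that shares the class sees the previous pod's name, uid and service account until its own reconcile overwrites them, and concurrent reconciles race on the same map. Since a provider may use the service account and pod identity to decide which secrets it returns, cross-pod contamination of these attributes is an authorization concern as well as a data race. Copying the parameters into a fresh map before adding the pod attributes keeps the cached object read-only and makes each MountRequest self-contained; the `if spc.Spec.Parameters != nil` branch is then unnecessary because ranging over a nil map is a no-op. reconcile continues outside the hunk on both sides.
```go
	parameters := make(map[string]string, len(spc.Spec.Parameters)+4)
	for k, v := range spc.Spec.Parameters {
		parameters[k] = v
	}
	// Set these parameters to mimic the exact same attributes we get as part of NodePublishVolumeRequest
	parameters[csipodname] = podName
	// … unchanged: remaining pod attribute assignments and JSON marshalling …
```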
@@ -231,15 +248,15 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 return fmt.Errorf("failed to get node publish secret %s/%s, err: %+v", secretNamespace, secretName, err)
 }
 
- nodePublishSecretData := make(map[string]string)
 for k, v := range secret.Data {
 nodePublishSecretData[k] = string(v)
 }
- secretsJSON, err = json.Marshal(nodePublishSecretData)
- if err != nil {
- r.generateEvent(pod, v1.EventTypeWarning, mountRotationFailedReason, fmt.Sprintf("failed to marshal node publish secret data, err: %+v", err))
- return fmt.Errorf("failed to marshal node publish secret data, err: %+v", err)
- }
+ }
+
+ secretsJSON, err = json.Marshal(nodePublishSecretData)
+ if err != nil {
+ r.generateEvent(pod, v1.EventTypeWarning, mountRotationFailedReason, fmt.Sprintf("failed to marshal node publish secret data, err: %+v", err))
+ return fmt.Errorf("failed to marshal node publish secret data, err: %+v", err)
 }
 
 // generate a map with the current object versions stored in spc pod status
diff --git a/pkg/secrets-store/provider_client_test.go b/pkg/secrets-store/provider_client_test.go
index 713b4cbf8..94ec085c3 100644
--- a/pkg/secrets-store/provider_client_test.go
+++ b/pkg/secrets-store/provider_client_test.go
@@ -55,7 +55,8 @@ func TestMountContent(t *testing.T) {
 socketPath: getTempTestDir(t),
 attributes: "{}",
 targetPath: "/var/lib/kubelet/pods/d448c6a2-cda8-42e3-84fb-3cf75faa8399/volumes/kubernetes.io~csi/secrets-store-inline/mount",
- permission: "0644",
+ permission: "420",
+ secrets: "{}",
 expectedObjectVersion: map[string]string{"secret/secret1": "v1", "secret/secret2": "v2"},
 },
 }
@@ -160,7 +161,8 @@ func TestMountContentError(t *testing.T) {
 socketPath: getTempTestDir(t),
 attributes: "{}",
 targetPath: "/var/lib/kubelet/pods/d448c6a2-cda8-42e3-84fb-3cf75faa8399/volumes/kubernetes.io~csi/secrets-store-inline/mount",
- permission: "0644",
+ permission: "420",
+ secrets: "{}",
 expectedErrorCode: "AuthenticationFailed",
 },
 }
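Review bot: Now that `secretsJSON, err = json.Marshal(nodePublishSecretData)` runs unconditionally after the `if nodePublishSecretRef != nil` block, the separate `var secretsJSON []byte` declaration that the previous hunk keeps is only there to make the later `=` assignment legal; folding it into `secretsJSON, err := json.Marshal(nodePublishSecretData)` at this point removes a variable that is declared far from its only assignment. A short comment on the marshal line, `// always send a JSON object, "{}" when no nodePublishSecretRef is set, so the provider can unmarshal unconditionally`, would record why the empty-map case is serialized rather than left nil, which is what the fake provider change in this commit relies on. reconcile continues outside the hunk on both sides.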
diff --git a/provider/fake/fake_server.go b/provider/fake/fake_server.go
index 83c61b285..dc0d9de89 100644
--- a/provider/fake/fake_server.go
+++ b/provider/fake/fake_server.go
@@ -18,8 +18,10 @@ package fake
 
 import (
 "context"
+ "encoding/json"
 "fmt"
 "net"
+ "os"
 
 "google.golang.org/grpc"
 
@@ -77,18 +79,25 @@ func (m *MockCSIProviderServer) Start() error {
 
 // Mount implements provider csi-provider method
 func (m *MockCSIProviderServer) Mount(ctx context.Context, req *v1alpha1.MountRequest) (*v1alpha1.MountResponse, error) {
+ var attrib, secret map[string]string
+ var filePermission os.FileMode
+ var err error
+
 if m.returnErr != nil {
 return &v1alpha1.MountResponse{}, m.returnErr
 }
- if len(req.GetAttributes()) == 0 {
- return nil, fmt.Errorf("missing attributes")
+ if err = json.Unmarshal([]byte(req.GetAttributes()), &attrib); err != nil {
+ return nil, fmt.Errorf("failed to unmarshal attributes, error: %+v", err)
+ }
+ if err = json.Unmarshal([]byte(req.GetSecrets()), &secret); err != nil {
+ return nil, fmt.Errorf("failed to unmarshal secrets, error: %+v", err)
+ }
+ if err = json.Unmarshal([]byte(req.GetPermission()), &filePermission); err != nil {
+ return nil, fmt.Errorf("failed to unmarshal file permission, error: %+v", err)
 }
 if len(req.GetTargetPath()) == 0 {
 return nil, fmt.Errorf("missing target path")
 }
- if len(req.GetPermission()) == 0 {
- return nil, fmt.Errorf("missing permissions")
- }
 return &v1alpha1.MountResponse{
 ObjectVersion: m.objects,
 Error: &v1alpha1.Error{
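Review bot: The three new guards in Mount predeclare `var err error` and then assign with `=` inside each `if`, which is the non-idiomatic form; scoping the error to the check, `if err := json.Unmarshal([]byte(req.GetAttributes()), &attrib); err != nil {`, and likewise for the secrets and permission checks, lets the `var err error` line go. Note also that `attrib` and `secret` are decoded and then never read, so the mock now verifies only that the three fields parse as JSON (a `null` attributes payload is accepted with a nil map) rather than that any expected key is present; that is a reasonable choice for a fake but deserves a comment such as `// decoded only to validate the wire format; the values are not inspected`. Mount's body continues past the end of the hunk.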