Add annotation for setting access mode on automounted configmap/secret files #1074

Merged
merged 4 commits into from
Apr 5, 2023

Conversation

amisevsk
Collaborator

@amisevsk amisevsk commented Mar 29, 2023

What does this PR do?

Adds secret/configmap automount annotation

controller.devfile.io/mount-access-mode

that can be used to configure file permissions on files mounted from the secret/configmap. Access mode is propagated into merged projected volumes as well.

What issues does this PR fix or reference?

Closes #1072

Is it tested? How?

To test manually, see files below

yaml resources
  • Plain configmap (mounted to /tmp/access-mode/configmap/):
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: test-cm-accessmode
      labels:
        controller.devfile.io/mount-to-devworkspace: "true"
        controller.devfile.io/watch-configmap: 'true'
      annotations:
        controller.devfile.io/mount-as: file
        controller.devfile.io/mount-path: /tmp/access-mode/configmap/
        controller.devfile.io/mount-access-mode: "0777"
    data:
      cm-test.sh: |
        #!/bin/bash
    
        echo "I am a configmap"
  • Plain secret (mounted to /tmp/access-mode/secret/):
    apiVersion: v1
    kind: Secret
    metadata:
      name: test-secret-accessmode
      labels:
        controller.devfile.io/mount-to-devworkspace: "true"
        controller.devfile.io/watch-secret: 'true'
      annotations:
        controller.devfile.io/mount-as: file
        controller.devfile.io/mount-path: /tmp/access-mode/secret/
        controller.devfile.io/mount-access-mode: "0777"
    type: Opaque
    data:
      # Contents:
      # #!/bin/bash
      #
      # echo "I am a secret"
      secret-test.sh: IyEvYmluL2Jhc2gKCmVjaG8gIkkgYW0gYSBzZWNyZXQiCg==
  • Projected configmaps and secrets, with different access modes (mounted to /tmp/access-mode/projected/):
    apiVersion: v1
    kind: Secret
    metadata:
      name: test-secret-accessmode-projected
      labels:
        controller.devfile.io/mount-to-devworkspace: "true"
        controller.devfile.io/watch-secret: 'true'
      annotations:
        controller.devfile.io/mount-as: file
        controller.devfile.io/mount-path: /tmp/access-mode/projected/
        controller.devfile.io/mount-access-mode: "0777"
    type: Opaque
    data:
      secret-test.sh: IyEvYmluL2Jhc2gKCmVjaG8gIkkgYW0gYSBzZWNyZXQiCg==
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: test-cm-accessmode-projected-1
      labels:
        controller.devfile.io/mount-to-devworkspace: "true"
        controller.devfile.io/watch-configmap: 'true'
      annotations:
        controller.devfile.io/mount-as: file
        controller.devfile.io/mount-path: /tmp/access-mode/projected/
        controller.devfile.io/mount-access-mode: "0776"
    data:
      cm-test-2.sh: |
        #!/bin/bash
    
        echo "I am a configmap 2"
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: test-cm-accessmode-projected-2
      labels:
        controller.devfile.io/mount-to-devworkspace: "true"
        controller.devfile.io/watch-configmap: 'true'
      annotations:
        controller.devfile.io/mount-as: file
        controller.devfile.io/mount-path: /tmp/access-mode/projected/
        controller.devfile.io/mount-access-mode: "0774"
    data:
      cm-test-1.sh: |
        #!/bin/bash
    
        echo "I am a configmap 1"

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

@amisevsk amisevsk requested review from l0rd and AObuchow March 29, 2023 21:48
@amisevsk amisevsk requested a review from ibuziuk as a code owner March 29, 2023 21:48
@amisevsk amisevsk changed the title Automount access mode Add annotation for setting access mode on automounted configmap/secret files Mar 29, 2023
@codecov

codecov bot commented Mar 29, 2023

Codecov Report

Patch coverage: 76.54% and project coverage change: +2.67 🎉

Comparison is base (bd7a091) 51.48% compared to head (a311d86) 54.16%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1074      +/-   ##
==========================================
+ Coverage   51.48%   54.16%   +2.67%     
==========================================
  Files          76       76              
  Lines        6606     6680      +74     
==========================================
+ Hits         3401     3618     +217     
+ Misses       2939     2778     -161     
- Partials      266      284      +18     
Impacted Files Coverage Δ
pkg/provision/automount/secret.go 82.35% <62.50%> (+46.41%) ⬆️
pkg/provision/automount/configmap.go 86.17% <77.41%> (+42.23%) ⬆️
pkg/provision/automount/common.go 68.46% <86.36%> (+34.80%) ⬆️
pkg/provision/automount/gitconfig.go 62.61% <100.00%> (+23.36%) ⬆️
pkg/provision/automount/projected.go 96.61% <100.00%> (+1.78%) ⬆️

... and 2 files with indirect coverage changes


Collaborator

@AObuchow AObuchow left a comment

Tested out the sample configmaps/secrets and was able to execute them as expected. Code looks good to me as well. I'll let you add the automated tests and re-review then.

@openshift-ci

openshift-ci bot commented Apr 3, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, AObuchow, ibuziuk


@openshift-ci openshift-ci bot removed the lgtm label Apr 4, 2023
@openshift-ci

openshift-ci bot commented Apr 4, 2023

New changes are detected. LGTM label has been removed.

@amisevsk
Collaborator Author

amisevsk commented Apr 4, 2023

/retest

@amisevsk
Collaborator Author

amisevsk commented Apr 4, 2023

Prow tests are failing due to kislyuk/yq#165

Add annotation

  controller.devfile.io/mount-access-mode: "<access-mode>"

To allow configuring the access mode for files mounted from a configmap
or secret. This allows mounting e.g. a script in a configmap as
executable

Signed-off-by: Angel Misevski <amisevsk@redhat.com>

Support setting access mode on automount configmaps/secrets when they
are ultimately merged into a projected volume. In order to do this, it
is necessary to attach the access mode to each item in each
configmap/secret.

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
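
The per-item access mode described in the commit messages above, sketched as an added example (not code from this PR or from the devworkspace-operator). Only the annotation name comes from the page; the `item` type, the function names, the octal parsing of the value and the `0640` fallback are assumptions. Besides validating the mode and stamping it on each key, it reports keys that end up with the write bit set for "other", which the sample modes `0777` and `0776` do.

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation name from the PR; the types and functions below are hypothetical.
const accessModeAnnotation = "controller.devfile.io/mount-access-mode"

// item is one file in a merged projected volume, carrying its own mode.
type item struct {
	Source, Key string
	Mode        int32
}

// parseAccessMode reads the value as octal (assumption); range 0000-0777 only.
func parseAccessMode(annotations map[string]string, fallback int32) (int32, error) {
	raw, ok := annotations[accessModeAnnotation]
	if !ok {
		return fallback, nil // annotation absent: caller's default applies
	}
	mode, err := strconv.ParseUint(raw, 8, 32)
	if err != nil || mode > 0777 {
		return 0, fmt.Errorf("%s: invalid access mode %q", accessModeAnnotation, raw)
	}
	return int32(mode), nil
}

// itemsFor stamps the source's mode on each key so it survives the merge.
func itemsFor(source string, keys []string, mode int32) []item {
	out := make([]item, 0, len(keys))
	for _, k := range keys {
		out = append(out, item{Source: source, Key: k, Mode: mode})
	}
	return out
}

// otherWritable lists keys whose mode has the write bit set for "other".
func otherWritable(items []item) []string {
	var keys []string
	for _, it := range items {
		if it.Mode&0002 != 0 {
			keys = append(keys, it.Key)
		}
	}
	return keys
}

func main() { fmt.Println(parseAccessMode(map[string]string{accessModeAnnotation: "0776"}, 0640)) }
```
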
@AObuchow
Collaborator

AObuchow commented Apr 5, 2023

/retest

Successfully merging this pull request may close these issues.

Add automount annotation to allow configuring access mode for mounted configmaps