fixes

kubernetes-sigs · Jul 11, 2024 · 5ac6905 · 5ac6905
1 parent ec4394b
commit 5ac6905
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 118 deletions.
diff --git a/pkg/driver/controller.go b/pkg/driver/controller.go
@@ -18,7 +18,10 @@ package driver
 
 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
+	"sort"
+	"strconv"
 	"strings"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
@@ -222,3 +225,90 @@ func (d *Driver) ControllerGetVolume(ctx context.Context, req *csi.ControllerGet
 
 	return nil, status.Error(codes.Unimplemented, "")
 }
+
+func getCloud(secrets map[string]string, driverCloud cloud.Cloud) (cloud.Cloud, string, bool, error) {
+
+	var localCloud cloud.Cloud
+	var roleArn string
+	var crossAccountDNSEnabled bool
+	var err error
+
+	// Fetch aws role ARN for cross account mount from CSI secrets. Link to CSI secrets below
+	// https://kubernetes-csi.github.io/docs/secrets-and-credentials.html#csi-operation-secrets
+	if value, ok := secrets[RoleArn]; ok {
+		roleArn = value
+	}
+	if value, ok := secrets[CrossAccount]; ok {
+		crossAccountDNSEnabled, err = strconv.ParseBool(value)
+		if err != nil {
+			return nil, "", false, status.Error(codes.InvalidArgument, "crossaccount parameter must have boolean value.")
+		}
+	} else {
+		crossAccountDNSEnabled = false
+	}
+
+	if roleArn != "" {
+		localCloud, err = cloud.NewCloudWithRole(roleArn)
+		if err != nil {
+			return nil, "", false, status.Errorf(codes.Unauthenticated, "Unable to initialize aws cloud: %v. Please verify role has the correct AWS permissions for cross account mount", err)
+		}
+	} else {
+		localCloud = driverCloud
+	}
+
+	return localCloud, roleArn, crossAccountDNSEnabled, nil
+}
+
+func interpolateRootDirectoryName(rootDirectoryPath string, volumeParams map[string]string) (string, error) {
+	r := strings.NewReplacer(createListOfVariableSubstitutions(volumeParams)...)
+	result := r.Replace(rootDirectoryPath)
+
+	// Check if any templating characters still exist
+	if strings.Contains(result, "${") || strings.Contains(result, "}") {
+		return "", status.Errorf(codes.InvalidArgument,
+			"Path specified \"%v\" contains invalid elements. Can only contain %v", rootDirectoryPath,
+			getSupportedComponentNames())
+	}
+	return result, nil
+}
+
+func createListOfVariableSubstitutions(volumeParams map[string]string) []string {
+	variableSubstitutions := make([]string, 2*len(subPathPatternComponents))
+	i := 0
+	for key, volumeParamsKey := range subPathPatternComponents {
+		variableSubstitutions[i] = "${" + key + "}"
+		variableSubstitutions[i+1] = volumeParams[volumeParamsKey]
+		i += 2
+	}
+	return variableSubstitutions
+}
+
+func getSupportedComponentNames() []string {
+	keys := make([]string, len(subPathPatternComponents))
+
+	i := 0
+	for key := range subPathPatternComponents {
+		keys[i] = key
+		i++
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func validateEfsPathRequirements(proposedPath string) (bool, error) {
+	if len(proposedPath) > 100 {
+		// Check the proposed path is 100 characters or fewer
+		return false, status.Errorf(codes.InvalidArgument, "Proposed path '%s' exceeds EFS limit of 100 characters", proposedPath)
+	} else if strings.Count(proposedPath, "/") > 5 {
+		// Check the proposed path contains at most 4 subdirectories
+		return false, status.Errorf(codes.InvalidArgument, "Proposed path '%s' EFS limit of 4 subdirectories", proposedPath)
+	} else {
+		return true, nil
+	}
+}
+
+func get64LenHash(text string) string {
+	h := sha256.New()
+	h.Write([]byte(text))
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
diff --git a/pkg/driver/gid_allocator.go b/pkg/driver/gid_allocator.go
diff --git a/pkg/driver/provisioner.go b/pkg/driver/provisioner.go
@@ -2,11 +2,14 @@ package driver
 
 import (
 	"context"
+	"fmt"
 	"os"
+	"path"
 	"strconv"
 	"strings"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
+	"github.com/google/uuid"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"k8s.io/klog"
@@ -67,12 +70,8 @@ func (a AccessPointProvisioner) Provision(ctx context.Context, req *csi.CreateVo
 	var (
 		azName                 string
 		basePath               string
-		gid                    int64
-		gidMin                 int64
-		gidMax                 int64
 		localCloud             cloud.Cloud
 		roleArn                string
-		uid                    int64
 		crossAccountDNSEnabled bool
 	)
 	// Create tags
@@ -119,26 +118,37 @@ func (a AccessPointProvisioner) Provision(ctx context.Context, req *csi.CreateVo
 		return nil, err
 	}
 
-	// Check if file system exists. Describe FS or List APs handle appropriate error codes
-	// With dynamic uid/gid provisioning we can save a call to describe FS, as list APs fails if FS ID does not exist
-	var accessPoints []*cloud.AccessPoint
-	if uid == -1 || gid == -1 {
-		accessPoints, err = localCloud.ListAccessPoints(ctx, accessPointsOptions.FileSystemId)
-	} else {
-		_, err = localCloud.DescribeFileSystem(ctx, accessPointsOptions.FileSystemId)
-	}
-	if err != nil {
-		if err == cloud.ErrAccessDenied {
-			return nil, status.Errorf(codes.Unauthenticated, "Access Denied. Please ensure you have the right AWS permissions: %v", err)
-		}
-		if err == cloud.ErrNotFound {
-			return nil, status.Errorf(codes.InvalidArgument, "File System does not exist: %v", err)
+	rootDirName := volName
+	// Check if a custom structure should be imposed on the access point directory
+	if value, ok := volumeParams[SubPathPattern]; ok {
+		// Try and construct the root directory and check it only contains supported components
+		val, err := interpolateRootDirectoryName(value, volumeParams)
+		if err == nil {
+			klog.Infof("Using user-specified structure for access point directory.")
+			rootDirName = val
+			if value, ok := volumeParams[EnsureUniqueDirectory]; ok {
+				if ensureUniqueDirectory, err := strconv.ParseBool(value); !ensureUniqueDirectory && err == nil {
+					klog.Infof("Not appending PVC UID to path.")
+				} else {
+					klog.Infof("Appending PVC UID to path.")
+					rootDirName = fmt.Sprintf("%s-%s", val, uuid.New().String())
+				}
+			} else {
+				klog.Infof("Appending PVC UID to path.")
+				rootDirName = fmt.Sprintf("%s-%s", val, uuid.New().String())
+			}
+		} else {
+			return nil, err
 		}
-		return nil, status.Errorf(codes.Internal, "Failed to fetch Access Points or Describe File System: %v", err)
+	} else {
+		klog.Infof("Using PV name for access point directory.")
 	}
 
-	rootDirName := volName
-	rootDir := basePath + "/" + rootDirName
+	rootDir := path.Join("/", basePath, rootDirName)
+	if ok, err := validateEfsPathRequirements(rootDir); !ok {
+		return nil, err
+	}
+	klog.Infof("Using %v as the access point directory.", rootDir)
 
 	accessPointsOptions.Uid = uid
 	accessPointsOptions.Gid = gid