-
Notifications
You must be signed in to change notification settings - Fork 289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow providers to have the driver write files #481
feat: allow providers to have the driver write files #481
Conversation
Skipping CI for Draft Pull Request. |
/retest |
/test pull-secrets-store-csi-driver-e2e-vault |
vault e2e tests should be fixed with #483 |
/test pull-secrets-store-csi-driver-e2e-vault |
) | ||
|
||
const ( | ||
maxFileNameLength = 255 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For Azure Key vault, the max object name length is 128 and I assume this is a reasonable limit for the Google Secrets Manager as well. Is there a restriction for Hashicorp vault? Since this limit is being imposed now we should make sure we aren't breaking any exist cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does not seem like the vault provider includes an restrictions on path lengths: https://github.com/hashicorp/vault-csi-provider/blob/20173a0f069739c2e9236c3b23bbe98a4af2c3ba/internal/provider/provider.go#L254
The GCP plugin has a length of 253 since IsConfigMapKey
is currently used:
https://github.com/kubernetes/apimachinery/blob/2456ebdaba229616fab2161a615148884b46644b/pkg/util/validation/validation.go#L424
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tomhjp Do you see anything breaking with imposing this limit on the secret name length for the vault provider?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no explicit limit currently but I'm ok with introducing this limit 👍
pkg/util/fileutil/writer.go
Outdated
if targetPath == "" { | ||
return fmt.Errorf("invalid path: must not be empty: %q", targetPath) | ||
} | ||
if path.IsAbs(targetPath) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should use filepath
so this is valid for windows too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at path.IsAbs and filepath.IsAbs I'm fairly certain that their implementations are equivalent, so I'll move to filepath
as that seems more semantically correct. Think we should propose a change to automic_writer.go too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, we should propose a change to atomic_writer.go
. We can open a PR and get feedback from the community.
string path = 1; | ||
// The mode bits used to set permissions on this file. | ||
// Must be a decimal value between 0 and 511. | ||
int32 mode = 2; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Today, the mode is sent to the provider from the driver. Having this will make it extensible in the future if we decide to support user configuration for mode.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack. My initial thoughts here are that we should deprecate permission
in MountRequest
and that permissions should be specified in the provider specific portion of the SecretProviderClass
yaml at the same spot that secrets->files are mapped.
|
||
// File holds secret file contents and location in the mount path to write the | ||
// file. | ||
message File { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we also add a comment with the limitations on the size of the payload?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, i completely forgot about that. Do you think I should also add a configurable message size flag to this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm assuming bigger size than default supported would mean we would need to use grpc stream? I would be open to keeping the default with the limitation documented. If there are users with additional size, then we can add an option to configure. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the repeated File files = 3
comment but we can just add a flag to control the MaxCallRecvMsgSize
option when creating the plugin grpc client. This would require config/deploy from the user but would not require switching to grpc streaming. I believe this was what @tomhjp preferred in the design doc
/test pull-secrets-store-csi-driver-e2e-azure |
1 similar comment
/test pull-secrets-store-csi-driver-e2e-azure |
@tam7t: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
}, | ||
}, | ||
{ | ||
name: "provider response with multiple files", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe add a test for 0 file returned
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "provider successful response" case covers this, but I've updated it to be explicit and this gave me the idea to use filepath.walk + go-cmp for better file comparisons
@@ -59,6 +61,27 @@ message MountRequest { | |||
message MountResponse { | |||
repeated ObjectVersion object_version = 1; | |||
Error error = 2; | |||
// files contains the entire mount volume filesystem. | |||
// | |||
// The total size of all files should not exceed 1MiB or syncing to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to validate the file content size if this is a known limit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could add it for the 1 MiB case but over 4MiB the RPC will fail. I've added a klog to MountContent
for when the proto is > 1MiB.
171ef9a
to
b7a9369
Compare
b7a9369
to
bc3ec81
Compare
/test pull-secrets-store-csi-driver-e2e-windows |
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aramase, tam7t The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
Expands the provider<->driver interface to allow the providers to have the driver write all files to the mount.
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Fixes #460
Special notes for your reviewer: