Move CredentialProvider into its own package
#363
Conversation
| @@ -0,0 +1,162 @@ | |||
| // Package awsprofile provides utilities for creating and deleting AWS Profile (i.e., credentials & config files). | |||
There was a problem hiding this comment.
This package now accepts basepath, prefix and filePerm settings as arguments (see Setting struct) to accommodate changes in credentialprovider. There is no other change than that.
| ctx, cancel := context.WithCancel(context.Background()) | ||
| defer cancel() | ||
| tokenFile := os.Getenv(webIdentityTokenEnv) | ||
| if tokenFile != "" { | ||
| klog.Infof("Found AWS_WEB_IDENTITY_TOKEN_FILE, syncing token") | ||
| go tokenFileTender(ctx, tokenFile, "/csi/token") | ||
| } |
There was a problem hiding this comment.
This logic has been moved to provideStsWebIdentityCredentialsFromDriver function in pkg/driver/node/credentialprovider/provider_driver.go. Since we enabled requiresRepublish as part of Pod-level identity support, Kubernetes will call NodePublishVolume periodically to update existing service account tokens before they expire, and the credential provider will be called as part of this method. Another reason for this change is that, this assumes a single location for service account tokens for Driver-level identity, but with containerization this won't be the case. See the note regarding credential provider in the original PR description for more context.
| @@ -0,0 +1,84 @@ | |||
| package credentialprovider | |||
There was a problem hiding this comment.
There is no change in stsRegion, RegionFromIMDSOnce and its tests rather than using the new ProvideContext struct instead of volume context.
| if credentials.AccessKeyID != "" && credentials.SecretAccessKey != "" { | ||
| // Kubernetes creates target path in the form of "/var/lib/kubelet/pods/<pod-uuid>/volumes/kubernetes.io~csi/<volume-id>/mount". | ||
| // So the directory of the target path is unique for this mount, and we can use it to write credentials and config files. | ||
| // These files will be cleaned up in `Unmount`. | ||
| basepath := filepath.Dir(target) | ||
| awsProfile, err = awsprofile.CreateAWSProfile(basepath, credentials.AccessKeyID, credentials.SecretAccessKey, credentials.SessionToken) | ||
| if err != nil { | ||
| klog.V(4).Infof("Mount: Failed to create AWS Profile in %s: %v", basepath, err) | ||
| return fmt.Errorf("Mount: Failed to create AWS Profile in %s: %v", basepath, err) | ||
| } | ||
| } |
There was a problem hiding this comment.
This logic to create AWS profile based on long-term credentials has been moved to provideLongTermCredentialsFromDriver function in pkg/driver/node/credentialprovider/provider_driver.go.
| func (m *SystemdMounter) credentialWriteAndEnvPath() (writePath string, envPath string) { | ||
| // This is the plugin directory for CSI driver mounted in the container. | ||
| writePath = "/csi" | ||
| // This is the plugin directory for CSI driver in the host. | ||
| envPath = hostPluginDirWithDefault() | ||
| return writePath, envPath | ||
| } | ||
|
|
||
| func hostPluginDirWithDefault() string { | ||
| hostPluginDir := os.Getenv("HOST_PLUGIN_DIR") | ||
| if hostPluginDir == "" { | ||
| hostPluginDir = "/var/lib/kubelet/plugins/s3.csi.aws.com/" | ||
| } | ||
| return hostPluginDir | ||
| } |
There was a problem hiding this comment.
This two path, writePath and envPath was hard-coded in CredentialProvider before and now an argument to credentialProvider.{Provide, Cleanup} as they will be different in PodMounter.
| volumeCtx := req.GetVolumeContext() | ||
| if volumeCtx[volumecontext.AuthenticationSource] == mounter.AuthenticationSourcePod { | ||
| podID := volumeCtx[volumecontext.CSIPodUID] | ||
| volumeID := req.GetVolumeId() | ||
| if podID != "" && volumeID != "" { | ||
| err := ns.credentialProvider.CleanupToken(volumeID, podID) | ||
| if err != nil { | ||
| klog.V(4).Infof("NodeStageVolume: Failed to cleanup token for pod/volume %s/%s: %v", podID, volumeID, err) | ||
| } | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
This NodeStageVolume wasn't enabled at all – we need to add STAGE_UNSTAGE_VOLUME node capability to enable – and also this cleaning of tokens has been moved to Unmount method of mounter.
| // filesystems, and to communicate with each other, the CSI Driver Node Pod uses `hostPath` volume to gain | ||
| // access some path visible from both the CSI Driver Node Pod and Mountpoint, and setups files in that volume | ||
| // using [WritePath] and returns paths to these files in [EnvPath], so Mountpoint can correctly read these files. | ||
| type ProvideContext struct { |
There was a problem hiding this comment.
credentialprovider.Provide method was accepting a few arguments including volume context before, now I grouped all them into ProvideContext.
The WritePath and EnvPath are the new ones, they were hard-coded before, and will be different on PodMounter and SystemdMounter.
Signed-off-by: Burak Varlı <[email protected]>
Signed-off-by: Burak Varlı <[email protected]>
unexge
force-pushed
the
add-credentialprovider-package
branch
from
49f7629 to
314f370
Compare
Supersedes #328. Pre-work for #279.
This PR moves the logic in
CredentialProvider,MountCredentials,awsprofilepackage andtokenFileTenderfunction (indriver.gofor driver-level IRSA) intocredentialproviderpackage to unify all credential related logic.Addition to that, it makes the following changes to make it workable with the upcoming
PodMounterfor containerization:credentialprovider.Providemethod call intoMounterinterface asSystemdMounterandPodMounterwill have different mechanism/paths to provide credentialscredentialprovider.{Provide, Cleanup}asSystemdMounterandPodMounterwill use different paths to write credentialsCleanuptoUnmountmethod ofMounterinterfaceBy submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.