Adding credentials support for k8s core CSI

[sbezverk]

PR implements changes proposed in: kubernetes/community#1816

CSI now allows credentials to be specified on CreateVolume/DeleteVolume, ControllerPublishVolume/ControllerUnpublishVolume, and NodePublishVolume/NodeUnpublishVolume operations

[sbezverk]

/sig storage
/kind feature

[sbezverk]

@vladimirvivien @saad-ali Please review.
This implementation adds two new objects and modifies code only for NodePublish and NodeUnpublish, since these operations are executed by csi_mounter.go and csi_client.go
Changes for ControllerCreate/Delete/Publish/Unpublish are outside of k8s core and will be done after merging this change.

[sbezverk]

@saad-ali addressed changes in the proposal, PTAL.

[saad-ali]

nit: Update comment

  // ControllerPublishSecretRef is a reference to the secret object containing
  // sensitive information to pass to the CSI driver to complete the CSI
  // ControllerPublishVolume and ControllerUnpublishVolume calls.
  // This field is optional, and  may be empty if no secret is required. If the
  // secret object contains more than one secret, all secrets are passed.
  // +optional

[sbezverk]

done

[saad-ali]

You can remove this line.

[saad-ali]

You can remove this line.

[sbezverk]

done

[saad-ali]

I think empty namespace maybe a valid case (default namespace?).

[sbezverk]

done, in reality it will not be ever empty as I take it from pod's spec. Removed ns check.

[saad-ali]

Not your code, but, can you add a commit to remove probe related code in this PR too:

...
 	if err := csi.NodeProbe(ctx, csiVersion); err != nil {
...

and all related comments, e.g.:

// TODO (vladimirvivien) use this method to probe controller using CSI.NodeProbe() call

[sbezverk]

done

[saad-ali]

Just use csiSource.NodePublishSecretRef.Name everywhere instead.

[sbezverk]

done

[saad-ali]

I'm not 100% sure, but I think an empty namespace is valid. So maybe just check if NodePublishSecretRef.Name != nil

[sbezverk]

Here I check for the presence of Secret Object, Name is string, it could be not nil but "". If you do not mind I would like to keep this check for object not nil and secret name validation in getCredentialsFromSecret

[sbezverk]

@saad-ali addressed your comments, PTAL.

[saad-ali]

I forgot one more set of changes: The Kubernetes API server's node authorizer must be updated to allow kubelet to access the secrets referenced by CSIPersistentVolumeSource.

[saad-ali]

I forgot one more set of changes: The Kubernetes API server's node authorizer must be updated to allow kubelet to access the secrets referenced by CSIPersistentVolumeSource.

Actually I think this might be handled by VisitPVSecretNames.
@liggitt to confirm and review.

/assign @liggitt

[saad-ali]

verify gofmt is failing, please run gofmt

[liggitt]

I forgot one more set of changes: The Kubernetes API server's node authorizer must be updated to allow kubelet to access the secrets referenced by CSIPersistentVolumeSource.

Actually I think this might be handled by VisitPVSecretNames.
@liggitt to confirm and review.

Close, though the node authorizer today allows the kubelet to read any secret referenced by a PV. As of this PR, only some secret references should be kubelet-visible (specifically, ControllerPublishSecretRef should not be). You can make that a parameter to the visitor (func(namespace, name string, kubeletVisible bool)) and omit appropriately in the node authorizer visitor

[liggitt]

api validation should be added to prevent these from being empty... no need to recheck here (or in the other blocks)

[sbezverk]

@liggitt could you please point me where the validation you mentioned should be added.

[liggitt]

kubernetes/pkg/apis/core/validation/validation.go

Lines 1432 to 1456 in 82eeda0

	func validateCSIPersistentVolumeSource(csi *core.CSIPersistentVolumeSource, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
	allErrs = append(allErrs, field.Forbidden(fldPath, "CSIPersistentVolume disabled by feature-gate"))
	}
	if len(csi.Driver) == 0 {
	allErrs = append(allErrs, field.Required(fldPath.Child("driver"), ""))
	}
	if len(csi.Driver) > 63 {
	allErrs = append(allErrs, field.TooLong(fldPath.Child("driver"), csi.Driver, 63))
	}
	if !csiDriverNameRexp.MatchString(csi.Driver) {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("driver"), csi.Driver, validation.RegexError(csiDriverNameRexpErrMsg, csiDriverNameRexpFmt, "csi-hostpath")))
	}
	if len(csi.VolumeHandle) == 0 {
	allErrs = append(allErrs, field.Required(fldPath.Child("volumeHandle"), ""))
	}
	return allErrs
	}

[sbezverk]

/test pull-kubernetes-unit

[liggitt]

for all of these, ensure name is a valid secret name and namespace is a valid namespace name

[sbezverk]

done

[liggitt]

this should be csiSource.NodePublishSecretRef.Namespace

[liggitt]

to protect against this type of mistake, consider passing the secret ref to getCredentialsFromSecret instead of loose name/namespace fields

[sbezverk]

done

[liggitt]

NodePublishSecretRef.Namespace

[sbezverk]

Will be passing SecreteReference to getCredentialsFromSecret.

[sbezverk]

@saad-ali @liggitt addressed latest comments, PTAL

[saad-ali]

LGTM mod nit

@liggitt for node authorizer review

[saad-ali]

nit: when it is unclear what the value means, it's nice to have a comment, for example:

!visitor(
    *source.AzureFile.SecretNamespace,
    source.AzureFile.SecretName,
    true /* kubeletVisible */) {

But it's a personal preference, up to you if you want to do that.

[sbezverk]

agree, it is more next developer friendly :)

[liggitt]

I expected this to return the error and avoid making the CSI call

[sbezverk]

I am not sure, credentials are not mandatory, so if not specified I do not think we should fail CSI call. @saad-ali what do you think?

[liggitt]

if they were specified by the PV, then it seems like an error resolving them should be considered an error in input gathering and short-circuit

[liggitt]

here and below, I expected to handle an error return from getCredentialsFromSecret by short-circuiting and returning the error, rather than making the csi call with an empty credentials map

[liggitt]

API and node authorizer bits LGTM
one comment on error handling on secret lookup

[liggitt]

/approve

[saad-ali]

/lgtm
/approve

[saad-ali]

For vendored dep update:
/assign @thockin

[brendandburns]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, liggitt, saad-ali, sbezverk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• Godeps/OWNERS [brendandburns]
• api/OWNERS [brendandburns,liggitt]
• docs/api-reference/OWNERS [brendandburns,liggitt]
• pkg/api/OWNERS [brendandburns,liggitt]
• pkg/apis/core/OWNERS [brendandburns,liggitt]
• pkg/volume/csi/OWNERS [brendandburns,saad-ali]
• plugin/pkg/auth/authorizer/node/OWNERS [brendandburns,liggitt]
• staging/src/k8s.io/api/OWNERS [brendandburns,liggitt]
• vendor/OWNERS [brendandburns]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[sbezverk]

/test pull-kubernetes-unit

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.