graduate CSIServiceAccountToken to beta

Shihang Zhang
2021-02-22 00:40:30 -08:00
parent f17004981b
commit 4ad1c71174
14 changed files with 181 additions and 92 deletions


@@ -274,6 +274,9 @@ type CSIDriverSpec struct {
// If the CSIDriverRegistry feature gate is enabled and the value is
// specified to false, the attach operation will be skipped.
// Otherwise the attach operation will be called.
//
// This field is immutable.
//
// +optional
AttachRequired *bool
@@ -282,6 +285,9 @@ type CSIDriverSpec struct {
// Refer to the specific FSGroupPolicy values for additional details.
// This field is alpha-level, and is only honored by servers
// that enable the CSIVolumeFSGroupPolicy feature gate.
//
// This field is immutable.
//
// +optional
FSGroupPolicy *FSGroupPolicy
@@ -309,6 +315,9 @@ type CSIDriverSpec struct {
// As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
// deployed on such a cluster and the deployment determines which mode that is, for example
// via a command line parameter of the driver.
//
// This field is immutable.
//
// +optional
PodInfoOnMount *bool
@@ -324,6 +333,9 @@ type CSIDriverSpec struct {
// https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
// A driver can support one or more of these mode and
// more modes may be added in the future.
//
// This field is immutable.
//
// +optional
VolumeLifecycleModes []VolumeLifecycleMode
@@ -341,6 +353,8 @@ type CSIDriverSpec struct {
// unset or false and it can be flipped later when storage
// capacity information has been published.
//
// This field is immutable.
//
// This is a beta field and only available when the CSIStorageCapacity
// feature is enabled. The default is false.
//
@@ -363,7 +377,7 @@ type CSIDriverSpec struct {
// most one token is empty string. To receive a new token after expiry,
// RequiresRepublish can be used to trigger NodePublishVolume periodically.
//
// This is an alpha feature and only available when the
// This is a beta feature and only available when the
// CSIServiceAccountToken feature is enabled.
//
// +optional
@@ -378,7 +392,7 @@ type CSIDriverSpec struct {
// to NodePublishVolume should only update the contents of the volume. New
// mount points will not be seen by a running container.
//
// This is an alpha feature and only available when the
// This is a beta feature and only available when the
// CSIServiceAccountToken feature is enabled.
//
// +optional
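Review bot: The StorageCapacity comment now contradicts itself: it keeps the sentence saying the value "can be flipped later when storage capacity information has been published", and the hunk at -341,6 adds `// This field is immutable.` directly below it. The validation file on this page does list `spec.storageCapacity` among the immutable fields, so the "flipped later" wording should be dropped or reworded to say the driver must be redeployed to change it. After this change tokenRequests and requiresRepublish appear to be the only spec fields without the immutable marker, so their comments should say so explicitly, for example `// This field is mutable.`, because anyone reading the type cannot otherwise tell that the token audiences can be changed on a live object.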


@@ -425,11 +425,14 @@ func ValidateCSIDriver(csiDriver *storage.CSIDriver) field.ErrorList {
func ValidateCSIDriverUpdate(new, old *storage.CSIDriver) field.ErrorList {
allErrs := apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))
// Spec is read-only
// If this ever relaxes in the future, make sure to increment the Generation number in PrepareForUpdate
if !apiequality.Semantic.DeepEqual(old.Spec, new.Spec) {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), new.Spec, "field is immutable"))
}
// immutable fields should not be mutated.
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.AttachRequired, old.Spec.AttachRequired, field.NewPath("spec", "attachedRequired"))...)
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.FSGroupPolicy, old.Spec.FSGroupPolicy, field.NewPath("spec", "fsGroupPolicy"))...)
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.PodInfoOnMount, old.Spec.PodInfoOnMount, field.NewPath("spec", "podInfoOnMount"))...)
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.VolumeLifecycleModes, old.Spec.VolumeLifecycleModes, field.NewPath("spec", "volumeLifecycleModes"))...)
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.StorageCapacity, old.Spec.StorageCapacity, field.NewPath("spec", "storageCapacity"))...)
allErrs = append(allErrs, validateTokenRequests(new.Spec.TokenRequests, field.NewPath("spec", "tokenRequests"))...)
return allErrs
}
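Review bot: The field path for AttachRequired is spelled `attachedRequired`, while the other paths use the lowerCamel form of the Go field name (`podInfoOnMount`, `storageCapacity`), so a rejected update would presumably report a field name that does not exist; it should read `field.NewPath("spec", "attachRequired")`. Replacing the whole-spec DeepEqual with a per-field list also makes immutability opt-in: any field added to CSIDriverSpec later is mutable unless someone remembers to add a line here, and `tokenRequests`, which selects the audiences of the service account tokens handed to the driver, becomes changeable by anyone allowed to update CSIDriver objects. A comment above the list should record that, for example `// Every spec field except tokenRequests and requiresRepublish must be listed here; fields not listed are mutable.` The comment asking for a Generation increment in PrepareForUpdate if the check is ever relaxed is still printed in this section, and whether that increment was added is not visible on this page.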


@@ -1927,11 +1927,11 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
podInfoOnMount := true
storageCapacity := true
notPodInfoOnMount := false
gcp := "gcp"
requiresRepublish := true
notRequiresRepublish := false
notStorageCapacity := false
resourceVersion := "1"
invalidFSGroupPolicy := storage.ReadWriteOnceWithFSTypeFSGroupPolicy
invalidFSGroupPolicy = "invalid-mode"
old := storage.CSIDriver{
ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: resourceVersion},
Spec: storage.CSIDriverSpec{
@@ -1946,30 +1946,35 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
},
}
// Currently we compare the object against itself
// and ensure updates succeed
successCases := []storage.CSIDriver{
old,
// An invalid FSGroupPolicy should still pass
successCases := []struct {
name string
modify func(new *storage.CSIDriver)
}{
{
ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: resourceVersion},
Spec: storage.CSIDriverSpec{
AttachRequired: &attachNotRequired,
PodInfoOnMount: &notPodInfoOnMount,
VolumeLifecycleModes: []storage.VolumeLifecycleMode{
storage.VolumeLifecycleEphemeral,
storage.VolumeLifecyclePersistent,
},
FSGroupPolicy: &invalidFSGroupPolicy,
StorageCapacity: &storageCapacity,
name: "no change",
modify: func(new *storage.CSIDriver) {},
},
{
name: "change TokenRequests",
modify: func(new *storage.CSIDriver) {
new.Spec.TokenRequests = []storage.TokenRequest{{Audience: gcp}}
},
},
{
name: "change RequiresRepublish",
modify: func(new *storage.CSIDriver) {
new.Spec.RequiresRepublish = &requiresRepublish
},
},
}
for _, csiDriver := range successCases {
newDriver := csiDriver.DeepCopy()
if errs := ValidateCSIDriverUpdate(&csiDriver, newDriver); len(errs) != 0 {
t.Errorf("expected success for %+v: %v", csiDriver, errs)
}
for _, test := range successCases {
t.Run(test.name, func(t *testing.T) {
new := old.DeepCopy()
test.modify(new)
if errs := ValidateCSIDriverUpdate(new, &old); len(errs) != 0 {
t.Errorf("Expected success for %+v: %v", new, errs)
}
})
}
// Each test case changes exactly one field. None of that is valid.
@@ -1995,18 +2000,18 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
new.Spec.AttachRequired = nil
},
},
{
name: "PodInfoOnMount not set",
modify: func(new *storage.CSIDriver) {
new.Spec.PodInfoOnMount = nil
},
},
{
name: "AttachRequired changed",
modify: func(new *storage.CSIDriver) {
new.Spec.AttachRequired = &attachRequired
},
},
{
name: "PodInfoOnMount not set",
modify: func(new *storage.CSIDriver) {
new.Spec.PodInfoOnMount = nil
},
},
{
name: "PodInfoOnMount changed",
modify: func(new *storage.CSIDriver) {
@@ -2064,6 +2069,12 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
new.Spec.StorageCapacity = &notStorageCapacity
},
},
{
name: "TokenRequests invalidated",
modify: func(new *storage.CSIDriver) {
new.Spec.TokenRequests = []storage.TokenRequest{{Audience: gcp}, {Audience: gcp}}
},
},
}
for _, test := range errorCases {
@@ -2071,7 +2082,7 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
new := old.DeepCopy()
test.modify(new)
if errs := ValidateCSIDriverUpdate(new, &old); len(errs) == 0 {
t.Errorf("Expected failure for test: %v", new)
t.Errorf("Expected failure for test: %+v", new)
}
})
}
@@ -2253,7 +2264,7 @@ func TestCSIServiceAccountToken(t *testing.T) {
wantErr: true,
},
{
desc: "invalid - TokenRequests has tokens with ExpirationSeconds less than 10min",
desc: "invalid - TokenRequests has tokens with ExpirationSeconds longer than 1<<32 min",
csiDriver: &storage.CSIDriver{
ObjectMeta: metav1.ObjectMeta{Name: driverName},
Spec: storage.CSIDriverSpec{