graduate CSIServiceAccountToken to beta
@@ -274,6 +274,9 @@ type CSIDriverSpec struct {
|
||||
// If the CSIDriverRegistry feature gate is enabled and the value is
|
||||
// specified to false, the attach operation will be skipped.
|
||||
// Otherwise the attach operation will be called.
|
||||
//
|
||||
// This field is immutable.
|
||||
//
|
||||
// +optional
|
||||
AttachRequired *bool
|
||||
|
||||
@@ -282,6 +285,9 @@ type CSIDriverSpec struct {
|
||||
// Refer to the specific FSGroupPolicy values for additional details.
|
||||
// This field is alpha-level, and is only honored by servers
|
||||
// that enable the CSIVolumeFSGroupPolicy feature gate.
|
||||
//
|
||||
// This field is immutable.
|
||||
//
|
||||
// +optional
|
||||
FSGroupPolicy *FSGroupPolicy
|
||||
|
||||
@@ -309,6 +315,9 @@ type CSIDriverSpec struct {
|
||||
// As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
|
||||
// deployed on such a cluster and the deployment determines which mode that is, for example
|
||||
// via a command line parameter of the driver.
|
||||
//
|
||||
// This field is immutable.
|
||||
//
|
||||
// +optional
|
||||
PodInfoOnMount *bool
|
||||
|
||||
@@ -324,6 +333,9 @@ type CSIDriverSpec struct {
|
||||
// https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
|
||||
// A driver can support one or more of these mode and
|
||||
// more modes may be added in the future.
|
||||
//
|
||||
// This field is immutable.
|
||||
//
|
||||
// +optional
|
||||
VolumeLifecycleModes []VolumeLifecycleMode
|
||||
|
||||
@@ -341,6 +353,8 @@ type CSIDriverSpec struct {
|
||||
// unset or false and it can be flipped later when storage
|
||||
// capacity information has been published.
|
||||
//
|
||||
// This field is immutable.
|
||||
//
|
||||
// This is a beta field and only available when the CSIStorageCapacity
|
||||
// feature is enabled. The default is false.
|
||||
//
|
||||
@@ -363,7 +377,7 @@ type CSIDriverSpec struct {
|
||||
// most one token is empty string. To receive a new token after expiry,
|
||||
// RequiresRepublish can be used to trigger NodePublishVolume periodically.
|
||||
//
|
||||
// This is an alpha feature and only available when the
|
||||
// This is a beta feature and only available when the
|
||||
// CSIServiceAccountToken feature is enabled.
|
||||
//
|
||||
// +optional
|
||||
@@ -378,7 +392,7 @@ type CSIDriverSpec struct {
|
||||
// to NodePublishVolume should only update the contents of the volume. New
|
||||
// mount points will not be seen by a running container.
|
||||
//
|
||||
// This is an alpha feature and only available when the
|
||||
// This is a beta feature and only available when the
|
||||
// CSIServiceAccountToken feature is enabled.
|
||||
//
|
||||
// +optional
|
||||
|
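Review bot: In the `@@ -341,6 +353,8 @@` hunk the added `// This field is immutable.` contradicts the sentence just above it, which says the value can be left `unset or false and it can be flipped later when storage capacity information has been published`. One of the two statements has to change, or the comment should say that flipping means deleting and recreating the object. The field declaration itself is outside the hunk. The two CSIServiceAccountToken-gated comments in the last two hunks only change "alpha" to "beta" and never say that these fields are the ones left updatable in place. Adding `// This field is mutable.` there would make the split explicit for operators reviewing who may edit a driver's token settings.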
@@ -425,11 +425,14 @@ func ValidateCSIDriver(csiDriver *storage.CSIDriver) field.ErrorList {
|
||||
func ValidateCSIDriverUpdate(new, old *storage.CSIDriver) field.ErrorList {
|
||||
allErrs := apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))
|
||||
|
||||
// Spec is read-only
|
||||
// If this ever relaxes in the future, make sure to increment the Generation number in PrepareForUpdate
|
||||
if !apiequality.Semantic.DeepEqual(old.Spec, new.Spec) {
|
||||
allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), new.Spec, "field is immutable"))
|
||||
}
|
||||
// immutable fields should not be mutated.
|
||||
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.AttachRequired, old.Spec.AttachRequired, field.NewPath("spec", "attachedRequired"))...)
|
||||
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.FSGroupPolicy, old.Spec.FSGroupPolicy, field.NewPath("spec", "fsGroupPolicy"))...)
|
||||
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.PodInfoOnMount, old.Spec.PodInfoOnMount, field.NewPath("spec", "podInfoOnMount"))...)
|
||||
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.VolumeLifecycleModes, old.Spec.VolumeLifecycleModes, field.NewPath("spec", "volumeLifecycleModes"))...)
|
||||
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.StorageCapacity, old.Spec.StorageCapacity, field.NewPath("spec", "storageCapacity"))...)
|
||||
|
||||
allErrs = append(allErrs, validateTokenRequests(new.Spec.TokenRequests, field.NewPath("spec", "tokenRequests"))...)
|
||||
return allErrs
|
||||
}
|
||||
|
||||
|
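Review bot: The first `ValidateImmutableField` call reports its error under `field.NewPath("spec", "attachedRequired")`, but the field is `AttachRequired`, so a rejected update names a path that does not exist; it should read `field.NewPath("spec", "attachRequired")`. Replacing the whole-spec `DeepEqual` with a per-field list also flips the default from deny to allow, because any field added to `CSIDriverSpec` later is mutable unless a line is added here. A comment above the list would help the next author, for example `// Every spec field except TokenRequests and RequiresRepublish must be listed here; unlisted fields are mutable.` The removed comment asked for the Generation number to be incremented in PrepareForUpdate once the spec stops being read-only; no such change appears on this page, so that is worth confirming.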
@@ -1927,11 +1927,11 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
|
||||
podInfoOnMount := true
|
||||
storageCapacity := true
|
||||
notPodInfoOnMount := false
|
||||
gcp := "gcp"
|
||||
requiresRepublish := true
|
||||
notRequiresRepublish := false
|
||||
notStorageCapacity := false
|
||||
resourceVersion := "1"
|
||||
invalidFSGroupPolicy := storage.ReadWriteOnceWithFSTypeFSGroupPolicy
|
||||
invalidFSGroupPolicy = "invalid-mode"
|
||||
old := storage.CSIDriver{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: resourceVersion},
|
||||
Spec: storage.CSIDriverSpec{
|
||||
@@ -1946,30 +1946,35 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
// Currently we compare the object against itself
|
||||
// and ensure updates succeed
|
||||
successCases := []storage.CSIDriver{
|
||||
old,
|
||||
// An invalid FSGroupPolicy should still pass
|
||||
successCases := []struct {
|
||||
name string
|
||||
modify func(new *storage.CSIDriver)
|
||||
}{
|
||||
{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: resourceVersion},
|
||||
Spec: storage.CSIDriverSpec{
|
||||
AttachRequired: &attachNotRequired,
|
||||
PodInfoOnMount: ¬PodInfoOnMount,
|
||||
VolumeLifecycleModes: []storage.VolumeLifecycleMode{
|
||||
storage.VolumeLifecycleEphemeral,
|
||||
storage.VolumeLifecyclePersistent,
|
||||
},
|
||||
FSGroupPolicy: &invalidFSGroupPolicy,
|
||||
StorageCapacity: &storageCapacity,
|
||||
name: "no change",
|
||||
modify: func(new *storage.CSIDriver) {},
|
||||
},
|
||||
{
|
||||
name: "change TokenRequests",
|
||||
modify: func(new *storage.CSIDriver) {
|
||||
new.Spec.TokenRequests = []storage.TokenRequest{{Audience: gcp}}
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "change RequiresRepublish",
|
||||
modify: func(new *storage.CSIDriver) {
|
||||
new.Spec.RequiresRepublish = &requiresRepublish
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, csiDriver := range successCases {
|
||||
newDriver := csiDriver.DeepCopy()
|
||||
if errs := ValidateCSIDriverUpdate(&csiDriver, newDriver); len(errs) != 0 {
|
||||
t.Errorf("expected success for %+v: %v", csiDriver, errs)
|
||||
}
|
||||
for _, test := range successCases {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
new := old.DeepCopy()
|
||||
test.modify(new)
|
||||
if errs := ValidateCSIDriverUpdate(new, &old); len(errs) != 0 {
|
||||
t.Errorf("Expected success for %+v: %v", new, errs)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// Each test case changes exactly one field. None of that is valid.
|
||||
@@ -1995,18 +2000,18 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
|
||||
new.Spec.AttachRequired = nil
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "PodInfoOnMount not set",
|
||||
modify: func(new *storage.CSIDriver) {
|
||||
new.Spec.PodInfoOnMount = nil
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "AttachRequired changed",
|
||||
modify: func(new *storage.CSIDriver) {
|
||||
new.Spec.AttachRequired = &attachRequired
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "PodInfoOnMount not set",
|
||||
modify: func(new *storage.CSIDriver) {
|
||||
new.Spec.PodInfoOnMount = nil
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "PodInfoOnMount changed",
|
||||
modify: func(new *storage.CSIDriver) {
|
||||
@@ -2064,6 +2069,12 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
|
||||
new.Spec.StorageCapacity = ¬StorageCapacity
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "TokenRequests invalidated",
|
||||
modify: func(new *storage.CSIDriver) {
|
||||
new.Spec.TokenRequests = []storage.TokenRequest{{Audience: gcp}, {Audience: gcp}}
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range errorCases {
|
||||
@@ -2071,7 +2082,7 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
|
||||
new := old.DeepCopy()
|
||||
test.modify(new)
|
||||
if errs := ValidateCSIDriverUpdate(new, &old); len(errs) == 0 {
|
||||
t.Errorf("Expected failure for test: %v", new)
|
||||
t.Errorf("Expected failure for test: %+v", new)
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -2253,7 +2264,7 @@ func TestCSIServiceAccountToken(t *testing.T) {
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
desc: "invalid - TokenRequests has tokens with ExpirationSeconds less than 10min",
|
||||
desc: "invalid - TokenRequests has tokens with ExpirationSeconds longer than 1<<32 min",
|
||||
csiDriver: &storage.CSIDriver{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: driverName},
|
||||
Spec: storage.CSIDriverSpec{
|
||||
|
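Review bot: The rewritten `successCases` table in the `@@ -1946,30 +1946,35 @@` hunk appears to drop the old `// An invalid FSGroupPolicy should still pass` case along with `invalidFSGroupPolicy`, so nothing now checks that an update is accepted when the stored object already carries an invalid policy. Every new case is derived from `old` through `modify`, so that scenario cannot be expressed in the table. It needs a separate sub-test that builds its own `old` with the invalid value and validates an unchanged copy against it. In the last hunk the renamed case reads `ExpirationSeconds longer than 1<<32 min` while the field is counted in seconds; the case body is outside the hunk, so the unit in the description should be checked against the value actually used.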