Add secret volume plugin and e2e test

2015-02-17 20:26:41 -05:00
parent afefa85b26
commit a42ff94c8f
18 changed files with 539 additions and 24 deletions
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@@ -230,7 +230,10 @@ type GitRepo struct {
 	// TODO: Consider credentials here.
 }

-// Adapts a Secret into a VolumeSource
+// Adapts a Secret into a VolumeSource.
+//
+// The contents of the target Secret's Data field will be presented in a volume
+// as files using the keys in the Data field as the file names.
 type SecretSource struct {
 	// Reference to a Secret
 	Target ObjectReference `json:"target"`
@@ -1318,15 +1321,22 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }

-// Secret holds secret data of a certain type
+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta   `json:",inline"`
 	ObjectMeta `json:"metadata,omitempty"`

+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
+	// The serialized form of the secret data is a base64 encoded string.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	Type SecretType `json:"type,omitempty"`
 }

+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string

 const (
@@ -1339,5 +1349,3 @@ type SecretList struct {

 	Items []Secret `json:"items"`
 }
-
-const MaxSecretSize = 1 * 1024 * 1024
--- a/pkg/api/v1beta1/types.go
+++ b/pkg/api/v1beta1/types.go
@@ -1100,13 +1100,21 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }

+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta `json:",inline"`

+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
+	// The serialized form of the secret data is a base64 encoded string.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	Type SecretType `json:"type,omitempty"`
 }

+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string

 const (
--- a/pkg/api/v1beta2/types.go
+++ b/pkg/api/v1beta2/types.go
@@ -1103,14 +1103,21 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }

-// Secret holds secret data of a certain type
+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta `json:",inline"`

+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	// The serialized form of the secret data is a base64 encoded string.
+	Type SecretType `json:"type,omitempty"`
 }

+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string

 const (
--- a/pkg/api/v1beta3/types.go
+++ b/pkg/api/v1beta3/types.go
@@ -1243,16 +1243,22 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }

-// Secret holds mappings between paths and secret data
-// TODO: shouldn't "Secret" be a plural?
+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta   `json:",inline"`
 	ObjectMeta `json:"metadata,omitempty"`

+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
+	// The serialized form of the secret data is a base64 encoded string.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	Type SecretType `json:"type,omitempty"`
 }

+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string

 const (
--- a/pkg/api/validation/validation.go
+++ b/pkg/api/validation/validation.go
@@ -853,9 +853,14 @@ func ValidateSecret(secret *api.Secret) errs.ValidationErrorList {
 	}

 	totalSize := 0
-	for _, value := range secret.Data {
+	for key, value := range secret.Data {
+		if !util.IsDNSSubdomain(key) {
+			allErrs = append(allErrs, errs.NewFieldInvalid(fmt.Sprintf("data[%v]", key), key, cIdentifierErrorMsg))
+		}
+
 		totalSize += len(value)
 	}
+
 	if totalSize > api.MaxSecretSize {
 		allErrs = append(allErrs, errs.NewFieldForbidden("data", "Maximum secret size exceeded"))
 	}
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
@@ -2497,7 +2497,7 @@ func TestValidateSecret(t *testing.T) {
 		return api.Secret{
 			ObjectMeta: api.ObjectMeta{Name: "foo", Namespace: "bar"},
 			Data: map[string][]byte{
-				"foo": []byte("bar"),
+				"data-1": []byte("bar"),
 			},
 		}
 	}
@@ -2508,6 +2508,7 @@ func TestValidateSecret(t *testing.T) {
 		emptyNs     = validSecret()
 		invalidNs   = validSecret()
 		overMaxSize = validSecret()
+		invalidKey  = validSecret()
 	)

 	emptyName.Name = ""
@@ -2517,6 +2518,7 @@ func TestValidateSecret(t *testing.T) {
 	overMaxSize.Data = map[string][]byte{
 		"over": make([]byte, api.MaxSecretSize+1),
 	}
+	invalidKey.Data["a..b"] = []byte("whoops")

 	tests := map[string]struct {
 		secret api.Secret
@@ -2528,6 +2530,7 @@ func TestValidateSecret(t *testing.T) {
 		"empty namespace":   {emptyNs, false},
 		"invalid namespace": {invalidNs, false},
 		"over max size":     {overMaxSize, false},
+		"invalid key":       {invalidKey, false},
 	}

 	for name, tc := range tests {