Allow SecretReference.Name in PVs to have 253 characters
PV.Spec.CSI.*SecretReference.Name should be allowed to have up to be limited to 253 characters (DNS1123Subdomain) and not to 63 characters (DNS1123Label), so all possible Secrets names can be used as secrets in a PV. This is continuation of https://github.com/kubernetes/kubernetes/pull/108331 / Kubernetes 1.25, which allowed updating PVs with long secret names, if the previous PV had long secret name too. This makes sure downgrade from 1.27 to 1.26 works well and allows PVs created in 1.27 to be updated in 1.26. Now the long secret names are accepted during PV creation too.
This commit is contained in:
Jan Safranek
@@ -763,7 +763,7 @@ func TestValidatePersistentVolumeSourceUpdate(t *testing.T) {
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, shortSecretRef, "controllerExpand"),
|
||||
},
|
||||
"csi-expansion-enabled-with-longSecretRef": {
|
||||
isExpectedFailure: true,
|
||||
isExpectedFailure: false, // updating controllerExpandSecretRef is allowed only from nil
|
||||
oldVolume: validCSIVolume,
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, longSecretRef, "controllerExpand"),
|
||||
},
|
||||
@@ -773,7 +773,7 @@ func TestValidatePersistentVolumeSourceUpdate(t *testing.T) {
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, shortSecretRef, "controllerExpand"),
|
||||
},
|
||||
"csi-expansion-enabled-from-shortSecretRef-to-longSecretRef": {
|
||||
isExpectedFailure: true,
|
||||
isExpectedFailure: true, // updating controllerExpandSecretRef is allowed only from nil
|
||||
oldVolume: getCSIVolumeWithSecret(validCSIVolume, shortSecretRef, "controllerExpand"),
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, longSecretRef, "controllerExpand"),
|
||||
},
|
||||
@@ -798,7 +798,7 @@ func TestValidatePersistentVolumeSourceUpdate(t *testing.T) {
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, shortSecretRef, "controllerPublish"),
|
||||
},
|
||||
"csi-cntrlpublish-enabled-from-shortSecretRef-to-longSecretRef": {
|
||||
isExpectedFailure: true,
|
||||
isExpectedFailure: true, // updating secretRef will fail as the object is immutable eventhough the secretRef is valid
|
||||
oldVolume: getCSIVolumeWithSecret(validCSIVolume, shortSecretRef, "controllerPublish"),
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, longSecretRef, "controllerPublish"),
|
||||
},
|
||||
@@ -843,7 +843,7 @@ func TestValidatePersistentVolumeSourceUpdate(t *testing.T) {
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, longSecretRef, "nodeStage"),
|
||||
},
|
||||
"csi-nodestage-enabled-from-shortSecretRef-to-longSecretRef": {
|
||||
isExpectedFailure: true,
|
||||
isExpectedFailure: true, // updating secretRef will fail as the object is immutable eventhough the secretRef is valid
|
||||
oldVolume: getCSIVolumeWithSecret(validCSIVolume, shortSecretRef, "nodeStage"),
|
||||
newVolume: getCSIVolumeWithSecret(validCSIVolume, longSecretRef, "nodeStage"),
|
||||
},
|
||||
@@ -2891,11 +2891,10 @@ func TestValidateCSIVolumeSource(t *testing.T) {
|
||||
|
||||
func TestValidateCSIPersistentVolumeSource(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
csi *core.CSIPersistentVolumeSource
|
||||
errtype field.ErrorType
|
||||
errfield string
|
||||
allowDNSSubDomainSecretName bool
|
||||
name string
|
||||
csi *core.CSIPersistentVolumeSource
|
||||
errtype field.ErrorType
|
||||
errfield string
|
||||
}{
|
||||
{
|
||||
name: "all required fields ok",
|
||||
@@ -3060,81 +3059,51 @@ func TestValidateCSIPersistentVolumeSource(t *testing.T) {
|
||||
|
||||
// tests with allowDNSSubDomainSecretName flag on/off
|
||||
{
|
||||
name: "valid nodeExpandSecretRef with allow flag off",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodeExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 63), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: false,
|
||||
name: "valid nodeExpandSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodeExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 63), Namespace: "default"}},
|
||||
},
|
||||
{
|
||||
name: "Invalid nodeExpandSecretRef with allow flag off",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodeExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: false,
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "nodeExpandSecretRef.name",
|
||||
name: "valid long nodeExpandSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodeExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
},
|
||||
{
|
||||
name: "valid nodeExpandSecretRef with allow flag on",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodeExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: true,
|
||||
name: "Invalid nodeExpandSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodeExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 255), Namespace: "default"}},
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "nodeExpandSecretRef.name",
|
||||
},
|
||||
{
|
||||
name: "Invalid nodeExpandSecretRef with allow flag on",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodeExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 255), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: true,
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "nodeExpandSecretRef.name",
|
||||
name: "valid nodePublishSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodePublishSecretRef: &core.SecretReference{Name: strings.Repeat("g", 63), Namespace: "default"}},
|
||||
},
|
||||
{
|
||||
name: "valid nodePublishSecretRef with allow flag off",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodePublishSecretRef: &core.SecretReference{Name: strings.Repeat("g", 63), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: false,
|
||||
name: "valid long nodePublishSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodePublishSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
},
|
||||
{
|
||||
name: "Invalid nodePublishSecretRef with allow flag off",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodePublishSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: false,
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "nodePublishSecretRef.name",
|
||||
name: "Invalid nodePublishSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodePublishSecretRef: &core.SecretReference{Name: strings.Repeat("g", 255), Namespace: "default"}},
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "nodePublishSecretRef.name",
|
||||
},
|
||||
{
|
||||
name: "valid nodePublishSecretRef with allow flag on",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodePublishSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: true,
|
||||
name: "valid ControllerExpandSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", ControllerExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 63), Namespace: "default"}},
|
||||
},
|
||||
{
|
||||
name: "Invalid nodePublishSecretRef with allow flag on",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", NodePublishSecretRef: &core.SecretReference{Name: strings.Repeat("g", 255), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: true,
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "nodePublishSecretRef.name",
|
||||
name: "valid long ControllerExpandSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", ControllerExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
},
|
||||
{
|
||||
name: "valid ControllerExpandSecretRef with allow flag off",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", ControllerExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 63), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: false,
|
||||
},
|
||||
{
|
||||
name: "Invalid ControllerExpandSecretRef with allow flag off",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", ControllerExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: false,
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "controllerExpandSecretRef.name",
|
||||
},
|
||||
{
|
||||
name: "valid ControllerExpandSecretRef with allow flag on",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", ControllerExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 65), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: true,
|
||||
},
|
||||
{
|
||||
name: "Invalid ControllerExpandSecretRef with allow flag on",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", ControllerExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 255), Namespace: "default"}},
|
||||
allowDNSSubDomainSecretName: true,
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "controllerExpandSecretRef.name",
|
||||
name: "Invalid ControllerExpandSecretRef",
|
||||
csi: &core.CSIPersistentVolumeSource{Driver: "com.google.gcepd", VolumeHandle: "foobar", ControllerExpandSecretRef: &core.SecretReference{Name: strings.Repeat("g", 255), Namespace: "default"}},
|
||||
errtype: field.ErrorTypeInvalid,
|
||||
errfield: "controllerExpandSecretRef.name",
|
||||
},
|
||||
}
|
||||
|
||||
for i, tc := range testCases {
|
||||
errs := validateCSIPersistentVolumeSource(tc.csi, tc.allowDNSSubDomainSecretName, field.NewPath("field"))
|
||||
errs := validateCSIPersistentVolumeSource(tc.csi, field.NewPath("field"))
|
||||
|
||||
if len(errs) > 0 && tc.errtype == "" {
|
||||
t.Errorf("[%d: %q] unexpected error(s): %v", i, tc.name, errs)
|
||||
@@ -21709,7 +21678,7 @@ func TestValidatePVSecretReference(t *testing.T) {
|
||||
name: "invalid secret ref name",
|
||||
args: args{&core.SecretReference{Name: "$%^&*#", Namespace: "default"}, rootFld},
|
||||
expectError: true,
|
||||
expectedError: "name.name: Invalid value: \"$%^&*#\": " + dnsLabelErrMsg,
|
||||
expectedError: "name.name: Invalid value: \"$%^&*#\": " + dnsSubdomainLabelErrMsg,
|
||||
},
|
||||
{
|
||||
name: "invalid secret ref namespace",
|
||||
@@ -21738,7 +21707,7 @@ func TestValidatePVSecretReference(t *testing.T) {
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
errs := validatePVSecretReference(tt.args.secretRef, false, tt.args.fldPath)
|
||||
errs := validatePVSecretReference(tt.args.secretRef, tt.args.fldPath)
|
||||
if tt.expectError && len(errs) == 0 {
|
||||
t.Errorf("Unexpected success")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user