Flexvolume: Add support for multiple secrets

2016-04-15 02:11:37 -07:00
parent 16e2e87a89
commit f53bc4ebe0
13 changed files with 90 additions and 31 deletions
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@@ -512,7 +512,11 @@ type FlexVolumeSource struct {
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
 	FSType string `json:"fsType,omitempty"`
-	// Optional: SecretRef is reference to the authentication secret for User, default is empty.
+	// Optional: SecretRef is reference to the secret object containing
+	// sensitive information to pass to the plugin scripts. This may be
+	// empty if no secret object is specified. If the secret object
+	// contains more than one secret, all secrets are passed to the plugin
+	// scripts.
 	SecretRef *LocalObjectReference `json:"secretRef,omitempty"`
 	// Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
--- a/pkg/api/v1/types.go
+++ b/pkg/api/v1/types.go
@@ -675,7 +675,11 @@ type FlexVolumeSource struct {
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
 	FSType string `json:"fsType,omitempty"`
-	// Optional: SecretRef is reference to the authentication secret for User, default is empty.
+	// Optional: SecretRef is reference to the secret object containing
+	// sensitive information to pass to the plugin scripts. This may be
+	// empty if no secret object is specified. If the secret object
+	// contains more than one secret, all secrets are passed to the plugin
+	// scripts.
 	SecretRef *LocalObjectReference `json:"secretRef,omitempty"`
 	// Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
--- a/pkg/api/v1/types_swagger_doc_generated.go
+++ b/pkg/api/v1/types_swagger_doc_generated.go
@@ -477,7 +477,7 @@ var map_FlexVolumeSource = map[string]string{
 	"":          "FlexVolume represents a generic volume resource that is provisioned/attached using a exec based plugin. This is an alpha feature and may change in future.",
 	"driver":    "Driver is the name of the driver to use for this volume.",
 	"fsType":    "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.",
-	"secretRef": "Optional: SecretRef is reference to the authentication secret for User, default is empty.",
+	"secretRef": "Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.",
 	"readOnly":  "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
 	"options":   "Optional: Extra command options if any.",
 }
--- a/pkg/volume/flexvolume/flexvolume.go
+++ b/pkg/volume/flexvolume/flexvolume.go
@@ -17,6 +17,7 @@ limitations under the License.
 package flexvolume

 import (
+	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -103,7 +104,7 @@ func (plugin *flexVolumePlugin) getVolumeSource(spec *volume.Spec) *api.FlexVolu
 // NewMounter is the mounter routine to build the volume.
 func (plugin *flexVolumePlugin) NewMounter(spec *volume.Spec, pod *api.Pod, _ volume.VolumeOptions) (volume.Mounter, error) {
 	fv := plugin.getVolumeSource(spec)
-	secret := ""
+	secrets := make(map[string]string)
 	if fv.SecretRef != nil {
 		kubeClient := plugin.host.GetKubeClient()
 		if kubeClient == nil {
@@ -116,15 +117,15 @@ func (plugin *flexVolumePlugin) NewMounter(spec *volume.Spec, pod *api.Pod, _ vo
 			return nil, err
 		}
 		for name, data := range secretName.Data {
-			secret = string(data)
+			secrets[name] = base64.StdEncoding.EncodeToString(data)
 			glog.V(1).Infof("found flex volume secret info: %s", name)
 		}
 	}
-	return plugin.newMounterInternal(spec, pod, &flexVolumeUtil{}, plugin.host.GetMounter(), exec.New(), secret)
+	return plugin.newMounterInternal(spec, pod, &flexVolumeUtil{}, plugin.host.GetMounter(), exec.New(), secrets)
 }

 // newMounterInternal is the internal mounter routine to build the volume.
-func (plugin *flexVolumePlugin) newMounterInternal(spec *volume.Spec, pod *api.Pod, manager flexVolumeManager, mounter mount.Interface, runner exec.Interface, secret string) (volume.Mounter, error) {
+func (plugin *flexVolumePlugin) newMounterInternal(spec *volume.Spec, pod *api.Pod, manager flexVolumeManager, mounter mount.Interface, runner exec.Interface, secrets map[string]string) (volume.Mounter, error) {
 	source := plugin.getVolumeSource(spec)
 	return &flexVolumeMounter{
 		flexVolumeDisk: &flexVolumeDisk{
@@ -136,7 +137,7 @@ func (plugin *flexVolumePlugin) newMounterInternal(spec *volume.Spec, pod *api.P
 			execPath:     plugin.getExecutable(),
 			mounter:      mounter,
 			plugin:       plugin,
-			secret:       secret,
+			secrets:      secrets,
 		},
 		fsType:             source.FSType,
 		readOnly:           source.ReadOnly,
@@ -186,8 +187,8 @@ type flexVolumeDisk struct {
 	// block device.
 	mounter mount.Interface
 	// secret for the volume.
-	secret string
-	plugin *flexVolumePlugin
+	secrets map[string]string
+	plugin  *flexVolumePlugin
 }

 // FlexVolumeUnmounter is the disk that will be cleaned by this plugin.
@@ -275,8 +276,8 @@ func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
 	}

 	// Extract secret and pass it as options.
-	if f.secret != "" {
-		f.options[optionKeySecret] = f.secret
+	for name, secret := range f.secrets {
+		f.options[optionKeySecret+"/"+name] = secret
 	}

 	device, err := f.manager.attach(f)
@@ -301,8 +302,8 @@ func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
 			options = append(options, "rw")
 		}
 		// Extract secret and pass it as options.
-		if f.secret != "" {
-			options = append(options, "secret="+f.secret)
+		for name, secret := range f.secrets {
+			f.options[optionKeySecret+"/"+name] = secret
 		}

 		os.MkdirAll(dir, 0750)
--- a/pkg/volume/flexvolume/flexvolume_test.go
+++ b/pkg/volume/flexvolume/flexvolume_test.go
@@ -18,6 +18,7 @@ package flexvolume

 import (
 	"bytes"
+	"encoding/base64"
 	"fmt"
 	"os"
 	"path"
@@ -239,7 +240,9 @@ func doTestPluginAttachDetach(t *testing.T, spec *volume.Spec, tmpDir string) {
 	}
 	fake := &mount.FakeMounter{}
 	pod := &api.Pod{ObjectMeta: api.ObjectMeta{UID: types.UID("poduid")}}
-	mounter, err := plugin.(*flexVolumePlugin).newMounterInternal(spec, pod, &flexVolumeUtil{}, fake, exec.New(), "")
+	secretMap := make(map[string]string)
+	secretMap["flexsecret"] = base64.StdEncoding.EncodeToString([]byte("foo"))
+	mounter, err := plugin.(*flexVolumePlugin).newMounterInternal(spec, pod, &flexVolumeUtil{}, fake, exec.New(), secretMap)
 	volumePath := mounter.GetPath()
 	if err != nil {
 		t.Errorf("Failed to make a new Mounter: %v", err)
@@ -318,7 +321,8 @@ func doTestPluginMountUnmount(t *testing.T, spec *volume.Spec, tmpDir string) {
 	}
 	fake := &mount.FakeMounter{}
 	pod := &api.Pod{ObjectMeta: api.ObjectMeta{UID: types.UID("poduid")}}
-	mounter, err := plugin.(*flexVolumePlugin).newMounterInternal(spec, pod, &flexVolumeUtil{}, fake, exec.New(), "")
+	// Use nil secret to test for nil secret case.
+	mounter, err := plugin.(*flexVolumePlugin).newMounterInternal(spec, pod, &flexVolumeUtil{}, fake, exec.New(), nil)
 	volumePath := mounter.GetPath()
 	if err != nil {
 		t.Errorf("Failed to make a new Mounter: %v", err)