39bb841827
The following tests are not tagged because they are not really run in
node e2e suites:
* A subset of host path tests that required SSH access
- should evaluate whether the tests should be moved to test/e2e_node
* GCP volume tests
- should evaluate whether these tests should be moved out of the
common directly since they are not shared with the node e2e suite.
1676 lines
54 KiB
Go
1676 lines
54 KiB
Go
/*
|
|
Copyright 2014 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package common
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"path"
|
|
"time"
|
|
|
|
"k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/util/uuid"
|
|
"k8s.io/kubernetes/test/e2e/framework"
|
|
|
|
. "github.com/onsi/ginkgo"
|
|
. "github.com/onsi/gomega"
|
|
)
|
|
|
|
var _ = Describe("[sig-storage] Projected", func() {
|
|
// Part 1/3 - Secrets
|
|
f := framework.NewDefaultFramework("projected")
|
|
|
|
/*
|
|
Testname: projected-secret-no-defaultMode
|
|
Description: Simple projected Secret test with no defaultMode set.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume [NodeConformance]", func() {
|
|
doProjectedSecretE2EWithoutMapping(f, nil /* default mode */, "projected-secret-test-"+string(uuid.NewUUID()), nil, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-secret-with-defaultMode
|
|
Description: Simple projected Secret test with defaultMode set.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume with defaultMode set [NodeConformance]", func() {
|
|
defaultMode := int32(0400)
|
|
doProjectedSecretE2EWithoutMapping(f, &defaultMode, "projected-secret-test-"+string(uuid.NewUUID()), nil, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-secret-with-nonroot-defaultMode-fsGroup
|
|
Description: Simple projected Secret test as non-root with
|
|
defaultMode and fsGroup set.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [NodeConformance]", func() {
|
|
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
|
fsGroup := int64(1001)
|
|
uid := int64(1000)
|
|
doProjectedSecretE2EWithoutMapping(f, &defaultMode, "projected-secret-test-"+string(uuid.NewUUID()), &fsGroup, &uid)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-secret-simple-mapped
|
|
Description: Simple projected Secret test, by setting a secret and
|
|
mounting it to a volume with a custom path (mapping) on the pod with
|
|
no other settings and make sure the pod actually consumes it.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume with mappings [NodeConformance]", func() {
|
|
doProjectedSecretE2EWithMapping(f, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-secret-with-item-mode-mapped
|
|
Description: Repeat the projected-secret-simple-mapped but this time
|
|
with an item mode (e.g. 0400) for the secret map item.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume with mappings and Item Mode set [NodeConformance]", func() {
|
|
mode := int32(0400)
|
|
doProjectedSecretE2EWithMapping(f, &mode)
|
|
})
|
|
|
|
It("should be able to mount in a volume regardless of a different secret existing with same name in different namespace [NodeConformance]", func() {
|
|
var (
|
|
namespace2 *v1.Namespace
|
|
err error
|
|
secret2Name = "projected-secret-test-" + string(uuid.NewUUID())
|
|
)
|
|
|
|
if namespace2, err = f.CreateNamespace("secret-namespace", nil); err != nil {
|
|
framework.Failf("unable to create new namespace %s: %v", namespace2.Name, err)
|
|
}
|
|
|
|
secret2 := secretForTest(namespace2.Name, secret2Name)
|
|
secret2.Data = map[string][]byte{
|
|
"this_should_not_match_content_of_other_secret": []byte("similarly_this_should_not_match_content_of_other_secret\n"),
|
|
}
|
|
if secret2, err = f.ClientSet.CoreV1().Secrets(namespace2.Name).Create(secret2); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", secret2.Name, err)
|
|
}
|
|
doProjectedSecretE2EWithoutMapping(f, nil /* default mode */, secret2.Name, nil, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-secret-multiple-volumes
|
|
Description: Make sure secrets works when mounted as two different
|
|
volumes on the same node.
|
|
*/
|
|
framework.ConformanceIt("should be consumable in multiple volumes in a pod [NodeConformance]", func() {
|
|
// This test ensures that the same secret can be mounted in multiple
|
|
// volumes in the same pod. This test case exists to prevent
|
|
// regressions that break this use-case.
|
|
var (
|
|
name = "projected-secret-test-" + string(uuid.NewUUID())
|
|
volumeName = "projected-secret-volume"
|
|
volumeMountPath = "/etc/projected-secret-volume"
|
|
volumeName2 = "projected-secret-volume-2"
|
|
volumeMountPath2 = "/etc/projected-secret-volume-2"
|
|
secret = secretForTest(f.Namespace.Name, name)
|
|
)
|
|
|
|
By(fmt.Sprintf("Creating secret with name %s", secret.Name))
|
|
var err error
|
|
if secret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(secret); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", secret.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-secrets-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: volumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: volumeName2,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: "secret-volume-test",
|
|
Image: mountImage,
|
|
Args: []string{
|
|
"--file_content=/etc/projected-secret-volume/data-1",
|
|
"--file_mode=/etc/projected-secret-volume/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: volumeName,
|
|
MountPath: volumeMountPath,
|
|
ReadOnly: true,
|
|
},
|
|
{
|
|
Name: volumeName2,
|
|
MountPath: volumeMountPath2,
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
f.TestContainerOutput("consume secrets", pod, 0, []string{
|
|
"content of file \"/etc/projected-secret-volume/data-1\": value-1",
|
|
"mode of file \"/etc/projected-secret-volume/data-1\": -rw-r--r--",
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-secret-simple-optional
|
|
Description: Make sure secrets works when optional updates included.
|
|
*/
|
|
framework.ConformanceIt("optional updates should be reflected in volume [NodeConformance]", func() {
|
|
podLogTimeout := framework.GetPodSecretUpdateTimeout(f.ClientSet)
|
|
containerTimeoutArg := fmt.Sprintf("--retry_time=%v", int(podLogTimeout.Seconds()))
|
|
trueVal := true
|
|
volumeMountPath := "/etc/projected-secret-volumes"
|
|
|
|
deleteName := "s-test-opt-del-" + string(uuid.NewUUID())
|
|
deleteContainerName := "dels-volume-test"
|
|
deleteVolumeName := "deletes-volume"
|
|
deleteSecret := &v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: deleteName,
|
|
},
|
|
Data: map[string][]byte{
|
|
"data-1": []byte("value-1"),
|
|
},
|
|
}
|
|
|
|
updateName := "s-test-opt-upd-" + string(uuid.NewUUID())
|
|
updateContainerName := "upds-volume-test"
|
|
updateVolumeName := "updates-volume"
|
|
updateSecret := &v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: updateName,
|
|
},
|
|
Data: map[string][]byte{
|
|
"data-1": []byte("value-1"),
|
|
},
|
|
}
|
|
|
|
createName := "s-test-opt-create-" + string(uuid.NewUUID())
|
|
createContainerName := "creates-volume-test"
|
|
createVolumeName := "creates-volume"
|
|
createSecret := &v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: createName,
|
|
},
|
|
Data: map[string][]byte{
|
|
"data-1": []byte("value-1"),
|
|
},
|
|
}
|
|
|
|
By(fmt.Sprintf("Creating secret with name %s", deleteSecret.Name))
|
|
var err error
|
|
if deleteSecret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(deleteSecret); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", deleteSecret.Name, err)
|
|
}
|
|
|
|
By(fmt.Sprintf("Creating secret with name %s", updateSecret.Name))
|
|
if updateSecret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(updateSecret); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", updateSecret.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-secrets-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: deleteVolumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: deleteName,
|
|
},
|
|
Optional: &trueVal,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: updateVolumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: updateName,
|
|
},
|
|
Optional: &trueVal,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: createVolumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: createName,
|
|
},
|
|
Optional: &trueVal,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: deleteContainerName,
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", containerTimeoutArg, "--file_content_in_loop=/etc/projected-secret-volumes/delete/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: deleteVolumeName,
|
|
MountPath: path.Join(volumeMountPath, "delete"),
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: updateContainerName,
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", containerTimeoutArg, "--file_content_in_loop=/etc/projected-secret-volumes/update/data-3"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: updateVolumeName,
|
|
MountPath: path.Join(volumeMountPath, "update"),
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: createContainerName,
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", containerTimeoutArg, "--file_content_in_loop=/etc/projected-secret-volumes/create/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: createVolumeName,
|
|
MountPath: path.Join(volumeMountPath, "create"),
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
By("Creating the pod")
|
|
f.PodClient().CreateSync(pod)
|
|
|
|
pollCreateLogs := func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, createContainerName)
|
|
}
|
|
Eventually(pollCreateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("Error reading file /etc/projected-secret-volumes/create/data-1"))
|
|
|
|
pollUpdateLogs := func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, updateContainerName)
|
|
}
|
|
Eventually(pollUpdateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("Error reading file /etc/projected-secret-volumes/update/data-3"))
|
|
|
|
pollDeleteLogs := func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, deleteContainerName)
|
|
}
|
|
Eventually(pollDeleteLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-1"))
|
|
|
|
By(fmt.Sprintf("Deleting secret %v", deleteSecret.Name))
|
|
err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(deleteSecret.Name, &metav1.DeleteOptions{})
|
|
Expect(err).NotTo(HaveOccurred(), "Failed to delete secret %q in namespace %q", deleteSecret.Name, f.Namespace.Name)
|
|
|
|
By(fmt.Sprintf("Updating secret %v", updateSecret.Name))
|
|
updateSecret.ResourceVersion = "" // to force update
|
|
delete(updateSecret.Data, "data-1")
|
|
updateSecret.Data["data-3"] = []byte("value-3")
|
|
_, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Update(updateSecret)
|
|
Expect(err).NotTo(HaveOccurred(), "Failed to update secret %q in namespace %q", updateSecret.Name, f.Namespace.Name)
|
|
|
|
By(fmt.Sprintf("Creating secret with name %s", createSecret.Name))
|
|
if createSecret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(createSecret); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", createSecret.Name, err)
|
|
}
|
|
|
|
By("waiting to observe update in volume")
|
|
|
|
Eventually(pollCreateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-1"))
|
|
Eventually(pollUpdateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-3"))
|
|
Eventually(pollDeleteLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("Error reading file /etc/projected-secret-volumes/delete/data-1"))
|
|
})
|
|
|
|
// Part 2/3 - ConfigMaps
|
|
/*
|
|
Testname: projected-volume-configMap-nomappings-succeeds
|
|
Description: Make sure that a projected volume with a configMap with
|
|
no mappings succeeds properly.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume [NodeConformance]", func() {
|
|
doProjectedConfigMapE2EWithoutMappings(f, 0, 0, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-volume-configMap-consumable-defaultMode
|
|
Description: Make sure that a projected volume configMap is consumable
|
|
with defaultMode set.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume with defaultMode set [NodeConformance]", func() {
|
|
defaultMode := int32(0400)
|
|
doProjectedConfigMapE2EWithoutMappings(f, 0, 0, &defaultMode)
|
|
})
|
|
|
|
It("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [NodeFeature:FSGroup]", func() {
|
|
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
|
doProjectedConfigMapE2EWithoutMappings(f, 1000, 1001, &defaultMode)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-volume-configMap-consumable-nonroot
|
|
Description: Make sure that a projected volume configMap is consumable
|
|
by a non-root userID.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume as non-root [NodeConformance]", func() {
|
|
doProjectedConfigMapE2EWithoutMappings(f, 1000, 0, nil)
|
|
})
|
|
|
|
It("should be consumable from pods in volume as non-root with FSGroup [NodeFeature:FSGroup]", func() {
|
|
doProjectedConfigMapE2EWithoutMappings(f, 1000, 1001, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-configmap-simple-mapped
|
|
Description: Simplest projected ConfigMap test, by setting a config
|
|
map and mounting it to a volume with a custom path (mapping) on the
|
|
pod with no other settings and make sure the pod actually consumes it.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume with mappings [NodeConformance]", func() {
|
|
doProjectedConfigMapE2EWithMappings(f, 0, 0, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-secret-with-item-mode-mapped
|
|
Description: Repeat the projected-secret-simple-mapped but this time
|
|
with an item mode (e.g. 0400) for the secret map item
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume with mappings and Item mode set [NodeConformance]", func() {
|
|
mode := int32(0400)
|
|
doProjectedConfigMapE2EWithMappings(f, 0, 0, &mode)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-configmap-simpler-user-mapped
|
|
Description: Repeat the projected-config-map-simple-mapped but this
|
|
time with a user other than root.
|
|
*/
|
|
framework.ConformanceIt("should be consumable from pods in volume with mappings as non-root [NodeConformance]", func() {
|
|
doProjectedConfigMapE2EWithMappings(f, 1000, 0, nil)
|
|
})
|
|
|
|
It("should be consumable from pods in volume with mappings as non-root with FSGroup [NodeFeature:FSGroup]", func() {
|
|
doProjectedConfigMapE2EWithMappings(f, 1000, 1001, nil)
|
|
})
|
|
|
|
/*
|
|
Testname: projected-volume-configMaps-updated-successfully
|
|
Description: Make sure that if a projected volume has configMaps,
|
|
that the values in these configMaps can be updated, deleted,
|
|
and created.
|
|
*/
|
|
framework.ConformanceIt("updates should be reflected in volume [NodeConformance]", func() {
|
|
podLogTimeout := framework.GetPodSecretUpdateTimeout(f.ClientSet)
|
|
containerTimeoutArg := fmt.Sprintf("--retry_time=%v", int(podLogTimeout.Seconds()))
|
|
|
|
name := "projected-configmap-test-upd-" + string(uuid.NewUUID())
|
|
volumeName := "projected-configmap-volume"
|
|
volumeMountPath := "/etc/projected-configmap-volume"
|
|
containerName := "projected-configmap-volume-test"
|
|
configMap := &v1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: name,
|
|
},
|
|
Data: map[string]string{
|
|
"data-1": "value-1",
|
|
},
|
|
}
|
|
|
|
By(fmt.Sprintf("Creating projection with configMap that has name %s", configMap.Name))
|
|
var err error
|
|
if configMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(configMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", configMap.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-configmaps-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: volumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: containerName,
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", containerTimeoutArg, "--file_content_in_loop=/etc/projected-configmap-volume/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: volumeName,
|
|
MountPath: volumeMountPath,
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
By("Creating the pod")
|
|
f.PodClient().CreateSync(pod)
|
|
|
|
pollLogs := func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, containerName)
|
|
}
|
|
|
|
Eventually(pollLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-1"))
|
|
|
|
By(fmt.Sprintf("Updating configmap %v", configMap.Name))
|
|
configMap.ResourceVersion = "" // to force update
|
|
configMap.Data["data-1"] = "value-2"
|
|
_, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Update(configMap)
|
|
Expect(err).NotTo(HaveOccurred(), "Failed to update configmap %q in namespace %q", configMap.Name, f.Namespace.Name)
|
|
|
|
By("waiting to observe update in volume")
|
|
Eventually(pollLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-2"))
|
|
})
|
|
|
|
/*
|
|
Testname: projected-volume-optional-configMaps-updated-successfully
|
|
Description: Make sure that if a projected volume has optional
|
|
configMaps, that the values in these configMaps can be updated,
|
|
deleted, and created.
|
|
*/
|
|
framework.ConformanceIt("optional updates should be reflected in volume [NodeConformance]", func() {
|
|
podLogTimeout := framework.GetPodSecretUpdateTimeout(f.ClientSet)
|
|
containerTimeoutArg := fmt.Sprintf("--retry_time=%v", int(podLogTimeout.Seconds()))
|
|
trueVal := true
|
|
volumeMountPath := "/etc/projected-configmap-volumes"
|
|
|
|
deleteName := "cm-test-opt-del-" + string(uuid.NewUUID())
|
|
deleteContainerName := "delcm-volume-test"
|
|
deleteVolumeName := "deletecm-volume"
|
|
deleteConfigMap := &v1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: deleteName,
|
|
},
|
|
Data: map[string]string{
|
|
"data-1": "value-1",
|
|
},
|
|
}
|
|
|
|
updateName := "cm-test-opt-upd-" + string(uuid.NewUUID())
|
|
updateContainerName := "updcm-volume-test"
|
|
updateVolumeName := "updatecm-volume"
|
|
updateConfigMap := &v1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: updateName,
|
|
},
|
|
Data: map[string]string{
|
|
"data-1": "value-1",
|
|
},
|
|
}
|
|
|
|
createName := "cm-test-opt-create-" + string(uuid.NewUUID())
|
|
createContainerName := "createcm-volume-test"
|
|
createVolumeName := "createcm-volume"
|
|
createConfigMap := &v1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: createName,
|
|
},
|
|
Data: map[string]string{
|
|
"data-1": "value-1",
|
|
},
|
|
}
|
|
|
|
By(fmt.Sprintf("Creating configMap with name %s", deleteConfigMap.Name))
|
|
var err error
|
|
if deleteConfigMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(deleteConfigMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", deleteConfigMap.Name, err)
|
|
}
|
|
|
|
By(fmt.Sprintf("Creating configMap with name %s", updateConfigMap.Name))
|
|
if updateConfigMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(updateConfigMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", updateConfigMap.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-configmaps-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: deleteVolumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: deleteName,
|
|
},
|
|
Optional: &trueVal,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: updateVolumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: updateName,
|
|
},
|
|
Optional: &trueVal,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: createVolumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: createName,
|
|
},
|
|
Optional: &trueVal,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: deleteContainerName,
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", containerTimeoutArg, "--file_content_in_loop=/etc/projected-configmap-volumes/delete/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: deleteVolumeName,
|
|
MountPath: path.Join(volumeMountPath, "delete"),
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: updateContainerName,
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", containerTimeoutArg, "--file_content_in_loop=/etc/projected-configmap-volumes/update/data-3"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: updateVolumeName,
|
|
MountPath: path.Join(volumeMountPath, "update"),
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: createContainerName,
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", containerTimeoutArg, "--file_content_in_loop=/etc/projected-configmap-volumes/create/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: createVolumeName,
|
|
MountPath: path.Join(volumeMountPath, "create"),
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
By("Creating the pod")
|
|
f.PodClient().CreateSync(pod)
|
|
|
|
pollCreateLogs := func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, createContainerName)
|
|
}
|
|
Eventually(pollCreateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("Error reading file /etc/projected-configmap-volumes/create/data-1"))
|
|
|
|
pollUpdateLogs := func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, updateContainerName)
|
|
}
|
|
Eventually(pollUpdateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("Error reading file /etc/projected-configmap-volumes/update/data-3"))
|
|
|
|
pollDeleteLogs := func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, deleteContainerName)
|
|
}
|
|
Eventually(pollDeleteLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-1"))
|
|
|
|
By(fmt.Sprintf("Deleting configmap %v", deleteConfigMap.Name))
|
|
err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Delete(deleteConfigMap.Name, &metav1.DeleteOptions{})
|
|
Expect(err).NotTo(HaveOccurred(), "Failed to delete configmap %q in namespace %q", deleteConfigMap.Name, f.Namespace.Name)
|
|
|
|
By(fmt.Sprintf("Updating configmap %v", updateConfigMap.Name))
|
|
updateConfigMap.ResourceVersion = "" // to force update
|
|
delete(updateConfigMap.Data, "data-1")
|
|
updateConfigMap.Data["data-3"] = "value-3"
|
|
_, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Update(updateConfigMap)
|
|
Expect(err).NotTo(HaveOccurred(), "Failed to update configmap %q in namespace %q", updateConfigMap.Name, f.Namespace.Name)
|
|
|
|
By(fmt.Sprintf("Creating configMap with name %s", createConfigMap.Name))
|
|
if createConfigMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(createConfigMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", createConfigMap.Name, err)
|
|
}
|
|
|
|
By("waiting to observe update in volume")
|
|
|
|
Eventually(pollCreateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-1"))
|
|
Eventually(pollUpdateLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("value-3"))
|
|
Eventually(pollDeleteLogs, podLogTimeout, framework.Poll).Should(ContainSubstring("Error reading file /etc/projected-configmap-volumes/delete/data-1"))
|
|
})
|
|
|
|
/*
|
|
Testname: projected-configmap-multiple-volumes
|
|
Description: Make sure config map works when it mounted as two
|
|
different volumes on the same node.
|
|
*/
|
|
framework.ConformanceIt("should be consumable in multiple volumes in the same pod [NodeConformance]", func() {
|
|
var (
|
|
name = "projected-configmap-test-volume-" + string(uuid.NewUUID())
|
|
volumeName = "projected-configmap-volume"
|
|
volumeMountPath = "/etc/projected-configmap-volume"
|
|
volumeName2 = "projected-configmap-volume-2"
|
|
volumeMountPath2 = "/etc/projected-configmap-volume-2"
|
|
configMap = newConfigMap(f, name)
|
|
)
|
|
|
|
By(fmt.Sprintf("Creating configMap with name %s", configMap.Name))
|
|
var err error
|
|
if configMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(configMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", configMap.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-configmaps-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: volumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: volumeName2,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: "projected-configmap-volume-test",
|
|
Image: mountImage,
|
|
Args: []string{"--file_content=/etc/projected-configmap-volume/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: volumeName,
|
|
MountPath: volumeMountPath,
|
|
ReadOnly: true,
|
|
},
|
|
{
|
|
Name: volumeName2,
|
|
MountPath: volumeMountPath2,
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
f.TestContainerOutput("consume configMaps", pod, 0, []string{
|
|
"content of file \"/etc/projected-configmap-volume/data-1\": value-1",
|
|
})
|
|
|
|
})
|
|
|
|
// Part 3/3 - DownwardAPI
|
|
// How long to wait for a log pod to be displayed
|
|
const podLogTimeout = 2 * time.Minute
|
|
var podClient *framework.PodClient
|
|
BeforeEach(func() {
|
|
podClient = f.PodClient()
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-podname
|
|
Description: Ensure that downward API can provide pod's name through
|
|
DownwardAPIVolumeFiles in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should provide podname only [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podinfo/podname")
|
|
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
fmt.Sprintf("%s\n", podName),
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-set-default-mode
|
|
Description: Ensure that downward API can set default file permission
|
|
mode for DownwardAPIVolumeFiles if no mode is specified in a projected
|
|
volume.
|
|
*/
|
|
framework.ConformanceIt("should set DefaultMode on files [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
defaultMode := int32(0400)
|
|
pod := projectedDownwardAPIVolumePodForModeTest(podName, "/etc/podinfo/podname", nil, &defaultMode)
|
|
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
"mode of file \"/etc/podinfo/podname\": -r--------",
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-set-mode
|
|
Description: Ensure that downward API can set file permission mode for
|
|
DownwardAPIVolumeFiles in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should set mode on item file [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
mode := int32(0400)
|
|
pod := projectedDownwardAPIVolumePodForModeTest(podName, "/etc/podinfo/podname", &mode, nil)
|
|
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
"mode of file \"/etc/podinfo/podname\": -r--------",
|
|
})
|
|
})
|
|
|
|
It("should provide podname as non-root with fsgroup [NodeFeature:FSGroup]", func() {
|
|
podName := "metadata-volume-" + string(uuid.NewUUID())
|
|
uid := int64(1001)
|
|
gid := int64(1234)
|
|
pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podinfo/podname")
|
|
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
|
RunAsUser: &uid,
|
|
FSGroup: &gid,
|
|
}
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
fmt.Sprintf("%s\n", podName),
|
|
})
|
|
})
|
|
|
|
It("should provide podname as non-root with fsgroup and defaultMode [NodeFeature:FSGroup]", func() {
|
|
podName := "metadata-volume-" + string(uuid.NewUUID())
|
|
uid := int64(1001)
|
|
gid := int64(1234)
|
|
mode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
|
pod := projectedDownwardAPIVolumePodForModeTest(podName, "/etc/podinfo/podname", &mode, nil)
|
|
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
|
RunAsUser: &uid,
|
|
FSGroup: &gid,
|
|
}
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
"mode of file \"/etc/podinfo/podname\": -r--r-----",
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-update-label
|
|
Description: Ensure that downward API updates labels in
|
|
DownwardAPIVolumeFiles when pod's labels get modified in a projected
|
|
volume.
|
|
*/
|
|
framework.ConformanceIt("should update labels on modification [NodeConformance]", func() {
|
|
labels := map[string]string{}
|
|
labels["key1"] = "value1"
|
|
labels["key2"] = "value2"
|
|
|
|
podName := "labelsupdate" + string(uuid.NewUUID())
|
|
pod := projectedDownwardAPIVolumePodForUpdateTest(podName, labels, map[string]string{}, "/etc/podinfo/labels")
|
|
containerName := "client-container"
|
|
By("Creating the pod")
|
|
podClient.CreateSync(pod)
|
|
|
|
Eventually(func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, containerName)
|
|
},
|
|
podLogTimeout, framework.Poll).Should(ContainSubstring("key1=\"value1\"\n"))
|
|
|
|
//modify labels
|
|
podClient.Update(podName, func(pod *v1.Pod) {
|
|
pod.Labels["key3"] = "value3"
|
|
})
|
|
|
|
Eventually(func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, containerName)
|
|
},
|
|
podLogTimeout, framework.Poll).Should(ContainSubstring("key3=\"value3\"\n"))
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-update-annotation
|
|
Description: Ensure that downward API updates annotations in
|
|
DownwardAPIVolumeFiles when pod's annotations get modified in a
|
|
projected volume.
|
|
*/
|
|
framework.ConformanceIt("should update annotations on modification [NodeConformance]", func() {
|
|
annotations := map[string]string{}
|
|
annotations["builder"] = "bar"
|
|
podName := "annotationupdate" + string(uuid.NewUUID())
|
|
pod := projectedDownwardAPIVolumePodForUpdateTest(podName, map[string]string{}, annotations, "/etc/podinfo/annotations")
|
|
|
|
containerName := "client-container"
|
|
By("Creating the pod")
|
|
podClient.CreateSync(pod)
|
|
|
|
pod, err := podClient.Get(pod.Name, metav1.GetOptions{})
|
|
Expect(err).NotTo(HaveOccurred(), "Failed to get pod %q", pod.Name)
|
|
|
|
Eventually(func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, containerName)
|
|
},
|
|
podLogTimeout, framework.Poll).Should(ContainSubstring("builder=\"bar\"\n"))
|
|
|
|
//modify annotations
|
|
podClient.Update(podName, func(pod *v1.Pod) {
|
|
pod.Annotations["builder"] = "foo"
|
|
})
|
|
|
|
Eventually(func() (string, error) {
|
|
return framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, containerName)
|
|
},
|
|
podLogTimeout, framework.Poll).Should(ContainSubstring("builder=\"foo\"\n"))
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-cpu-limit
|
|
Description: Ensure that downward API can provide container's CPU
|
|
limit through DownwardAPIVolumeFiles in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should provide container's cpu limit [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
pod := downwardAPIVolumeForContainerResources(podName, "/etc/podinfo/cpu_limit")
|
|
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
fmt.Sprintf("2\n"),
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-memory-limit
|
|
Description: Ensure that downward API can provide container's memory
|
|
limit through DownwardAPIVolumeFiles in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should provide container's memory limit [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
pod := downwardAPIVolumeForContainerResources(podName, "/etc/podinfo/memory_limit")
|
|
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
fmt.Sprintf("67108864\n"),
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-cpu-request
|
|
Description: Ensure that downward API can provide container's CPU
|
|
request through DownwardAPIVolumeFiles in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should provide container's cpu request [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
pod := downwardAPIVolumeForContainerResources(podName, "/etc/podinfo/cpu_request")
|
|
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
fmt.Sprintf("1\n"),
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-memory-request
|
|
Description: Ensure that downward API can provide container's memory
|
|
request through DownwardAPIVolumeFiles in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should provide container's memory request [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
pod := downwardAPIVolumeForContainerResources(podName, "/etc/podinfo/memory_request")
|
|
|
|
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
|
fmt.Sprintf("33554432\n"),
|
|
})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-default-cpu
|
|
Description: Ensure that downward API can provide default node
|
|
allocatable value for CPU through DownwardAPIVolumeFiles if CPU limit
|
|
is not specified for a container in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should provide node allocatable (cpu) as default cpu limit if the limit is not set [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
pod := downwardAPIVolumeForDefaultContainerResources(podName, "/etc/podinfo/cpu_limit")
|
|
|
|
f.TestContainerOutputRegexp("downward API volume plugin", pod, 0, []string{"[1-9]"})
|
|
})
|
|
|
|
/*
|
|
Testname: projected-downwardapi-volume-default-memory
|
|
Description: Ensure that downward API can provide default node
|
|
allocatable value for memory through DownwardAPIVolumeFiles if memory
|
|
limit is not specified for a container in a projected volume.
|
|
*/
|
|
framework.ConformanceIt("should provide node allocatable (memory) as default memory limit if the limit is not set [NodeConformance]", func() {
|
|
podName := "downwardapi-volume-" + string(uuid.NewUUID())
|
|
pod := downwardAPIVolumeForDefaultContainerResources(podName, "/etc/podinfo/memory_limit")
|
|
|
|
f.TestContainerOutputRegexp("downward API volume plugin", pod, 0, []string{"[1-9]"})
|
|
})
|
|
|
|
// Test multiple projections
|
|
/*
|
|
Testname: projected-configmap-secret-same-dir
|
|
Description: This test projects a secret and configmap into the same
|
|
directory to ensure projection is working as intended.
|
|
*/
|
|
framework.ConformanceIt("should project all components that make up the projection API [Projection][NodeConformance]", func() {
|
|
var err error
|
|
podName := "projected-volume-" + string(uuid.NewUUID())
|
|
secretName := "secret-projected-all-test-volume-" + string(uuid.NewUUID())
|
|
configMapName := "configmap-projected-all-test-volume-" + string(uuid.NewUUID())
|
|
configMap := &v1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: configMapName,
|
|
},
|
|
Data: map[string]string{
|
|
"configmap-data": "configmap-value-1",
|
|
},
|
|
}
|
|
secret := &v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: f.Namespace.Name,
|
|
Name: secretName,
|
|
},
|
|
Data: map[string][]byte{
|
|
"secret-data": []byte("secret-value-1"),
|
|
},
|
|
}
|
|
|
|
By(fmt.Sprintf("Creating configMap with name %s", configMap.Name))
|
|
if configMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(configMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", configMap.Name, err)
|
|
}
|
|
By(fmt.Sprintf("Creating secret with name %s", secret.Name))
|
|
if secret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(secret); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", secret.Name, err)
|
|
}
|
|
|
|
pod := projectedAllVolumeBasePod(podName, secretName, configMapName, nil, nil)
|
|
pod.Spec.Containers = []v1.Container{
|
|
{
|
|
Name: "projected-all-volume-test",
|
|
Image: busyboxImage,
|
|
Command: []string{"sh", "-c", "cat /all/podname && cat /all/secret-data && cat /all/configmap-data"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: "podinfo",
|
|
MountPath: "/all",
|
|
ReadOnly: false,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
f.TestContainerOutput("Check all projections for projected volume plugin", pod, 0, []string{
|
|
fmt.Sprintf("%s", podName),
|
|
"secret-value-1",
|
|
"configmap-value-1",
|
|
})
|
|
})
|
|
})
|
|
|
|
func doProjectedSecretE2EWithoutMapping(f *framework.Framework, defaultMode *int32,
|
|
secretName string, fsGroup *int64, uid *int64) {
|
|
var (
|
|
volumeName = "projected-secret-volume"
|
|
volumeMountPath = "/etc/projected-secret-volume"
|
|
secret = secretForTest(f.Namespace.Name, secretName)
|
|
)
|
|
|
|
By(fmt.Sprintf("Creating projection with secret that has name %s", secret.Name))
|
|
var err error
|
|
if secret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(secret); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", secret.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-secrets-" + string(uuid.NewUUID()),
|
|
Namespace: f.Namespace.Name,
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: volumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: secretName,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: "projected-secret-volume-test",
|
|
Image: mountImage,
|
|
Args: []string{
|
|
"--file_content=/etc/projected-secret-volume/data-1",
|
|
"--file_mode=/etc/projected-secret-volume/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: volumeName,
|
|
MountPath: volumeMountPath,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
if defaultMode != nil {
|
|
//pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].Secret.DefaultMode = defaultMode
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.DefaultMode = defaultMode
|
|
} else {
|
|
mode := int32(0644)
|
|
defaultMode = &mode
|
|
}
|
|
|
|
if fsGroup != nil || uid != nil {
|
|
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
|
FSGroup: fsGroup,
|
|
RunAsUser: uid,
|
|
}
|
|
}
|
|
|
|
modeString := fmt.Sprintf("%v", os.FileMode(*defaultMode))
|
|
expectedOutput := []string{
|
|
"content of file \"/etc/projected-secret-volume/data-1\": value-1",
|
|
"mode of file \"/etc/projected-secret-volume/data-1\": " + modeString,
|
|
}
|
|
|
|
f.TestContainerOutput("consume secrets", pod, 0, expectedOutput)
|
|
}
|
|
|
|
func doProjectedSecretE2EWithMapping(f *framework.Framework, mode *int32) {
|
|
var (
|
|
name = "projected-secret-test-map-" + string(uuid.NewUUID())
|
|
volumeName = "projected-secret-volume"
|
|
volumeMountPath = "/etc/projected-secret-volume"
|
|
secret = secretForTest(f.Namespace.Name, name)
|
|
)
|
|
|
|
By(fmt.Sprintf("Creating projection with secret that has name %s", secret.Name))
|
|
var err error
|
|
if secret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(secret); err != nil {
|
|
framework.Failf("unable to create test secret %s: %v", secret.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-secrets-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: volumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
Items: []v1.KeyToPath{
|
|
{
|
|
Key: "data-1",
|
|
Path: "new-path-data-1",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: "projected-secret-volume-test",
|
|
Image: mountImage,
|
|
Args: []string{
|
|
"--file_content=/etc/projected-secret-volume/new-path-data-1",
|
|
"--file_mode=/etc/projected-secret-volume/new-path-data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: volumeName,
|
|
MountPath: volumeMountPath,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
if mode != nil {
|
|
//pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].Secret.Items[0].Mode = mode
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.DefaultMode = mode
|
|
} else {
|
|
defaultItemMode := int32(0644)
|
|
mode = &defaultItemMode
|
|
}
|
|
|
|
modeString := fmt.Sprintf("%v", os.FileMode(*mode))
|
|
expectedOutput := []string{
|
|
"content of file \"/etc/projected-secret-volume/new-path-data-1\": value-1",
|
|
"mode of file \"/etc/projected-secret-volume/new-path-data-1\": " + modeString,
|
|
}
|
|
|
|
f.TestContainerOutput("consume secrets", pod, 0, expectedOutput)
|
|
}
|
|
|
|
func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, defaultMode *int32) {
|
|
userID := int64(uid)
|
|
groupID := int64(fsGroup)
|
|
|
|
var (
|
|
name = "projected-configmap-test-volume-" + string(uuid.NewUUID())
|
|
volumeName = "projected-configmap-volume"
|
|
volumeMountPath = "/etc/projected-configmap-volume"
|
|
configMap = newConfigMap(f, name)
|
|
)
|
|
|
|
By(fmt.Sprintf("Creating configMap with name %s", configMap.Name))
|
|
var err error
|
|
if configMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(configMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", configMap.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-configmaps-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
SecurityContext: &v1.PodSecurityContext{},
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: volumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: "projected-configmap-volume-test",
|
|
Image: mountImage,
|
|
Args: []string{
|
|
"--file_content=/etc/projected-configmap-volume/data-1",
|
|
"--file_mode=/etc/projected-configmap-volume/data-1"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: volumeName,
|
|
MountPath: volumeMountPath,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
if userID != 0 {
|
|
pod.Spec.SecurityContext.RunAsUser = &userID
|
|
}
|
|
|
|
if groupID != 0 {
|
|
pod.Spec.SecurityContext.FSGroup = &groupID
|
|
}
|
|
|
|
if defaultMode != nil {
|
|
//pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].ConfigMap.DefaultMode = defaultMode
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.DefaultMode = defaultMode
|
|
} else {
|
|
mode := int32(0644)
|
|
defaultMode = &mode
|
|
}
|
|
|
|
modeString := fmt.Sprintf("%v", os.FileMode(*defaultMode))
|
|
output := []string{
|
|
"content of file \"/etc/projected-configmap-volume/data-1\": value-1",
|
|
"mode of file \"/etc/projected-configmap-volume/data-1\": " + modeString,
|
|
}
|
|
f.TestContainerOutput("consume configMaps", pod, 0, output)
|
|
}
|
|
|
|
func doProjectedConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, itemMode *int32) {
|
|
userID := int64(uid)
|
|
groupID := int64(fsGroup)
|
|
|
|
var (
|
|
name = "projected-configmap-test-volume-map-" + string(uuid.NewUUID())
|
|
volumeName = "projected-configmap-volume"
|
|
volumeMountPath = "/etc/projected-configmap-volume"
|
|
configMap = newConfigMap(f, name)
|
|
)
|
|
|
|
By(fmt.Sprintf("Creating configMap with name %s", configMap.Name))
|
|
|
|
var err error
|
|
if configMap, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(configMap); err != nil {
|
|
framework.Failf("unable to create test configMap %s: %v", configMap.Name, err)
|
|
}
|
|
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "pod-projected-configmaps-" + string(uuid.NewUUID()),
|
|
},
|
|
Spec: v1.PodSpec{
|
|
SecurityContext: &v1.PodSecurityContext{},
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: volumeName,
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: name,
|
|
},
|
|
Items: []v1.KeyToPath{
|
|
{
|
|
Key: "data-2",
|
|
Path: "path/to/data-2",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: "projected-configmap-volume-test",
|
|
Image: mountImage,
|
|
Args: []string{"--file_content=/etc/projected-configmap-volume/path/to/data-2",
|
|
"--file_mode=/etc/projected-configmap-volume/path/to/data-2"},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: volumeName,
|
|
MountPath: volumeMountPath,
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
if userID != 0 {
|
|
pod.Spec.SecurityContext.RunAsUser = &userID
|
|
}
|
|
|
|
if groupID != 0 {
|
|
pod.Spec.SecurityContext.FSGroup = &groupID
|
|
}
|
|
|
|
if itemMode != nil {
|
|
//pod.Spec.Volumes[0].VolumeSource.ConfigMap.Items[0].Mode = itemMode
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.DefaultMode = itemMode
|
|
} else {
|
|
mode := int32(0644)
|
|
itemMode = &mode
|
|
}
|
|
|
|
// Just check file mode if fsGroup is not set. If fsGroup is set, the
|
|
// final mode is adjusted and we are not testing that case.
|
|
output := []string{
|
|
"content of file \"/etc/projected-configmap-volume/path/to/data-2\": value-2",
|
|
}
|
|
if fsGroup == 0 {
|
|
modeString := fmt.Sprintf("%v", os.FileMode(*itemMode))
|
|
output = append(output, "mode of file \"/etc/projected-configmap-volume/path/to/data-2\": "+modeString)
|
|
}
|
|
f.TestContainerOutput("consume configMaps", pod, 0, output)
|
|
}
|
|
|
|
func projectedDownwardAPIVolumePodForModeTest(name, filePath string, itemMode, defaultMode *int32) *v1.Pod {
|
|
pod := projectedDownwardAPIVolumeBasePod(name, nil, nil)
|
|
|
|
pod.Spec.Containers = []v1.Container{
|
|
{
|
|
Name: "client-container",
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--file_mode=" + filePath},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: "podinfo",
|
|
MountPath: "/etc/podinfo",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
if itemMode != nil {
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].DownwardAPI.Items[0].Mode = itemMode
|
|
}
|
|
if defaultMode != nil {
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.DefaultMode = defaultMode
|
|
}
|
|
|
|
return pod
|
|
}
|
|
|
|
func projectedDownwardAPIVolumePodForUpdateTest(name string, labels, annotations map[string]string, filePath string) *v1.Pod {
|
|
pod := projectedDownwardAPIVolumeBasePod(name, labels, annotations)
|
|
|
|
pod.Spec.Containers = []v1.Container{
|
|
{
|
|
Name: "client-container",
|
|
Image: mountImage,
|
|
Command: []string{"/mounttest", "--break_on_expected_content=false", "--retry_time=1200", "--file_content_in_loop=" + filePath},
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: "podinfo",
|
|
MountPath: "/etc/podinfo",
|
|
ReadOnly: false,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
applyLabelsAndAnnotationsToProjectedDownwardAPIPod(labels, annotations, pod)
|
|
return pod
|
|
}
|
|
|
|
func projectedDownwardAPIVolumeBasePod(name string, labels, annotations map[string]string) *v1.Pod {
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: name,
|
|
Labels: labels,
|
|
Annotations: annotations,
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: "podinfo",
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
DownwardAPI: &v1.DownwardAPIProjection{
|
|
Items: []v1.DownwardAPIVolumeFile{
|
|
{
|
|
Path: "podname",
|
|
FieldRef: &v1.ObjectFieldSelector{
|
|
APIVersion: "v1",
|
|
FieldPath: "metadata.name",
|
|
},
|
|
},
|
|
{
|
|
Path: "cpu_limit",
|
|
ResourceFieldRef: &v1.ResourceFieldSelector{
|
|
ContainerName: "client-container",
|
|
Resource: "limits.cpu",
|
|
},
|
|
},
|
|
{
|
|
Path: "cpu_request",
|
|
ResourceFieldRef: &v1.ResourceFieldSelector{
|
|
ContainerName: "client-container",
|
|
Resource: "requests.cpu",
|
|
},
|
|
},
|
|
{
|
|
Path: "memory_limit",
|
|
ResourceFieldRef: &v1.ResourceFieldSelector{
|
|
ContainerName: "client-container",
|
|
Resource: "limits.memory",
|
|
},
|
|
},
|
|
{
|
|
Path: "memory_request",
|
|
ResourceFieldRef: &v1.ResourceFieldSelector{
|
|
ContainerName: "client-container",
|
|
Resource: "requests.memory",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
return pod
|
|
}
|
|
|
|
func applyLabelsAndAnnotationsToProjectedDownwardAPIPod(labels, annotations map[string]string, pod *v1.Pod) {
|
|
if len(labels) > 0 {
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].DownwardAPI.Items = append(pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].DownwardAPI.Items, v1.DownwardAPIVolumeFile{
|
|
Path: "labels",
|
|
FieldRef: &v1.ObjectFieldSelector{
|
|
APIVersion: "v1",
|
|
FieldPath: "metadata.labels",
|
|
},
|
|
})
|
|
}
|
|
|
|
if len(annotations) > 0 {
|
|
pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].DownwardAPI.Items = append(pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].DownwardAPI.Items, v1.DownwardAPIVolumeFile{
|
|
Path: "annotations",
|
|
FieldRef: &v1.ObjectFieldSelector{
|
|
APIVersion: "v1",
|
|
FieldPath: "metadata.annotations",
|
|
},
|
|
})
|
|
}
|
|
}
|
|
|
|
func projectedAllVolumeBasePod(podName string, secretName string, configMapName string, labels, annotations map[string]string) *v1.Pod {
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: podName,
|
|
Labels: labels,
|
|
Annotations: annotations,
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: "podinfo",
|
|
VolumeSource: v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{
|
|
DownwardAPI: &v1.DownwardAPIProjection{
|
|
Items: []v1.DownwardAPIVolumeFile{
|
|
{
|
|
Path: "podname",
|
|
FieldRef: &v1.ObjectFieldSelector{
|
|
APIVersion: "v1",
|
|
FieldPath: "metadata.name",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Secret: &v1.SecretProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: secretName,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: configMapName,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
RestartPolicy: v1.RestartPolicyNever,
|
|
},
|
|
}
|
|
|
|
return pod
|
|
}
|