diff options
author | cdoern <cdoern@redhat.com> | 2022-06-07 16:37:59 -0400 |
---|---|---|
committer | Charlie Doern <cdoern@redhat.com> | 2022-07-20 12:55:33 -0400 |
commit | 438fef1caa26a1f09cd7be341e854d4bd5726c2b (patch) | |
tree | e449aceae653fcce93fe38aa38a60d08a95bda1e /pkg/specgen | |
parent | 8c9eff5b12eebe318be1f905562be6a236285caa (diff) | |
download | podman-438fef1caa26a1f09cd7be341e854d4bd5726c2b.tar.gz podman-438fef1caa26a1f09cd7be341e854d4bd5726c2b.tar.bz2 podman-438fef1caa26a1f09cd7be341e854d4bd5726c2b.zip |
kube secret handling for podman play kube
add support for both creating a secret using yaml and mounting a secret as a volume given a yaml file.
Kubernetes secrets have a different structure than podman and therefore have to be handeled differently.
In this PR, I have introduced the basic usecases of kube secrets with more implementations like env secrets
to come!
resolves #12396
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/kube/kube.go | 10 | ||||
-rw-r--r-- | pkg/specgen/generate/kube/play_test.go | 2 | ||||
-rw-r--r-- | pkg/specgen/generate/kube/volume.go | 56 |
3 files changed, 64 insertions, 4 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index 454a1e1d0..e9abf419b 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -398,6 +398,16 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener Type: "b", } s.Devices = append(s.Devices, device) + case KubeVolumeTypeSecret: + // in podman play kube we need to add these secrets as volumes rather than as + // specgen.Secrets. Adding them as volumes allows for all key: value pairs to be mounted + secretVolume := specgen.NamedVolume{ + Dest: volume.MountPath, + Name: volumeSource.Source, + Options: options, + } + + s.Volumes = append(s.Volumes, &secretVolume) default: return nil, errors.New("unsupported volume source type") } diff --git a/pkg/specgen/generate/kube/play_test.go b/pkg/specgen/generate/kube/play_test.go index 466dab610..470c0c39c 100644 --- a/pkg/specgen/generate/kube/play_test.go +++ b/pkg/specgen/generate/kube/play_test.go @@ -28,7 +28,7 @@ func createSecrets(t *testing.T, d string) *secrets.SecretsManager { data, err := json.Marshal(s.Data) assert.NoError(t, err) - _, err = secretsManager.Store(s.ObjectMeta.Name, data, driver, driverOpts) + _, err = secretsManager.Store(s.ObjectMeta.Name, data, driver, driverOpts, nil) assert.NoError(t, err) } diff --git a/pkg/specgen/generate/kube/volume.go b/pkg/specgen/generate/kube/volume.go index f5c0c241d..c12adadd8 100644 --- a/pkg/specgen/generate/kube/volume.go +++ b/pkg/specgen/generate/kube/volume.go @@ -6,9 +6,13 @@ import ( "os" "github.com/containers/common/pkg/parse" + "github.com/containers/common/pkg/secrets" "github.com/containers/podman/v4/libpod" v1 "github.com/containers/podman/v4/pkg/k8s.io/api/core/v1" + metav1 "github.com/containers/podman/v4/pkg/k8s.io/apimachinery/pkg/apis/meta/v1" + "github.com/sirupsen/logrus" + "gopkg.in/yaml.v3" ) const ( @@ -27,6 +31,7 @@ const ( KubeVolumeTypeConfigMap KubeVolumeTypeBlockDevice KubeVolumeTypeCharDevice + KubeVolumeTypeSecret ) //nolint:revive @@ -125,6 +130,49 @@ func VolumeFromHostPath(hostPath *v1.HostPathVolumeSource) (*KubeVolume, error) }, nil } +// VolumeFromSecret creates a new kube volume from a kube secret. +func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secrets.SecretsManager) (*KubeVolume, error) { + // returns a byte array of a kube secret data, meaning this needs to go into a string map + _, secretByte, err := secretsManager.LookupSecretData(secretSource.SecretName) + if err != nil { + return nil, err + } + + // unmarshaling directly into a v1.secret creates type mismatch errors + // use a more friendly, string only secret struct. + type KubeSecret struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + // +optional + Immutable *bool `json:"immutable,omitempty"` + Data map[string]string `json:"data,omitempty"` + // +optional + StringData map[string]string `json:"stringData,omitempty"` + // +optional + Type string `json:"type,omitempty"` + } + + data := &KubeSecret{} + + err = yaml.Unmarshal(secretByte, data) + if err != nil { + return nil, err + } + + kv := &KubeVolume{} + kv.Type = KubeVolumeTypeSecret + kv.Source = secretSource.SecretName + kv.Optional = *secretSource.Optional + kv.Items = make(map[string]string) + + // add key: value pairs to the items array + for key, entry := range data.Data { + kv.Items[key] = entry + } + return kv, nil +} + // Create a KubeVolume from a PersistentVolumeClaimVolumeSource func VolumeFromPersistentVolumeClaim(claim *v1.PersistentVolumeClaimVolumeSource) (*KubeVolume, error) { return &KubeVolume{ @@ -172,7 +220,7 @@ func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, config } // Create a KubeVolume from one of the supported VolumeSource -func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap) (*KubeVolume, error) { +func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap, secretsManager *secrets.SecretsManager) (*KubeVolume, error) { switch { case volumeSource.HostPath != nil: return VolumeFromHostPath(volumeSource.HostPath) @@ -180,17 +228,19 @@ func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap) ( return VolumeFromPersistentVolumeClaim(volumeSource.PersistentVolumeClaim) case volumeSource.ConfigMap != nil: return VolumeFromConfigMap(volumeSource.ConfigMap, configMaps) + case volumeSource.Secret != nil: + return VolumeFromSecret(volumeSource.Secret, secretsManager) default: return nil, errors.New("HostPath, ConfigMap, and PersistentVolumeClaim are currently the only supported VolumeSource") } } // Create a map of volume name to KubeVolume -func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap) (map[string]*KubeVolume, error) { +func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap, secretsManager *secrets.SecretsManager) (map[string]*KubeVolume, error) { volumes := make(map[string]*KubeVolume) for _, specVolume := range specVolumes { - volume, err := VolumeFromSource(specVolume.VolumeSource, configMaps) + volume, err := VolumeFromSource(specVolume.VolumeSource, configMaps, secretsManager) if err != nil { return nil, fmt.Errorf("failed to create volume %q: %w", specVolume.Name, err) } |