Merge pull request #1509 from lpabon/intree-multitenant-2

[security fix] Refactor intree security model
libopenstorage · Apr 22, 2020 · 9db49f2 · 9db49f2
2 parents 26ffe0b + 5ba9691
commit 9db49f2
Show file tree

Hide file tree

Showing 101 changed files with 14,263 additions and 553 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -7,6 +7,12 @@ go:
   - 1.13.x
 install:
   - go get -u github.com/vbatts/git-validation
+  - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+  - chmod +x kubectl
+  - mv kubectl ${GOPATH}/bin
+  - curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-$(uname)-amd64
+  - chmod +x ./kind
+  - mv ./kind ${GOPATH}/bin
 script:
   - git-validation -run DCO,short-subject
   - if [[ $(go version) == *"1.13"* ]]; then
@@ -15,11 +21,8 @@ script:
   - make docker-proto
   - git diff $(find . -name "*.pb.*go" -o -name "api.swagger.json" | grep -v vendor) | wc -l | grep "^0"
   - git grep -rw GPL vendor | grep LICENSE | egrep -v "yaml.v2" | wc -l | grep "^0"
-  - make sdk-check-version
-  - make install
-  - make vet
+  - make install verify
   - bash hack/docker-integration-test.sh
-  - make docker-test
   - if [ "${TRAVIS_PULL_REQUEST}" == "false" ]; then
       echo "${DOCKER_PASS}" | docker login -u "${DOCKER_USER}" --password-stdin;
       make push-mock-sdk-server;

diff --git a/Makefile b/Makefile
@@ -82,6 +82,8 @@ OSDSANITY:=cmd/osd-sanity/osd-sanity
 	clean \
 	generate \
 	generate-mockfiles \
+	e2e \
+	verify \
 	sdk-check-version
 
 
@@ -157,7 +159,7 @@ build: packr
 	go build -tags "$(TAGS)" $(BUILDFLAGS) $(PKGS)
 
 install: packr $(OSDSANITY)-install
-	go install -tags "$(TAGS)" $(PKGS)
+	go install -gcflags="all=-N -l" -tags "$(TAGS)" $(PKGS)
 	go install github.com/libopenstorage/openstorage/cmd/osd-token-generator
 
 $(OSDSANITY):
@@ -412,3 +414,9 @@ mockgen:
 	mockgen -destination=api/mock/mock_volume.go -package=mock github.com/libopenstorage/openstorage/api OpenStorageVolumeServer,OpenStorageVolumeClient
 	mockgen -destination=api/mock/mock_fstrim.go -package=mock github.com/libopenstorage/openstorage/api OpenStorageFilesystemTrimServer,OpenStorageFilesystemTrimClient
 	mockgen -destination=api/mock/mock_fscheck.go -package=mock github.com/libopenstorage/openstorage/api OpenStorageFilesystemCheckServer,OpenStorageFilesystemCheckClient
+	mockgen -destination=api/server/mock/mock_schedops_k8s.go -package=mock github.com/portworx/sched-ops/k8s/core Ops
+
+e2e: docker-build-osd
+	cd test && ./run.bash
+
+verify: vet sdk-check-version docker-test e2e
diff --git a/api/api.go b/api/api.go
@@ -169,6 +169,19 @@ const (
 	AutoAggregation = math.MaxUint32
 )
 
+// The main goal of the following label keys is for the Kubernetes intree middleware
+// to keep track of the source location of the PVC with labels that cannot be modified
+// by the owner of the volume, but only by the storage administrator.
+const (
+	// KubernetesPvcNameKey is a label on the openstorage volume
+	// which tracks the source PVC for the volume.
+	KubernetesPvcNameKey = "openstorage.io/pvc-name"
+
+	// KubernetesPvcNamespaceKey is a label on the openstorage volume
+	// which tracks the source PVC namespace for the volume
+	KubernetesPvcNamespaceKey = "openstorage.io/pvc-namespace"
+)
+
 // Node describes the state of a node.
 // It includes the current physical state (CPU, memory, storage, network usage) as
 // well as the containers running on the system.
@@ -1204,4 +1217,6 @@ func (v *Volume) IsAttached() bool {
 type TokenSecretContext struct {
 	SecretName      string
 	SecretNamespace string
+	PvcName         string
+	PvcNamespace    string
 }