// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package controllers
import (
"fmt"
"sort"
"time"
corev1 "k8s.io/api/core/v1"
"kpt.dev/configsync/pkg/api/configsync"
"kpt.dev/configsync/pkg/api/configsync/v1beta1"
hubv1 "kpt.dev/configsync/pkg/api/hub/v1"
"kpt.dev/configsync/pkg/metadata"
)
// Names of the volumes the reconciler templates use for credentials and the
// CA bundle, plus where the CA bundle is mounted.
const (
	// GitCredentialVolume is the volume name of the git credentials.
	GitCredentialVolume = "git-creds"
	// HelmCredentialVolume is the volume name of the helm credentials.
	HelmCredentialVolume = "helm-creds"
	// CACertVolume is the volume name of the CA certificate.
	CACertVolume = "ca-cert"
	// CACertSecretKey is the name of the key in the Secret's data map whose
	// value holds the CA cert; it is the only key projected from that Secret.
	CACertSecretKey = "cert"
	// CACertPath is the directory where the CA certificate volume is mounted.
	CACertPath = "/etc/ca-cert"
)

var (
	// defaultMode is the file mode applied to the `ca-cert` and `gcp-ksa`
	// volumes built in this file (it is taken by address, so it must stay a
	// variable). 0644 matches the Kubernetes default for Secret/projected
	// volumes.
	// NOTE(review): 0644 leaves the mounted files readable by every uid in the
	// container, including the projected KSA token (a bearer credential).
	// Whether 0440/0400 is viable depends on the uid/fsGroup the reconciler
	// containers run as, which is not visible here — confirm before tightening.
	defaultMode int32 = 0644

	// expirationSeconds is the requested validity of the projected service
	// account token: 48 hours. The kubelet rotates the token proactively as it
	// approaches expiry (per the projected-token documentation, once it is past
	// 80% of its TTL or 24h old), and the API server may issue a shorter-lived
	// token than requested.
	expirationSeconds = int64((48 * time.Hour).Seconds())
)
// filterVolumes builds the volume list for a reconciler Deployment from the
// template volumes in existing, dropping or re-pointing the credential volumes
// according to authType and sourceType, and appending the optional CA-cert and
// fleet-workload-identity volumes.
//
//   - `git-creds` is kept only for a git source whose auth type is not skipped
//     by SkipForAuth; its SecretName is replaced with secretName.
//   - `helm-creds` is handled the same way for a helm source.
//   - when useCACert(caCertSecretName) holds, a `ca-cert` Secret volume is
//     appended that projects only the CACertSecretKey entry of that Secret.
//   - when useFWIAuth(authType, membership) holds, a projected `gcp-ksa`
//     volume is appended carrying a KSA token whose audience is the
//     membership's workload identity pool, plus the credential config read
//     from the pod annotation metadata.FleetWorkloadIdentityCredentials.
//
// Volumes with any other name pass through untouched. The result is nil when
// nothing survives the filter.
//
// NOTE(review): the credential volumes are assumed to be Secret-backed in the
// template; a `git-creds`/`helm-creds` volume without a Secret source would
// dereference a nil pointer here (fail-fast on a malformed template). Because
// Volume.Secret is a pointer, the SecretName update is also visible through
// the caller's existing slice.
func filterVolumes(existing []corev1.Volume, authType configsync.AuthType, secretName, caCertSecretName, sourceType string, membership *hubv1.Membership) []corev1.Volume {
	var result []corev1.Volume
	for _, vol := range existing {
		switch vol.Name {
		case GitCredentialVolume:
			// Only a git source with Secret-based auth mounts git-creds.
			if SkipForAuth(authType) || sourceType != string(v1beta1.GitSource) {
				continue
			}
			vol.Secret.SecretName = secretName
		case HelmCredentialVolume:
			// Only a helm source with Secret-based auth mounts helm-creds.
			if SkipForAuth(authType) || sourceType != string(v1beta1.HelmSource) {
				continue
			}
			vol.Secret.SecretName = secretName
		}
		result = append(result, vol)
	}
	if useCACert(caCertSecretName) {
		result = append(result, buildCACertVolume(caCertSecretName))
	}
	if useFWIAuth(authType, membership) {
		// useFWIAuth is expected to guarantee membership is non-nil here.
		result = append(result, buildGCPKSAVolume(membership.Spec.WorkloadIdentityPool))
	}
	return result
}

// buildCACertVolume returns the Secret-backed `ca-cert` volume for the Secret
// named secretName. Only the CACertSecretKey entry is projected so unrelated
// keys in that Secret never reach the container filesystem.
func buildCACertVolume(secretName string) corev1.Volume {
	return corev1.Volume{
		Name: CACertVolume,
		VolumeSource: corev1.VolumeSource{
			Secret: &corev1.SecretVolumeSource{
				SecretName:  secretName,
				Items:       []corev1.KeyToPath{{Key: CACertSecretKey, Path: CACertSecretKey}},
				DefaultMode: &defaultMode,
			},
		},
	}
}

// buildGCPKSAVolume returns the projected `gcp-ksa` volume used for fleet
// workload identity: a service account token bound to the given audience
// (the workload identity pool) at gsaTokenPath, and a downward-API file at
// googleApplicationCredentialsFile populated from the pod annotation
// metadata.FleetWorkloadIdentityCredentials.
func buildGCPKSAVolume(audience string) corev1.Volume {
	tokenSource := corev1.VolumeProjection{
		ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
			Audience:          audience,
			ExpirationSeconds: &expirationSeconds,
			Path:              gsaTokenPath,
		},
	}
	credsSource := corev1.VolumeProjection{
		DownwardAPI: &corev1.DownwardAPIProjection{
			Items: []corev1.DownwardAPIVolumeFile{{
				Path: googleApplicationCredentialsFile,
				FieldRef: &corev1.ObjectFieldSelector{
					APIVersion: "v1",
					FieldPath:  fmt.Sprintf("metadata.annotations['%s']", metadata.FleetWorkloadIdentityCredentials),
				},
			}},
		},
	}
	return corev1.Volume{
		Name: gcpKSAVolumeName,
		VolumeSource: corev1.VolumeSource{
			Projected: &corev1.ProjectedVolumeSource{
				Sources:     []corev1.VolumeProjection{tokenSource, credsSource},
				DefaultMode: &defaultMode,
			},
		},
	}
}
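// volumeMounts returns the VolumeMounts for a reconciler container, sorted by
// volume name so the generated container spec is stable across reconciles.
//
// Starting from the template mounts in vm, it drops the credential mounts that
// filterVolumes would not provide a volume for:
//   - `git-creds` unless the source is git and SkipForAuth(auth) is false,
//   - `helm-creds` unless the source is helm and SkipForAuth(auth) is false.
//
// When useCACert(caCertSecretRef) holds it also adds a read-only mount of the
// `ca-cert` volume at CACertPath. Every other mount passes through as-is.
// The result is nil when nothing is mounted.
//
// This function must stay in step with filterVolumes: a mount that references
// a volume the pod does not define is rejected by the API server.
func volumeMounts(auth configsync.AuthType, caCertSecretRef, sourceType string, vm []corev1.VolumeMount) []corev1.VolumeMount {
	var mounts []corev1.VolumeMount
	if useCACert(caCertSecretRef) {
		mounts = append(mounts, corev1.VolumeMount{
			MountPath: CACertPath,
			Name:      CACertVolume,
			ReadOnly:  true, // the reconciler only reads the CA bundle
		})
	}
	for _, m := range vm {
		switch m.Name {
		case GitCredentialVolume:
			if SkipForAuth(auth) || sourceType != string(v1beta1.GitSource) {
				continue
			}
		case HelmCredentialVolume:
			if SkipForAuth(auth) || sourceType != string(v1beta1.HelmSource) {
				continue
			}
		}
		mounts = append(mounts, m)
	}
	// Stable sort: mounts sharing a volume name (the same volume mounted at
	// several paths) keep their template order instead of an arbitrary one.
	sort.SliceStable(mounts, func(i, j int) bool {
		return mounts[i].Name < mounts[j].Name
	})
	return mounts
}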