fix: use namespace for spc lookup + unit tests #264

Merged: 3 commits, Jul 31, 2020

aramase (Member) commented Jul 29, 2020

What this PR does / why we need it:

  • Sets the podNamespace env var for strict namespace enforcement
  • Refactors NodePublishVolume to add more unit tests for the NodePublish code path
  • Updates logs to include pod name and pod namespace for debugging
  • Adds unit tests

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #263

Special notes for your reviewer:

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 29, 2020
k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 29, 2020
@k8s-ci-robot k8s-ci-robot requested a review from ritazh July 29, 2020 18:15
@aramase aramase changed the title fix: use namespace for spc lookup + unit tests [WIP] fix: use namespace for spc lookup + unit tests Jul 29, 2020
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 29, 2020
@aramase aramase force-pushed the same-ns-and-unit-tests branch 4 times, most recently from 836c715 to 2b5e7e9 Compare July 29, 2020 19:23
aramase (Member Author) commented Jul 29, 2020

/test pull-secrets-store-csi-driver-unit

@aramase aramase changed the title [WIP] fix: use namespace for spc lookup + unit tests fix: use namespace for spc lookup + unit tests Jul 29, 2020
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 29, 2020
@aramase aramase force-pushed the same-ns-and-unit-tests branch 4 times, most recently from 136a827 to 076583c Compare July 29, 2020 23:14
@@ -96,5 +98,13 @@ func main() {

func handle() {
driver := secretsstore.GetDriver()
driver.Run(*driverName, *nodeID, *endpoint, *providerVolumePath, *minProviderVersion)
cfg, err := config.GetConfig()
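
Review bot: the `err` returned by `config.GetConfig()` on the last line of this hunk needs to be checked before `cfg` is used, and that check is not visible in the lines shown. Since `handle()` returns nothing, a failure to obtain the config should be logged with the error and stop the driver at startup rather than continue with a nil `cfg`.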

Member:

I recall we had to call getClient() to get the latest client to prevent from reading from cache. Is this no longer a concern?

Member Author:

https://github.com/kubernetes-sigs/controller-runtime/blob/master/pkg/client/client.go#L42-L52

// New returns a new Client using the provided config and Options.
// The returned client reads *and* writes directly from the server
// (it doesn't use object caches).  It understands how to work with
// normal types (both custom resources and aggregated/built-in resources),
// as well as unstructured types.

Member:

I was thinking about this one kubernetes-sigs/controller-runtime#403
But I don't think we have multiple controllers updating the same objects now.

Member Author:

Right, we don't have any update operations on spc. There is only GET for spc and CREATE for spcpodstatus

aramase (Member Author) commented Jul 30, 2020

/test pull-secrets-store-csi-driver-e2e-windows

aramase (Member Author) commented Jul 30, 2020

@ritazh Updated the PR, PTAL!

@aramase aramase added this to the v0.0.13 milestone Jul 31, 2020
@test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - read secret from pod, read K8s secret, read env var, check secret ownerReferences" {
POD=$(kubectl get pod -l app=nginx -n test-ns -o jsonpath="{.items[0].metadata.name}")
result=$(kubectl exec -n test-ns -it $POD -- cat /mnt/secrets-store/foo)
[[ "$result" == "hello" ]]
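
Review bot: in the `kubectl exec` line, `-it` is not needed for a non-interactive `cat`; when a TTY is allocated the output can come back with a trailing carriage return, which makes the exact comparison `[[ "$result" == "hello" ]]` fail for a reason unrelated to the secret. Drop `-it`, quote `"$POD"`, and assert that `POD` is non-empty before using it so a missing pod in `test-ns` is reported as such.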

Member:

can you pls update all these == to -eq

aramase (Member Author), Jul 31, 2020:

I think we should use == for string comparisons. Using -eq returns 0 even when the strings don't match.

#!/usr/bin/env bats

export result="hel"

@test "testing with eq" {
    [[ "$result" -eq "hello" ]]
}

@test "testing with other" {
    [[ "$result" == *"hello"* ]]
}

➜ bats test.bats -t
1..2
ok 1 testing with eq
not ok 2 testing with other
# (in test file /Users/anishramasekar/Desktop/test.bats, line 9)
#   `@test "testing with other" {' failed

WDYT?


run kubectl delete -f $BATS_TESTS_DIR/vault_synck8s_v1alpha1_secretproviderclass.yaml
assert_success

sleep 20
result=$(kubectl get secret | grep foosecret | wc -l)
[[ "$result" == "0" ]]
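
Review bot: `result` on the last line is a line count from `wc -l`, so compare it numerically with `[[ "$result" -eq 0 ]]`; BSD/macOS `wc -l` pads its output with leading spaces, and the string comparison `== "0"` then fails even when no secret is left. `kubectl get secret` here carries no `-n`, so the check only covers the current namespace; state the namespace explicitly, and consider polling with a timeout instead of the fixed `sleep 20`.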

Member:

As discussed, let's use -eq for numeric and == for string.
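
Why `-eq` passed in the bats run earlier in this thread, and where each operator is appropriate, shown as an added example that is not part of the PR or the project's test suite: inside `[[ ]]`, `-eq` evaluates both operands as arithmetic expressions, so a non-numeric word is read as a variable name and an unset or empty value becomes 0. The helper names (`num_eq`, `str_eq`, `int_eq`, `show`) and all sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: operand handling of -eq versus == inside bash [[ ]].
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # [[ ]] needs bash

# -eq evaluates both operands as arithmetic expressions. A non-numeric word
# is read as a variable name; unset variables and empty strings become 0.
num_eq() { [[ "$1" -eq "$2" ]]; }

# == compares text. The quoted right-hand side is matched literally, not as
# a glob pattern.
str_eq() { [[ "$1" == "$2" ]]; }

# Hypothetical stricter helper for numeric assertions: both operands must be
# unsigned decimal integers (surrounding whitespace allowed, as BSD wc -l
# emits). Returns 0 equal, 1 different, 2 when an operand is not a number.
int_eq() {
    local re='^[[:space:]]*[0-9]+[[:space:]]*$' a b
    [[ "$1" =~ $re && "$2" =~ $re ]] || return 2
    a=${1//[[:space:]]/}
    b=${2//[[:space:]]/}
    (( 10#$a == 10#$b ))    # 10# keeps "08" from being parsed as octal
}

# Print the exit status a helper gives for one pair of operands.
show() {
    local rc=0
    "$@" || rc=$?
    printf '%-6s [%s] vs [%s] -> rc=%d\n' "$1" "$2" "$3" "$rc"
}

# Constructed inputs, modelled on the comparisons in this thread.
show num_eq "hel" "hello"      # rc=0: both words evaluate to 0
show str_eq "hel" "hello"      # rc=1: the strings differ
show num_eq "" "0"             # rc=0: empty output passes as zero
show int_eq "" "0"             # rc=2: empty output is rejected
show str_eq "       0" "0"     # rc=1: padded count fails as a string
show int_eq "       0" "0"     # rc=0: padded count equals zero
```

The `num_eq "" "0"` case is the one that matters for tests like the secret-count check: a `kubectl` call that fails and prints nothing still satisfies a bare `-eq 0`.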

aramase (Member Author) commented Jul 31, 2020

/test pull-secrets-store-csi-driver-e2e-windows

aramase (Member Author) commented Jul 31, 2020

/hold

(for windows tests to pass)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 31, 2020
aramase (Member Author) commented Jul 31, 2020

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 31, 2020
ritazh (Member) commented Jul 31, 2020

/lgtm

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Successfully merging this pull request may close these issues.

namespace lookup for SecretProviderClass not enforced in NodePublishVolume
3 participants