Secret volume plugin iteration 1

pkg/api/types.go

@@ -230,7 +230,10 @@ type GitRepo struct {
 	// TODO: Consider credentials here.
 }
 
-// Adapts a Secret into a VolumeSource
+// Adapts a Secret into a VolumeSource.
+//
+// The contents of the target Secret's Data field will be presented in a volume
+// as files using the keys in the Data field as the file names.
 type SecretSource struct {
 	// Reference to a Secret
 	Target ObjectReference `json:"target"`
@@ -1318,15 +1321,22 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }
 
-// Secret holds secret data of a certain type
+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta   `json:",inline"`
 	ObjectMeta `json:"metadata,omitempty"`
 
+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
+	// The serialized form of the secret data is a base64 encoded string.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	Type SecretType `json:"type,omitempty"`
 }
 
+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string
 
 const (
@@ -1339,5 +1349,3 @@ type SecretList struct {
 
 	Items []Secret `json:"items"`
 }
-
-const MaxSecretSize = 1 * 1024 * 1024

pkg/api/v1beta1/types.go

@@ -1100,13 +1100,21 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }
 
+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta `json:",inline"`
 
+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
+	// The serialized form of the secret data is a base64 encoded string.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	Type SecretType `json:"type,omitempty"`
 }
 
+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string
 
 const (

pkg/api/v1beta2/types.go

@@ -1103,14 +1103,21 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }
 
-// Secret holds secret data of a certain type
+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta `json:",inline"`
 
+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	// The serialized form of the secret data is a base64 encoded string.
+	Type SecretType `json:"type,omitempty"`
 }
 
+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string
 
 const (

pkg/api/v1beta3/types.go

@@ -1243,16 +1243,22 @@ type ResourceQuotaList struct {
 	Items []ResourceQuota `json:"items"`
 }
 
-// Secret holds mappings between paths and secret data
-// TODO: shouldn't "Secret" be a plural?
+// Secret holds secret data of a certain type.  The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type Secret struct {
 	TypeMeta   `json:",inline"`
 	ObjectMeta `json:"metadata,omitempty"`
 
+	// Data contains the secret data.  Each key must be a valid DNS_SUBDOMAIN.
+	// The serialized form of the secret data is a base64 encoded string.
 	Data map[string][]byte `json:"data,omitempty"`
-	Type SecretType        `json:"type,omitempty"`
+
+	// Used to facilitate programatic handling of secret data.
+	Type SecretType `json:"type,omitempty"`
 }
 
+const MaxSecretSize = 1 * 1024 * 1024
+
 type SecretType string
 
 const (

pkg/api/validation/validation.go

@@ -853,9 +853,14 @@ func ValidateSecret(secret *api.Secret) errs.ValidationErrorList {
 	}
 
 	totalSize := 0
-	for _, value := range secret.Data {
+	for key, value := range secret.Data {
+		if !util.IsDNSSubdomain(key) {
+			allErrs = append(allErrs, errs.NewFieldInvalid(fmt.Sprintf("data[%v]", key), key, cIdentifierErrorMsg))
+		}
+
 		totalSize += len(value)
 	}
+
 	if totalSize > api.MaxSecretSize {
 		allErrs = append(allErrs, errs.NewFieldForbidden("data", "Maximum secret size exceeded"))
 	}

pkg/api/validation/validation_test.go

@@ -2497,7 +2497,7 @@ func TestValidateSecret(t *testing.T) {
 		return api.Secret{
 			ObjectMeta: api.ObjectMeta{Name: "foo", Namespace: "bar"},
 			Data: map[string][]byte{
-				"foo": []byte("bar"),
+				"data-1": []byte("bar"),
 			},
 		}
 	}
@@ -2508,6 +2508,7 @@ func TestValidateSecret(t *testing.T) {
 		emptyNs     = validSecret()
 		invalidNs   = validSecret()
 		overMaxSize = validSecret()
+		invalidKey  = validSecret()
 	)
 
 	emptyName.Name = ""
@@ -2517,6 +2518,7 @@ func TestValidateSecret(t *testing.T) {
 	overMaxSize.Data = map[string][]byte{
 		"over": make([]byte, api.MaxSecretSize+1),
 	}
+	invalidKey.Data["a..b"] = []byte("whoops")
 
 	tests := map[string]struct {
 		secret api.Secret
@@ -2528,6 +2530,7 @@ func TestValidateSecret(t *testing.T) {
 		"empty namespace":   {emptyNs, false},
 		"invalid namespace": {invalidNs, false},
 		"over max size":     {overMaxSize, false},
+		"invalid key":       {invalidKey, false},
 	}
 
 	for name, tc := range tests {

pkg/kubelet/server/plugins.go

@@ -26,6 +26,7 @@ import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/volume/gce_pd"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/volume/git_repo"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/volume/host_path"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/volume/secret"
 )
 
 // ProbeVolumePlugins collects all volume plugins into an easy to use list.
@@ -39,6 +40,7 @@ func ProbeVolumePlugins() []volume.Plugin {
 	allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
 	allPlugins = append(allPlugins, git_repo.ProbeVolumePlugins()...)
 	allPlugins = append(allPlugins, host_path.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, secret.ProbeVolumePlugins()...)
 
 	return allPlugins
 }

pkg/kubelet/server/server.go

@@ -179,6 +179,8 @@ func (s *KubeletServer) Run(_ []string) error {
 		glog.Warningf("No API client: %v", err)
 	}
 
+	glog.Infof("Using root directory: %v", s.RootDirectory)
+
 	credentialprovider.SetPreferredDockercfgPath(s.RootDirectory)
 
 	kcfg := KubeletConfig{

pkg/kubelet/volume/empty_dir/empty_dir_test.go

@@ -27,7 +27,7 @@ import (
 
 func TestCanSupport(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("kubernetes.io/empty-dir")
 	if err != nil {
@@ -46,7 +46,7 @@ func TestCanSupport(t *testing.T) {
 
 func TestPlugin(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("kubernetes.io/empty-dir")
 	if err != nil {
@@ -100,7 +100,7 @@ func TestPlugin(t *testing.T) {
 
 func TestPluginBackCompat(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("kubernetes.io/empty-dir")
 	if err != nil {
@@ -125,7 +125,7 @@ func TestPluginBackCompat(t *testing.T) {
 
 func TestPluginLegacy(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("empty")
 	if err != nil {

pkg/kubelet/volume/gce_pd/gce_pd_test.go

@@ -28,7 +28,7 @@ import (
 
 func TestCanSupport(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("kubernetes.io/gce-pd")
 	if err != nil {
@@ -80,7 +80,7 @@ func (fake *fakeMounter) List() ([]mount.MountPoint, error) {
 
 func TestPlugin(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("kubernetes.io/gce-pd")
 	if err != nil {
@@ -146,7 +146,7 @@ func TestPlugin(t *testing.T) {
 
 func TestPluginLegacy(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"/tmp/fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("gce-pd")
 	if err != nil {

pkg/kubelet/volume/git_repo/git_repo_test.go

@@ -35,7 +35,7 @@ func newTestHost(t *testing.T) volume.Host {
 	if err != nil {
 		t.Fatalf("can't make a temp rootdir: %v", err)
 	}
-	return &volume.FakeHost{tempDir}
+	return &volume.FakeHost{tempDir, nil}
 }
 
 func TestCanSupport(t *testing.T) {

pkg/kubelet/volume/host_path/host_path_test.go

@@ -26,7 +26,7 @@ import (
 
 func TestCanSupport(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("kubernetes.io/host-path")
 	if err != nil {
@@ -45,7 +45,7 @@ func TestCanSupport(t *testing.T) {
 
 func TestPlugin(t *testing.T) {
 	plugMgr := volume.PluginMgr{}
-	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"fake"})
+	plugMgr.InitPlugins(ProbeVolumePlugins(), &volume.FakeHost{"fake", nil})
 
 	plug, err := plugMgr.FindPluginByName("kubernetes.io/host-path")
 	if err != nil {

pkg/kubelet/volume/plugins.go

@@ -22,6 +22,7 @@ import (
 	"sync"
 
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/types"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util/errors"
@@ -76,6 +77,9 @@ type Host interface {
 	// does not exist, the result of this call might not exist.  This
 	// directory might not actually exist on disk yet.
 	GetPodPluginDir(podUID types.UID, pluginName string) string
+
+	// GetKubeClient returns a client interface
+	GetKubeClient() client.Interface
 }
 
 // PluginMgr tracks registered plugins.