feat: support provider paths under /var/run

This allows the driver to check multiple paths when looking for a provider, addressing kubernetes-sigs#823 as the semantically correct path is /var not /etc. -additional-provider-volume-paths is added to so that providers that have not migrated to the /var location will continue to operate. In a future release when all supported providers are migrated to the /var path the -additional-provider-volume-paths flag can be removed or changed to an empty string.
tam7t · Feb 2, 2022 · 4ef4ef6 · 4ef4ef6
1 parent d32ca72
commit 4ef4ef6
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 18 deletions.
diff --git a/cmd/secrets-store-csi-driver/main.go b/cmd/secrets-store-csi-driver/main.go
@@ -23,6 +23,7 @@ import (
 	"net/http"
 	_ "net/http/pprof" // #nosec
 	"os"
+	"strings"
 	"time"
 
 	secretsstorev1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
@@ -49,11 +50,12 @@ import (
 )
 
 var (
-	endpoint           = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
-	driverName         = flag.String("drivername", "secrets-store.csi.k8s.io", "name of the driver")
-	nodeID             = flag.String("nodeid", "", "node id")
-	logFormatJSON      = flag.Bool("log-format-json", false, "set log formatter to json")
-	providerVolumePath = flag.String("provider-volume", "/etc/kubernetes/secrets-store-csi-providers", "Volume path for provider")
+	endpoint                = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
+	driverName              = flag.String("drivername", "secrets-store.csi.k8s.io", "name of the driver")
+	nodeID                  = flag.String("nodeid", "", "node id")
+	logFormatJSON           = flag.Bool("log-format-json", false, "set log formatter to json")
+	providerVolumePath      = flag.String("provider-volume", "/var/run/secrets-store-csi-providers", "Volume path for provider")
+	additionalProviderPaths = flag.String("additional-provider-volume-paths", "/etc/kubernetes/secrets-store-csi-providers", "Comma separated list of additional paths to communicate with providers")
 	// this will be removed in a future release
 	metricsAddr          = flag.String("metrics-addr", ":8095", "The address the metric endpoint binds to")
 	enableSecretRotation = flag.Bool("enable-secret-rotation", false, "Enable secret rotation feature [alpha]")
@@ -156,7 +158,9 @@ func main() {
 	ctx := withShutdownSignal(context.Background())
 
 	// create provider clients
-	providerClients := secretsstore.NewPluginClientBuilder(*providerVolumePath, grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(*maxCallRecvMsgSize)))
+	providerPaths := strings.Split(*additionalProviderPaths, ",")
+	providerPaths = append(providerPaths, *providerVolumePath)
+	providerClients := secretsstore.NewPluginClientBuilder(providerPaths, grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(*maxCallRecvMsgSize)))
 	defer providerClients.Cleanup()
 
 	// enable provider health check

diff --git a/pkg/secrets-store/provider_client.go b/pkg/secrets-store/provider_client.go
@@ -72,11 +72,11 @@ var (
 // PluginClientBuilder builds and stores grpc clients for communicating with
 // provider plugins.
 type PluginClientBuilder struct {
-	clients    map[string]v1alpha1.CSIDriverProviderClient
-	conns      map[string]*grpc.ClientConn
-	socketPath string
-	lock       sync.RWMutex
-	opts       []grpc.DialOption
+	clients     map[string]v1alpha1.CSIDriverProviderClient
+	conns       map[string]*grpc.ClientConn
+	socketPaths []string
+	lock        sync.RWMutex
+	opts        []grpc.DialOption
 }
 
 // NewPluginClientBuilder creates a PluginClientBuilder that will connect to
@@ -89,12 +89,12 @@ type PluginClientBuilder struct {
 //
 // Additional grpc dial options can also be set through opts and will be used
 // when creating all clients.
-func NewPluginClientBuilder(path string, opts ...grpc.DialOption) *PluginClientBuilder {
+func NewPluginClientBuilder(paths []string, opts ...grpc.DialOption) *PluginClientBuilder {
 	return &PluginClientBuilder{
-		clients:    make(map[string]v1alpha1.CSIDriverProviderClient),
-		conns:      make(map[string]*grpc.ClientConn),
-		socketPath: path,
-		lock:       sync.RWMutex{},
+		clients:     make(map[string]v1alpha1.CSIDriverProviderClient),
+		conns:       make(map[string]*grpc.ClientConn),
+		socketPaths: paths,
+		lock:        sync.RWMutex{},
 		opts: append(opts, []grpc.DialOption{
 			grpc.WithInsecure(), // the interface is only secured through filesystem ACLs
 			grpc.WithContextDialer(func(ctx context.Context, target string) (net.Conn, error) {
@@ -124,12 +124,22 @@ func (p *PluginClientBuilder) Get(ctx context.Context, provider string) (v1alpha
 		return nil, fmt.Errorf("%w: provider %q", ErrInvalidProvider, provider)
 	}
 
-	if _, err := os.Stat(fmt.Sprintf("%s/%s.sock", p.socketPath, provider)); os.IsNotExist(err) {
+	// check all paths
+	socketPath := ""
+	for k := range p.socketPaths {
+		tryPath := fmt.Sprintf("%s/%s.sock", p.socketPath[k], provider)
+		if _, err := os.Stat(tryPath); err != nil {
+			socketPath = tryPath
+			break
+		}
+	}
+
+	if socketPath == "" {
 		return nil, fmt.Errorf("%w: provider %q", ErrProviderNotFound, provider)
 	}
 
 	conn, err := grpc.Dial(
-		fmt.Sprintf("%s/%s.sock", p.socketPath, provider),
+		socketPath,
 		p.opts...,
 	)
 	if err != nil {