emptyDir volume for token sink (/home/vault) in init and sidecar cont…

…ainers
hashicorp · Mar 5, 2020 · a40d0df · a40d0df
1 parent a51f757
commit a40d0df
Show file tree

Hide file tree

Showing 7 changed files with 78 additions and 9 deletions.
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
@@ -298,6 +298,12 @@ func ShouldInject(pod *corev1.Pod) (bool, error) {
 func (a *Agent) Patch() ([]byte, error) {
 	var patches []byte
 
+	// Add a volume for the token sink
+	a.Patches = append(a.Patches, addVolumes(
+		a.Pod.Spec.Volumes,
+		[]corev1.Volume{a.ContainerTokenVolume()},
+		"/spec/volumes")...)
+
 	// Add our volume that will be shared by the containers
 	// for passing data in the pod.
 	a.Patches = append(a.Patches, addVolumes(

diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
@@ -181,6 +181,11 @@ func TestSecretAnnotationsWithPreserveCaseSensitivityFlagOn(t *testing.T) {
 		pod := testPod(annotation)
 		var patches []*jsonpatch.JsonPatchOperation
 
+		err := Init(pod, AgentConfig{"", "http://foobar:8200", "test", "test", true, "1000", "100"})
+		if err != nil {
+			t.Errorf("got error, shouldn't have: %s", err)
+		}
+
 		agent, err := New(pod, patches)
 		if err != nil {
 			t.Errorf("got error, shouldn't have: %s", err)
@@ -289,9 +294,10 @@ func TestTemplateShortcuts(t *testing.T) {
 			},
 			map[string]Secret{
 				"token": Secret{
-					Name:     "token",
-					Path:     TokenSecret,
-					Template: TokenTemplate,
+					Name:      "token",
+					Path:      TokenSecret,
+					Template:  TokenTemplate,
+					MountPath: secretVolumePath,
 				},
 			},
 		},

diff --git a/agent-inject/agent/container_init_sidecar.go b/agent-inject/agent/container_init_sidecar.go
@@ -13,6 +13,11 @@ import (
 // two config files.
 func (a *Agent) ContainerInitSidecar() (corev1.Container, error) {
 	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      tokenVolumeName,
+			MountPath: tokenVolumePath,
+			ReadOnly:  false,
+		},
 		{
 			Name:      a.ServiceAccountName,
 			MountPath: a.ServiceAccountPath,

diff --git a/agent-inject/agent/container_sidecar.go b/agent-inject/agent/container_sidecar.go
@@ -30,6 +30,11 @@ func (a *Agent) ContainerSidecar() (corev1.Container, error) {
 			MountPath: a.ServiceAccountPath,
 			ReadOnly:  true,
 		},
+		{
+			Name:      tokenVolumeName,
+			MountPath: tokenVolumePath,
+			ReadOnly:  false,
+		},
 	}
 	volumeMounts = append(volumeMounts, a.ContainerVolumeMounts()...)
 
@@ -112,7 +117,6 @@ func (a *Agent) parseResources() (corev1.ResourceRequirements, error) {
 	resources.Requests = requests
 
 	return resources, nil
-
 }
 
 func parseQuantity(raw string) (resource.Quantity, error) {

diff --git a/agent-inject/agent/container_sidecar_test.go b/agent-inject/agent/container_sidecar_test.go
@@ -32,7 +32,7 @@ func TestContainerSidecarVolume(t *testing.T) {
 	pod := testPod(annotations)
 	var patches []*jsonpatch.JsonPatchOperation
 
-	err := Init(pod, "foobar-image", "http://foobar:1234", "test", "test", true)
+	err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", "test", "test", true, "1000", "100"})
 	if err != nil {
 		t.Errorf("got error, shouldn't have: %s", err)
 	}
@@ -44,8 +44,8 @@ func TestContainerSidecarVolume(t *testing.T) {
 
 	container, err := agent.ContainerSidecar()
 
-	// One config volume mount and two secrets volume mounts
-	require.Equal(t, 3, len(container.VolumeMounts))
+	// One token volume mount, one config volume mount and two secrets volume mounts
+	require.Equal(t, 4, len(container.VolumeMounts))
 
 	require.Equal(
 		t,
@@ -55,6 +55,11 @@ func TestContainerSidecarVolume(t *testing.T) {
 				MountPath: agent.ServiceAccountPath,
 				ReadOnly:  true,
 			},
+			corev1.VolumeMount{
+				Name:      tokenVolumeName,
+				MountPath: tokenVolumePath,
+				ReadOnly:  false,
+			},
 			corev1.VolumeMount{
 				Name:      secretVolumeName,
 				MountPath: agent.Annotations[AnnotationVaultSecretVolumePath],

diff --git a/agent-inject/agent/container_volume.go b/agent-inject/agent/container_volume.go
@@ -8,6 +8,8 @@ import (
 )
 
 const (
+	tokenVolumeName     = "home"
+	tokenVolumePath     = "/home/vault"
 	configVolumeName    = "vault-config"
 	configVolumePath    = "/vault/configs"
 	secretVolumeName    = "vault-secrets"
@@ -56,6 +58,19 @@ func (a *Agent) ContainerVolumes() []corev1.Volume {
 	return containerVolumes
 }
 
+// ContainerTokenVolume returns a volume to mount the
+// home directory where the token sink will write to.
+func (a *Agent) ContainerTokenVolume() corev1.Volume {
+	return corev1.Volume{
+		Name: tokenVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{
+				Medium: "Memory",
+			},
+		},
+	}
+}
+
 // ContainerConfigMapVolume returns a volume to mount a config map
 // if the user supplied any.
 func (a *Agent) ContainerConfigMapVolume() corev1.Volume {

diff --git a/agent-inject/handler_test.go b/agent-inject/handler_test.go
@@ -138,6 +138,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/0/volumeMounts/-",
@@ -169,8 +173,8 @@ func TestHandlerHandle(t *testing.T) {
 				Object: encodeRaw(t, &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{
 						Annotations: map[string]string{
-							agent.AnnotationAgentInject: "true",
-							agent.AnnotationVaultRole:   "demo",
+							agent.AnnotationAgentInject:    "true",
+							agent.AnnotationVaultRole:      "demo",
 							agent.AnnotationAgentInitFirst: "true",
 						},
 					},
@@ -183,6 +187,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/0/volumeMounts/-",
@@ -239,6 +247,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/0/volumeMounts/-",
@@ -292,6 +304,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/0/volumeMounts/-",
@@ -341,6 +357,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/0/volumeMounts/-",
@@ -391,6 +411,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/0/volumeMounts/-",
@@ -433,6 +457,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/volumes",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/volumes",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/0/volumeMounts/-",