From a40d0dfaf71215da05fdeabcff4e525a783763ba Mon Sep 17 00:00:00 2001 From: joe miller Date: Wed, 4 Mar 2020 20:10:02 -0800 Subject: [PATCH] emptyDir volume for token sink (/home/vault) in init and sidecar containers --- agent-inject/agent/agent.go | 6 ++++ agent-inject/agent/annotations_test.go | 12 ++++++-- agent-inject/agent/container_init_sidecar.go | 5 +++ agent-inject/agent/container_sidecar.go | 6 +++- agent-inject/agent/container_sidecar_test.go | 11 +++++-- agent-inject/agent/container_volume.go | 15 +++++++++ agent-inject/handler_test.go | 32 ++++++++++++++++++-- 7 files changed, 78 insertions(+), 9 deletions(-) diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go index b00cde52..ea14b893 100644 --- a/agent-inject/agent/agent.go +++ b/agent-inject/agent/agent.go @@ -298,6 +298,12 @@ func ShouldInject(pod *corev1.Pod) (bool, error) { func (a *Agent) Patch() ([]byte, error) { var patches []byte + // Add a volume for the token sink + a.Patches = append(a.Patches, addVolumes( + a.Pod.Spec.Volumes, + []corev1.Volume{a.ContainerTokenVolume()}, + "/spec/volumes")...) + // Add our volume that will be shared by the containers // for passing data in the pod. a.Patches = append(a.Patches, addVolumes( diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go index fb97a2d8..36628c44 100644 --- a/agent-inject/agent/annotations_test.go +++ b/agent-inject/agent/annotations_test.go @@ -181,6 +181,11 @@ func TestSecretAnnotationsWithPreserveCaseSensitivityFlagOn(t *testing.T) { pod := testPod(annotation) var patches []*jsonpatch.JsonPatchOperation + err := Init(pod, AgentConfig{"", "http://foobar:8200", "test", "test", true, "1000", "100"}) + if err != nil { + t.Errorf("got error, shouldn't have: %s", err) + } + agent, err := New(pod, patches) if err != nil { t.Errorf("got error, shouldn't have: %s", err) 
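Review bot: The two `addVolumes` calls at the top of `Patch()` both pass the unmodified `a.Pod.Spec.Volumes` as the target and both emit an `add` on `/spec/volumes`; if `addVolumes` (not in this diff) turns an empty target into a whole-array `add` on the base path — which the handler_test expectations of two consecutive `add /spec/volumes` ops suggest — then under RFC 6902 the second `add` replaces the member the first one created, the `home` volume is lost, and the sidecars' `home` mounts reference a volume that does not exist. A single call with the token volume prepended avoids the question entirely: replace `[]corev1.Volume{a.ContainerTokenVolume()}` with `append([]corev1.Volume{a.ContainerTokenVolume()}, a.ContainerVolumes()...)` and drop the second call. `Patch()` continues past the end of this hunk, so check that nothing further down also patches `/spec/volumes`.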
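Review bot: The new `AgentConfig{"", "http://foobar:8200", "test", "test", true, "1000", "100"}` literal in TestSecretAnnotationsWithPreserveCaseSensitivityFlagOn is positional, so a reader cannot tell what `"1000"` and `"100"` configure and any reordering of AgentConfig's fields silently reassigns values without a compile error. Keyed fields (`FieldName: value`, using AgentConfig's real field names, which this diff does not show) would make the fixture self-describing and robust to struct changes. The same positional shape is repeated in container_sidecar_test.go in this commit.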
@@ -289,9 +294,10 @@ func TestTemplateShortcuts(t *testing.T) { }, map[string]Secret{ "token": Secret{ - Name: "token", - Path: TokenSecret, - Template: TokenTemplate, + Name: "token", + Path: TokenSecret, + Template: TokenTemplate, + MountPath: secretVolumePath, }, }, }, diff --git a/agent-inject/agent/container_init_sidecar.go b/agent-inject/agent/container_init_sidecar.go index 2c3278d7..94cf9813 100644 --- a/agent-inject/agent/container_init_sidecar.go +++ b/agent-inject/agent/container_init_sidecar.go @@ -13,6 +13,11 @@ import ( // two config files. func (a *Agent) ContainerInitSidecar() (corev1.Container, error) { volumeMounts := []corev1.VolumeMount{ + { + Name: tokenVolumeName, + MountPath: tokenVolumePath, + ReadOnly: false, + }, { Name: a.ServiceAccountName, MountPath: a.ServiceAccountPath, diff --git a/agent-inject/agent/container_sidecar.go b/agent-inject/agent/container_sidecar.go index a555ad37..d152b12b 100644 --- a/agent-inject/agent/container_sidecar.go +++ b/agent-inject/agent/container_sidecar.go @@ -30,6 +30,11 @@ func (a *Agent) ContainerSidecar() (corev1.Container, error) { MountPath: a.ServiceAccountPath, ReadOnly: true, }, + { + Name: tokenVolumeName, + MountPath: tokenVolumePath, + ReadOnly: false, + }, } volumeMounts = append(volumeMounts, a.ContainerVolumeMounts()...) @@ -112,7 +117,6 @@ func (a *Agent) parseResources() (corev1.ResourceRequirements, error) { resources.Requests = requests return resources, nil - } func parseQuantity(raw string) (resource.Quantity, error) { diff --git a/agent-inject/agent/container_sidecar_test.go b/agent-inject/agent/container_sidecar_test.go index e8ab65bc..ebff2690 100644 --- a/agent-inject/agent/container_sidecar_test.go +++ b/agent-inject/agent/container_sidecar_test.go 
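Review bot: The `home` mount added to ContainerInitSidecar is the only read-write mount in the list and nothing records why; a one-line comment such as `// token sink writes to $HOME, so this must stay writable (presumably also needed with a read-only root filesystem — confirm)` would stop a later hardening pass from flipping it to `ReadOnly: true` and breaking the sink. The mount is placed first here while ContainerSidecar in the same commit puts it after the service-account mount; using the same order in both containers makes them easier to compare. ContainerInitSidecar's body continues beyond this hunk.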
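Review bot: The `home` mount in ContainerSidecar shares `tokenVolumeName` with the init container's mount, so whatever the init sidecar leaves in `/home/vault` is visible to this container; that looks intentional (hand-off of the sink token) but the coupling should be stated, e.g. `// shared with the init container so the sink token it wrote is available here; never mount this into application containers`. Nothing in this diff mounts the volume into the application containers, which is the right boundary for a Vault token, and writing that down keeps it from being "fixed" later. The blank-line removal in parseResources is unrelated to this change and would be cleaner in its own commit.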
@@ -32,7 +32,7 @@ func TestContainerSidecarVolume(t *testing.T) {
pod := testPod(annotations)
var patches []*jsonpatch.JsonPatchOperation
- err := Init(pod, "foobar-image", "http://foobar:1234", "test", "test", true)
+ err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", "test", "test", true, "1000", "100"})
if err != nil {
t.Errorf("got error, shouldn't have: %s", err)
}
@@ -44,8 +44,8 @@ func TestContainerSidecarVolume(t *testing.T) {
container, err := agent.ContainerSidecar()
- // One config volume mount and two secrets volume mounts
- require.Equal(t, 3, len(container.VolumeMounts))
+ // One token volume mount, one config volume mount and two secrets volume mounts
+ require.Equal(t, 4, len(container.VolumeMounts))
require.Equal(
t,
@@ -55,6 +55,11 @@ func TestContainerSidecarVolume(t *testing.T) {
MountPath: agent.ServiceAccountPath, ReadOnly: true, },
+ corev1.VolumeMount{
+ Name: tokenVolumeName,
+ MountPath: tokenVolumePath,
+ ReadOnly: false,
+ },
corev1.VolumeMount{ Name: secretVolumeName, MountPath: agent.Annotations[AnnotationVaultSecretVolumePath],
diff --git a/agent-inject/agent/container_volume.go b/agent-inject/agent/container_volume.go
index a6716d83..052c4f92 100644
--- a/agent-inject/agent/container_volume.go
+++ b/agent-inject/agent/container_volume.go
@@ -8,6 +8,8 @@ import (
)
const (
+ tokenVolumeName = "home"
+ tokenVolumePath = "/home/vault"
configVolumeName = "vault-config"
configVolumePath = "/vault/configs"
secretVolumeName = "vault-secrets"
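Review bot: The updated assertions in TestContainerSidecarVolume only check that ContainerSidecar carries the `home` mount; nothing in this diff tests ContainerInitSidecar's new mount or that ContainerTokenVolume is memory-backed, and the latter is the security property this change introduces (the token stays off the node's disk). A short test such as `vol := agent.ContainerTokenVolume()` followed by `require.Equal(t, corev1.StorageMediumMemory, vol.VolumeSource.EmptyDir.Medium)` plus a mount-count check on ContainerInitSidecar would pin both. TestContainerSidecarVolume starts before this hunk.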
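Review bot: `tokenVolumeName = "home"` is a generic name for a volume that gets added to every injected pod, so it will clash with any pod that already declares a volume called `home`; Kubernetes requires volume names in a pod to be unique, and how `addVolumes` treats a duplicate is not visible here. The sibling constants use a `vault-` prefix (`vault-config`, `vault-secrets`), so `tokenVolumeName = "vault-home"` or similar would be both consistent and far less likely to collide. Only the volume name needs to change; `tokenVolumePath` can stay `/home/vault`.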
@@ -56,6 +58,19 @@ func (a *Agent) ContainerVolumes() []corev1.Volume {
return containerVolumes
}
+// ContainerTokenVolume returns a volume to mount the
+// home directory where the token sink will write to.
+func (a *Agent) ContainerTokenVolume() corev1.Volume {
+ return corev1.Volume{
+ Name: tokenVolumeName,
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{
+ Medium: "Memory",
+ },
+ },
+ }
+}
+
// ContainerConfigMapVolume returns a volume to mount a config map
// if the user supplied any.
func (a *Agent) ContainerConfigMapVolume() corev1.Volume {
diff --git a/agent-inject/handler_test.go b/agent-inject/handler_test.go
index 9bc7dd0e..e57ea43b 100644
--- a/agent-inject/handler_test.go
+++ b/agent-inject/handler_test.go
@@ -138,6 +138,10 @@ func TestHandlerHandle(t *testing.T) {
Operation: "add", Path: "/spec/volumes", },
+ {
+ Operation: "add",
+ Path: "/spec/volumes",
+ },
{ Operation: "add", Path: "/spec/containers/0/volumeMounts/-",
@@ -169,8 +173,8 @@ func TestHandlerHandle(t *testing.T) {
Object: encodeRaw(t, &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{
- agent.AnnotationAgentInject: "true",
- agent.AnnotationVaultRole: "demo",
+ agent.AnnotationAgentInject: "true",
+ agent.AnnotationVaultRole: "demo",
agent.AnnotationAgentInitFirst: "true", }, },
@@ -183,6 +187,10 @@ func TestHandlerHandle(t *testing.T) {
Operation: "add", Path: "/spec/volumes", },
+ {
+ Operation: "add",
+ Path: "/spec/volumes",
+ },
{ Operation: "add", Path: "/spec/containers/0/volumeMounts/-",
@@ -239,6 +247,10 @@ func TestHandlerHandle(t *testing.T) {
Operation: "add", Path: "/spec/volumes", },
+ {
+ Operation: "add",
+ Path: "/spec/volumes",
+ },
{ Operation: "add", Path: "/spec/containers/0/volumeMounts/-",
@@ -292,6 +304,10 @@ func TestHandlerHandle(t *testing.T) {
Operation: "add", Path: "/spec/volumes", },
+ {
+ Operation: "add",
+ Path: "/spec/volumes",
+ },
{ Operation: "add", Path: "/spec/containers/0/volumeMounts/-",
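Review bot: `Medium: "Memory"` in ContainerTokenVolume is an untyped string where the API provides the typed constant `corev1.StorageMediumMemory`; with the constant a typo is a compile error rather than a silently disk-backed emptyDir. The doc comment should also say why memory is chosen, because that is the security property of this volume: `// Memory-backed (tmpfs) so the sink token is never written to the node's disk.` A memory emptyDir is charged against the container's memory limit and no SizeLimit is set here; the token is tiny so that is acceptable, but a clause in the same comment would save the next reader from wondering.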
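Review bot: Every case in TestHandlerHandle now expects two consecutive `add` operations with `Path: "/spec/volumes"`, and the assertions compare only Operation and Path; under RFC 6902 a second `add` on an existing member replaces it, so if these expectations are accurate the token volume created by the first op is overwritten by the second and never reaches the pod. Either the second operation should target `/spec/volumes/-` (append) or the test is faithfully encoding a defect in `Patch()`; asserting on `Value` as well, or applying the generated patch to the fixture pod and checking that both the `home` and `vault-config` volumes survive, would settle it. The same pair of expectations is repeated in each later hunk of this file.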
@@ -341,6 +357,10 @@ func TestHandlerHandle(t *testing.T) {
Operation: "add", Path: "/spec/volumes", },
+ {
+ Operation: "add",
+ Path: "/spec/volumes",
+ },
{ Operation: "add", Path: "/spec/containers/0/volumeMounts/-",
@@ -391,6 +411,10 @@ func TestHandlerHandle(t *testing.T) {
Operation: "add", Path: "/spec/volumes", },
+ {
+ Operation: "add",
+ Path: "/spec/volumes",
+ },
{ Operation: "add", Path: "/spec/containers/0/volumeMounts/-",
@@ -433,6 +457,10 @@ func TestHandlerHandle(t *testing.T) {
Operation: "add", Path: "/spec/volumes", },
+ {
+ Operation: "add",
+ Path: "/spec/volumes",
+ },
{ Operation: "add", Path: "/spec/containers/0/volumeMounts/-",