OKE-1853: Reduce list calls on OCI by using k8s apiserver node name r…

…esolution Completely removed cache and vcn/subnet based lookup. Requires nodes have node.spec.ProviderID set correctly. deploy.sh now drops enough info to disk for the flexvolume driver binary to find, auth and use the kube master api server to query for a list of nodes.
oracle · Sep 20, 2018 · 25f8e03 · 25f8e03
1 parent df705b2
commit 25f8e03
Show file tree

Hide file tree

Showing 17 changed files with 200 additions and 477 deletions.
diff --git a/README.md b/README.md
@@ -16,22 +16,15 @@ installed on every node in your Kubernetes cluster.
 
 ### Kubernetes DaemonSet Installer
 
-The recommended way to install the driver is through the daemonset installer mechanism. This will create two daemonsets, one specifically for master nodes, allowing configuration via a Kubernetes Secret, and one for worker nodes.
+The recommended way to install the driver is through the DaemonSet installer mechanism. This will create two daemonsets, one specifically for master nodes, allowing configuration via a Kubernetes Secret, and one for worker nodes.
 
 ```
+kubectl apply -f https://github.com/oracle/oci-flexvolume-driver/releases/download/${flexvolume_driver_version}/rbac.yaml
+
 kubectl apply -f https://github.com/oracle/oci-flexvolume-driver/releases/download/${flexvolume_driver_version}/oci-flexvolume-driver.yaml
 ```
 
-You'll still need to add the config file manually or as a kubernetes secret.
-
-### Manually
-
-The driver should be installed in the volume plugin path on **every**
-node in your Kubernetes cluster at the following location:
-`/usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/oci`.
-
-NOTE: If running kube-controller-managers in a container you _must_ ensure that
-the plugin directory is mounted into the container.
+You'll still need to add the config file as a Kubernetes Secret.
 
 #### Configuration
 
@@ -96,6 +89,19 @@ The configuration file requires a simple configuration in the following format:
 useInstancePrincipals: true
 ```
 
+#### Driver Kubernetes API Access
+
+The driver needs to get node information from the Kubernetes API server. A kubeconfig file with appropriate permissions (rbac: nodes/get) needs
+to be provided in the same manor as the OCI auth config file above.
+
+```
+kubectl create secret generic oci-flexvolume-driver-kubeconfig \
+    -n kube-system \
+    --from-file=kubeconfig=kubeconfig
+```
+
+Once the Secret is set and the DaemonSet deployed, the kubeconfig file will be placed onto the master nodes.
+
 #### Extra configuration values
 
 You can set these in the environment to override the default values.

diff --git a/cmd/oci/main.go b/cmd/oci/main.go
@@ -50,5 +50,11 @@ func main() {
 	log.SetOutput(f)
 
 	log.Printf("OCI FlexVolume Driver version: %s (%s)", version, build)
-	flexvolume.ExecDriver(&driver.OCIFlexvolumeDriver{}, os.Args)
+	d, err := driver.NewOCIFlexvolumeDriver()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "error creating new driver: %v", err)
+		log.Printf("error creating new driver: %v", err)
+		os.Exit(1)
+	}
+	flexvolume.ExecDriver(d, os.Args)
 }
diff --git a/deploy.sh b/deploy.sh
@@ -25,10 +25,14 @@ driver_dir="/flexmnt/$VENDOR${VENDOR:+"~"}${DRIVER}"
 LOG_FILE="$driver_dir/oci_flexvolume_driver.log"
 
 config_file_name="config.yaml"
+kubeconfig_file_name="kubeconfig"
 config_tmp_dir="/tmp"
+kubeconfig_tmp_dir="/tmp2"
 
 CONFIG_FILE="$config_tmp_dir/$config_file_name"
 
+KUBECONFIG_FILE="$kubeconfig_tmp_dir/$kubeconfig_file_name"
+
 if [ ! -d "$driver_dir" ]; then
   mkdir "$driver_dir"
 fi
@@ -40,6 +44,10 @@ if [ -f "$CONFIG_FILE" ]; then
   cp  "$CONFIG_FILE"  "$driver_dir/$config_file_name"
 fi
 
+if [ -f "$KUBECONFIG_FILE" ]; then
+  cp  "$KUBECONFIG_FILE"  "$driver_dir/$kubeconfig_file_name"
+fi
+
 while : ; do
   touch $LOG_FILE
   tail -f $LOG_FILE

diff --git a/manifests/oci-flexvolume-driver.yaml b/manifests/oci-flexvolume-driver.yaml
@@ -1,3 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: oci-flexvolume-driver
+---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
@@ -10,6 +16,7 @@ spec:
       labels:
         app: oci-flexvolume-driver
     spec:
+      serviceAccountName: oci-flexvolume-driver
       nodeSelector:
         node-role.kubernetes.io/master: ""
       tolerations:
@@ -31,6 +38,9 @@ spec:
             - mountPath: /tmp
               name: config
               readOnly: true
+            - mountPath: /tmp2
+              name: kubeconfig
+              readOnly: true
       volumes:
         - name: flexvolume-mount
           hostPath:
@@ -39,6 +49,9 @@ spec:
         - name: config
           secret:
             secretName: oci-flexvolume-driver
+        - name: kubeconfig
+          secret:
+            secretName: oci-flexvolume-driver-kubeconfig
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet

diff --git a/manifests/rbac.yaml b/manifests/rbac.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: oci-flexvolume-driver
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs:
+    - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: oci-flexvolume-driver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind:  ClusterRole
+  name: oci-flexvolume-driver
+subjects:
+- kind: ServiceAccount
+  name: oci-flexvolume-driver
+  namespace: kube-system
diff --git a/pkg/oci/client/cache/ocicache.go b/pkg/oci/client/cache/ocicache.go
diff --git a/pkg/oci/client/cache/ocicache_test.go b/pkg/oci/client/cache/ocicache_test.go