OKE-1853: Refactor lookup node id from node.spec.ProviderID

Completely removed cache and vcn/subnet based lookup. Requires nodes have node.spec.ProviderID set correctly. deploy.sh now drops enough info to disk for the flexvolume driver binary to find, auth and use the kube master api server to query for a list of nodes. DISCUSS: should the rbac roles be rolled into the main driver manifest file?
oracle · Sep 10, 2018 · ee71309 · ee71309
1 parent 573a706
commit ee71309
Show file tree

Hide file tree

Showing 17 changed files with 182 additions and 514 deletions.
diff --git a/README.md b/README.md
@@ -19,19 +19,12 @@ installed on every node in your Kubernetes cluster.
 The recommended way to install the driver is through the daemonset installer mechanism. This will create two daemonsets, one specifically for master nodes, allowing configuration via a Kubernetes Secret, and one for worker nodes.
 
 ```
+kubectl apply -f https://github.com/oracle/oci-flexvolume-driver/releases/download/${flexvolume_driver_version}/rbac.yaml
+
 kubectl apply -f https://github.com/oracle/oci-flexvolume-driver/releases/download/${flexvolume_driver_version}/oci-flexvolume-driver.yaml
 ```
 
-You'll still need to add the config file manually or as a kubernetes secret.
-
-### Manually
-
-The driver should be installed in the volume plugin path on **every**
-node in your Kubernetes cluster at the following location:
-`/usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/oci`.
-
-NOTE: If running kube-controller-managers in a container you _must_ ensure that
-the plugin directory is mounted into the container.
+You'll still need to add the config file as a kubernetes secret.
 
 #### Configuration
 
@@ -96,6 +89,19 @@ The configuration file requires a simple configuration in the following format:
 useInstancePrincipals: true
 ```
 
+#### Driver Kubernetes API Access
+
+The driver needs to get node information from the Kubernetes API server. A kubeconfig file with appropriate permissions (rbac: nodes/get) needs
+to be provided in the same manor as the OCI auth config file above.
+
+```
+kubectl create secret generic oci-flexvolume-driver-kubeconfig \
+    -n kube-system \
+    --from-file=kubeconfig=kubeconfig
+```
+
+Once the Secret is set and the daemonsets deployed, the kubeconfig file will be placed onto the master nodes.
+
 #### Extra configuration values
 
 You can set these in the environment to override the default values.

diff --git a/cmd/oci/main.go b/cmd/oci/main.go
@@ -50,5 +50,11 @@ func main() {
 	log.SetOutput(f)
 
 	log.Printf("OCI FlexVolume Driver version: %s (%s)", version, build)
-	flexvolume.ExecDriver(&driver.OCIFlexvolumeDriver{}, os.Args)
+	d, err := driver.NewOCIFlexvolumeDriver()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "error creating new driver: %v", err)
+		log.Printf("error creating new driver: %v", err)
+		os.Exit(1)
+	}
+	flexvolume.ExecDriver(d, os.Args)
 }
diff --git a/deploy.sh b/deploy.sh
@@ -25,10 +25,14 @@ driver_dir="/flexmnt/$VENDOR${VENDOR:+"~"}${DRIVER}"
 LOG_FILE="$driver_dir/oci_flexvolume_driver.log"
 
 config_file_name="config.yaml"
+kubeconfig_file_name="kubeconfig"
 config_tmp_dir="/tmp"
+kubeconfig_tmp_dir="/tmp2"
 
 CONFIG_FILE="$config_tmp_dir/$config_file_name"
 
+KUBECONFIG_FILE="$kubeconfig_tmp_dir/$kubeconfig_file_name"
+
 if [ ! -d "$driver_dir" ]; then
   mkdir "$driver_dir"
 fi
@@ -40,6 +44,10 @@ if [ -f "$CONFIG_FILE" ]; then
   cp  "$CONFIG_FILE"  "$driver_dir/$config_file_name"
 fi
 
+if [ -f "$KUBECONFIG_FILE" ]; then
+  cp  "$KUBECONFIG_FILE"  "$driver_dir/$kubeconfig_file_name"
+fi
+
 while : ; do
   touch $LOG_FILE
   tail -f $LOG_FILE

diff --git a/manifests/oci-flexvolume-driver.yaml b/manifests/oci-flexvolume-driver.yaml
@@ -10,6 +10,7 @@ spec:
       labels:
         app: oci-flexvolume-driver
     spec:
+      serviceAccountName: oci-flexvolume-driver
       nodeSelector:
         node-role.kubernetes.io/master: ""
       tolerations:
@@ -31,6 +32,9 @@ spec:
             - mountPath: /tmp
               name: config
               readOnly: true
+            - mountPath: /tmp2
+              name: kubeconfig
+              readOnly: true
       volumes:
         - name: flexvolume-mount
           hostPath:
@@ -39,6 +43,9 @@ spec:
         - name: config
           secret:
             secretName: oci-flexvolume-driver
+        - name: kubeconfig
+          secret:
+            secretName: oci-flexvolume-driver-kubeconfig
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet

diff --git a/manifests/rbac.yaml b/manifests/rbac.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: oci-flexvolume-driver
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: oci-flexvolume-driver
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs:
+    - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: oci-flexvolume-driver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind:  ClusterRole
+  name: oci-flexvolume-driver
+subjects:
+- kind: ServiceAccount
+  name: oci-flexvolume-driver
+  namespace: kube-system
diff --git a/pkg/oci/client/cache/ocicache.go b/pkg/oci/client/cache/ocicache.go
diff --git a/pkg/oci/client/cache/ocicache_test.go b/pkg/oci/client/cache/ocicache_test.go