OKE-1853: Refactor lookup node id from node.spec.ProviderID #149
Conversation
manifests/rbac.yaml
Outdated
| subjects: | ||
| - kind: ServiceAccount | ||
| name: oci-fvd | ||
| namespace: kube-system |
There was a problem hiding this comment.
Trailing newline (you probably need to set "files.insertFinalNewline": true in VSCode)
| @@ -1,92 +0,0 @@ | |||
| // Copyright 2017 Oracle and/or its affiliates. All rights reserved. | |||
pkg/oci/driver/driver.go
Outdated
| } | ||
| } | ||
| if id == "" { | ||
| return id, errors.New("Failed to find node's OCID in returned node list") |
There was a problem hiding this comment.
Error string capitalisation
pkg/oci/driver/driver.go
Outdated
| // Attach initiates the attachment of the given OCI volume to the k8s worker | ||
| // node. | ||
| func (d OCIFlexvolumeDriver) Attach(opts flexvolume.Options, nodeName string) flexvolume.DriverStatus { | ||
|
|
pkg/oci/driver/driver.go
Outdated
|
|
||
| nodeList, err := k.CoreV1().Nodes().List(metav1.ListOptions{}) | ||
| if err != nil { | ||
| return "", err |
There was a problem hiding this comment.
errors.Wrap(err, "listing nodes")
pkg/oci/driver/driver.go
Outdated
| return kubeClient, err | ||
| } | ||
|
|
||
| // findNodeID returns the OCID for the given nodeName |
manifests/oci-flexvolume-driver.yaml
Outdated
| @@ -10,6 +10,7 @@ spec: | |||
| labels: | |||
| app: oci-flexvolume-driver | |||
| spec: | |||
| serviceAccountName: oci-fvd | |||
There was a problem hiding this comment.
s/oci-fvd/oci-flexvolume-driver/
manifests/rbac.yaml
Outdated
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: oci-fvd |
There was a problem hiding this comment.
s/oci-fvd/oci-flexvolume-driver/
deploy.sh
Outdated
| @@ -40,6 +40,10 @@ if [ -f "$CONFIG_FILE" ]; then | |||
| cp "$CONFIG_FILE" "$driver_dir/$config_file_name" | |||
| fi | |||
|
|
|||
| echo https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT > $driver_dir/master_url | |||
There was a problem hiding this comment.
Is this script shared between both the master and worker DaemonSets? If so we'll want to make sure we don't output this stuff in the worker DaemonSet.
pkg/oci/driver/driver.go
Outdated
|
|
||
| // findNodeID returns the OCID for the given nodeName | ||
| func findNodeID(k kubernetes.Interface, nodeName string) (string, error) { | ||
| var id string |
There was a problem hiding this comment.
nit: Would declare adjacent to the for loop personally
pkg/oci/driver/driver.go
Outdated
| @@ -94,15 +109,70 @@ func deriveVolumeOCID(regionKey string, volumeName string) string { | |||
| return volumeOCID | |||
| } | |||
|
|
|||
| func constructKubeClient() (*kubernetes.Clientset, error) { | |||
There was a problem hiding this comment.
We need to be able to construct the client from the env for the managed use case. Let's discuss offline on Monday.
There was a problem hiding this comment.
We should be using the same patterns as normal kube services to construct clients. So not copying in cluster access to new directories, using kube config files, etc.
manifests/rbac.yaml
Outdated
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| kind: ClusterRoleBinding | ||
| metadata: | ||
| name: oci-fvd |
There was a problem hiding this comment.
We should use more descriptive names
pkg/oci/driver/driver.go
Outdated
| @@ -94,15 +109,70 @@ func deriveVolumeOCID(regionKey string, volumeName string) string { | |||
| return volumeOCID | |||
| } | |||
|
|
|||
| func constructKubeClient() (*kubernetes.Clientset, error) { | |||
There was a problem hiding this comment.
We should be using the same patterns as normal kube services to construct clients. So not copying in cluster access to new directories, using kube config files, etc.
pkg/oci/driver/driver.go
Outdated
| func findNodeID(k kubernetes.Interface, nodeName string) (string, error) { | ||
| var id string | ||
|
|
||
| nodeList, err := k.CoreV1().Nodes().List(metav1.ListOptions{}) |
There was a problem hiding this comment.
If we have the name name why not use a get?
pkg/oci/driver/driver.go
Outdated
| } | ||
| for _, node := range nodeList.Items { | ||
| if node.Name == nodeName { | ||
| id = node.Spec.ProviderID |
There was a problem hiding this comment.
Should we strip the oci prefix that can be on id's here?
|
@simonlord We should avoid trying to do fancy tactics to provide authentication in the driver itself. This ultimately will depend on the users setup. The recommended way in Kubernetes to do this type of authentication is via kubeconfigs; not copying service accounts. An example of when this pattern breaks down is when the flex volume driver container is used as part of self-hosted deployment where it's a sidecar in the KCM deployment. Since it's a sidecar t'll already have access to the service account of the KCM. That pattern is used today by ODC. Also, what happens when SA's can be rotated which is a feature under fairly active discussion. The goal of this driver should be to provide a generic solution to authentication just as every core component does which helps support multiple paradigms of setting up k8s. |
|
Nit: Upgrading client-go doesn't need to be part of this PR. |
simonlord
force-pushed
the
sl/with-apiserver
branch
from
9c33bdf to
ee71309
Compare
| @@ -31,6 +32,9 @@ spec: | |||
| - mountPath: /tmp | |||
| name: config | |||
| readOnly: true | |||
| - mountPath: /tmp2 | |||
There was a problem hiding this comment.
An aside (to this PR) but do we really want to mount in /tmp vs something else? (above).
There was a problem hiding this comment.
honestly i don't know, i was just following suit
There was a problem hiding this comment.
Separate discussion maybe but these should be written to more sensible locations IMO.
simonlord
force-pushed
the
sl/with-apiserver
branch
from
ee71309 to
fe8eb2a
Compare
README.md
Outdated
| --from-file=kubeconfig=kubeconfig | ||
| ``` | ||
|
|
||
| Once the Secret is set and the daemonsets deployed, the kubeconfig file will be placed onto the master nodes. |
There was a problem hiding this comment.
Once the Secret is set and the DaemonSet is deployed, the kubeconfig file will be placed onto the master nodes.
| @@ -17,12 +17,17 @@ package framework | |||
| import ( | |||
| "errors" | |||
| "os" | |||
|
|
|||
| "github.com/oracle/oci-flexvolume-driver/pkg/oci/driver" | |||
There was a problem hiding this comment.
Sorry I don't understand
There was a problem hiding this comment.
Oops my bad. Yeah, supper nit picky but we normally group imports like so:
import (
<stdlib>
<k8s.io/...>
<third party>
<internal>
)| @@ -0,0 +1,30 @@ | |||
| --- | |||
There was a problem hiding this comment.
I like the separation of rbac as a separate manifest 👍
README.md
Outdated
|
|
||
| NOTE: If running kube-controller-managers in a container you _must_ ensure that | ||
| the plugin directory is mounted into the container. | ||
| You'll still need to add the config file as a kubernetes secret. |
simonlord
force-pushed
the
sl/with-apiserver
branch
2 times, most recently
from
8f2df6b to
4132852
Compare
pkg/oci/client/oci.go
Outdated
| // GetInstanceByNodeName retrieves the oci.Instance corresponding or | ||
| // a SearchError if no instance matching the node name is found. | ||
| GetInstanceByNodeName(name string) (*core.Instance, error) | ||
| // GetInstance retrieves the oci.Instance for a given ocid. |
|
Looking good. Some follow on work needed to coordinate changes with consumers of the driver. |
Gopkg.toml
Outdated
| [[constraint]] | ||
| name = "gopkg.in/yaml.v2" | ||
| branch = "v2" | ||
|
|
||
| [[constraint]] | ||
| name = "github.com/oracle/oci-go-sdk" | ||
| version = "v1.0.0" | ||
|
|
||
| [[constraint]] | ||
| branch = "release-1.11" |
There was a problem hiding this comment.
Do i need to do anything for this?
There was a problem hiding this comment.
We've generally moved from using the release branch to specifying specific versions of kube deps. We should already have pre-approvals of specific 1.11.x versions of apimachinery I believe too 🙂
There was a problem hiding this comment.
Approved for kubernetes-1.11.1
simonlord
force-pushed
the
sl/with-apiserver
branch
from
4132852 to
036a225
Compare
simonlord
force-pushed
the
sl/with-apiserver
branch
from
036a225 to
2d218d8
Compare
simonlord
force-pushed
the
sl/with-apiserver
branch
from
2d218d8 to
6d3793d
Compare
manifests/rbac.yaml
Outdated
| --- | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: |
There was a problem hiding this comment.
nit: The service account should be above / in the deployment file. Otherwise there is a race condition on the pods being created and the service account being created which will cause failure events for a short period after deployment.
pkg/oci/driver/driver.go
Outdated
| return "", err | ||
| } | ||
| if n.Spec.ProviderID == "" { | ||
| return "", errors.New("failed to find node's OCID in returned node spec") |
There was a problem hiding this comment.
nit: this error should be something like node is missing provider id so it's clear where it couldn't find the ocid.
pkg/oci/driver/driver.go
Outdated
| path := GetConfigPath() | ||
| if _, err := os.Stat(path); !os.IsNotExist(err) { | ||
| k, err := constructKubeClient() | ||
| return &OCIFlexvolumeDriver{K: k, master: true}, err |
There was a problem hiding this comment.
nit: this should be
if err != nil {
return nil, err
}
return &OCIFlexvolumeDriver{K: k, master: true}, nil
6d3793d to
25f8e03
Compare
…esolution Completely removed cache and vcn/subnet based lookup. Requires nodes have node.spec.ProviderID set correctly. deploy.sh now drops enough info to disk for the flexvolume driver binary to find, auth and use the kube master api server to query for a list of nodes.
OKE-1853: Refactor lookup node id from node.spec.ProviderID …
Completely removed cache and vcn/subnet based lookup. Requires nodes have
node.spec.ProviderID set correctly.
deploy.sh now drops enough info to disk for the flexvolume driver binary to
find, auth and use the kube master api server to query for a list of nodes.
DISCUSS: do we need a non rbac manifest now that we're using a service account?:
DISCUSS: should the rbac roles be rolled into the main driver manifest file?