Move CSI secret handling logic to library

go.mod

@@ -10,6 +10,7 @@ require (
 	golang.org/x/net v0.0.0-20210520170846-37e1c6afe023
 	google.golang.org/grpc v1.38.0
 	k8s.io/api v0.22.0-beta.1
+	k8s.io/apimachinery v0.22.0-beta.1
 	k8s.io/client-go v0.22.0-beta.1
 	k8s.io/component-base v0.22.0-beta.1
 	k8s.io/klog/v2 v2.9.0

params/common.go

@@ -0,0 +1,114 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package params
+
+import (
+	"fmt"
+	"os"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/klog/v2"
+)
+
+//SecretParamsMap provides a mapping of current as well as deprecated secret keys
+type SecretParamsMap struct {
+	name                         string
+	deprecatedSecretNameKey      string
+	deprecatedSecretNamespaceKey string
+	secretNameKey                string
+	secretNamespaceKey           string
+}
+
+func (s SecretParamsMap) GetSecretNameKey() string {
+	return s.secretNameKey
+}
+
+func (s SecretParamsMap) GetSecretNamespaceKey() string {
+	return s.secretNamespaceKey
+}
+
+// VerifyAndGetSecretNameAndNamespaceTemplate gets the values (templates) associated
+// with the parameters specified in "secret" and verifies that they are specified correctly.
+func VerifyAndGetSecretNameAndNamespaceTemplate(secret SecretParamsMap, templateParams map[string]string) (nameTemplate, namespaceTemplate string, err error) {
+	numName := 0
+	numNamespace := 0
+
+	if t, ok := templateParams[secret.deprecatedSecretNameKey]; ok {
+		nameTemplate = t
+		numName++
+		klog.Warning(deprecationWarning(secret.deprecatedSecretNameKey, secret.secretNameKey, ""))
+	}
+	if t, ok := templateParams[secret.deprecatedSecretNamespaceKey]; ok {
+		namespaceTemplate = t
+		numNamespace++
+		klog.Warning(deprecationWarning(secret.deprecatedSecretNamespaceKey, secret.secretNamespaceKey, ""))
+	}
+	if t, ok := templateParams[secret.secretNameKey]; ok {
+		nameTemplate = t
+		numName++
+	}
+	if t, ok := templateParams[secret.secretNamespaceKey]; ok {
+		namespaceTemplate = t
+		numNamespace++
+	}
+
+	if numName > 1 || numNamespace > 1 {
+		// Double specified error
+		return "", "", fmt.Errorf("%s secrets specified in parameters with both \"csi\" and \"%s\" keys", secret.name, csiParameterPrefix)
+	} else if numName != numNamespace {
+		// Not both 0 or both 1
+		return "", "", fmt.Errorf("either name and namespace for %s secrets specified, Both must be specified", secret.name)
+	} else if numName == 1 {
+		// Case where we've found a name and a namespace template
+		if nameTemplate == "" || namespaceTemplate == "" {
+			return "", "", fmt.Errorf("%s secrets specified in parameters but value of either namespace or name is empty", secret.name)
+		}
+		return nameTemplate, namespaceTemplate, nil
+	} else if numName == 0 {
+		// No secrets specified
+		return "", "", nil
+	} else {
+		// THIS IS NOT A VALID CASE
+		return "", "", fmt.Errorf("unknown error with getting secret name and namespace templates")
+	}
+}
+
+func resolveTemplate(template string, params map[string]string) (string, error) {
+	missingParams := sets.NewString()
+	resolved := os.Expand(template, func(k string) string {
+		v, ok := params[k]
+		if !ok {
+			missingParams.Insert(k)
+		}
+		return v
+	})
+	if missingParams.Len() > 0 {
+		return "", fmt.Errorf("invalid tokens: %q", missingParams.List())
+	}
+	return resolved, nil
+}
+
+func deprecationWarning(deprecatedParam, newParam, removalVersion string) string {
+	if removalVersion == "" {
+		removalVersion = "a future release"
+	}
+	newParamPhrase := ""
+	if len(newParam) != 0 {
+		newParamPhrase = fmt.Sprintf(", please use \"%s\" instead", newParam)
+	}
+	return fmt.Sprintf("\"%s\" is deprecated and will be removed in %s%s", deprecatedParam, removalVersion, newParamPhrase)
+}

params/const.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package params
+
+const (
+	// CSI Parameters prefixed with csiParameterPrefix are not passed through
+	// to the driver on CreateVolumeRequest calls. Instead they are intended
+	// to used by the CSI external-provisioner and maybe used to populate
+	// fields in subsequent CSI calls or Kubernetes API objects.
+	csiParameterPrefix = "csi.storage.k8s.io/"
+
+	PrefixedFsTypeKey = csiParameterPrefix + "fstype"
+
+	prefixedDefaultSecretNameKey      = csiParameterPrefix + "secret-name"
+	prefixedDefaultSecretNamespaceKey = csiParameterPrefix + "secret-namespace"
+
+	prefixedProvisionerSecretNameKey      = csiParameterPrefix + "provisioner-secret-name"
+	prefixedProvisionerSecretNamespaceKey = csiParameterPrefix + "provisioner-secret-namespace"
+
+	prefixedControllerPublishSecretNameKey      = csiParameterPrefix + "controller-publish-secret-name"
+	prefixedControllerPublishSecretNamespaceKey = csiParameterPrefix + "controller-publish-secret-namespace"
+
+	prefixedNodeStageSecretNameKey      = csiParameterPrefix + "node-stage-secret-name"
+	prefixedNodeStageSecretNamespaceKey = csiParameterPrefix + "node-stage-secret-namespace"
+
+	prefixedNodePublishSecretNameKey      = csiParameterPrefix + "node-publish-secret-name"
+	prefixedNodePublishSecretNamespaceKey = csiParameterPrefix + "node-publish-secret-namespace"
+
+	prefixedControllerExpandSecretNameKey      = csiParameterPrefix + "controller-expand-secret-name"
+	prefixedControllerExpandSecretNamespaceKey = csiParameterPrefix + "controller-expand-secret-namespace"
+
+	prefixedSnapshotterSecretNameKey      = csiParameterPrefix + "snapshotter-secret-name"
+	prefixedSnapshotterSecretNamespaceKey = csiParameterPrefix + "snapshotter-secret-namespace"
+
+	prefixedSnapshotterListSecretNameKey      = csiParameterPrefix + "snapshotter-list-secret-name"
+	prefixedSnapshotterListSecretNamespaceKey = csiParameterPrefix + "snapshotter-list-secret-namespace"
+
+	prefixedVolumeSnapshotNameKey        = csiParameterPrefix + "volumesnapshot/name"
+	prefixedVolumeSnapshotNamespaceKey   = csiParameterPrefix + "volumesnapshot/namespace"
+	prefixedVolumeSnapshotContentNameKey = csiParameterPrefix + "volumesnapshotcontent/name"
+
+	// [Deprecated] CSI Parameters that are put into fields but
+	// NOT stripped from the parameters passed to CreateVolume
+	provisionerSecretNameKey      = "csiProvisionerSecretName"
+	provisionerSecretNamespaceKey = "csiProvisionerSecretNamespace"
+
+	controllerPublishSecretNameKey      = "csiControllerPublishSecretName"
+	controllerPublishSecretNamespaceKey = "csiControllerPublishSecretNamespace"
+
+	nodeStageSecretNameKey      = "csiNodeStageSecretName"
+	nodeStageSecretNamespaceKey = "csiNodeStageSecretNamespace"
+
+	nodePublishSecretNameKey      = "csiNodePublishSecretName"
+	nodePublishSecretNamespaceKey = "csiNodePublishSecretNamespace"
+
+	tokenPVNameKey       = "pv.name"
+	tokenPVCNameKey      = "pvc.name"
+	tokenPVCNameSpaceKey = "pvc.namespace"
+)

params/snapshot.go

@@ -0,0 +1,139 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package params
+
+import (
+	"fmt"
+	"strings"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/klog/v2"
+)
+
+var (
+	SnapshotterSecretParams = SecretParamsMap{
+		name:               "Snapshotter",
+		secretNameKey:      prefixedSnapshotterSecretNameKey,
+		secretNamespaceKey: prefixedSnapshotterSecretNamespaceKey,
+	}
+
+	SnapshotterListSecretParams = SecretParamsMap{
+		name:               "SnapshotterList",
+		secretNameKey:      prefixedSnapshotterListSecretNameKey,
+		secretNamespaceKey: prefixedSnapshotterListSecretNamespaceKey,
+	}
+)
+
+// GetSnapshotSecretReference returns a reference to the secret specified in the given nameTemplate
+//  and namespaceTemplate, or an error if the templates are not specified correctly.
+// No lookup of the referenced secret is performed, and the secret may or may not exist.
+//
+// supported tokens for name resolution:
+// - ${volumesnapshotcontent.name}
+// - ${volumesnapshot.namespace}
+// - ${volumesnapshot.name}
+//
+// supported tokens for namespace resolution:
+// - ${volumesnapshotcontent.name}
+// - ${volumesnapshot.namespace}
+//
+// an error is returned in the following situations:
+// - the nameTemplate or namespaceTemplate contains a token that cannot be resolved
+// - the resolved name is not a valid secret name
+// - the resolved namespace is not a valid namespace name
+func GetSnapshotSecretReference(secretParams SecretParamsMap, snapshotClassParams map[string]string, snapContentName string, snapNamespace string, snapName string) (*v1.SecretReference, error) {
+	nameTemplate, namespaceTemplate, err := VerifyAndGetSecretNameAndNamespaceTemplate(secretParams, snapshotClassParams)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get name and namespace template from params: %v", err)
+	}
+
+	if nameTemplate == "" && namespaceTemplate == "" {
+		return nil, nil
+	}
+
+	ref := &v1.SecretReference{}
+
+	// Secret namespace template can make use of the VolumeSnapshotContent name, VolumeSnapshot name or namespace.
+	// Note that neither of those things are under the control of the VolumeSnapshot user.
+	namespaceParams := map[string]string{"volumesnapshotcontent.name": snapContentName}
+	// snapshot may be nil when resolving create/delete snapshot secret names because the
+	// snapshot may or may not exist at delete time
+	if snapNamespace != "" {
+		namespaceParams["volumesnapshot.namespace"] = snapNamespace
+	}
+
+	resolvedNamespace, err := resolveTemplate(namespaceTemplate, namespaceParams)
+	if err != nil {
+		return nil, fmt.Errorf("error resolving value %q: %v", namespaceTemplate, err)
+	}
+	klog.V(4).Infof("GetSecretReference namespaceTemplate %s, namespaceParams: %+v, resolved %s", namespaceTemplate, namespaceParams, resolvedNamespace)
+
+	if len(validation.IsDNS1123Label(resolvedNamespace)) > 0 {
+		if namespaceTemplate != resolvedNamespace {
+			return nil, fmt.Errorf("%q resolved to %q which is not a valid namespace name", namespaceTemplate, resolvedNamespace)
+		}
+		return nil, fmt.Errorf("%q is not a valid namespace name", namespaceTemplate)
+	}
+	ref.Namespace = resolvedNamespace
+
+	// Secret name template can make use of the VolumeSnapshotContent name, VolumeSnapshot name or namespace.
+	// Note that VolumeSnapshot name and namespace are under the VolumeSnapshot user's control.
+	nameParams := map[string]string{"volumesnapshotcontent.name": snapContentName}
+	if snapName != "" {
+		nameParams["volumesnapshot.name"] = snapName
+	}
+	if snapNamespace != "" {
+		nameParams["volumesnapshot.namespace"] = snapNamespace
+	}
+	resolvedName, err := resolveTemplate(nameTemplate, nameParams)
+	if err != nil {
+		return nil, fmt.Errorf("error resolving value %q: %v", nameTemplate, err)
+	}
+	if len(validation.IsDNS1123Subdomain(resolvedName)) > 0 {
+		if nameTemplate != resolvedName {
+			return nil, fmt.Errorf("%q resolved to %q which is not a valid secret name", nameTemplate, resolvedName)
+		}
+		return nil, fmt.Errorf("%q is not a valid secret name", nameTemplate)
+	}
+	ref.Name = resolvedName
+
+	klog.V(4).Infof("GetSecretReference validated Secret: %+v", ref)
+	return ref, nil
+}
+
+func RemovePrefixedSnapshotParameters(param map[string]string) (map[string]string, error) {
+	newParam := map[string]string{}
+	for k, v := range param {
+		if strings.HasPrefix(k, csiParameterPrefix) {
+			// Check if its well known
+			switch k {
+			case prefixedSnapshotterSecretNameKey:
+			case prefixedSnapshotterSecretNamespaceKey:
+			case prefixedSnapshotterListSecretNameKey:
+			case prefixedSnapshotterListSecretNamespaceKey:
+			default:
+				return map[string]string{}, fmt.Errorf("found unknown parameter key \"%s\" with reserved namespace %s", k, csiParameterPrefix)
+			}
+		} else {
+			// Don't strip, add this key-value to new map
+			// Deprecated parameters prefixed with "csi" are not stripped to preserve backwards compatibility
+			newParam[k] = v
+		}
+	}
+	return newParam, nil
+}