RBAC cleaning, minor bug fixes, adds minimal logic for grant access

Author: Krish Chowdhary

cmd/minio-cosi-driver/internal/provisioner.go

@@ -16,13 +16,14 @@ package internal
 import (
 	"context"
 
-	"k8s.io/klog/v2"
-	"sigs.k8s.io/container-object-storage-interface-provisioner-sidecar/cmd/minio-cosi-driver/internal/minio"
-	cosi "sigs.k8s.io/container-object-storage-interface-spec"
-
 	"github.com/pkg/errors"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"k8s.io/klog/v2"
+
+	cosi "sigs.k8s.io/container-object-storage-interface-spec"
+
+	"sigs.k8s.io/container-object-storage-interface-provisioner-sidecar/cmd/minio-cosi-driver/internal/minio"
 )
 
 type ProvisionerServer struct {
@@ -40,9 +41,6 @@ type ProvisionerServer struct {
 func (s *ProvisionerServer) ProvisionerCreateBucket(ctx context.Context,
 	req *cosi.ProvisionerCreateBucketRequest) (*cosi.ProvisionerCreateBucketResponse, error) {
 
-	bucketName := req.GetName()
-	klog.V(3).InfoS("Create Bucket", "name", bucketName)
-
 	protocol := req.GetProtocol()
 	if protocol == nil {
 		klog.ErrorS(errors.New("Invalid Argument"), "Protocol is nil")
@@ -54,6 +52,9 @@ func (s *ProvisionerServer) ProvisionerCreateBucket(ctx context.Context,
 		return nil, status.Error(codes.InvalidArgument, "S3 Protocol is nil")
 	}
 
+	bucketName := s3.BucketName
+	klog.V(3).InfoS("Create Bucket", "name", bucketName)
+
 	options := minio.MakeBucketOptions{}
 
 	// MinIO regions, unlike AWS s3 does not strictly require the
@@ -91,7 +92,7 @@ func (s *ProvisionerServer) ProvisionerCreateBucket(ctx context.Context,
 			klog.InfoS("Bucket already exists", "name", bucketName)
 			return &cosi.ProvisionerCreateBucketResponse{
 				BucketId: bucketID,
-			}, status.Error(codes.AlreadyExists, "Bucket already exists")
+			}, nil
 		}
 		klog.ErrorS(err, "Bucket creation failed")
 		return nil, status.Error(codes.Internal, "Bucket creation failed")
@@ -111,7 +112,10 @@ func (s *ProvisionerServer) ProvisionerDeleteBucket(ctx context.Context,
 func (s *ProvisionerServer) ProvisionerGrantBucketAccess(ctx context.Context,
 	req *cosi.ProvisionerGrantBucketAccessRequest) (*cosi.ProvisionerGrantBucketAccessResponse, error) {
 
-	return &cosi.ProvisionerGrantBucketAccessResponse{}, nil
+	return &cosi.ProvisionerGrantBucketAccessResponse{
+		AccountId:               "minio",
+		CredentialsFileContents: "{\"username\":\"minio\", \"password\": \"minio123\"}",
+	}, nil
 }
 
 func (s *ProvisionerServer) ProvisionerRevokeBucketAccess(ctx context.Context,

go.mod

@@ -26,6 +26,6 @@ require (
 	k8s.io/apimachinery v0.19.4
 	k8s.io/client-go v0.19.4
 	k8s.io/klog/v2 v2.2.0
-	sigs.k8s.io/container-object-storage-interface-api v0.0.0-20210330175159-2cdabb1a5dc7
+	sigs.k8s.io/container-object-storage-interface-api v0.0.0-20210417043410-0af83d5058ab
 	sigs.k8s.io/container-object-storage-interface-spec v0.0.0-20210330184956-b0de747ccee4
 )

go.sum

@@ -717,6 +717,7 @@ k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
+k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6 h1:+WnxoVtG8TMiudHBSEtrVL1egv36TkkJm+bA8AxicmQ=
 k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
 k8s.io/kube-openapi v0.0.0-20200923155610-8b5066479488 h1:mNpvQf4lkIHNOXCoM+Veu/UXwA56Yx1J7hY1Tvcs/oM=
 k8s.io/kube-openapi v0.0.0-20200923155610-8b5066479488/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
@@ -726,8 +727,8 @@ k8s.io/utils v0.0.0-20200729134348-d5654de09c73 h1:uJmqzgNWG7XyClnU/mLPBWwfKKF1K
 k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
-sigs.k8s.io/container-object-storage-interface-api v0.0.0-20210330175159-2cdabb1a5dc7 h1:M2ZMhWdq9Az8TFj8G6ZffFUpR4XG7Qy8h8ZGsZhi9Xg=
-sigs.k8s.io/container-object-storage-interface-api v0.0.0-20210330175159-2cdabb1a5dc7/go.mod h1:5n4lNKN4uOMW2NTqJ9r8qRAiqh5dZRZB7CNOkFihLfM=
+sigs.k8s.io/container-object-storage-interface-api v0.0.0-20210417043410-0af83d5058ab h1:mKZ+ua1nJHPYNb5NkyxFsObb0bElpCiwt8k6xeNsH1Y=
+sigs.k8s.io/container-object-storage-interface-api v0.0.0-20210417043410-0af83d5058ab/go.mod h1:WTzZGS4Q6MdQqDihJdMh2kCvqMx9Amhx0KIainA4lXQ=
 sigs.k8s.io/container-object-storage-interface-spec v0.0.0-20210329232956-3bbacbbc9c19/go.mod h1:kafkL5l/lTUrZXhVi/9p1GzpEE/ts29BkWkL3Ao33WU=
 sigs.k8s.io/container-object-storage-interface-spec v0.0.0-20210330184956-b0de747ccee4 h1:U+M87V77xKotSub2dqNlmxHMbb30QeC7wwTWdPGAhSI=
 sigs.k8s.io/container-object-storage-interface-spec v0.0.0-20210330184956-b0de747ccee4/go.mod h1:kafkL5l/lTUrZXhVi/9p1GzpEE/ts29BkWkL3Ao33WU=

pkg/bucket/bucket_controller.go

@@ -103,6 +103,7 @@ func (b *BucketListener) Add(ctx context.Context, inputBucket *v1alpha1.Bucket)
 				"bucket", bucket.Name)
 			return errors.Wrap(err, "Failed to create bucket")
 		}
+
 	}
 	if rsp == nil {
 		err := errors.New("ProvisionerCreateBucket returned a nil response")
@@ -111,16 +112,17 @@ func (b *BucketListener) Add(ctx context.Context, inputBucket *v1alpha1.Bucket)
 	}
 
 	if rsp.BucketId != "" {
-		bucket.Spec.BucketID = rsp.BucketId
+		bucket.Status.BucketID = rsp.BucketId
 	}
+
 	bucket.Status.Message = "Bucket Provisioned"
 	bucket.Status.BucketAvailable = true
 
 	// if this step fails, then controller will retry with backoff
-	if _, err := b.Buckets().Update(ctx, bucket, metav1.UpdateOptions{}); err != nil {
-		klog.ErrorS(err, "Failed to update bucket",
+	if _, err := b.Buckets().UpdateStatus(ctx, bucket, metav1.UpdateOptions{}); err != nil {
+		klog.ErrorS(err, "Failed to update bucket status",
 			"bucket", bucket.Name)
-		return errors.Wrap(err, "Failed to update bucket")
+		return errors.Wrap(err, "Failed to update bucket status")
 	}
 
 	return nil
@@ -158,7 +160,7 @@ func (b *BucketListener) Delete(ctx context.Context, inputBucket *v1alpha1.Bucke
 	}
 
 	req := &cosi.ProvisionerDeleteBucketRequest{
-		BucketId: bucket.Spec.BucketID,
+		BucketId: bucket.Status.BucketID,
 	}
 
 	if _, err := b.provisionerClient.ProvisionerDeleteBucket(ctx, req); err != nil {
@@ -170,10 +172,12 @@ func (b *BucketListener) Delete(ctx context.Context, inputBucket *v1alpha1.Bucke
 		}
 	}
 
+	// TODO, check bucket.Spec.DeletionPolicy
+
 	bucket.Status.BucketAvailable = false
 
 	// if this step fails, then controller will retry with backoff
-	if _, err := b.Buckets().Update(ctx, bucket, metav1.UpdateOptions{}); err != nil {
+	if _, err := b.Buckets().UpdateStatus(ctx, bucket, metav1.UpdateOptions{}); err != nil {
 		klog.ErrorS(err, "Failed to update bucket",
 			"bucket", bucket.Name)
 		return errors.Wrap(err, "Failed to update bucket")

pkg/bucket/bucket_controller_test.go

@@ -139,7 +139,7 @@ func TestBucketDeletion(t *testing.T) {
 		{
 			name: "BucketDeletion",
 			setFields: func(b *v1alpha1.Bucket) {
-				b.Spec.BucketID = bucketId
+				b.Status.BucketID = bucketId
 			},
 			deleteFunc: func(ctx context.Context,
 				req *cosi.ProvisionerDeleteBucketRequest,

pkg/bucketaccess/bucketaccess_controller.go

@@ -82,7 +82,7 @@ func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1a
 		"bucket", bucketName,
 	)
 
-	if bucketAccess.Spec.MintedSecretName != "" {
+	if bucketAccess.Status.MintedSecret != nil {
 		klog.V(5).InfoS("AccessAlreadyGranted",
 			"bucketAccess", bucketAccess.Name,
 			"bucket", bucketName,
@@ -112,7 +112,7 @@ func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1a
 		return nil
 	}
 
-	if bucket.Spec.BucketID == "" {
+	if bucket.Status.BucketID == "" {
 		err := errors.New("BucketID cannot be empty")
 		klog.ErrorS(err,
 			"Invalid arguments",
@@ -123,7 +123,7 @@ func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1a
 	}
 
 	req := &cosi.ProvisionerGrantBucketAccessRequest{
-		BucketId:     bucket.Spec.BucketID,
+		BucketId:     bucket.Status.BucketID,
 		AccountName:  bucketAccess.Name,
 		AccessPolicy: bucketAccess.Spec.PolicyActionsConfigMapData,
 	}
@@ -177,16 +177,19 @@ func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1a
 		}
 	}
 
-	bucketAccess.Spec.AccountID = rsp.AccountId
+	bucketAccess.Status.AccountID = rsp.AccountId
+	bucketAccess.Status.MintedSecret = &corev1.SecretReference{
+		Namespace: bal.namespace,
+		Name:      mintedSecretName,
+	}
 	bucketAccess.Status.AccessGranted = true
-	bucketAccess.Spec.MintedSecretName = mintedSecretName
 
 	// if this step fails, then controller will retry with backoff
-	if _, err := bal.BucketAccesses().Update(ctx, bucketAccess, metav1.UpdateOptions{}); err != nil {
-		klog.ErrorS(err, "Failed to update BucketAccess",
+	if _, err := bal.BucketAccesses().UpdateStatus(ctx, bucketAccess, metav1.UpdateOptions{}); err != nil {
+		klog.ErrorS(err, "Failed to update BucketAccess Status",
 			"bucketAccess", bucketAccess.Name,
 			"bucket", bucket.Name)
-		return errors.Wrap(err, "Failed to update BucketAccess")
+		return errors.Wrap(err, "Failed to update BucketAccess Status")
 	}
 
 	return nil
@@ -212,6 +215,18 @@ func (bal *BucketAccessListener) Delete(ctx context.Context, bucketAccess *v1alp
 		"name", bucketAccess.Name,
 		"bucket", bucketAccess.Spec.BucketName,
 	)
+
+	// TODO, check bucketAccess.Spec.DeletionPolicy
+
+	bucketAccess.Status.AccessGranted = false
+
+	// if this step fails, then controller will retry with backoff
+	if _, err := bal.BucketAccesses().UpdateStatus(ctx, bucketAccess, metav1.UpdateOptions{}); err != nil {
+		klog.ErrorS(err, "Failed to update BucketAccess Status",
+			"bucketAccess", bucketAccess.Name)
+		return errors.Wrap(err, "Failed to update BucketAccess Status")
+	}
+
 	return nil
 }
 

pkg/bucketaccess/bucketaccess_controller_test.go

@@ -21,19 +21,18 @@ import (
 	"strings"
 	"testing"
 
-	"sigs.k8s.io/container-object-storage-interface-api/apis/objectstorage.k8s.io/v1alpha1"
-	fakebucketclientset "sigs.k8s.io/container-object-storage-interface-api/clientset/fake"
-	cosi "sigs.k8s.io/container-object-storage-interface-spec"
-	fakespec "sigs.k8s.io/container-object-storage-interface-spec/fake"
-
+	"google.golang.org/grpc"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilversion "k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/version"
 	fakediscovery "k8s.io/client-go/discovery/fake"
 	fakekubeclientset "k8s.io/client-go/kubernetes/fake"
 
-	"google.golang.org/grpc"
+	"sigs.k8s.io/container-object-storage-interface-api/apis/objectstorage.k8s.io/v1alpha1"
+	fakebucketclientset "sigs.k8s.io/container-object-storage-interface-api/clientset/fake"
+	cosi "sigs.k8s.io/container-object-storage-interface-spec"
+	fakespec "sigs.k8s.io/container-object-storage-interface-spec/fake"
 )
 
 func TestInitializeKubeClient(t *testing.T) {
@@ -97,7 +96,9 @@ func TestAddWrongProvisioner(t *testing.T) {
 		Spec: v1alpha1.BucketSpec{
 			Provisioner: provisioner + "-invalid",
 			Protocol:    v1alpha1.Protocol{},
-			BucketID:    bucketId,
+		},
+		Status: v1alpha1.BucketStatus{
+			BucketID: bucketId,
 		},
 	}
 
@@ -172,7 +173,9 @@ func TestAddBucketAccess(t *testing.T) {
 			Spec: v1alpha1.BucketSpec{
 				Provisioner: provisioner,
 				Protocol:    v1alpha1.Protocol{},
-				BucketID:    bucketId,
+			},
+			Status: v1alpha1.BucketStatus{
+				BucketID: bucketId,
 			},
 		}
 
@@ -211,8 +214,8 @@ func TestAddBucketAccess(t *testing.T) {
 		if updatedBA.Status.AccessGranted != true {
 			t.Errorf("Expected %t, got %t", true, ba.Status.AccessGranted)
 		}
-		if !strings.EqualFold(updatedBA.Spec.AccountID, accountId) {
-			t.Errorf("Expected %s, got %s", accountId, updatedBA.Spec.AccountID)
+		if !strings.EqualFold(updatedBA.Status.AccountID, accountId) {
+			t.Errorf("Expected %s, got %s", accountId, updatedBA.Status.AccountID)
 		}
 
 		secretName := "ba-" + string(ba.UID)

resources/deployment.yaml

@@ -38,6 +38,7 @@ spec:
       containers:
       - name: minio-cosi-driver
         image: $(IMAGE_ORG)/minio-cosi-driver:$(IMAGE_VERSION)
+        imagePullPolicy: Always
         envFrom:
         - secretRef:
             name: objectstorage-provisioner
@@ -46,6 +47,7 @@ spec:
           name: socket
       - name: objectstorage-provisioner-sidecar
         image: $(IMAGE_ORG)/objectstorage-sidecar:$(IMAGE_VERSION)
+        imagePullPolicy: Always
         envFrom:
         - secretRef:
             name: objectstorage-provisioner

resources/minio.yaml

@@ -34,6 +34,12 @@ spec:
         - /data
         env:
         - name: MINIO_ACCESS_KEY
-          value: minio
+          valueFrom:
+            secretKeyRef:
+              name: objectstorage-provisioner
+              key: MINIO_ACCESS_KEY
         - name: MINIO_SECRET_KEY
-          value: minio123
+          valueFrom:
+            secretKeyRef:
+              name: objectstorage-provisioner
+              key: MINIO_SECRET_KEY

resources/rbac.yaml

@@ -10,19 +10,13 @@ metadata:
     app.kubernetes.io/name: container-object-storage-interface-provisioner
 rules:
 - apiGroups: ["objectstorage.k8s.io"]
-  resources: ["buckets", "bucketaccess"]
+  resources: ["buckets", "bucketaccesses","buckets/status", "bucketaccesses/status"]
   verbs: ["get", "list", "watch", "update", "create", "delete"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["list", "watch", "create", "update", "patch"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "watch", "list", "delete", "update", "create"]
-- apiGroups: ["objectstorage.k8s.io"]
-  resources: ["bucketaccesses"]
-  verbs: ["get", "watch", "list", "delete", "update", "create"]
 - apiGroups: [""]
-  resources: ["secrets"]
+  resources: ["secrets", "events"]
   verbs: ["get", "delete", "update", "create"]
 ---
 kind: ClusterRoleBinding