get identity provider using kubectl for csi node server
songjiaxun committed Apr 22, 2024
1 parent ed0777b commit 9b84550
Showing 12 changed files with 23 additions and 42 deletions.
3 changes: 3 additions & 0 deletions Makefile
Expand Up @@ -23,6 +23,7 @@ GCSFUSE_PATH ?= $(shell cat cmd/sidecar_mounter/gcsfuse_binary)
LDFLAGS ?= -s -w -X main.version=${STAGINGVERSION} -extldflags '-static'
PROJECT ?= $(shell gcloud config get-value project 2>&1 | head -n 1)
CA_BUNDLE ?= $(shell kubectl config view --raw -o json | jq '.clusters[]' | jq "select(.name == \"$(shell kubectl config current-context)\")" | jq '.cluster."certificate-authority-data"' | head -n 1)
IDENTITY_PROVIDER ?= $(shell kubectl get --raw /.well-known/openid-configuration | jq -r .issuer)

DRIVER_BINARY = gcs-fuse-csi-driver
SIDECAR_BINARY = gcs-fuse-csi-driver-sidecar-mounter
Expand Down Expand Up @@ -192,10 +193,12 @@ generate-spec-yaml:
cd ./deploy/overlays/${OVERLAY}; ${BINDIR}/kustomize edit add configmap gcsfusecsi-image-config --behavior=merge --disableNameSuffixHash --from-literal=sidecar-image=${SIDECAR_IMAGE}:${STAGINGVERSION};
echo "[{\"op\": \"replace\",\"path\": \"/spec/tokenRequests/0/audience\",\"value\": \"${PROJECT}.svc.id.goog\"}]" > ./deploy/overlays/${OVERLAY}/project_patch_csi_driver.json
echo "[{\"op\": \"replace\",\"path\": \"/webhooks/0/clientConfig/caBundle\",\"value\": \"${CA_BUNDLE}\"}]" > ./deploy/overlays/${OVERLAY}/caBundle_patch_MutatingWebhookConfiguration.json
echo "[{\"op\": \"replace\",\"path\": \"/spec/template/spec/containers/0/env/1/value\",\"value\": \"${IDENTITY_PROVIDER}\"}]" > ./deploy/overlays/${OVERLAY}/identity_provider_patch_csi_node.json
kubectl kustomize deploy/overlays/${OVERLAY} | tee ${BINDIR}/gcs-fuse-csi-driver-specs-generated.yaml > /dev/null
git restore ./deploy/overlays/${OVERLAY}/kustomization.yaml
git restore ./deploy/overlays/${OVERLAY}/project_patch_csi_driver.json
git restore ./deploy/overlays/${OVERLAY}/caBundle_patch_MutatingWebhookConfiguration.json
git restore ./deploy/overlays/${OVERLAY}/identity_provider_patch_csi_node.json

verify:
hack/verify-all.sh
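Review bot: The new `IDENTITY_PROVIDER` variable in the first hunk silently expands to an empty string when `kubectl get --raw` or `jq` fails, because only stdout is piped and `?=` does not check the exit status, and the `generate-spec-yaml` recipe in the second hunk then writes that empty value into `identity_provider_patch_csi_node.json`, so the node DaemonSet is rendered with `--identity-provider=` and there is no longer a fallback in the driver to notice. A guard at the top of the recipe would make that loud: `@test -n "$(IDENTITY_PROVIDER)" || { echo "IDENTITY_PROVIDER is empty; check kubectl context"; exit 1; }`. The value is also spliced into the JSON with only the surrounding `\"` literals, so an issuer containing a quote or backslash would yield an invalid patch; building the document with `jq -n --arg v "$(IDENTITY_PROVIDER)"` would escape it properly. The `generate-spec-yaml:` target line itself sits above the second hunk.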
2 changes: 1 addition & 1 deletion cmd/csi_driver/main.go
Expand Up @@ -78,7 +78,7 @@ func main() {
klog.Fatal("Failed to configure k8s client")
}

meta, err := metadata.NewMetadataService(*identityPool, *identityProvider, clientset)
meta, err := metadata.NewMetadataService(*identityPool, *identityProvider)
if err != nil {
klog.Fatalf("Failed to set up metadata service: %v", err)
}
3 changes: 3 additions & 0 deletions deploy/base/node/node.yaml
Expand Up @@ -51,6 +51,7 @@ spec:
- --endpoint=unix:/csi/csi.sock
- --nodeid=$(KUBE_NODE_NAME)
- --node=true
- --identity-provider=$(IDENTITY_PROVIDER)
resources:
limits:
cpu: 200m
Expand All @@ -63,6 +64,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: IDENTITY_PROVIDER
value: ""
volumeMounts:
- name: kubelet-dir
mountPath: /var/lib/kubelet/pods
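Review bot: The new `IDENTITY_PROVIDER` env entry in the second hunk is addressed positionally by the overlay patch written from the Makefile, path `/spec/template/spec/containers/0/env/1/value`, so it only keeps working while it stays the second env entry of the first container; from the visible context it appears to follow the `spec.nodeName` entry, but any env var inserted above it or a reordering would leave the placeholder `""` in place without any error. A comment on the entry would record the coupling: `# Patched positionally by generate-spec-yaml (/spec/template/spec/containers/0/env/1/value); keep this at env index 1.` A strategic-merge patch keyed on `name: IDENTITY_PROVIDER` would remove the positional dependency altogether.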
3 changes: 0 additions & 3 deletions deploy/base/node/node_setup.yaml
Expand Up @@ -36,9 +36,6 @@ rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
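--- a/deploy/overlays/dev/identity_provider_patch_csi_node.json
+++ b/deploy/overlays/dev/identity_provider_patch_csi_node.json
@@ -0,0 +1 @@
+[]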
6 changes: 6 additions & 0 deletions deploy/overlays/dev/kustomization.yaml
Expand Up @@ -42,4 +42,10 @@ patches:
group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
name: gcsfuse-sidecar-injector.csi.storage.gke.io
version: v1
- path: identity_provider_patch_csi_node.json
target:
group: apps
kind: DaemonSet
name: gcsfusecsi-node
version: v1
@@ -1 +1 @@
[{"op": "replace","path": "/webhooks/0/clientConfig/caBundle","value": "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"}]
[]
@@ -0,0 +1 @@
[]
6 changes: 6 additions & 0 deletions deploy/overlays/stable/kustomization.yaml
Expand Up @@ -34,4 +34,10 @@ patches:
group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
name: gcsfuse-sidecar-injector.csi.storage.gke.io
version: v1
- path: identity_provider_patch_csi_node.json
target:
group: apps
kind: DaemonSet
name: gcsfusecsi-node
version: v1
6 changes: 0 additions & 6 deletions pkg/cloud_provider/clientset/clientset.go
Expand Up @@ -21,7 +21,6 @@ import (
"context"
"fmt"

appsv1 "k8s.io/api/apps/v1"
authenticationv1 "k8s.io/api/authentication/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand All @@ -33,7 +32,6 @@ import (

type Interface interface {
GetPod(ctx context.Context, namespace, name string) (*corev1.Pod, error)
GetDaemonSet(ctx context.Context, namespace, name string) (*appsv1.DaemonSet, error)
CreateServiceAccountToken(ctx context.Context, namespace, name string, tokenRequest *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error)
GetGCPServiceAccountName(ctx context.Context, namespace, name string) (string, error)
}
Expand Down Expand Up @@ -73,10 +71,6 @@ func (c *Clientset) GetPod(ctx context.Context, namespace, name string) (*corev1
return c.k8sClients.CoreV1().Pods(namespace).Get(ctx, name, metav1.GetOptions{})
}

func (c *Clientset) GetDaemonSet(ctx context.Context, namespace, name string) (*appsv1.DaemonSet, error) {
return c.k8sClients.AppsV1().DaemonSets(namespace).Get(ctx, name, metav1.GetOptions{})
}

func (c *Clientset) CreateServiceAccountToken(ctx context.Context, namespace, name string, tokenRequest *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
resp, err := c.k8sClients.
CoreV1().
5 changes: 0 additions & 5 deletions pkg/cloud_provider/clientset/fake.go
Expand Up @@ -21,7 +21,6 @@ import (
"context"

"github.com/googlecloudplatform/gcs-fuse-csi-driver/pkg/webhook"
appsv1 "k8s.io/api/apps/v1"
authenticationv1 "k8s.io/api/authentication/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand All @@ -47,10 +46,6 @@ func (c *FakeClientset) GetPod(_ context.Context, namespace, name string) (*core
return pod, nil
}

func (c *FakeClientset) GetDaemonSet(_ context.Context, _, _ string) (*appsv1.DaemonSet, error) {
return &appsv1.DaemonSet{}, nil
}

func (c *FakeClientset) CreateServiceAccountToken(_ context.Context, _, _ string, _ *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
return &authenticationv1.TokenRequest{}, nil
}
27 changes: 1 addition & 26 deletions pkg/cloud_provider/metadata/metadata.go
Expand Up @@ -18,13 +18,9 @@ limitations under the License.
package metadata

import (
"context"
"fmt"
"strings"

"cloud.google.com/go/compute/metadata"
"github.com/googlecloudplatform/gcs-fuse-csi-driver/pkg/cloud_provider/clientset"
appsv1 "k8s.io/api/apps/v1"
"k8s.io/klog/v2"
)

Expand All @@ -42,7 +38,7 @@ type metadataServiceManager struct {

var _ Service = &metadataServiceManager{}

func NewMetadataService(identityPool, identityProvider string, clientset clientset.Interface) (Service, error) {
func NewMetadataService(identityPool, identityProvider string) (Service, error) {
projectID, err := metadata.ProjectID()
if err != nil {
return nil, fmt.Errorf("failed to get project: %w", err)
Expand All @@ -53,16 +49,6 @@ func NewMetadataService(identityPool, identityProvider string, clientset clients
identityPool = projectID + ".svc.id.goog"
}

if identityProvider == "" {
klog.Infof("got empty identityProvider, constructing the identityProvider using the gke-metadata-server flags")
ds, err := clientset.GetDaemonSet(context.TODO(), "kube-system", "gke-metadata-server")
if err != nil {
return nil, fmt.Errorf("failed to get gke-metadata-server DaemonSet spec: %w", err)
}

identityProvider = getIdentityProvider(ds)
}

return &metadataServiceManager{
projectID: projectID,
identityPool: identityPool,
Expand All @@ -81,14 +67,3 @@ func (manager *metadataServiceManager) GetIdentityPool() string {
func (manager *metadataServiceManager) GetIdentityProvider() string {
return manager.identityProvider
}

func getIdentityProvider(ds *appsv1.DaemonSet) string {
for _, c := range ds.Spec.Template.Spec.Containers[0].Command {
l := strings.Split(c, "=")
if len(l) == 2 && l[0] == "--identity-provider" {
return l[1]
}
}

return ""
}
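Review bot: With the DaemonSet fallback removed in the third hunk, `NewMetadataService` now accepts an empty `identityProvider` without any log or error and stores it in the manager, so a node started with the unpatched placeholder `""` from node.yaml is only noticed wherever `GetIdentityProvider` is later consumed. Since the main.go hunk shows the same constructor being called unconditionally, presumably by the controller as well, a hard error may be too strict, but a visible line is cheap: `if identityProvider == "" { klog.Warningf("identityProvider is empty; set --identity-provider on the node server") }`. A doc comment on the function should also state that the value is now taken verbatim from the flag and no longer derived from the gke-metadata-server DaemonSet. The body of NewMetadataService starts before and continues past the third hunk, so whether any other validation remains there is not visible here.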
