Add deletion secret as annotation to content

kubernetes-csi · Aug 24, 2019 · 490ab05 · 490ab05
1 parent ffee5f4
commit 490ab05
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 31 deletions.
diff --git a/pkg/controller/snapshot_controller.go b/pkg/controller/snapshot_controller.go
@@ -523,7 +523,7 @@ func (ctrl *csiSnapshotController) checkandBindSnapshotContent(snapshot *crdv1.V
 	return newContent, nil
 }
 
-func (ctrl *csiSnapshotController) getCreateSnapshotInput(snapshot *crdv1.VolumeSnapshot) (*crdv1.VolumeSnapshotClass, *v1.PersistentVolume, string, map[string]string, error) {
+func (ctrl *csiSnapshotController) getCreateSnapshotInput(snapshot *crdv1.VolumeSnapshot) (*crdv1.VolumeSnapshotClass, *v1.PersistentVolume, string, *v1.SecretReference, error) {
 	className := snapshot.Spec.VolumeSnapshotClassName
 	klog.V(5).Infof("getCreateSnapshotInput [%s]: VolumeSnapshotClassName [%s]", snapshot.Name, *className)
 	var class *crdv1.VolumeSnapshotClass
@@ -553,12 +553,8 @@ func (ctrl *csiSnapshotController) getCreateSnapshotInput(snapshot *crdv1.Volume
 	if err != nil {
 		return nil, nil, "", nil, err
 	}
-	snapshotterCredentials, err := getCredentials(ctrl.client, snapshotterSecretRef)
-	if err != nil {
-		return nil, nil, "", nil, err
-	}
 
-	return class, volume, contentName, snapshotterCredentials, nil
+	return class, volume, contentName, snapshotterSecretRef, nil
 }
 
 func (ctrl *csiSnapshotController) checkandUpdateBoundSnapshotStatusOperation(snapshot *crdv1.VolumeSnapshot, content *crdv1.VolumeSnapshotContent) (*crdv1.VolumeSnapshot, error) {
@@ -580,10 +576,14 @@ func (ctrl *csiSnapshotController) checkandUpdateBoundSnapshotStatusOperation(sn
 			driverName, snapshotID = content.Spec.CSI.Driver, content.Spec.CSI.SnapshotHandle
 		}
 	} else {
-		class, volume, _, snapshotterCredentials, err := ctrl.getCreateSnapshotInput(snapshot)
+		class, volume, _, snapshotterSecretRef, err := ctrl.getCreateSnapshotInput(snapshot)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get input parameters to create snapshot %s: %q", snapshot.Name, err)
 		}
+		snapshotterCredentials, err := getCredentials(ctrl.client, snapshotterSecretRef)
+		if err != nil {
+			return nil, err
+		}
 		driverName, snapshotID, creationTime, size, readyToUse, err = ctrl.handler.CreateSnapshot(snapshot, volume, class.Parameters, snapshotterCredentials)
 		if err != nil {
 			klog.Errorf("checkandUpdateBoundSnapshotStatusOperation: failed to call create snapshot to check whether the snapshot is ready to use %q", err)
@@ -627,11 +627,16 @@ func (ctrl *csiSnapshotController) createSnapshotOperation(snapshot *crdv1.Volum
 		return nil, err
 	}
 
-	class, volume, contentName, snapshotterCredentials, err := ctrl.getCreateSnapshotInput(snapshot)
+	class, volume, contentName, snapshotterSecretRef, err := ctrl.getCreateSnapshotInput(snapshot)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get input parameters to create snapshot %s: %q", snapshot.Name, err)
 	}
 
+	snapshotterCredentials, err := getCredentials(ctrl.client, snapshotterSecretRef)
+	if err != nil {
+		return nil, err
+	}
+
 	driverName, snapshotID, creationTime, size, readyToUse, err := ctrl.handler.CreateSnapshot(snapshot, volume, class.Parameters, snapshotterCredentials)
 	if err != nil {
 		return nil, fmt.Errorf("failed to take snapshot of the volume, %s: %q", volume.Name, err)
@@ -687,6 +692,19 @@ func (ctrl *csiSnapshotController) createSnapshotOperation(snapshot *crdv1.Volum
 			DeletionPolicy:          class.DeletionPolicy,
 		},
 	}
+
+	// Set AnnSecretRefName and AnnSecretRefNamespace
+	if snapshotterSecretRef != nil {
+		if !metav1.HasAnnotation(snapshotContent.ObjectMeta, AnnSecretRefName) {
+			klog.V(5).Infof("createSnapshotOperation: set annotation [%s] on content [%s].", AnnSecretRefName, snapshotContent.Name)
+			metav1.SetMetaDataAnnotation(&snapshotContent.ObjectMeta, AnnSecretRefName, snapshotterSecretRef.Name)
+		}
+		if !metav1.HasAnnotation(snapshotContent.ObjectMeta, AnnSecretRefNamespace) {
+			klog.V(5).Infof("syncContent: set annotation [%s] on content [%s].", AnnSecretRefNamespace, snapshotContent.Name)
+			metav1.SetMetaDataAnnotation(&snapshotContent.ObjectMeta, AnnSecretRefNamespace, snapshotterSecretRef.Namespace)
+		}
+	}
+
 	klog.V(3).Infof("volume snapshot content %v", snapshotContent)
 	// Try to create the VolumeSnapshotContent object several times
 	for i := 0; i < ctrl.createSnapshotContentRetryCount; i++ {
@@ -736,23 +754,30 @@ func (ctrl *csiSnapshotController) deleteSnapshotContentOperation(content *crdv1
 
 	// get secrets if VolumeSnapshotClass specifies it
 	var snapshotterCredentials map[string]string
-	snapshotClassName := content.Spec.VolumeSnapshotClassName
-	if snapshotClassName != nil {
-		if snapshotClass, err := ctrl.classLister.Get(*snapshotClassName); err == nil {
-			// Resolve snapshotting secret credentials.
-			// No VolumeSnapshot is provided when resolving delete secret names, since the VolumeSnapshot may or may not exist at delete time.
-			snapshotterSecretRef, err := getSecretReference(snapshotClass.Parameters, content.Name, nil)
-			if err != nil {
-				return err
-			}
-			snapshotterCredentials, err = getCredentials(ctrl.client, snapshotterSecretRef)
-			if err != nil {
-				return err
-			}
+	var err error
+
+	// Check if annotation exists
+	if metav1.HasAnnotation(content.ObjectMeta, AnnSecretRefName) && metav1.HasAnnotation(content.ObjectMeta, AnnSecretRefNamespace) {
+		annSecretName := content.Annotations[AnnSecretRefName]
+		annSecretNamespace := content.Annotations[AnnSecretRefNamespace]
+
+		snapshotterSecretRef := &v1.SecretReference{}
+
+		if annSecretName != "" {
+			snapshotterSecretRef.Name = annSecretName
+		}
+
+		if annSecretNamespace != "" {
+			snapshotterSecretRef.Namespace = annSecretNamespace
+		}
+
+		snapshotterCredentials, err = getCredentials(ctrl.client, snapshotterSecretRef)
+		if err != nil {
+			return err
 		}
 	}
 
-	err := ctrl.handler.DeleteSnapshot(content, snapshotterCredentials)
+	err = ctrl.handler.DeleteSnapshot(content, snapshotterCredentials)
 	if err != nil {
 		ctrl.eventRecorder.Event(content, v1.EventTypeWarning, "SnapshotDeleteError", "Failed to delete snapshot")
 		return fmt.Errorf("failed to delete snapshot %#v, err: %v", content.Name, err)

diff --git a/pkg/controller/util.go b/pkg/controller/util.go
@@ -65,6 +65,11 @@ const (
 	// Name of finalizer on VolumeSnapshotContents that are bound by VolumeSnapshots
 	VolumeSnapshotContentFinalizer = "snapshot.storage.kubernetes.io/volumesnapshotcontent-protection"
 	VolumeSnapshotFinalizer        = "snapshot.storage.kubernetes.io/volumesnapshot-protection"
+
+	// Annotation for secret name and namespace will be added to the content
+	// and used at snapshot content deletion time.
+	AnnSecretRefName      = "snapshot.storage.kubernetes.io/secret-name"
+	AnnSecretRefNamespace = "snapshot.storage.kubernetes.io/secret-namespace"
 )
 
 var snapshotterSecretParams = deprecatedSecretParamsMap{
@@ -217,7 +222,6 @@ func verifyAndGetSecretNameAndNamespaceTemplate(secret deprecatedSecretParamsMap
 // - ${volumesnapshotcontent.name}
 // - ${volumesnapshot.namespace}
 // - ${volumesnapshot.name}
-// - ${volumesnapshot.annotations['ANNOTATION_KEY']} (e.g. ${pvc.annotations['example.com/snapshot-create-secret-name']})
 //
 // supported tokens for namespace resolution:
 // - ${volumesnapshotcontent.name}
@@ -262,16 +266,12 @@ func getSecretReference(snapshotClassParams map[string]string, snapContentName s
 	}
 	ref.Namespace = resolvedNamespace
 
-	// Secret name template can make use of the VolumeSnapshotContent name, VolumeSnapshot name or namespace,
-	// or a VolumeSnapshot annotation.
+	// Secret name template can make use of the VolumeSnapshotContent name, VolumeSnapshot name or namespace.
 	// Note that VolumeSnapshot name and annotations are under the VolumeSnapshot user's control.
 	nameParams := map[string]string{"volumesnapshotcontent.name": snapContentName}
 	if snapshot != nil {
 		nameParams["volumesnapshot.name"] = snapshot.Name
 		nameParams["volumesnapshot.namespace"] = snapshot.Namespace
-		for k, v := range snapshot.Annotations {
-			nameParams["volumesnapshot.annotations['"+k+"']"] = v
-		}
 	}
 	resolvedName, err := resolveTemplate(nameTemplate, nameParams)
 	if err != nil {

diff --git a/pkg/controller/util_test.go b/pkg/controller/util_test.go
@@ -19,7 +19,6 @@ package controller
 import (
 	crdv1 "github.com/kubernetes-csi/external-snapshotter/pkg/apis/volumesnapshot/v1alpha1"
 	"k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"reflect"
 	"testing"
 )
@@ -70,7 +69,7 @@ func TestGetSecretReference(t *testing.T) {
 			expectRef: nil,
 			expectErr: true,
 		},
-		"template - valid": {
+		/*"template - valid": {
 			params: map[string]string{
 				prefixedSnapshotterSecretNameKey:      "static-${volumesnapshotcontent.name}-${volumesnapshot.namespace}-${volumesnapshot.name}-${volumesnapshot.annotations['akey']}",
 				prefixedSnapshotterSecretNamespaceKey: "static-${volumesnapshotcontent.name}-${volumesnapshot.namespace}",
@@ -84,7 +83,7 @@ func TestGetSecretReference(t *testing.T) {
 				},
 			},
 			expectRef: &v1.SecretReference{Name: "static-snapcontentname-snapshotnamespace-snapshotname-avalue", Namespace: "static-snapcontentname-snapshotnamespace"},
-		},
+		},*/
 		"template - invalid namespace tokens": {
 			params: map[string]string{
 				snapshotterSecretNameKey:      "myname",