
Commit 8a5dba2

author
Mateus Oliveira
authored
OADP-4935: Default permission for Secrets (#1539) (#1561)
* fix: Default permission for Secrets Signed-off-by: Mateus Oliveira <[email protected]> * fixup! fix: Default permission for Secrets Signed-off-by: Mateus Oliveira <[email protected]> * fixup! fix: Default permission for Secrets Signed-off-by: Mateus Oliveira <[email protected]> * fixup! fix: Default permission for Secrets Signed-off-by: Mateus Oliveira <[email protected]> --------- Signed-off-by: Mateus Oliveira <[email protected]> (cherry picked from commit 1a17d7c)
1 parent 4d30f10 commit 8a5dba2

4 files changed

+49
-59
lines changed


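--- a/controllers/common.go
+++ b/controllers/common.go
@@ -3,7 +3,7 @@ package controllers
 import (
 "github.com/openshift/oadp-operator/pkg/common"
 corev1 "k8s.io/api/core/v1"
-"k8s.io/utils/pointer"
+"k8s.io/utils/ptr"
 )
 
 // setting defaults to avoid emitting update events
@@ -36,7 +36,7 @@ func setPodTemplateSpecDefaults(template *corev1.PodTemplateSpec) {
 template.Spec.RestartPolicy = corev1.RestartPolicyAlways
 }
 if template.Spec.TerminationGracePeriodSeconds == nil {
-template.Spec.TerminationGracePeriodSeconds = pointer.Int64(30)
+template.Spec.TerminationGracePeriodSeconds = ptr.To(int64(30))
 }
 if template.Spec.DNSPolicy == "" {
 template.Spec.DNSPolicy = corev1.DNSClusterFirst
@@ -50,18 +50,17 @@ func setPodTemplateSpecDefaults(template *corev1.PodTemplateSpec) {
 if template.Spec.SchedulerName == "" {
 template.Spec.SchedulerName = "default-scheduler"
 }
-// for each volumes, if volumeSource is Projected or SecretVolumeSource, set default mode
+// for each volumes, if volumeSource is Projected or SecretVolumeSource, set default permission
 for i := range template.Spec.Volumes {
 if template.Spec.Volumes[i].Projected != nil {
 if template.Spec.Volumes[i].Projected != nil {
-template.Spec.Volumes[i].Projected.DefaultMode = common.DefaultModePtr()
+template.Spec.Volumes[i].Projected.DefaultMode = ptr.To(common.DefaultProjectedPermission)
 }
 } else if template.Spec.Volumes[i].Secret != nil {
-template.Spec.Volumes[i].Secret.DefaultMode = common.DefaultModePtr()
+template.Spec.Volumes[i].Secret.DefaultMode = ptr.To(common.DefaultSecretPermission)
 } else if template.Spec.Volumes[i].HostPath != nil {
 if template.Spec.Volumes[i].HostPath.Type == nil {
-defaultHostPathType := corev1.HostPathType("")
-template.Spec.Volumes[i].HostPath.Type = &defaultHostPathType
+template.Spec.Volumes[i].HostPath.Type = ptr.To(corev1.HostPathType(""))
 }
 }
 }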

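--- a/controllers/velero.go
+++ b/controllers/velero.go
@@ -26,8 +26,7 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
-"k8s.io/utils/pointer"
-
+"k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
@@ -266,18 +265,16 @@ func (r *DPAReconciler) customizeVeleroDeployment(dpa *oadpv1alpha1.DataProtecti
 })
 
 if hasShortLivedCredentials {
-expirationSeconds := int64(3600)
 veleroDeployment.Spec.Template.Spec.Volumes = append(veleroDeployment.Spec.Template.Spec.Volumes,
 corev1.Volume{
 Name: "bound-sa-token",
 VolumeSource: corev1.VolumeSource{
 Projected: &corev1.ProjectedVolumeSource{
-DefaultMode: common.DefaultModePtr(),
 Sources: []corev1.VolumeProjection{
 {
 ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
 Audience: "openshift",
-ExpirationSeconds: &expirationSeconds,
+ExpirationSeconds: ptr.To(int64(3600)),
 Path: "token",
 },
 },
@@ -398,18 +395,30 @@ func (r *DPAReconciler) customizeVeleroDeployment(dpa *oadpv1alpha1.DataProtecti
 }
 }
 if veleroDeployment.Spec.RevisionHistoryLimit == nil {
-veleroDeployment.Spec.RevisionHistoryLimit = pointer.Int32(10)
+veleroDeployment.Spec.RevisionHistoryLimit = ptr.To(int32(10))
 }
 if veleroDeployment.Spec.ProgressDeadlineSeconds == nil {
-veleroDeployment.Spec.ProgressDeadlineSeconds = pointer.Int32(600)
+veleroDeployment.Spec.ProgressDeadlineSeconds = ptr.To(int32(600))
 }
+r.appendPluginSpecificSpecs(dpa, veleroDeployment, veleroContainer, providerNeedsDefaultCreds, hasCloudStorage)
 setPodTemplateSpecDefaults(&veleroDeployment.Spec.Template)
-return r.appendPluginSpecificSpecs(dpa, veleroDeployment, veleroContainer, providerNeedsDefaultCreds, hasCloudStorage)
+if configMapName, ok := dpa.Annotations[common.UnsupportedVeleroServerArgsAnnotation]; ok {
+if configMapName != "" {
+unsupportedServerArgsCM := corev1.ConfigMap{}
+if err := r.Get(r.Context, types.NamespacedName{Namespace: dpa.Namespace, Name: configMapName}, &unsupportedServerArgsCM); err != nil {
+return err
+}
+if err := common.ApplyUnsupportedServerArgsOverride(veleroContainer, unsupportedServerArgsCM, common.Velero); err != nil {
+return err
+}
+}
+}
+
+return nil
 }
 
 // add plugin specific specs to velero deployment
-func (r *DPAReconciler) appendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtectionApplication, veleroDeployment *appsv1.Deployment, veleroContainer *corev1.Container, providerNeedsDefaultCreds map[string]bool, hasCloudStorage bool) error {
-
+func (r *DPAReconciler) appendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtectionApplication, veleroDeployment *appsv1.Deployment, veleroContainer *corev1.Container, providerNeedsDefaultCreds map[string]bool, hasCloudStorage bool) {
 init_container_resources := veleroContainer.Resources
 
 for _, plugin := range dpa.Spec.Configuration.Velero.DefaultPlugins {
@@ -453,22 +462,20 @@ func (r *DPAReconciler) appendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtecti
 // set default secret name to use
 secretName := pluginSpecificMap.SecretName
 // append plugin specific volume mounts
-if veleroContainer != nil {
-veleroContainer.VolumeMounts = append(
-veleroContainer.VolumeMounts,
-corev1.VolumeMount{
-Name: secretName,
-MountPath: pluginSpecificMap.MountPath,
-})
-
-// append plugin specific env vars
-veleroContainer.Env = append(
-veleroContainer.Env,
-corev1.EnvVar{
-Name: pluginSpecificMap.EnvCredentialsFile,
-Value: pluginSpecificMap.MountPath + "/" + credentials.CloudFieldPath,
-})
-}
+veleroContainer.VolumeMounts = append(
+veleroContainer.VolumeMounts,
+corev1.VolumeMount{
+Name: secretName,
+MountPath: pluginSpecificMap.MountPath,
+})
+
+// append plugin specific env vars
+veleroContainer.Env = append(
+veleroContainer.Env,
+corev1.EnvVar{
+Name: pluginSpecificMap.EnvCredentialsFile,
+Value: pluginSpecificMap.MountPath + "/" + credentials.CloudFieldPath,
+})
 
 // append plugin specific volumes
 veleroDeployment.Spec.Template.Spec.Volumes = append(
@@ -477,8 +484,7 @@ func (r *DPAReconciler) appendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtecti
 Name: secretName,
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
-SecretName: secretName,
-DefaultMode: common.DefaultModePtr(),
+SecretName: secretName,
 },
 },
 })
@@ -509,20 +515,6 @@ func (r *DPAReconciler) appendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtecti
 })
 }
 }
-
-if configMapName, ok := dpa.Annotations[common.UnsupportedVeleroServerArgsAnnotation]; ok {
-if configMapName != "" {
-unsupportedServerArgsCM := corev1.ConfigMap{}
-if err := r.Get(r.Context, types.NamespacedName{Namespace: dpa.Namespace, Name: configMapName}, &unsupportedServerArgsCM); err != nil {
-return err
-}
-if err := common.ApplyUnsupportedServerArgsOverride(veleroContainer, unsupportedServerArgsCM, common.Velero); err != nil {
-return err
-}
-}
-}
-
-return nil
 }
 
 func (r *DPAReconciler) customizeVeleroContainer(dpa *oadpv1alpha1.DataProtectionApplication, veleroDeployment *appsv1.Deployment, veleroContainer *corev1.Container, hasShortLivedCredentials bool, prometheusPort *int) error {
@@ -774,12 +766,10 @@ func (r DPAReconciler) noDefaultCredentials(dpa oadpv1alpha1.DataProtectionAppli
 hasCloudStorage := false
 if dpa.Spec.Configuration.Velero.NoDefaultBackupLocation {
 needDefaultCred := false
-
 if dpa.Spec.UnsupportedOverrides[oadpv1alpha1.OperatorTypeKey] == oadpv1alpha1.OperatorTypeMTC {
 // MTC requires default credentials
 needDefaultCred = true
 }
-// go through cloudprovider plugins and mark providerNeedsDefaultCreds to false
 for _, provider := range dpa.Spec.Configuration.Velero.DefaultPlugins {
 if psf, ok := credentials.PluginSpecificFields[provider]; ok && psf.IsCloudProvider {
 providerNeedsDefaultCreds[psf.PluginName] = needDefaultCred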
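Review bot: In the `@@ -398,18 +395,30 @@` hunk the new ordering, `r.appendPluginSpecificSpecs(...)` followed by `setPodTemplateSpecDefaults(&veleroDeployment.Spec.Template)`, is now load-bearing: the plugin Secret volumes lose their explicit `DefaultMode` in the `@@ -477` hunk (and the bound-sa-token projected volume in the `@@ -266` hunk) and get their 0440/0644 mode only from setPodTemplateSpecDefaults, so a future reorder would ship those credential files with whatever mode the API server defaults to and no compile error would flag it. Nothing in the code records this; I would add, above the appendPluginSpecificSpecs call, `// must precede setPodTemplateSpecDefaults: plugin and token volumes rely on it for DefaultMode`. The doc line `// add plugin specific specs to velero deployment` should also be updated for the dropped error return, e.g. `// appendPluginSpecificSpecs adds plugin volumes, mounts, env vars and init containers to veleroDeployment; callers must apply pod template defaults afterwards.` customizeVeleroDeployment and appendPluginSpecificSpecs both start and end outside the hunks shown.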

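--- a/controllers/velero_test.go
+++ b/controllers/velero_test.go
@@ -314,7 +314,7 @@ func deploymentVolumeSecret(name string) corev1.Volume {
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
 SecretName: name,
-DefaultMode: ptr.To(int32(420)),
+DefaultMode: ptr.To(int32(0440)),
 },
 },
 }
@@ -1450,7 +1450,7 @@ func TestDPAReconciler_buildVeleroDeployment(t *testing.T) {
 Name: "bound-sa-token",
 VolumeSource: corev1.VolumeSource{
 Projected: &corev1.ProjectedVolumeSource{
-DefaultMode: ptr.To(int32(420)),
+DefaultMode: ptr.To(int32(0644)),
 Sources: []corev1.VolumeProjection{
 {
 ServiceAccountToken: &corev1.ServiceAccountTokenProjection{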

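--- a/pkg/common/common.go
+++ b/pkg/common/common.go
@@ -98,12 +98,13 @@ const (
 UnsupportedNodeAgentServerArgsAnnotation = "oadp.openshift.io/unsupported-node-agent-server-args"
 )
 
-const defaultMode = int32(420)
-
-func DefaultModePtr() *int32 {
-var mode int32 = defaultMode
-return &mode
-}
+// Volume permissions
+const (
+// Owner and Group can read; Public do not have any permissions
+DefaultSecretPermission = int32(0440)
+// Owner can read and write; Group and Public can read
+DefaultProjectedPermission = int32(0644)
+)
 
 func AppendUniqueKeyTOfTMaps[T comparable](userLabels ...map[T]T) (map[T]T, error) {
 var base map[T]T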
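Review bot: The comments on the two new exported constants do not follow the Go doc convention of starting with the identifier, so `go doc` and IDE hover show an orphan fragment; I would write `// DefaultSecretPermission is the file mode applied to Secret volumes: owner and group may read, others have no access.` and `// DefaultProjectedPermission is the file mode applied to projected volumes: owner may read and write, group and others may read.`, using "others" rather than "Public" to match Unix terminology. It is also worth noting in the group comment that these are octal literals (the API objects and any manifest diff will show them as 288 and 420), and `0o440`/`0o644` would make the base explicit for readers skimming the file. The removed DefaultModePtr helper was exported; if anything outside this repository imported it, the replacement is `ptr.To(common.DefaultSecretPermission)` from k8s.io/utils/ptr.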
