squashed commit for Allow Fileownership

Author: mytreya-rh

apis/v1/secretproviderclasspodstatus_types.go

@@ -32,6 +32,7 @@ type SecretProviderClassPodStatusStatus struct {
 	Mounted                 bool                        `json:"mounted,omitempty"`
 	TargetPath              string                      `json:"targetPath,omitempty"`
 	Objects                 []SecretProviderClassObject `json:"objects,omitempty"`
+	FSGroup                 string                      `json:"fsGroup,omitempty"`
 }
 
 // SecretProviderClassObject defines the object fetched from external secrets store

charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -41,6 +41,8 @@ spec:
             description: SecretProviderClassPodStatusStatus defines the observed state
               of SecretProviderClassPodStatus
             properties:
+              fsGroup:
+                type: string
               mounted:
                 type: boolean
               objects:

config/crd/bases/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -41,6 +41,8 @@ spec:
             description: SecretProviderClassPodStatusStatus defines the observed state
               of SecretProviderClassPodStatus
             properties:
+              fsGroup:
+                type: string
               mounted:
                 type: boolean
               objects:

deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -41,6 +41,8 @@ spec:
             description: SecretProviderClassPodStatusStatus defines the observed state
               of SecretProviderClassPodStatus
             properties:
+              fsGroup:
+                type: string
               mounted:
                 type: boolean
               objects:

manifest_staging/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -41,6 +41,8 @@ spec:
             description: SecretProviderClassPodStatusStatus defines the observed state
               of SecretProviderClassPodStatus
             properties:
+              fsGroup:
+                type: string
               mounted:
                 type: boolean
               objects:

manifest_staging/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -41,6 +41,8 @@ spec:
             description: SecretProviderClassPodStatusStatus defines the observed state
               of SecretProviderClassPodStatus
             properties:
+              fsGroup:
+                type: string
               mounted:
                 type: boolean
               objects:

pkg/constants/constants.go

@@ -0,0 +1,5 @@
+package constants
+
+const (
+	NO_GID = int64(-1) // Use the default gid -1 to indicate no change in FSGroup
+)

pkg/errors/errors.go

@@ -44,5 +44,6 @@ const (
 	// PodVolumeNotFound error
 	PodVolumeNotFound = "PodVolumeNotFound"
 	// FileWriteError error
-	FileWriteError = "FileWriteError"
+	FileWriteError       = "FileWriteError"
+	FailedToParseFSGroup = "FailedToParseFSGroup"
 )

pkg/rotation/reconciler.go

@@ -21,12 +21,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
 	secretsstorev1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 	"sigs.k8s.io/secrets-store-csi-driver/controllers"
 	secretsStoreClient "sigs.k8s.io/secrets-store-csi-driver/pkg/client/clientset/versioned"
+	"sigs.k8s.io/secrets-store-csi-driver/pkg/constants"
 	internalerrors "sigs.k8s.io/secrets-store-csi-driver/pkg/errors"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/k8s"
 	secretsstore "sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store"
@@ -398,7 +400,18 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *secretsstorev1.Secret
 		r.generateEvent(pod, corev1.EventTypeWarning, mountRotationFailedReason, fmt.Sprintf("failed to lookup provider client: %q", providerName))
 		return fmt.Errorf("failed to lookup provider client: %q", providerName)
 	}
-	newObjectVersions, errorReason, err := secretsstore.MountContent(ctx, providerClient, string(paramsJSON), string(secretsJSON), spcps.Status.TargetPath, string(permissionJSON), oldObjectVersions)
+	gid := constants.NO_GID
+	if spcps.Status.FSGroup != "" {
+		gid, err = strconv.ParseInt(spcps.Status.FSGroup, 10, 64)
+		if err != nil {
+			errorReason = internalerrors.FailedToParseFSGroup
+			errStr := fmt.Sprintf("failed to rotate objects for pod %s/%s, err: %v, invalid FSGroup:%s", spcps.Namespace, spcps.Status.PodName, err, spcps.Status.FSGroup)
+			r.generateEvent(pod, corev1.EventTypeWarning, mountRotationFailedReason, errStr)
+			return fmt.Errorf("%s", errStr)
+		}
+	}
+	klog.V(5).Infof("Reconciling pod %s/%s with fsGroup: %v\n", spcps.Namespace, spcps.Status.PodName, gid)
+	newObjectVersions, errorReason, err := secretsstore.MountContent(ctx, providerClient, string(paramsJSON), string(secretsJSON), spcps.Status.TargetPath, string(permissionJSON), oldObjectVersions, gid)
 	if err != nil {
 		r.generateEvent(pod, corev1.EventTypeWarning, mountRotationFailedReason, fmt.Sprintf("provider mount err: %+v", err))
 		return fmt.Errorf("failed to rotate objects for pod %s/%s, err: %w", spcps.Namespace, spcps.Status.PodName, err)