Commit bd7b38d

[Bucket API] make protocols a list and align it with PVC/Snapshot style for bucketAccess -> bucketClaim -> bucket references
1 parent 232d914 commit bd7b38d

File tree

1 file changed

+67
-28
lines changed
  • keps/sig-storage/1979-object-storage-support


keps/sig-storage/1979-object-storage-support/README.md

Lines changed: 67 additions & 28 deletions
@@ -18,9 +18,10 @@
1818
- [COSI API](#cosi-api)
1919
- [Bucket Creation](#bucket-creation)
2020
- [Generating Access Credentials for Buckets](#generating-access-credentials-for-buckets)
21-
- [Attaching Buckets](#attaching-buckets)
21+
- [Attaching Bucket Information to Pods](#attaching-bucket-information-to-pods)
2222
- [Sharing Buckets](#sharing-buckets)
2323
- [Accessing existing Buckets](#accessing-existing-buckets)
24+
- [Bucket deletion](#bucket-deletion)
2425
- [Usability](#usability)
2526
- [Self Service](#self-service)
2627
- [Mutating Buckets](#mutating-buckets)
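Review bot: the table of contents now links to `#attaching-bucket-information-to-pods` and `#bucket-deletion`, but no hunk in this commit renames the "Attaching Buckets" heading or adds a "Bucket deletion" section, so both anchors may be dead; either add the corresponding headings in this change or hold the entries until the sections exist.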
@@ -188,11 +189,12 @@ The BucketClaim is a claim to create a new Bucket. This resource can be used to
188189
|------------------------------| |--------------------------------|
189190
| metadata: | | deletionPolicy: delete |
190191
| namespace: ns1 | | provisioner: s3.amazonaws.com |
191-
| spec: | | protocol: s3 |
192-
| bucketClassName: bc1 | | parameters: |
193-
| | | key: value |
194-
|------------------------------| |--------------------------------|
195-
```
192+
| spec: | | protocols: |
193+
| bucketClassName: bc1 | | - s3 |
194+
| | | parameters: |
195+
|------------------------------| | key: value |
196+
|--------------------------------|
197+
```
196198

197199
###### 2. COSI creates an intermediate Bucket object
198200

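Review bot: the BucketClass box on the right is now one row taller than the BucketClaim box on the left, so the left box's closing border sits beside `key: value` and the final `|--------------------------------|` stands alone; pad the left box with an empty `|                              |` row so the two boxes close on the same line.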
@@ -206,7 +208,8 @@ More information about Bucket is [here](#bucket)
206208
| name: bcl-$uuid |
207209
| spec: |
208210
| bucketClassName: bc1 |
209-
| protocol: s3 |
211+
| protocols: |
212+
| - s3 |
210213
| parameters: |
211214
| key: value |
212215
| provisioner: s3.amazonaws.com |
@@ -228,7 +231,7 @@ More information about COSI gRPC API is [here](#cosi-grpc-api)
228231
|------------------------------------------|
229232
| grpc ProvisionerCreateBucket({ |
230233
| "name": "bcl-$uuid", |
231-
| "protocol": "s3", |
234+
| "protocols": ["s3"], |
232235
| "parameters": { |
233236
| "key": "value" |
234237
| } |
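Review bot: `ProvisionerCreateBucket` now sends `"protocols": ["s3"]`, but the response shape is not shown and nothing in this commit touches the `#cosi-grpc-api` section; if a driver can satisfy only a subset of the requested list, the response should report which protocols were actually provisioned so that COSI populates `Bucket.protocols` (and later `BucketInfo`) with what is really supported instead of echoing the request.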
@@ -272,6 +275,7 @@ The KEY based mechanism is where access and secret keys are generated to be prov
272275
| bucketAccessClassName: bac1 | | authenticationType: KEY |
273276
| bucketClaimName: bcl1 | |----------------------------------|
274277
| credentialsSecretName: bucketcreds1 |
278+
| protocol: s3 |
275279
| status: |
276280
| conditions: |
277281
| - name: AccessGranted |
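Review bot: the new `protocol: s3` field on BucketAccess has no stated behaviour for the mismatch case, i.e. when the requested protocol is not in the referenced bucket's `protocols` list; the spec should say that access is refused (the `AccessGranted` condition shown here set to false with a reason) rather than the driver silently falling back to another protocol. Minor: the `| protocol: s3 |` row is narrower than the surrounding box and should be padded to its width.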
@@ -293,6 +297,7 @@ In case of IAM style authentication, along with the `credentialsSecretName`, `se
293297
| bucketClaimName: bcl1 | |----------------------------------|
294298
| credentialsSecretName: bucketcreds1 |
295299
| serviceAccountName: svacc1 |
300+
| protocol: s3 |
296301
| status: |
297302
| conditions: |
298303
| - name: AccessGranted |
@@ -345,14 +350,21 @@ The secret mentioned in the `credentialsSecretName` field of the BucketAccess sh
345350
| spec: |
346351
| containers: |
347352
| - volumeMounts: |
348-
| name: cosi-bucket |
349-
| mountPath: /cosi/bucket1 |
353+
| - name: cosi-bucket1 |
354+
| mountPath: /cosi/bucket1 |
355+
| - name: cosi-bucket1 |
356+
| mountPath: /cosi/bucket1 |
350357
| volumes: |
351-
| - name: cosi-bucket |
358+
| - name: cosi-bucket1 |
352359
| projected: |
353360
| sources: |
354361
| - secret: |
355362
| name: bucketcreds1 |
363+
| - name: cosi-bucket2 |
364+
| projected: |
365+
| sources: |
366+
| - secret: |
367+
| name: bucketcreds2 |
356368
|-------------------------------------------------|
357369
```
358370

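Review bot: the two `volumeMounts` entries are identical (both `name: cosi-bucket1` at `mountPath: /cosi/bucket1`), which looks like a copy-paste error and would be rejected by pod validation because mount paths must be unique within a container; the second entry should be `name: cosi-bucket2` with `mountPath: /cosi/bucket2` to match the `cosi-bucket2` volume that projects `bucketcreds2`.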
@@ -380,6 +392,8 @@ The volume `mountPath` will be the directory where bucket credentials and other
380392

381393
NOTE: the contents of the files served in mountPath will be a COSI generated file containing credentials and other information required for accessing the bucket. **This is NOT intended to specify a mountpoint to expose the bucket as a filesystem.**
382394

395+
NOTE: the secret containing bucketInfo can be provided to the pod using any other secret -> pod provisioning mechanism, including environment variables. In case of environment variables, the secrets will be exposed to other processes in the same host as environment variables are not inherently secure.
396+
383397
###### 2. The secret containing BucketInfo is mounted in the specified directory
384398

385399
The above volume definition will prompt kubernetes to retrieve the secret and place it in the volumeMount path defined above. The contents of the secret will be of the format shown below:
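Review bot: "exposed to other processes in the same host" in the new NOTE is imprecise about the actual exposure channels: a process environment is readable by processes running as the same UID (or with privilege to read `/proc/<pid>/environ`), is inherited by every child process, and is routinely captured by crash dumps and debug logging; suggest naming those channels and stating that the projected-secret file mount shown above is the recommended path, with environment variables allowed only as a fallback.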
@@ -400,7 +414,9 @@ The above volume definition will prompt kubernetes to retrieve the secret and pl
400414
| accessKeyID: "AKIAIOSFODNN7EXAMPLE", |
401415
| accessSecretKey: "wJalrXUtnFEMI/K...", |
402416
| region: "us-west-1", |
403-
| protocol: "s3" |
417+
| protocols: [ |
418+
| "s3" |
419+
| ] |
404420
| } |
405421
| } |
406422
|-----------------------------------------------|
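Review bot: BucketInfo carries a single `endpoint`, `region` and credential pair but a `protocols` list, which leaves the consuming application unable to tell which protocol those values were issued for once a BucketAccess requested one protocol and the driver resolved it; consider keeping a single resolved `protocol` in BucketInfo (the one the credentials are valid for) and leaving the list on Bucket and BucketClass, where it describes capability rather than a granted access.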
@@ -423,7 +439,9 @@ In case IAM style authentication was specified, then metadataURL and serviceAcco
423439
| authenticationType: "IAM", |
424440
| endpoint: "https://s3.amazonaws.com", |
425441
| region: "us-west-1", |
426-
| protocol: "s3" |
442+
| protocols: [ |
443+
| "s3" |
444+
| ] |
427445
| } |
428446
| } |
429447
|-------------------------------------------------|
@@ -450,22 +468,36 @@ When a Bucket object is manually created, and has its `bucketID` set, then COSI
450468
| name: bucketName123 |
451469
| spec: |
452470
| bucketID: bucketname123 |
453-
| protocol: s3 |
471+
| protocols: |
472+
| - s3 |
454473
| parameters: |
455474
| key: value |
456475
| provisioner: s3.amazonaws.com |
457476
|-------------------------------------------------|
458477
```
459478

460-
###### 2. User creates BucketAccess to generate credentials for that bucket
479+
###### 2. User creates BucketClaim referring to the bucket
461480

462-
Unlike the BucketAccess for COSI created bucket, this BucketAccess should directly reference the Bucket instead of a BucketClaim.
481+
```
482+
BucketClaim - bucketClaim123
483+
|------------------------------------------|
484+
| name: bucketClaim123 |
485+
| spec: |
486+
| existingBucketName: bucketName123 |
487+
| |
488+
|------------------------------------------|
489+
490+
```
491+
492+
###### 3. User creates BucketAccess to generate credentials for that bucket
493+
494+
Similar to the BucketAccess for COSI created bucket, this BucketAccess should reference the BucketClaim that refers to this bucket.
463495

464496
```
465497
BucketAccess - bac2
466498
|-------------------------------|
467499
| spec: |
468-
| bucketName: bucketName123 |
500+
| bucketClaim: bucketClaim123 |
469501
| |
470502
|-------------------------------|
471503
```
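Review bot: the BucketAccess in step 3 uses `bucketClaim: bucketClaim123` while every other example and the `BucketAccessSpec` type use `bucketClaimName`; align the field name. Step 2 also omits `bucketClassName` from the BucketClaim, so state whether a claim with `existingBucketName` still needs a class (the type added below marks only `ExistingBucketName` as optional). Minor: there is a stray blank line between the BucketClaim box and its closing fence.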
@@ -565,12 +597,12 @@ Bucket {
565597
// +optional
566598
BucketClaim corev1.ObjectReference
567599

568-
// Protocol is the data API this bucket is expected to adhere to.
600+
// Protocols are the set of data APIs this bucket is expected to support.
569601
// The possible values for protocol are:
570602
// - S3: Indicates Amazon S3 protocol
571603
// - Azure: Indicates Microsoft Azure BlobStore protocol
572604
// - GCS: Indicates Google Cloud Storage protocol
573-
Protocol Protocol
605+
Protocols []Protocol
574606

575607
// Parameters is an opaque map for passing in configuration to a driver
576608
// for creating the bucket
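Review bot: the updated comment describes `Protocols` as "the set of data APIs" but the field is a slice, so document whether order is significant (for example as a preference when a BucketAccess leaves `protocol` empty, which the BucketAccess comment says is driver-determined) and whether validation rejects an empty list or duplicate entries; the line "The possible values for protocol are:" should now read "for each protocol".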
@@ -609,6 +641,11 @@ BucketClaim {
609641
Spec BucketClaimSpec {
610642
// Name of the BucketClass
611643
BucketClassName string
644+
645+
// Name of a bucket object that was manually
646+
// created to import a bucket created outside of COSI
647+
// +optional
648+
ExistingBucketName string
612649
}
613650

614651
Status BucketClaimStatus {
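Review bot: `ExistingBucketName` binds a namespaced BucketClaim to a cluster-scoped Bucket, but nothing here says what prevents two claims, possibly in different namespaces, from both referencing the same manually created Bucket; since `Bucket` holds a single `BucketClaim` ObjectReference, the spec should define first-wins binding, as PV/PVC `claimRef` does, and how a later conflicting claim is reported (e.g. a failed condition), so that a second tenant cannot obtain credentials for a bucket already bound elsewhere. Also state whether `ExistingBucketName` and `BucketClassName` are mutually exclusive if that is the intent.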
@@ -634,12 +671,12 @@ BucketClass {
634671
// Provisioner is the name of driver associated with this bucket
635672
Provisioner string
636673

637-
// Protocol is the data API this bucket is expected to adhere to.
674+
// Protocols are the set of data API this bucket is expected to support.
638675
// The possible values for protocol are:
639676
// - S3: Indicates Amazon S3 protocol
640677
// - Azure: Indicates Microsoft Azure BlobStore protocol
641678
// - GCS: Indicates Google Cloud Storage protocol
642-
Protocol Protocol
679+
Protocols []Protocol
643680

644681
// DeletionPolicy is used to specify how COSI should handle deletion of this
645682
// bucket. There are 3 possible values:
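Review bot: typo in the new comment, "set of data API" should read "set of data APIs" to match the same comment on Bucket and BucketInfo.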
@@ -670,11 +707,13 @@ BucketAccess {
670707
// +optional
671708
BucketClaimName string
672709

673-
// BucketName is the name of the Bucket for which
674-
// credentials need to be generated
675-
// Exactly one of BucketClaimName or BucketName must be set.
676-
// +optional
677-
BucketName string
710+
// Protcol is the name of the Protocol
711+
// that this access credential is supposed to support
712+
// If left empty, it will choose the protocol supported
713+
// by the bucket. If the bucket supports multiple protocols,
714+
// the end protocol is determined by the driver.
715+
// +optional
716+
Protocol Protocol
678717

679718
// BucketAccessClassName is the name of the BucketAccessClass
680719
BucketAccessClassName string
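Review bot: with `BucketName` and the "Exactly one of BucketClaimName or BucketName must be set" rule removed, `BucketClaimName` is now the only way for a BucketAccess to reach a bucket, yet it is still marked `+optional`; drop the marker or say what an empty value means. The new comment also misspells the field as "Protcol", and "it will choose the protocol supported by the bucket" should name which component chooses and say that the resolved protocol is surfaced to the user (status or BucketInfo), otherwise a driver-determined choice is invisible to the workload.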
@@ -746,12 +785,12 @@ BucketInfo {
746785
// Region is the vendor-defined region where the bucket "resides"
747786
Region string
748787

749-
// Protocol is the data API this bucket is expected to adhere to.
788+
// Protocols are the set of data APIs this bucket is expected to support.
750789
// The possible values for protocol are:
751790
// - S3: Indicates Amazon S3 protocol
752791
// - Azure: Indicates Microsoft Azure BlobStore protocol
753792
// - GCS: Indicates Google Cloud Storage protocol
754-
Protocol Protocol
793+
Protocols []Protocol
755794
}
756795
}
757796
```
