
Commit 1ebe577

committed
kubelet: Support ClusterTrustBundlePEM projections
1 parent e83badd commit 1ebe577


17 files changed

+1322
-34
lines changed


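--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -1002,18 +1002,14 @@ func dropDisabledClusterTrustBundleProjection(podSpec, oldPodSpec *api.PodSpec)
 return
 }
 
-for _, v := range podSpec.Volumes {
-if v.Projected == nil {
+for i := range podSpec.Volumes {
+if podSpec.Volumes[i].Projected == nil {
 continue
 }
 
-filteredSources := []api.VolumeProjection{}
-for _, s := range v.Projected.Sources {
-if s.ClusterTrustBundle == nil {
-filteredSources = append(filteredSources, s)
-}
+for j := range podSpec.Volumes[i].Projected.Sources {
+podSpec.Volumes[i].Projected.Sources[j].ClusterTrustBundle = nil
 }
-v.Projected.Sources = filteredSources
 }
 }
 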
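Review bot: The inner loop now clears `ClusterTrustBundle` on each source but leaves the source in the slice, so with the gate off a newly added trust-bundle source becomes an empty `VolumeProjection` instead of being removed, and nothing in the code says this is intended. A comment above `for j := range podSpec.Volumes[i].Projected.Sources {` would record the reasoning, for example `// Clear only the gated field and keep the now-empty source, so validation can reject it instead of the pod being admitted without the trust bundle it asked for.` Whether validation actually rejects an empty projection source is not visible in this hunk and should be confirmed before relying on that wording. The function's opening lines, including the condition guarding the early `return`, are outside the hunk.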

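--- a/pkg/api/pod/util_test.go
+++ b/pkg/api/pod/util_test.go
@@ -3237,3 +3237,156 @@ func TestMarkPodProposedForResize(t *testing.T) {
 })
 }
 }
+
+func TestDropClusterTrustBundleProjectedVolumes(t *testing.T) {
+testCases := []struct {
+description string
+clusterTrustBundleProjectionEnabled bool
+oldPod *api.PodSpec
+newPod *api.PodSpec
+wantPod *api.PodSpec
+}{
+{
+description: "feature gate disabled, cannot add CTB volume to pod",
+oldPod: &api.PodSpec{
+Volumes: []api.Volume{},
+},
+newPod: &api.PodSpec{
+Volumes: []api.Volume{
+{
+Name: "foo",
+VolumeSource: api.VolumeSource{
+Projected: &api.ProjectedVolumeSource{
+Sources: []api.VolumeProjection{
+{
+ClusterTrustBundle: &api.ClusterTrustBundleProjection{
+Name: pointer.String("foo"),
+},
+},
+},
+}},
+},
+},
+},
+wantPod: &api.PodSpec{
+Volumes: []api.Volume{
+{
+Name: "foo",
+VolumeSource: api.VolumeSource{
+Projected: &api.ProjectedVolumeSource{
+Sources: []api.VolumeProjection{
+{},
+},
+}},
+},
+},
+},
+},
+{
+description: "feature gate disabled, can keep CTB volume on pod",
+oldPod: &api.PodSpec{
+Volumes: []api.Volume{
+{
+Name: "foo",
+VolumeSource: api.VolumeSource{
+Projected: &api.ProjectedVolumeSource{
+Sources: []api.VolumeProjection{
+{
+ClusterTrustBundle: &api.ClusterTrustBundleProjection{
+Name: pointer.String("foo"),
+},
+},
+},
+}},
+},
+},
+},
+newPod: &api.PodSpec{
+Volumes: []api.Volume{
+{
+Name: "foo",
+VolumeSource: api.VolumeSource{
+Projected: &api.ProjectedVolumeSource{
+Sources: []api.VolumeProjection{
+{
+ClusterTrustBundle: &api.ClusterTrustBundleProjection{
+Name: pointer.String("foo"),
+},
+},
+},
+}},
+},
+},
+},
+wantPod: &api.PodSpec{
+Volumes: []api.Volume{
+{
+Name: "foo",
+VolumeSource: api.VolumeSource{
+Projected: &api.ProjectedVolumeSource{
+Sources: []api.VolumeProjection{
+{
+ClusterTrustBundle: &api.ClusterTrustBundleProjection{
+Name: pointer.String("foo"),
+},
+},
+},
+}},
+},
+},
+},
+},
+{
+description: "feature gate enabled, can add CTB volume to pod",
+clusterTrustBundleProjectionEnabled: true,
+oldPod: &api.PodSpec{
+Volumes: []api.Volume{},
+},
+newPod: &api.PodSpec{
+Volumes: []api.Volume{
+{
+Name: "foo",
+VolumeSource: api.VolumeSource{
+Projected: &api.ProjectedVolumeSource{
+Sources: []api.VolumeProjection{
+{
+ClusterTrustBundle: &api.ClusterTrustBundleProjection{
+Name: pointer.String("foo"),
+},
+},
+},
+}},
+},
+},
+},
+wantPod: &api.PodSpec{
+Volumes: []api.Volume{
+{
+Name: "foo",
+VolumeSource: api.VolumeSource{
+Projected: &api.ProjectedVolumeSource{
+Sources: []api.VolumeProjection{
+{
+ClusterTrustBundle: &api.ClusterTrustBundleProjection{
+Name: pointer.String("foo"),
+},
+},
+},
+}},
+},
+},
+},
+},
+}
+
+for _, tc := range testCases {
+t.Run(tc.description, func(t *testing.T) {
+defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ClusterTrustBundleProjection, tc.clusterTrustBundleProjectionEnabled)()
+
+dropDisabledClusterTrustBundleProjection(tc.newPod, tc.oldPod)
+if diff := cmp.Diff(tc.newPod, tc.wantPod); diff != "" {
+t.Fatalf("Unexpected modification to new pod; diff (-got +want)\n%s", diff)
+}
+})
+}
+}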
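Review bot: All three entries in `testCases` use a single projected volume whose only source is a `ClusterTrustBundle`, so two paths of `dropDisabledClusterTrustBundleProjection` are never exercised: the `Projected == nil` `continue` branch, and a source list that mixes a trust bundle with another projection kind. Because the function now mutates sources in place by index, a gate-disabled case with a non-projected volume plus a two-source projected volume would pin that only the gated field is cleared and sibling sources are left untouched. A sketch of such a case follows; the object names in it are constructed for illustration.

```go
// … unchanged: the three existing cases …
{
	description: "feature gate disabled, only the CTB field is cleared",
	oldPod: &api.PodSpec{
		Volumes: []api.Volume{},
	},
	newPod: &api.PodSpec{
		Volumes: []api.Volume{
			{
				Name:         "scratch",
				VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}},
			},
			{
				Name: "foo",
				VolumeSource: api.VolumeSource{
					Projected: &api.ProjectedVolumeSource{
						Sources: []api.VolumeProjection{
							{ConfigMap: &api.ConfigMapProjection{LocalObjectReference: api.LocalObjectReference{Name: "cm"}}},
							{ClusterTrustBundle: &api.ClusterTrustBundleProjection{Name: pointer.String("foo")}},
						},
					}},
			},
		},
	},
	wantPod: &api.PodSpec{
		Volumes: []api.Volume{
			{
				Name:         "scratch",
				VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}},
			},
			{
				Name: "foo",
				VolumeSource: api.VolumeSource{
					Projected: &api.ProjectedVolumeSource{
						Sources: []api.VolumeProjection{
							{ConfigMap: &api.ConfigMapProjection{LocalObjectReference: api.LocalObjectReference{Name: "cm"}}},
							{},
						},
					}},
			},
		},
	},
},
```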
