Use projected volumes for sinkbinding trust bundles (knative#7630) (#552
)

When there are multiple trust bundle ConfigMaps, the only
way to mount them in the same directory is to use projected
volumes.

Signed-off-by: Pierangelo Di Pilato <[email protected]>
Co-authored-by: Pierangelo Di Pilato <[email protected]>
openshift-cherrypick-robot and pierDipi authored Mar 1, 2024
1 parent dfd51c4 commit 9b1f638
Showing 3 changed files with 38 additions and 90 deletions.
124 changes: 36 additions & 88 deletions pkg/apis/sources/v1/sinkbinding_lifecycle_test.go
Expand Up @@ -239,6 +239,23 @@ func TestSinkBindingUndo(t *testing.T) {
},
},
},
{
Name: "kne-bundle-volume",
VolumeSource: corev1.VolumeSource{
Projected: &corev1.ProjectedVolumeSource{
Sources: []corev1.VolumeProjection{
{
ConfigMap: &corev1.ConfigMapProjection{
LocalObjectReference: corev1.LocalObjectReference{
Name: "knative-eventing-bundle",
},
},
},
},
DefaultMode: nil,
},
},
},
},
Containers: []corev1.Container{{
Name: "blah",
Expand All @@ -249,6 +266,11 @@ func TestSinkBindingUndo(t *testing.T) {
MountPath: "/knative-custom-certs/knative-eventing-bundle" + strings.Repeat("a", 29),
ReadOnly: true,
},
{
Name: "kne-bundle-volume",
MountPath: "/knative-custom-certs",
ReadOnly: true,
},
},
}},
},
Expand Down Expand Up @@ -460,93 +482,19 @@ func TestSinkBindingDo(t *testing.T) {
Spec: corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: "kne-bundle-knative-eventing-bundle" + strings.Repeat("a", 29),
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "knative-eventing-bundle" + strings.Repeat("a", 29),
},
},
},
},
},
Containers: []corev1.Container{{
Name: "blah",
Image: "busybox",
Env: []corev1.EnvVar{{
Name: "K_SINK",
Value: destination.URI.String(),
}, {
Name: "K_CA_CERTS",
Value: caCert,
}, {
Name: "K_CE_OVERRIDES",
Value: `{"extensions":{"foo":"bar"}}`,
}},
VolumeMounts: []corev1.VolumeMount{
{
Name: "kne-bundle-knative-eventing-bundle" + strings.Repeat("a", 29),
MountPath: "/knative-custom-certs/knative-eventing-bundle" + strings.Repeat("a", 29),
ReadOnly: true,
},
},
}},
},
},
},
},
in: &duckv1.WithPod{
Spec: duckv1.WithPodSpec{
Template: duckv1.PodSpecable{
Spec: corev1.PodSpec{
Containers: []corev1.Container{{
Name: "blah",
Image: "busybox",
Env: []corev1.EnvVar{{
Name: "K_SINK",
Value: destination.URI.String(),
}, {
Name: "K_CA_CERTS",
Value: caCert,
}, {
Name: "K_CE_OVERRIDES",
Value: `{"extensions":{"foo":"bar"}}`,
}},
}},
},
},
},
},
configMaps: []*corev1.ConfigMap{
{
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Namespace: "knative-eventing",
Name: "knative-eventing-bundle" + strings.Repeat("a", 29),
Labels: map[string]string{
"networking.knative.dev/trust-bundle": "true",
},
},
Immutable: nil,
Data: map[string]string{
"knative-eventing-bundle.pem": "something",
},
},
},
}, {
name: "add trust bundles - long CM name",
want: &duckv1.WithPod{
Spec: duckv1.WithPodSpec{
Template: duckv1.PodSpecable{
Spec: corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: "kne-bundle-7840a1e43e73e2ce40d1180208cba2a6knative-eventing-bun",
Name: "kne-bundle-volume",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "knative-eventing-bundle" + strings.Repeat("a", 30),
Projected: &corev1.ProjectedVolumeSource{
Sources: []corev1.VolumeProjection{
{
ConfigMap: &corev1.ConfigMapProjection{
LocalObjectReference: corev1.LocalObjectReference{
Name: "knative-eventing-bundle",
},
},
},
},
DefaultMode: nil,
},
},
},
Expand All @@ -566,8 +514,8 @@ func TestSinkBindingDo(t *testing.T) {
}},
VolumeMounts: []corev1.VolumeMount{
{
Name: "kne-bundle-7840a1e43e73e2ce40d1180208cba2a6knative-eventing-bun",
MountPath: "/knative-custom-certs/knative-eventing-bundle" + strings.Repeat("a", 30),
Name: "kne-bundle-volume",
MountPath: "/knative-custom-certs",
ReadOnly: true,
},
},
Expand Down Expand Up @@ -603,7 +551,7 @@ func TestSinkBindingDo(t *testing.T) {
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Namespace: "knative-eventing",
Name: "knative-eventing-bundle" + strings.Repeat("a", 30),
Name: "knative-eventing-bundle",
Labels: map[string]string{
"networking.knative.dev/trust-bundle": "true",
},
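Review bot: The expected pod spec in TestSinkBindingDo carries a single entry under `Sources`, so nothing in this file exercises the case the commit is written for: several labelled trust bundle ConfigMaps projected into `/knative-custom-certs`. A case with two ConfigMaps in `configMaps` and two `ConfigMapProjection` entries in `want` would pin that. A further case where both ConfigMaps hold the same data key (for example `knative-eventing-bundle.pem`) would document what happens when files collide in the shared directory, since one CA bundle silently replacing another changes what the workload trusts. The case named "add trust bundles - long CM name" also appears to be folded away; if name length no longer matters with the fixed `kne-bundle-volume` name, a comment such as `// volume name is fixed, so ConfigMap name length no longer affects it` on the remaining case would record why. The table entries begin and end outside the hunks shown.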
2 changes: 1 addition & 1 deletion pkg/eventingtls/eventingtls.go
Expand Up @@ -203,7 +203,7 @@ func loadCertPool(config ClientConfig) (*x509.CertPool, error) {
return nil, err
}

_ = filepath.WalkDir(fmt.Sprintf("/%s", TrustBundleMountPath), func(path string, d fs.DirEntry, err error) error {
_ = filepath.WalkDir(TrustBundleMountPath, func(path string, d fs.DirEntry, err error) error {
if err != nil || d.IsDir() {
return nil
}
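Review bot: The walk over `TrustBundleMountPath` still discards every error: the callback returns `nil` whenever `err != nil`, and the result of `filepath.WalkDir` is assigned to `_`. An unreadable mount is therefore indistinguishable from one with no bundles, and the pool is built without the custom CAs and without any diagnostic. A missing directory is a reasonable no-op, but other errors are worth surfacing, for example `if err != nil && !errors.Is(err, fs.ErrNotExist) { return err }` ahead of the existing check, with the `WalkDir` result returned from loadCertPool rather than dropped. Projected volumes are typically populated through a `..data` symlink and a timestamped directory, so a comment stating which of those entries the callback is expected to read would help. The callback body continues past the end of the hunk.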
2 changes: 1 addition & 1 deletion pkg/eventingtls/trust_bundle.go
Expand Up @@ -37,7 +37,7 @@ const (
// TrustBundleLabelSelector is the ConfigMap label selector for trust bundles.
TrustBundleLabelSelector = "networking.knative.dev/trust-bundle=true"

TrustBundleMountPath = "knative-custom-certs"
TrustBundleMountPath = "/knative-custom-certs"

TrustBundleVolumeNamePrefix = "kne-bundle-"
)
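Review bot: `TrustBundleMountPath` is exported and has no doc comment, yet its value appears to change here from a relative name to an absolute path. Any caller outside this diff that still prepends `/` (as the `fmt.Sprintf("/%s", ...)` form in loadCertPool on this page did) would produce `//knative-custom-certs` and fail string comparisons against the volume mount path. A comment such as `// TrustBundleMountPath is the absolute directory in which trust bundle ConfigMaps are mounted.` would state the contract. `TrustBundleVolumeNamePrefix` is undocumented too, and the test expectations now use the fixed name `kne-bundle-volume`, so it is worth saying whether the prefix is still the source of that name. The const block opens above the hunk.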
