Added ServiceAccountVolumeSource

When filled, the service account token etc. will be provided to the pod and VM Signed-off-by: Marc Sluiter <[email protected]>
webe745 · Oct 17, 2018 · b69c844 · b69c844
1 parent 6fbc282
commit b69c844
Show file tree

Hide file tree

Showing 21 changed files with 455 additions and 2 deletions.
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -4411,6 +4411,15 @@
      }
     }
    },
+   "v1.ServiceAccountVolumeSource": {
+    "description": "ServiceAccountVolumeSource adapts a ServiceAccount into a volume.",
+    "properties": {
+     "serviceAccountName": {
+      "description": "Name of the service account in the pod's namespace to use.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
+      "type": "string"
+     }
+    }
+   },
    "v1.Status": {
     "description": "Status is a return value for calls that don't return other objects.",
     "properties": {
@@ -5123,6 +5132,10 @@
      "secret": {
       "description": "SecretVolumeSource represents a reference to a secret data in the same namespace.\nMore info: https://kubernetes.io/docs/concepts/configuration/secret/\n+optional",
       "$ref": "#/definitions/v1.SecretVolumeSource"
+     },
+     "serviceAccount": {
+      "description": "ServiceAccountVolumeSource represents a reference to a service account.\nThere can only be one volume of this type!\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n+optional",
+      "$ref": "#/definitions/v1.ServiceAccountVolumeSource"
      }
     }
    },

diff --git a/cmd/virt-launcher/virt-launcher.go b/cmd/virt-launcher/virt-launcher.go
@@ -212,6 +212,11 @@ func initializeDirs(virtShareDir string,
 	if err != nil {
 		panic(err)
 	}
+
+	err = virtlauncher.InitializeDisksDirectories(config.ServiceAccountDiskDir)
+	if err != nil {
+		panic(err)
+	}
 }
 
 func waitForDomainUUID(timeout time.Duration, events chan watch.Event, stop chan struct{}, domainManager virtwrap.DomainManager) *api.Domain {

diff --git a/manifests/generated/vm-resource.yaml b/manifests/generated/vm-resource.yaml
@@ -325,6 +325,10 @@ spec:
                                 type: boolean
                               secretName:
                                 type: string
+                          serviceAccount:
+                            properties:
+                              serviceAccountName:
+                                type: string
                         required:
                         - name
                       type: array

diff --git a/manifests/generated/vmi-resource.yaml b/manifests/generated/vmi-resource.yaml
@@ -315,6 +315,10 @@ spec:
                         type: boolean
                       secretName:
                         type: string
+                  serviceAccount:
+                    properties:
+                      serviceAccountName:
+                        type: string
                 required:
                 - name
               type: array

diff --git a/manifests/generated/vmirs-resource.yaml b/manifests/generated/vmirs-resource.yaml
@@ -326,6 +326,10 @@ spec:
                                 type: boolean
                               secretName:
                                 type: string
+                          serviceAccount:
+                            properties:
+                              serviceAccountName:
+                                type: string
                         required:
                         - name
                       type: array

diff --git a/pkg/api/v1/deepcopy_generated.go b/pkg/api/v1/deepcopy_generated.go
diff --git a/pkg/api/v1/openapi_generated.go b/pkg/api/v1/openapi_generated.go
diff --git a/pkg/api/v1/schema.go b/pkg/api/v1/schema.go
@@ -77,6 +77,15 @@ type SecretVolumeSource struct {
 	Optional *bool `json:"optional,omitempty"`
 }
 
+// ServiceAccountVolumeSource adapts a ServiceAccount into a volume.
+// ---
+// +k8s:openapi-gen=true
+type ServiceAccountVolumeSource struct {
+	// Name of the service account in the pod's namespace to use.
+	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+}
+
 // Represents a cloud-init nocloud user data source.
 // More info: http://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html
 // ---
@@ -384,6 +393,11 @@ type VolumeSource struct {
 	// More info: https://kubernetes.io/docs/concepts/configuration/secret/
 	// +optional
 	Secret *SecretVolumeSource `json:"secret,omitempty"`
+	// ServiceAccountVolumeSource represents a reference to a service account.
+	// There can only be one volume of this type!
+	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+	// +optional
+	ServiceAccount *ServiceAccountVolumeSource `json:"serviceAccount,omitempty"`
 }
 
 // ---

diff --git a/pkg/api/v1/schema_swagger_generated.go b/pkg/api/v1/schema_swagger_generated.go
@@ -26,6 +26,13 @@ func (SecretVolumeSource) SwaggerDoc() map[string]string {
 	}
 }
 
+func (ServiceAccountVolumeSource) SwaggerDoc() map[string]string {
+	return map[string]string{
+		"":                   "ServiceAccountVolumeSource adapts a ServiceAccount into a volume.",
+		"serviceAccountName": "Name of the service account in the pod's namespace to use.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
+	}
+}
+
 func (CloudInitNoCloudSource) SwaggerDoc() map[string]string {
 	return map[string]string{
 		"":               "Represents a cloud-init nocloud user data source.\nMore info: http://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html",
@@ -174,6 +181,7 @@ func (VolumeSource) SwaggerDoc() map[string]string {
 		"dataVolume":            "DataVolume represents the dynamic creation a PVC for this volume as well as\nthe process of populating that PVC with a disk image.\n+optional",
 		"configMap":             "ConfigMapSource represents a reference to a ConfigMap in the same namespace.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/\n+optional",
 		"secret":                "SecretVolumeSource represents a reference to a secret data in the same namespace.\nMore info: https://kubernetes.io/docs/concepts/configuration/secret/\n+optional",
+		"serviceAccount":        "ServiceAccountVolumeSource represents a reference to a service account.\nThere can only be one volume of this type!\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n+optional",
 	}
 }
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -39,6 +39,9 @@ const (
 	// Secret represents a secret type,
 	// https://kubernetes.io/docs/concepts/configuration/secret/
 	Secret Type = "secret"
+	// ServiceAccount represents a secret type,
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+	ServiceAccount Type = "serviceaccount"
 
 	mountBaseDir = "/var/run/kubevirt-private"
 )
@@ -48,11 +51,17 @@ var (
 	ConfigMapSourceDir = mountBaseDir + "/config-map"
 	// SecretSourceDir represents a location where Secrets is attached to the pod
 	SecretSourceDir = mountBaseDir + "/secret"
+	// ServiceAccountSourceDir represents the location where the ServiceAccount token is attached to the pod
+	ServiceAccountSourceDir = "/var/run/secrets/kubernetes.io/serviceaccount/"
 
 	// ConfigMapDisksDir represents a path to ConfigMap iso images
 	ConfigMapDisksDir = mountBaseDir + "/config-map-disks"
 	// SecretDisksDir represents a path to Secrets iso images
 	SecretDisksDir = mountBaseDir + "/secret-disks"
+	// ServiceAccountDisksDir represents a path to the ServiceAccount iso image
+	ServiceAccountDiskDir = mountBaseDir + "/service-account-disk"
+	// ServiceAccountDisksName represents the name of the ServiceAccount iso image
+	ServiceAccountDiskName = "service-account.iso"
 
 	createISOImage = defaultCreateIsoImage
 )

diff --git a/pkg/config/service-account.go b/pkg/config/service-account.go
@@ -0,0 +1,50 @@
+/*
+ * This file is part of the KubeVirt project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright 2018 Red Hat, Inc.
+ *
+ */
+
+package config
+
+import (
+	"path/filepath"
+
+	"kubevirt.io/kubevirt/pkg/api/v1"
+)
+
+// GetServiceAccountDiskPath returns a path to the ServiceAccount iso image
+func GetServiceAccountDiskPath() string {
+	return filepath.Join(ServiceAccountDiskDir, ServiceAccountDiskName)
+}
+
+// CreateServiceAccountDisk creates the ServiceAccount iso disk which is attached to vmis
+func CreateServiceAccountDisk(vmi *v1.VirtualMachineInstance) error {
+	for _, volume := range vmi.Spec.Volumes {
+		if volume.ServiceAccount != nil {
+			var filesPath []string
+			filesPath, err := getFilesLayout(ServiceAccountSourceDir)
+			if err != nil {
+				return err
+			}
+
+			err = createIsoConfigImage(GetServiceAccountDiskPath(), filesPath)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
diff --git a/pkg/config/service-account_test.go b/pkg/config/service-account_test.go
@@ -0,0 +1,70 @@
+/*
+ * This file is part of the KubeVirt project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright 2018 Red Hat, Inc.
+ *
+ */
+
+package config
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"kubevirt.io/kubevirt/pkg/api/v1"
+)
+
+var _ = Describe("ServiceAccount", func() {
+
+	BeforeEach(func() {
+		var err error
+
+		ServiceAccountSourceDir, err = ioutil.TempDir("", "serviceaccount")
+		Expect(err).NotTo(HaveOccurred())
+		os.MkdirAll(ServiceAccountSourceDir, 0755)
+		os.OpenFile(filepath.Join(ServiceAccountSourceDir, "token"), os.O_RDONLY|os.O_CREATE, 0666)
+		os.OpenFile(filepath.Join(ServiceAccountSourceDir, "namespace"), os.O_RDONLY|os.O_CREATE, 0666)
+
+		ServiceAccountDiskDir, err = ioutil.TempDir("", "serviceaccount-disk")
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+		os.RemoveAll(ServiceAccountSourceDir)
+		os.RemoveAll(ServiceAccountDiskDir)
+	})
+
+	It("Should create a new service account iso disk", func() {
+		vmi := v1.NewMinimalVMI("fake-vmi")
+		vmi.Spec.Volumes = append(vmi.Spec.Volumes, v1.Volume{
+			Name: "serviceaccount-volume",
+			VolumeSource: v1.VolumeSource{
+				ServiceAccount: &v1.ServiceAccountVolumeSource{
+					ServiceAccountName: "testaccount",
+				},
+			},
+		})
+
+		err := CreateServiceAccountDisk(vmi)
+		Expect(err).NotTo(HaveOccurred())
+		_, err = os.Stat(filepath.Join(ServiceAccountDiskDir, ServiceAccountDiskName))
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+})