Merge pull request #746 from GunaKKIBM/Mount-secret
Mounting secret - reading credentials from file
k8s-ci-robot authored Sep 27, 2024
2 parents 90f8d4d + d57e884 commit 7838d84
Showing 3 changed files with 60 additions and 19 deletions.
28 changes: 15 additions & 13 deletions deploy/kubernetes/base/controller.yaml
Expand Up @@ -41,13 +41,12 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: IBMCLOUD_API_KEY
valueFrom:
secretKeyRef:
name: ibm-secret
key: IBMCLOUD_API_KEY
optional: true
- name: API_KEY_PATH
value: /etc/secrets/IBMCLOUD_API_KEY
volumeMounts:
- name: ibm-secret
mountPath: /etc/secrets
readOnly: true
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
ports:
Expand All @@ -65,6 +64,9 @@ spec:
- name: node-update-controller
image: registry.k8s.io/cloud-provider-ibm/ibm-powervs-block-csi-driver:main
command: ["/node-update-controller"]
env:
- name: API_KEY_PATH
value: /etc/secrets/IBMCLOUD_API_KEY
ports:
- name: metrics
containerPort: 8081
Expand All @@ -80,13 +82,10 @@ spec:
initialDelaySeconds: 5
timeoutSeconds: 10
periodSeconds: 30
env:
- name: IBMCLOUD_API_KEY
valueFrom:
secretKeyRef:
name: ibm-secret
key: IBMCLOUD_API_KEY
optional: true
volumeMounts:
- name: ibm-secret
mountPath: /etc/secrets
readOnly: true
- name: csi-provisioner
image: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1
args:
Expand Down Expand Up @@ -136,3 +135,6 @@ spec:
volumes:
- name: socket-dir
emptyDir: {}
- name: ibm-secret
secret:
secretName: ibm-secret
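Review bot: The `ibm-secret` volume defined at the end of this manifest projects every key of the Secret into `/etc/secrets` for the two containers that mount it, although the only path referenced is `/etc/secrets/IBMCLOUD_API_KEY`. Restricting the projection with `items:` / `- key: IBMCLOUD_API_KEY` / `path: IBMCLOUD_API_KEY` keeps any key later added to that Secret out of the pods, and a tighter `defaultMode` (for example `0400`) is worth setting provided the container user can still read the file. The `secretKeyRef` entries in this section carried `optional: true`, while the volume has no `optional` field, so a missing Secret now appears to block pod start rather than letting the process report the missing key; confirm that is intended. The same volume definition is added in deploy/kubernetes/base/node.yaml.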
13 changes: 8 additions & 5 deletions deploy/kubernetes/base/node.yaml
Expand Up @@ -45,12 +45,12 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: IBMCLOUD_API_KEY
valueFrom:
secretKeyRef:
name: ibm-secret
key: IBMCLOUD_API_KEY
- name: API_KEY_PATH
value: /etc/secrets/IBMCLOUD_API_KEY
volumeMounts:
- name: ibm-secret
mountPath: /etc/secrets
readOnly: true
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
Expand Down Expand Up @@ -120,3 +120,6 @@ spec:
hostPath:
path: /sys
type: Directory
- name: ibm-secret
secret:
secretName: ibm-secret
38 changes: 37 additions & 1 deletion pkg/cloud/powervs.go
Expand Up @@ -30,6 +30,7 @@ import (
"github.com/IBM/platform-services-go-sdk/resourcecontrollerv2"
"github.com/davecgh/go-spew/spew"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/klog/v2"
"k8s.io/utils/ptr"

"sigs.k8s.io/ibm-powervs-block-csi-driver/pkg/util"
Expand Down Expand Up @@ -60,7 +61,10 @@ func NewPowerVSCloud(cloudInstanceID, zone string, debug bool) (Cloud, error) {
}

func newPowerVSCloud(cloudInstanceID, zone string, debug bool) (Cloud, error) {
apikey := os.Getenv("IBMCLOUD_API_KEY")
apikey, err := readCredentials()
if err != nil {
return nil, err
}

authenticator := &core.IamAuthenticator{ApiKey: apikey, URL: os.Getenv("IBMCLOUD_IAM_API_ENDPOINT")}

Expand Down Expand Up @@ -252,3 +256,35 @@ func (p *powerVSCloud) GetDiskByID(volumeID string) (disk *Disk, err error) {
CapacityGiB: int64(*v.Size),
}, nil
}

func readCredentials() (string, error) {
apiKey, err := readCredentialsFromFile()
if err != nil {
return "", err
}
if apiKey != "" {
return apiKey, nil
}

klog.Info("Falling back to read IBMCLOUD_API_KEY environment variable for the key")
apiKey = os.Getenv("IBMCLOUD_API_KEY")
if apiKey == "" {
return "", fmt.Errorf("IBMCLOUD_API_KEY is not provided")
}

return apiKey, nil
}

func readCredentialsFromFile() (string, error) {
apiKeyPath := os.Getenv("API_KEY_PATH")
if apiKeyPath == "" {
klog.Warning("API_KEY_PATH is undefined")
return "", nil
}

byteData, err := os.ReadFile(apiKeyPath)
if err != nil {
return "", fmt.Errorf("error reading apikey: %v", err)
}
return string(byteData), nil
}
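Review bot: `readCredentialsFromFile` returns the file contents verbatim, so a trailing newline in the mounted file ends up inside the API key handed to `core.IamAuthenticator`, and authentication would then fail with an error that does not point at the cause; return `strings.TrimSpace(string(byteData))` instead (this needs `strings` in the import block, which is only partly visible here). With that change a file that is empty or whitespace-only also falls through cleanly to the environment fallback in `readCredentials`. The read error is formatted with `%v`; `fmt.Errorf("reading API key from %q: %w", apiKeyPath, err)` keeps the underlying `os` error matchable with `errors.Is` and names the path without exposing the key. Since the key is read once in `newPowerVSCloud`, a rotated Secret is presumably not picked up until the pod restarts; a short doc comment on `readCredentials` stating the file-then-environment order and that behaviour would help operators.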
