Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

external-snapshotter should not allow annotation in template for snapshotter-secret-name #155

Closed
saad-ali opened this issue Aug 8, 2019 · 6 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@saad-ali
Copy link
Member

saad-ali commented Aug 8, 2019

external-snapshotter supports ${volumesnapshot.annotations['ANNOTATION_KEY']} as a template for csi.storage.k8s.io/snapshotter-secret-name. It should not. It is ok for all other secrets (e.g. ListSnapshot secret) but not for the CreateSnapshot secret.

// supported tokens for name resolution:
// - ${volumesnapshotcontent.name}
// - ${volumesnapshot.namespace}
// - ${volumesnapshot.name}
// - ${volumesnapshot.annotations['ANNOTATION_KEY']} (e.g. ${pvc.annotations['example.com/snapshot-create-secret-name']})

CC @msau42 @jingxu97 @xing-yang

@xing-yang
Copy link
Collaborator

Hi @saad-ali, the secret handling logic in external-snapshotter is modeled after the code in external-provisioner. We do strip prefixed parameters before calling create snapshot. See here:

https://github.com/kubernetes-csi/external-snapshotter/blob/master/pkg/controller/csi_handler.go#L70

I'll add comments to clarify that. Is that okay? Thanks.

@msau42
Copy link
Collaborator

msau42 commented Aug 9, 2019

@saad-ali's comment is not about stripping the k8s csi prefix. It's about allowing volumesnapshot.annotations as a template value. For Volume Create/Delete, we do not allow PVC annotations to be used in the StorageClass secret template. Very long discussion here: kubernetes-csi/external-provisioner#86

@xing-yang
Copy link
Collaborator

Thanks @msau42! I'll take a look of the discussion.

@msau42
Copy link
Collaborator

msau42 commented Aug 9, 2019

Some more discussion: kubernetes-csi/external-provisioner#170

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 7, 2019
@xing-yang
Copy link
Collaborator

This is fixed.

xing-yang added a commit to xing-yang/external-snapshotter that referenced this issue Jul 20, 2021
c0a4fb1 Merge pull request kubernetes-csi#164 from anubha-v-ardhan/patch-1
9c6a6c0 Master to main cleanup
682c686 Merge pull request kubernetes-csi#162 from pohly/pod-name-via-shell-command
36a29f5 Merge pull request kubernetes-csi#163 from pohly/remove-bazel
68e43ca prow.sh: remove Bazel build support
c5f59c5 prow.sh: allow shell commands in CSI_PROW_SANITY_POD
71c810a Merge pull request kubernetes-csi#161 from pohly/mock-test-fixes
9e438f8 prow.sh: fix mock testing
d7146c7 Merge pull request kubernetes-csi#160 from pohly/kind-update
4b6aa60 prow.sh: update to KinD v0.11.0
7cdc76f Merge pull request kubernetes-csi#159 from pohly/fix-deployment-selection
ef8bd33 prow.sh: more flexible CSI_PROW_DEPLOYMENT, part II
204bc89 Merge pull request kubernetes-csi#158 from pohly/fix-deployment-selection
61538bb prow.sh: more flexible CSI_PROW_DEPLOYMENT
2b0e6db Merge pull request kubernetes-csi#157 from humblec/csi-release
a2fcd6d Adding myself to csi reviewers group
f325590 Merge pull request kubernetes-csi#149 from pohly/cluster-logs
4b03b30 Merge pull request kubernetes-csi#155 from pohly/owners
a6453c8 owners: introduce aliases
ad83def Merge pull request kubernetes-csi#153 from pohly/fix-image-builds
5561780 build.make: fix image publishng
29bd39b Merge pull request kubernetes-csi#152 from pohly/bump-csi-test
bc42793 prow.sh: use csi-test v4.2.0
b546baa Merge pull request kubernetes-csi#150 from mauriciopoppe/windows-multiarch-args
bfbb6f3 add parameter base_image and addon_image to BUILD_PARAMETERS
2d61d3b Merge pull request kubernetes-csi#151 from humblec/cm
48e71f0 Replace `which` command ( non standard)  with `command -v` builtin
feb20e2 prow.sh: collect cluster logs
7b96bea Merge pull request kubernetes-csi#148 from dobsonj/add-checkpathcmd-to-prow
2d2e03b prow.sh: enable -csi.checkpathcmd option in csi-sanity
09d4151 Merge pull request kubernetes-csi#147 from pohly/mock-testing
74cfbc9 prow.sh: support mock tests
4a3f110 prow.sh: remove obsolete test suppression
6616a6b Merge pull request kubernetes-csi#146 from pohly/kubernetes-1.21
510fb0f prow.sh: support Kubernetes 1.21
c63c61b prow.sh: add CSI_PROW_DEPLOYMENT_SUFFIX
51ac11c Merge pull request kubernetes-csi#144 from pohly/pull-jobs
dd54c92 pull-test.sh: test importing csi-release-tools into other repo
7d2643a Merge pull request kubernetes-csi#143 from pohly/path-setup
6880b0c prow.sh: avoid creating paths unless really running tests

git-subtree-dir: release-tools
git-subtree-split: c0a4fb1
xing-yang pushed a commit to xing-yang/external-snapshotter that referenced this issue Jul 26, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Development

No branches or pull requests

5 participants