CSI RPC Token (#8626)
* client/allocrunner/csi_hook: use the Node SecretID
* client/allocrunner/csi_hook: include the namespace for Claim
langmartin authored Aug 11, 2020
1 parent 8a095fc commit c0bf46d
Showing 2 changed files with 16 additions and 2 deletions.
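--- a/client/allocrunner/csi_hook.go
+++ b/client/allocrunner/csi_hook.go
@@ -96,7 +96,10 @@ func (c *csiHook) Postrun() error {
 Mode: structs.CSIVolumeClaimRelease,
 },
 WriteRequest: structs.WriteRequest{
-Region: c.alloc.Job.Region, Namespace: c.alloc.Job.Namespace},
+Region: c.alloc.Job.Region,
+Namespace: c.alloc.Job.Namespace,
+AuthToken: c.ar.clientConfig.Node.SecretID,
+},
 }
 err := c.rpcClient.RPC("CSIVolume.Unpublish",
 req, &structs.CSIVolumeUnpublishResponse{})
@@ -156,8 +159,12 @@ func (c *csiHook) claimVolumesFromAlloc() (map[string]*volumeAndRequest, error)
 AllocationID: c.alloc.ID,
 NodeID: c.alloc.NodeID,
 Claim: claimType,
+WriteRequest: structs.WriteRequest{
+Region: c.alloc.Job.Region,
+Namespace: c.alloc.Job.Namespace,
+AuthToken: c.ar.clientConfig.Node.SecretID,
+},
 }
-req.Region = c.alloc.Job.Region
 
 var resp structs.CSIVolumeClaimResponse
 if err := c.rpcClient.RPC("CSIVolume.Claim", req, &resp); err != nil {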
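Review bot: Both new `AuthToken: c.ar.clientConfig.Node.SecretID` fields (in Postrun and in claimVolumesFromAlloc) send the node's secret as the RPC credential with no comment saying why, and the test in this commit describes that secret as authorized for all policies. Because the Claim request also carries `NodeID: c.alloc.NodeID` and a client-supplied `Namespace`, the server handlers for CSIVolume.Claim and CSIVolume.Unpublish presumably need to confirm that the SecretID belongs to the node named in the request; that code is not visible here, so please confirm it. I would add above each field `// Authenticate as this node; the server authorizes the RPC via the node SecretID, not the job's ACL token.` and check that `req` is never logged or embedded in an error once the token is set. Both functions start and end outside their hunks.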
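--- a/nomad/csi_endpoint_test.go
+++ b/nomad/csi_endpoint_test.go
@@ -404,6 +404,13 @@ func TestCSIVolumeEndpoint_ClaimWithController(t *testing.T) {
 err = msgpackrpc.CallWithCodec(codec, "CSIVolume.Claim", claimReq, claimResp)
 // Because the node is not registered
 require.EqualError(t, err, "controller publish: attach volume: No path to node")
+
+// The node SecretID is authorized for all policies
+claimReq.AuthToken = node.SecretID
+claimReq.Namespace = ""
+claimResp = &structs.CSIVolumeClaimResponse{}
+err = msgpackrpc.CallWithCodec(codec, "CSIVolume.Claim", claimReq, claimResp)
+require.EqualError(t, err, "controller publish: attach volume: No path to node")
 }
 
 func TestCSIVolumeEndpoint_Unpublish(t *testing.T) {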
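Review bot: The added assertions cover only the accepting path for `claimReq.AuthToken = node.SecretID`; nothing checks that a value which is not a registered node's SecretID is refused, so a server-side regression that lets any token through with `claimReq.Namespace = ""` would still pass this test. I would add a negative case after the last `require.EqualError`: set `claimReq.AuthToken = uuid.Generate()`, repeat the `CSIVolume.Claim` call, and assert `require.EqualError(t, err, structs.ErrPermissionDenied.Error())`. This assumes the test server runs with ACLs enabled and the file imports the uuid helper, neither of which is visible in the hunk. The test function starts outside the hunk.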
