
add default permissions for secrets volume mount

tags/0.0.6
Vladimir Smagin 2 months ago
parent
commit
18e6ed6c1e
2 changed files with 25 additions and 10 deletions
  1. +10
    -8
      pkg/apis/blindage/v1alpha1/cronop_types.go
  2. +15
    -2
      pkg/controller/cronop/cronjob.go

+ 10
- 8
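--- a/pkg/apis/blindage/v1alpha1/cronop_types.go
+++ b/pkg/apis/blindage/v1alpha1/cronop_types.go
@@ -21,10 +21,11 @@ type CronTask struct {
 PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"` // default empty, overrides global context
 
 // Use it if you want provide some secrets or config files
-MountConfigmap string `json:"mountConfigmap,omitempty"` // Mount configmap as files, default empty
-MountConfigmapPath string `json:"mountConfigmapPath,omitempty"` // by default mounts to /configmap-local
-MountSecret string `json:"mountSecret,omitempty"` // Mount secret as files, default empty
-MountSecretPath string `json:"mountSecretPath,omitempty"` // by default mounts to /secret-local
+MountConfigmap string `json:"mountConfigmap,omitempty"` // Mount configmap as files, default empty
+MountConfigmapPath string `json:"mountConfigmapPath,omitempty"` // by default mounts to /configmap-local
+MountSecret string `json:"mountSecret,omitempty"` // Mount secret as files, default empty
+MountSecretPath string `json:"mountSecretPath,omitempty"` // by default mounts to /secret-local
+MountSecretPermissions int32 `json:"mountSecretPermissions,omitempty"` // use decimal notation, default 256
 
 }
 
@@ -40,10 +41,11 @@ type CronOpSpec struct {
 EnvConfigmap string `json:"envConfigmap,omitempty"` // default empty, global
 
 // Use it if you want provide some secrets or config files
-MountConfigmap string `json:"mountConfigmap,omitempty"` // Mount configmap as files, default empty
-MountConfigmapPath string `json:"mountConfigmapPath,omitempty"` // by default mounts to /configmap-global
-MountSecret string `json:"mountSecret,omitempty"` // Mount secret as files, default empty
-MountSecretPath string `json:"mountSecretPath,omitempty"` // by default mounts to /secret-global
+MountConfigmap string `json:"mountConfigmap,omitempty"` // Mount configmap as files, default empty
+MountConfigmapPath string `json:"mountConfigmapPath,omitempty"` // by default mounts to /configmap-global
+MountSecret string `json:"mountSecret,omitempty"` // Mount secret as files, default empty
+MountSecretPath string `json:"mountSecretPath,omitempty"` // by default mounts to /secret-global
+MountSecretPermissions int32 `json:"mountSecretPermissions,omitempty"` // use decimal notation, default 256
 
 PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
 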
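Review bot: The new field's comment `// use decimal notation, default 256` leaves the meaning of the value implicit: 256 is the decimal form of the Unix mode 0400 (owner read-only), and because the field is `int32` with `omitempty`, a value of 0 is indistinguishable from "not set", so mode 000 cannot be requested through this field. Both hunks (CronTask and CronOpSpec) add the same field, and the matching comment in pkg/controller/cronop/cronjob.go calls the same default `000`, so the two descriptions should be reconciled. I would document it as `// File mode for the mounted secret files, as a decimal integer (256 == 0400, owner read-only); 0 means unset and falls back to 256. Values above 511 (0777) are not valid modes.` If the CRD schema is generated from kubebuilder markers, a `// +kubebuilder:validation:Maximum=511` line on the field would reject out-of-range modes at admission time rather than at pod creation. The CronTask and CronOpSpec struct definitions both start outside the hunks.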
+ 15
- 2
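--- a/pkg/controller/cronop/cronjob.go
+++ b/pkg/controller/cronop/cronjob.go
@@ -270,13 +270,19 @@ func generateCronjob(reqLogger logr.Logger, cr *blindagev1alpha1.CronOp, jobSpec
 MountPath: mountPath,
 }
 jobContainer.VolumeMounts = append(jobContainer.VolumeMounts, volumeMount)
+// Set permissions, default 000 for all secrets, use decimal notation
+mountPermissions := int32(256)
+if cr.Spec.MountSecretPermissions > 0 {
+mountPermissions = cr.Spec.MountSecretPermissions
+}
 // Add to Volumes
 cronjob.Spec.JobTemplate.Spec.Template.Spec.Volumes = append(cronjob.Spec.JobTemplate.Spec.Template.Spec.Volumes,
 corev1.Volume{
 Name: "secret-global",
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
-SecretName: cr.Spec.MountSecret,
+SecretName: cr.Spec.MountSecret,
+DefaultMode: &mountPermissions,
 },
 },
 },
@@ -294,13 +300,20 @@ func generateCronjob(reqLogger logr.Logger, cr *blindagev1alpha1.CronOp, jobSpec
 MountPath: mountPath,
 }
 jobContainer.VolumeMounts = append(jobContainer.VolumeMounts, volumeMount)
+// Set permissions, default 000 for all secrets, use decimal notation
+mountPermissions := int32(256)
+if jobSpec.MountSecretPermissions > 0 {
+mountPermissions = jobSpec.MountSecretPermissions
+}
+
 // Add to Volumes
 cronjob.Spec.JobTemplate.Spec.Template.Spec.Volumes = append(cronjob.Spec.JobTemplate.Spec.Template.Spec.Volumes,
 corev1.Volume{
 Name: "secret-local",
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
-SecretName: jobSpec.MountSecret,
+SecretName: jobSpec.MountSecret,
+DefaultMode: &mountPermissions,
 },
 },
 },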
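Review bot: The comment added above `mountPermissions := int32(256)` says `default 000`, but 256 decimal is 0400 octal (owner read-only), so the comment contradicts the code it describes; the same comment is repeated in the `secret-local` hunk. The `> 0` guard also accepts any positive int32, so a value above 511 (0777) is passed straight into `DefaultMode` and is only caught, if at all, by the API server's validation of the volume spec when the job is created. The two hunks duplicate the same five lines for the global and local secret; a small helper that owns the default and documents the unit would keep them consistent, with the call sites becoming `DefaultMode: secretDefaultMode(cr.Spec.MountSecretPermissions),` and `DefaultMode: secretDefaultMode(jobSpec.MountSecretPermissions),`. generateCronjob starts and ends outside both hunks.
```go
// secretDefaultMode returns the DefaultMode to set on a mounted secret
// volume. perm is the mode as a decimal integer (the CRD field
// mountSecretPermissions); 0 means unset and selects the default 0400
// (256 decimal, owner read-only). Values outside 0..0777 are not valid
// modes and are left to the API server to reject.
func secretDefaultMode(perm int32) *int32 {
	mode := int32(0400)
	if perm > 0 {
		mode = perm
	}
	return &mode
}

// … unchanged: volume mount construction and Volumes append …
```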