Skip to content
This repository has been archived by the owner on Dec 3, 2024. It is now read-only.

Add RevokeAccessContext to DriverRevokeBucketAccess API #147

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

narayviv
Copy link

Problem:
The current API 'DriverRevokeBucketAccess' for revoking a bucket's access, when invoked from the sidecar just passes the values for 'BucketId' & 'AccountId' alone.
Whereas the steps for revoking a bucket's access, might as well require the input passed with the 'Parameters' field, in the BucketAccessClass( linked to the Bucket Access CR).
https://github.com/kubernetes-sigs/container-object-storage-interface-api/blob/8f3e219335924b998c49c03056d61674361bd132/crds/objectstorage.k8s.io_bucketaccessclasses.yaml#L43

Implementation/Fix:
The latest available version of 'container-object-storage-interface-spec' supports passing a map<string,string> along with 'BucketId' & 'AccountId' in the API 'DriverRevokeBucketAccess'.
https://github.com/kubernetes-sigs/container-object-storage-interface-spec/blob/af070610a0e16b5713c5e248eb84fa7526626953/cosi.proto#L239
We can leverage this in sidecar code, by fetching the parameters provided in the BucketAccessClass & pass it to the 'DriverRevokeBucketAccess' API along with parameters 'BucketId' & 'AccountId'

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: narayviv
Once this PR has been reviewed and has the lgtm label, please assign saad-ali for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link

linux-foundation-easycla bot commented Sep 30, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: narayviv / name: Vivek Vishnu (db1d186)

@k8s-ci-robot
Copy link
Contributor

Welcome @narayviv!

It looks like this is your first PR to kubernetes-sigs/container-object-storage-interface-provisioner-sidecar 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/container-object-storage-interface-provisioner-sidecar has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 30, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @narayviv. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Sep 30, 2024
Comment on lines +355 to +362
bucketAccessClassName := bucketAccess.Spec.BucketAccessClassName
bucketAccessClass, err := bal.bucketAccessClasses().Get(ctx, bucketAccessClassName, metav1.GetOptions{})
if kubeerrors.IsNotFound(err) {
return bal.recordError(bucketAccess, v1.EventTypeWarning, events.FailedGrantAccess, err)
} else if err != nil {
klog.V(3).ErrorS(err, "Failed to fetch bucketAccessClass", "bucketAccessClass", bucketAccessClassName)
return fmt.Errorf("failed to fetch BucketAccessClass: %w", err)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have seen issues with this approach in CSI drivers. This leads to drivers implementing code that looks to the StorageClass (approx equivalent to BucketAccessClass), which is mutable and can change over time (or be deleted). This then results in a situation where the driver is unable to proceed with the latest operation.

Instead, the best pattern I have seen is to have the StorageClass data (including opaque params) copied to the PV so that the PV can be managed regardless of whether the StorageClass has been mutated.

I would suggest that the resolution follow the suggested pattern rather than adding the class name, which in my experience encourages inconsistent expectations.

@xing-yang or @shanduur do you have other thoughts?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @BlaineEXE ,

Thanks for your suggestion.

Certainly agree with your point here.
As per your suggestion, there's 2 ways (which I can think of), through which Parameters can be made available to the 'DriverRevokeBucketAccess' API.

I am more in-favor of 'Approach-2', but kindly do guide me if there's another way to retrieve 'Parameters' before 'DriverRevokeBucketAccess' API is invoked.

Will wait for your, suggestion & incorporate changes accordingly.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think approach 2 is also the more correct one. That means a change to the API in addition to the sidecar.

The next question I have is a matter of SIG/KEP process. With a CRD change, we may need to change the KEP. @xing-yang is it okay to make this change (what I consider a minor change) to the repos, or should we update the KEP first?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @BlaineEXE , @xing-yang,
Any update on this..?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I can add my 5-cents, I am also in favor of the approach 2. Unfortunately, I think those changes will be required to be added to the KEP for v1alpha2, as this is pretty major breaking change in the controller behavior.

Comment on lines +16 to +17
// Copyright 2024 Hewlett Packard Enterprise Development LP.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@xing-yang do you know if there is a K8s/SIG policy about adding copyright attributions like this?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will wait for @xing-yang response as well & address this.

@BlaineEXE
Copy link
Contributor

In addition to EasyCLA (required), we are working to consolidate controller and sidecar code into one repo for easier management and testing. That would be this repo and branch: https://github.com/kubernetes-sigs/container-object-storage-interface-api/tree/monorepo

Copy link
Contributor

@BlaineEXE BlaineEXE left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes while discussions are still needed.

@@ -3,6 +3,7 @@ module sigs.k8s.io/container-object-storage-interface-provisioner-sidecar
go 1.18

require (
github.com/agiledragon/gomonkey/v2 v2.12.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reservations about using a monkey patch library. I realize that monkey patching is a common trend in python and ruby development (and other similar scripting languages), but my understanding is that the Golang devs specifically didn't allow for similar functionality.

When I have investigated monkey patching for unit tests in Go, the advice I have seen is to instead use interfaces (even defining custom ones for unit tests if needed) and mocking using Go's builtin language tools.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, will incorporate this in my next commit.

@narayviv
Copy link
Author

narayviv commented Oct 1, 2024

In addition to EasyCLA (required), we are working to consolidate controller and sidecar code into one repo for easier management and testing. That would be this repo and branch: https://github.com/kubernetes-sigs/container-object-storage-interface-api/tree/monorepo

For the EasyCLA -> Iam waiting for a response from my OSRB team.
For the monorepo -> Could I merge my changes in this repo( if all the changes are reviewed & approved) this time alone & if your team could cherry-pick my changes to the monorepo. Please do guide me here & I will make the changes accordingly.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Oct 1, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants