From 004c0cacfc75852bb109da048fc30437dafadaae Mon Sep 17 00:00:00 2001
From: Lalatendu Das
Date: Thu, 27 Jun 2024 12:04:36 +0000
Subject: [PATCH] pb-7392: vendored stork master to kdmp master

Signed-off-by: Lalatendu Das
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../controllers/applicationbackup.go | 2 +-
 .../snapshot/controllers/snapshotschedule.go | 27 ++++++-----
 .../libopenstorage/stork/pkg/utils/utils.go | 48 ++++++++++++-------
 vendor/modules.txt | 2 +-
 6 files changed, 52 insertions(+), 33 deletions(-)

diff --git a/go.mod b/go.mod
index 06144ec8..f7a316e0 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/hashicorp/go-version v1.6.0
 github.com/kubernetes-csi/external-snapshotter/client/v4 v4.2.0
 github.com/kubernetes-incubator/external-storage v0.20.4-openstorage-rc7
- github.com/libopenstorage/stork v1.4.1-0.20240617152950-2e3df62da9ae
+ github.com/libopenstorage/stork v1.4.1-0.20240627120023-8294d8315c46
 github.com/portworx/pxc v0.33.0
 github.com/portworx/sched-ops v1.20.4-rc1.0.20240514213912-ff0ae32b859a
 github.com/sirupsen/logrus v1.9.3
diff --git a/go.sum b/go.sum
index 6f910917..9fe72b6a 100644
--- a/go.sum
+++ b/go.sum
@@ -3394,8 +3394,8 @@ github.com/libopenstorage/stork v1.4.1-0.20230502135851-9cacb19e1df5/go.mod h1:R
 github.com/libopenstorage/stork v1.4.1-0.20230519043154-cbc10dffaf19/go.mod h1:Xm4DHoViynFXMQKBXGj3IkA77LY2RBFkNtv6vbo3wNw=
 github.com/libopenstorage/stork v1.4.1-0.20230601053837-5dd68f026569/go.mod h1:+mKPMCPNhS/XOF2RPcNFijkr67CCCWp0o8OXVG6xxAk=
 github.com/libopenstorage/stork v1.4.1-0.20230610103146-72cf75320066/go.mod h1:Yst+fnOYjWk6SA5pXZBKm19wtiinjxQ/vgYTXI3k80Q=
-github.com/libopenstorage/stork v1.4.1-0.20240617152950-2e3df62da9ae h1:6V1aphPC8/JDo7PKCS+Y0dShjMKx7Ky6OtKOAfj9Zww=
-github.com/libopenstorage/stork v1.4.1-0.20240617152950-2e3df62da9ae/go.mod h1:4n6M9LolJA2u4uB8Cd3YvQFhe0jYEweHLW/EZvECCyE=
+github.com/libopenstorage/stork v1.4.1-0.20240627120023-8294d8315c46 h1:1riZcFUNvv0xUeaQj39J8CYDeM7LvA1xqFZZuftjNTk=
+github.com/libopenstorage/stork v1.4.1-0.20240627120023-8294d8315c46/go.mod h1:4n6M9LolJA2u4uB8Cd3YvQFhe0jYEweHLW/EZvECCyE=
 github.com/libopenstorage/systemutils v0.0.0-20160208220149-44ac83be3ce1/go.mod h1:xwNGC7xiz/BQ/wbMkvHujL8Gjgseg+x41xMek7sKRRQ=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
diff --git a/vendor/github.com/libopenstorage/stork/pkg/applicationmanager/controllers/applicationbackup.go b/vendor/github.com/libopenstorage/stork/pkg/applicationmanager/controllers/applicationbackup.go
index 38cc8b10..3dc79fd7 100644
--- a/vendor/github.com/libopenstorage/stork/pkg/applicationmanager/controllers/applicationbackup.go
+++ b/vendor/github.com/libopenstorage/stork/pkg/applicationmanager/controllers/applicationbackup.go
@@ -2285,7 +2285,7 @@ func (a *ApplicationBackupController) deleteBackup(backup *stork_api.Application
 // Only delete the backup from the backupLocation if the ReclaimPolicy is
 // set to Delete or if it is not successful
 if backup.Spec.ReclaimPolicy != stork_api.ApplicationBackupReclaimPolicyDelete &&
- backup.Status.Status == stork_api.ApplicationBackupStatusSuccessful {
+ (backup.Status.Status == stork_api.ApplicationBackupStatusSuccessful || backup.Status.Status == stork_api.ApplicationBackupStatusPartialSuccess) {
 return true, nil
 }
diff --git a/vendor/github.com/libopenstorage/stork/pkg/snapshot/controllers/snapshotschedule.go b/vendor/github.com/libopenstorage/stork/pkg/snapshot/controllers/snapshotschedule.go
index 38e3bbcd..ffe3e8a3 100644
--- a/vendor/github.com/libopenstorage/stork/pkg/snapshot/controllers/snapshotschedule.go
+++ b/vendor/github.com/libopenstorage/stork/pkg/snapshot/controllers/snapshotschedule.go
@@ -134,7 +134,7 @@ func (s *SnapshotScheduleController) handle(ctx context.Context, snapshotSchedul
 // Start a snapshot for a policy if required
 if start {
- err := s.startVolumeSnapshot(snapshotSchedule, policyType)
+ snapshotSchedule, err = s.startVolumeSnapshot(snapshotSchedule, policyType)
 if err != nil {
 msg := fmt.Sprintf("Error triggering snapshot for schedule(%v): %v", policyType, err)
 s.recorder.Event(snapshotSchedule,
@@ -201,7 +201,7 @@ func (s *SnapshotScheduleController) updateVolumeSnapshotStatus(snapshotSchedule
 s.recorder.Event(snapshotSchedule,
 v1.EventTypeWarning,
 err.Error(),
- fmt.Sprintf("Error updating snapshot (%s) status", snapshot.Name))
+ fmt.Sprintf("Error getting snapshot (%s) status", snapshot.Name))
 if errors.IsNotFound(err) {
 snapshot.Status = snapv1.VolumeSnapshotConditionError
 updated = true
@@ -301,12 +301,16 @@ func (s *SnapshotScheduleController) formatVolumeSnapshotName(snapshotSchedule *
 return strings.Join([]string{scheduleName, snapSuffix}, "-")
 }
-func (s *SnapshotScheduleController) startVolumeSnapshot(inputSnapshotSchedule *stork_api.VolumeSnapshotSchedule, policyType stork_api.SchedulePolicyType) error {
+func (s *SnapshotScheduleController) startVolumeSnapshot(inputSnapshotSchedule *stork_api.VolumeSnapshotSchedule, policyType stork_api.SchedulePolicyType) (*stork_api.VolumeSnapshotSchedule, error) {
+ vssKind := inputSnapshotSchedule.GetObjectKind().GroupVersionKind().Kind
+ vssAPIVersion := inputSnapshotSchedule.GetObjectKind().GroupVersionKind().GroupVersion().String()
+
 // Get the latest copy of snapshotschedule for updating
 snapshotSchedule, err := storkops.Instance().GetSnapshotSchedule(inputSnapshotSchedule.Name, inputSnapshotSchedule.Namespace)
 if err != nil {
- return fmt.Errorf("failed to get volumesnapshot schedule %s", inputSnapshotSchedule.Name)
+ return inputSnapshotSchedule, fmt.Errorf("failed to get volumesnapshot schedule %s", inputSnapshotSchedule.Name)
 }
+
 // Set the default reclaim policy.
 s.setDefaults(snapshotSchedule)
@@ -325,7 +329,7 @@ func (s *SnapshotScheduleController) startVolumeSnapshot(inputSnapshotSchedule *
 })
 err = s.client.Update(context.TODO(), snapshotSchedule)
 if err != nil {
- return err
+ return snapshotSchedule, err
 }
 snapshot := &snapv1.VolumeSnapshot{
@@ -355,7 +359,7 @@ func (s *SnapshotScheduleController) startVolumeSnapshot(inputSnapshotSchedule *
 string(snapv1.VolumeSnapshotConditionError),
 msg)
 log.VolumeSnapshotScheduleLog(snapshotSchedule).Error(msg)
- return err
+ return snapshotSchedule, err
 }
 }
 snapshot.Metadata.Annotations[preSnapRuleAnnotationKey] = snapshotSchedule.Spec.PreExecRule
@@ -368,14 +372,14 @@ func (s *SnapshotScheduleController) startVolumeSnapshot(inputSnapshotSchedule *
 string(snapv1.VolumeSnapshotConditionError),
 msg)
 log.VolumeSnapshotScheduleLog(snapshotSchedule).Error(msg)
- return err
+ return snapshotSchedule, err
 }
 }
 snapshot.Metadata.Annotations[postSnapRuleAnnotationKey] = snapshotSchedule.Spec.PostExecRule
 options, err := schedule.GetOptions(snapshotSchedule.Spec.SchedulePolicyName, snapshotSchedule.Namespace, policyType)
 if err != nil {
- return err
+ return snapshotSchedule, err
 }
 for k, v := range options {
 snapshot.Metadata.Annotations[k] = v
@@ -390,13 +394,14 @@ func (s *SnapshotScheduleController) startVolumeSnapshot(inputSnapshotSchedule *
 Name: snapshotSchedule.Name,
 UID: snapshotSchedule.UID,
 // TODO: Kind of the fetched volumesnapshotschedule is empty, hence using the input one
- Kind: inputSnapshotSchedule.GetObjectKind().GroupVersionKind().Kind,
- APIVersion: inputSnapshotSchedule.GetObjectKind().GroupVersionKind().GroupVersion().String(),
+ Kind: vssKind,
+ APIVersion: vssAPIVersion,
 },
 }
 }
+
 _, err = k8sextops.Instance().CreateSnapshot(snapshot)
- return err
+ return snapshotSchedule, err
 }
 func (s *SnapshotScheduleController) pruneVolumeSnapshots(snapshotSchedule *stork_api.VolumeSnapshotSchedule) error {
diff --git a/vendor/github.com/libopenstorage/stork/pkg/utils/utils.go b/vendor/github.com/libopenstorage/stork/pkg/utils/utils.go
index a0b3f083..52ab0b53 100644
--- a/vendor/github.com/libopenstorage/stork/pkg/utils/utils.go
+++ b/vendor/github.com/libopenstorage/stork/pkg/utils/utils.go
@@ -488,6 +488,8 @@ func GetPodFromPVC(pvcName, namespace string) (*v1.Pod, error) {
 return podList[0], nil
 }
+// This function will return the UID and GID from the security context of the pod or container
+// If the security context is not defined in the pod or container, it will return UndefinedId
 func getIdFromSecurityContext(securityContext interface{}) (int64, int64) {
 uid := UndefinedId
 gid := UndefinedId
@@ -527,39 +529,42 @@ func GetPodUserId(pod *v1.Pod) (int64, int64) { uid := UndefinedId gid := UndefinedId + // Let's get pod SecurityContext defined uid & gid if any + // These need to be overwritten if container defines any speific uid or gid, since container setting will take precedence + securityContext := pod.Spec.SecurityContext + uid, gid = getIdFromSecurityContext(securityContext) + //Get User ID or get Group-ID in the absence of User ID from container's security context + containerUid := UndefinedId + containerGid := UndefinedId if len(pod.Spec.Containers) > 1 { // Case-01: There can be more than one container present per application pod and each container could have // configured SecurityContext separately. On that case we need user intervention to pick the container, - // in the absence of that for this release, we will pick first found UID logic as an best-effort approach. + // in the absence of that for this release, we will pick the first-found UID logic as an best-effort approach. // Case 02: If more than one container exist per pod but only one container has defined securityContext then - // we can pick that though. + // we will pick that though. + // Case 03: If more than one pod's container have defined securityContext and some have defined uid and other's have + // defined gid, we will not support such a case for now. It is also a very rare & rogue case. for _, container := range pod.Spec.Containers { // No need to handle the case for the initContainers here // since it is a different list in pod spec i.e. 
pod.Spec.InitContainers securityContext := container.SecurityContext - uid, gid = getIdFromSecurityContext(securityContext) - if uid != UndefinedId || gid != UndefinedId { - return uid, gid + containerUid, containerGid = getIdFromSecurityContext(securityContext) + if containerUid != UndefinedId || containerGid != UndefinedId { + break } } } else { // Only one container for the pod is found, let's pick the UID or GID of it securityContext := pod.Spec.Containers[0].SecurityContext - uid, gid = getIdFromSecurityContext(securityContext) - if uid != UndefinedId || gid != UndefinedId { - return uid, gid - } + containerUid, containerGid = getIdFromSecurityContext(securityContext) } - // UID or GID is not found in any of the container spec, try Getting the UID/GID from the pod's security context - if uid == UndefinedId && gid == UndefinedId { - securityContext := pod.Spec.SecurityContext - uid, gid = getIdFromSecurityContext(securityContext) - if uid != UndefinedId || gid != UndefinedId { - return uid, gid - } + if containerUid != UndefinedId { + uid = containerUid + } + if containerGid != UndefinedId { + gid = containerGid } - // Neither pod nor container has the securityContext defined with User Id or group Id, return error with undefined uids return uid, gid } 
@@ -613,6 +618,15 @@ func GetAppUidGid(pvcName string, namespace string, backup *stork_api.Applicatio
 logrus.Errorf("%s: %v", fn, err)
 return uid, gid, err
 }
+
+ }
+ if uid == 0 {
+ // Intentionally gid == 0 check is not there since a user can set GID as 0 exclusively and run the app in restricted security context.
+ // hence in that case we should return the GID as 0 and uid with whatever set. so that security conext will be imposed on kdmp job pod.
+ logrus.Infof("%s: UID/GID either set as root or not present due to backup taken with older version wherein no psa support present [%v/%v]", fn, namespace, pvcName)
+ // If UID/GID is not set in the backup CR or pod is exclusively mentioned uid as 0, then return undefined UID/GID
+ // No need to add a security context for Job Pod in this case let it run with root privilege.
+ return UndefinedId, UndefinedId, nil
 }
 return uid, gid, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 94d5bce5..72478c6b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -505,7 +505,7 @@ github.com/libopenstorage/openstorage-sdk-clients/sdk/golang
 github.com/libopenstorage/secrets
 github.com/libopenstorage/secrets/aws/credentials
 github.com/libopenstorage/secrets/k8s
-# github.com/libopenstorage/stork v1.4.1-0.20240617152950-2e3df62da9ae
+# github.com/libopenstorage/stork v1.4.1-0.20240627120023-8294d8315c46
 ## explicit; go 1.21
 github.com/libopenstorage/stork/drivers
 github.com/libopenstorage/stork/drivers/volume