
Volume support in ControllerConfig

Open zonybob opened this issue 3 years ago • 6 comments

What problem are you facing?

I need to use provider-aws and I need to override the AWS client's CA bundle (this can be done in aws-sdk-go-v2 via AWS_CA_BUNDLE=/path/to/pem ... https://github.com/aws/aws-sdk-go-v2/blob/f5b68d198dbefe144696aa0051ed854571b5d614/config/env_config.go#L146-L162). My issue is that there does not seem to be a way (without using mutating webhooks on the provider pod or something similar) to get a pem file mounted on the AWS provider (I looked in ControllerConfig but did not see anything for volume mounts).

How could Crossplane help solve your problem?

If ControllerConfig supported adding volume mounts from ConfigMap or Secret I could configure the CA bundle reference and the AWS_CA_BUNDLE env all from the ControllerConfig definition.

Additional reference: https://crossplane.slack.com/archives/C01718T2476/p1630066636007500

zonybob avatar Aug 27 '21 15:08 zonybob

@zonybob thanks for raising this! I would be in support of this feature, though I do want to mention that the functionality provided by ControllerConfig is being discussed in a broader sense in #2468 -- I don't think it needs to block implementation of volume support though :)

hasheddan avatar Aug 28 '21 11:08 hasheddan

@hasheddan thanks for that reference. FWIW (and maybe to assist anyone else stumbling upon this) I have been able to work around this issue using a Kyverno mutating policy shown below... Still I look forward to Crossplane handling this without dependencies.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: policy-aws-ca-bundle
spec:
  rules:
    - name: "Add CA Bundle to AWS Provider"
      # Only mutate provider-aws pods in the Crossplane namespace
      match:
        resources:
          namespaces:
            - crossplane-system
          kinds:
            - Pod
          names:
            - "crossplane-provider-aws-*"
      mutate:
        overlay:
          spec:
            containers:
              # (name): "*" is a Kyverno anchor: apply to every container
              - (name): "*"
                env:
                  - name: AWS_CA_BUNDLE
                    value: /certs/ca.crt
                volumeMounts:
                  - name: ca-certs
                    mountPath: /certs
            volumes:
              # The CA bundle comes from a ConfigMap in the same namespace
              - name: ca-certs
                configMap:
                  name: aws-ca-bundle
                  items:
                    - key: ca.crt
                      path: ca.crt
```

zonybob avatar Aug 28 '21 14:08 zonybob

We are also interested in this feature.

We want to provision provider secrets using kubernetes-sigs/secrets-store-csi-driver which currently requires a volume mount to trigger the secret creation (https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/298).

MisterMX avatar Oct 28 '21 10:10 MisterMX

We are also interested in this feature. cc @haarchri

maltejk avatar Mar 02 '22 14:03 maltejk

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 14 '22 07:08 stale[bot]

/reopen

haarchri avatar Aug 21 '22 08:08 haarchri

Another use case for this functionality: https://github.com/crossplane-contrib/provider-terraform/pull/112#discussion_r988458764

hasheddan avatar Oct 06 '22 00:10 hasheddan

> Another use case for this functionality: https://github.com/crossplane-contrib/provider-terraform/pull/112#discussion_r988458764

I think in this scenario we would want the default configuration of the provider to have a volume mounted - adding it in the ControllerConfig would also be useful, but we don't want to require every user to set up a ControllerConfig for this scenario.

If we just want to clean up the Dockerfile we could move the /tf content to /var/tmp/tf or something similar, since the content is volatile wherever we put it without a volume mount behind it.

bobh66 avatar Oct 06 '22 00:10 bobh66

This would be nice, we need to mount volumes in order to solve the security warning in Azure: "Immutable (read-only) root filesystem should be enforced for containers". Containers should run with a read-only root file system in your Kubernetes cluster. An immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.

jribmartins avatar Nov 04 '22 08:11 jribmartins
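Pulling the thread's requirements together, this is an added example (not from any commenter, and not a manifest Crossplane ships) of what the provider Pod would need to look like once volume support exists: the CA bundle ConfigMap mount with `AWS_CA_BUNDLE` from the first comment, a read-only root filesystem as the Azure check demands, and an `emptyDir` for the scratch directory that is volatile anyway. The Pod name, container name, image placeholder and the `/tmp` scratch path are assumptions.

```yaml
# Added example: target shape of a hardened provider Pod. Names marked below are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: crossplane-provider-aws-example   # assumed name
  namespace: crossplane-system
spec:
  containers:
    - name: package-runtime               # assumed container name
      image: PROVIDER_IMAGE_PLACEHOLDER   # replace with the provider image
      securityContext:
        # Satisfies "Immutable (read-only) root filesystem should be enforced"
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      env:
        # aws-sdk-go-v2 reads this variable and trusts only the given PEM bundle
        - name: AWS_CA_BUNDLE
          value: /certs/ca.crt
      volumeMounts:
        - name: ca-certs
          mountPath: /certs
          readOnly: true                  # the bundle never needs to be written
        - name: scratch
          mountPath: /tmp                 # assumed: writable space since / is read-only
  volumes:
    - name: ca-certs
      configMap:
        name: aws-ca-bundle               # ConfigMap holding the custom CA (from the thread)
        items:
          - key: ca.crt
            path: ca.crt
    - name: scratch
      emptyDir: {}                        # volatile by design, lost on Pod restart
```

If the provider writes elsewhere at runtime (for example the provider-terraform working directory mentioned above), that path needs its own `emptyDir` mount, otherwise the read-only root filesystem will make those writes fail.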

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 7 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions[bot] avatar Feb 03 '23 01:02 github-actions[bot]

/fresh

ron1 avatar Feb 03 '23 05:02 ron1

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions[bot] avatar May 05 '23 01:05 github-actions[bot]

/fresh an implementation/solution is actively being discussed in #4037

jbw976 avatar May 08 '23 16:05 jbw976