Merge pull request #861 from skriss/v0.9.6-cherrypicks

v0.9.6 cherrypicks
2026-04-28 11:27:00 +00:00 · 2018-09-21 09:07:22 -07:00
parent 908900e9dd e353beb6c4
commit ad61989beb
7 changed files with 34 additions and 21 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog

+#### [v0.9.6](https://github.com/heptio/ark/releases/tag/v0.9.6) - 2018-09-21
+
+#### Bug Fixes
+  * Discard service account tokens from non-default service accounts on restore (#843, @james-powis)
+  * Update Docker images to use `alpine:3.8` (#852, @nrb)
+
 #### [v0.9.5](https://github.com/heptio/ark/releases/tag/v0.9.5) - 2018-09-17

 #### Bug Fixes
--- a/Dockerfile-ark-restic-restore-helper.alpine
+++ b/Dockerfile-ark-restic-restore-helper.alpine
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM alpine:3.7
+FROM alpine:3.8

 MAINTAINER Steve Kriss <steve@heptio.com>

@@ -20,4 +20,4 @@ ADD /bin/linux/amd64/ark-restic-restore-helper .

 USER nobody:nobody

-ENTRYPOINT [ "/ark-restic-restore-helper" ]
+ENTRYPOINT [ "/ark-restic-restore-helper" ]
--- a/Dockerfile-ark.alpine
+++ b/Dockerfile-ark.alpine
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM alpine:3.7
+FROM alpine:3.8

 MAINTAINER Andy Goldstein <andy@heptio.com>

--- a/hack/build-image/Dockerfile
+++ b/hack/build-image/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM golang:1.10-alpine3.7
+FROM golang:1.10-alpine3.8

 RUN apk add --update --no-cache git bash && \
    mkdir -p /go/src/k8s.io && \
--- a/pkg/restore/merge_service_account.go
+++ b/pkg/restore/merge_service_account.go
@@ -47,8 +47,8 @@ func mergeServiceAccounts(fromCluster, fromBackup *unstructured.Unstructured) (*

 	for i := len(backupSA.Secrets) - 1; i >= 0; i-- {
 		secret := &backupSA.Secrets[i]
-		if strings.HasPrefix(secret.Name, "default-token-") {
-			// Copy all secrets *except* default-token
+		if strings.HasPrefix(secret.Name, backupSA.Name+"-token-") {
+			// Copy all secrets *except* -token-
 			backupSA.Secrets = append(backupSA.Secrets[:i], backupSA.Secrets[i+1:]...)
 			break
 		}
--- a/pkg/restore/pod_action.go
+++ b/pkg/restore/pod_action.go
@@ -17,7 +17,7 @@ limitations under the License.
 package restore

 import (
-	"regexp"
+	"strings"

 	"github.com/sirupsen/logrus"

@@ -43,10 +43,6 @@ func (a *podAction) AppliesTo() (ResourceSelector, error) {
 	}, nil
 }

-var (
-	defaultTokenRegex = regexp.MustCompile("default-token-.*")
-)
-
 func (a *podAction) Execute(obj runtime.Unstructured, restore *api.Restore) (runtime.Unstructured, error, error) {
 	a.logger.Debug("getting spec")
 	spec, err := collections.GetMap(obj.UnstructuredContent(), "spec")
@@ -57,6 +53,11 @@ func (a *podAction) Execute(obj runtime.Unstructured, restore *api.Restore) (run
 	a.logger.Debug("deleting spec.NodeName")
 	delete(spec, "nodeName")

+	serviceAccountName, err := collections.GetString(spec, "serviceAccountName")
+	if err != nil {
+		return nil, nil, err
+	}
+
 	newVolumes := make([]interface{}, 0)
 	a.logger.Debug("iterating over volumes")
 	err = collections.ForEach(spec, "volumes", func(volume map[string]interface{}) error {
@@ -66,11 +67,11 @@ func (a *podAction) Execute(obj runtime.Unstructured, restore *api.Restore) (run
 		}

 		a.logger.WithField("volumeName", name).Debug("Checking volume")
-		if !defaultTokenRegex.MatchString(name) {
+		if strings.HasPrefix(name, serviceAccountName+"-token-") {
+			a.logger.WithField("volumeName", name).Debug("Excluding volume")
+		} else {
 			a.logger.WithField("volumeName", name).Debug("Preserving volume")
 			newVolumes = append(newVolumes, volume)
-		} else {
-			a.logger.WithField("volumeName", name).Debug("Excluding volume")
 		}

 		return nil
@@ -92,11 +93,11 @@ func (a *podAction) Execute(obj runtime.Unstructured, restore *api.Restore) (run
 			}

 			a.logger.WithField("volumeMount", name).Debug("Checking volumeMount")
-			if !defaultTokenRegex.MatchString(name) {
+			if strings.HasPrefix(name, serviceAccountName+"-token-") {
+				a.logger.WithField("volumeMount", name).Debug("Excluding volumeMount")
+			} else {
 				a.logger.WithField("volumeMount", name).Debug("Preserving volumeMount")
 				newVolumeMounts = append(newVolumeMounts, volumeMount)
-			} else {
-				a.logger.WithField("volumeMount", name).Debug("Excluding volumeMount")
 			}

 			return nil
--- a/pkg/restore/pod_action_test.go
+++ b/pkg/restore/pod_action_test.go
@@ -40,31 +40,36 @@ func TestPodActionExecute(t *testing.T) {
 		{
 			name: "nodeName (only) should be deleted from spec",
 			obj: NewTestUnstructured().WithName("pod-1").WithSpec("nodeName", "foo").
+				WithSpec("serviceAccountName", "foo").
 				WithSpecField("volumes", []interface{}{}).
 				WithSpecField("containers", []interface{}{}).
 				Unstructured,
 			expectedErr: false,
 			expectedRes: NewTestUnstructured().WithName("pod-1").WithSpec("foo").
+				WithSpec("serviceAccountName", "foo").
 				WithSpecField("volumes", []interface{}{}).
 				WithSpecField("containers", []interface{}{}).
 				Unstructured,
 		},
 		{
-			name: "volumes matching default-token regex should be deleted",
+			name: "volumes matching prefix ServiceAccount-token- should be deleted",
 			obj: NewTestUnstructured().WithName("pod-1").
+				WithSpec("serviceAccountName", "foo").
 				WithSpecField("volumes", []interface{}{
 					map[string]interface{}{"name": "foo"},
-					map[string]interface{}{"name": "default-token-foo"},
+					map[string]interface{}{"name": "foo-token-foo"},
 				}).WithSpecField("containers", []interface{}{}).Unstructured,
 			expectedErr: false,
 			expectedRes: NewTestUnstructured().WithName("pod-1").
+				WithSpec("serviceAccountName", "foo").
 				WithSpecField("volumes", []interface{}{
 					map[string]interface{}{"name": "foo"},
 				}).WithSpecField("containers", []interface{}{}).Unstructured,
 		},
 		{
-			name: "container volumeMounts matching default-token regex should be deleted",
+			name: "container volumeMounts matching prefix ServiceAccount-token- should be deleted",
 			obj: NewTestUnstructured().WithName("svc-1").
+				WithSpec("serviceAccountName", "foo").
 				WithSpecField("volumes", []interface{}{}).
 				WithSpecField("containers", []interface{}{
 					map[string]interface{}{
@@ -73,7 +78,7 @@ func TestPodActionExecute(t *testing.T) {
 								"name": "foo",
 							},
 							map[string]interface{}{
-								"name": "default-token-foo",
+								"name": "foo-token-foo",
 							},
 						},
 					},
@@ -81,6 +86,7 @@ func TestPodActionExecute(t *testing.T) {
 				Unstructured,
 			expectedErr: false,
 			expectedRes: NewTestUnstructured().WithName("svc-1").
+				WithSpec("serviceAccountName", "foo").
 				WithSpecField("volumes", []interface{}{}).
 				WithSpecField("containers", []interface{}{
 					map[string]interface{}{