in config/config.go [108:200]
func Parse(in *MountParams) (*MountConfig, error) {
out := &MountConfig{}
out.Permissions = in.Permissions
out.TargetPath = in.TargetPath
out.Secrets = make([]*Secret, 0)
var attrib, secret map[string]string
// Everything in the "parameters" section of the SecretProviderClass.
if err := json.Unmarshal([]byte(in.Attributes), &attrib); err != nil {
return nil, fmt.Errorf("failed to unmarshal attributes: %v", err)
}
out.PodInfo = &PodInfo{
Name: attrib[attributePodName],
Namespace: attrib[attributePodNamespace],
UID: types.UID(attrib[attributePodUID]),
ServiceAccount: attrib[attributeServiceAccountName],
ServiceAccountTokens: attrib[attributeServiceAccountTokens],
}
podInfo := klog.ObjectRef{Namespace: out.PodInfo.Namespace, Name: out.PodInfo.Name}
// The secrets here are the relevant CSI driver (k8s) secrets. See
// https://kubernetes-csi.github.io/docs/secrets-and-credentials-storage-class.html
allowSecretRef, err := vars.AllowNodepublishSeretRef.GetBooleanValue()
if err != nil {
klog.ErrorS(err, "failed to get ALLOW_NODE_PUBLISH_SECRET flag")
klog.Fatal("failed to get ALLOW_NODE_PUBLISH_SECRET flag")
}
if allowSecretRef {
if err := json.Unmarshal([]byte(in.KubeSecrets), &secret); err != nil {
return nil, fmt.Errorf("failed to unmarshal secrets: %v", err)
}
if _, ok := secret["key.json"]; ok {
out.AuthNodePublishSecret = true
out.AuthKubeSecret = []byte(secret["key.json"])
}
} else {
klog.Infoln("Authentication using nodepublishsecret ref is disabled")
}
switch attrib["auth"] {
case "provider-adc":
if out.AuthNodePublishSecret {
klog.InfoS("attempting to set both nodePublishSecretRef and provider-adc auth. For details consult https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/blob/main/docs/authentication.md", "pod", podInfo)
return nil, fmt.Errorf("attempting to set both nodePublishSecretRef and provider-adc auth")
}
out.AuthProviderADC = true
case "pod-adc":
if out.AuthNodePublishSecret {
klog.InfoS("attempting to set both nodePublishSecretRef and pod-adc auth. For details consult https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/blob/main/docs/authentication.md", "pod", podInfo)
return nil, fmt.Errorf("attempting to set both nodePublishSecretRef and pod-adc auth")
}
out.AuthPodADC = true
case "":
// default to pod auth unless nodePublishSecret is set
out.AuthPodADC = !out.AuthNodePublishSecret
default:
klog.InfoS("unknown auth configuration", "pod", podInfo)
return nil, fmt.Errorf("unknown auth configuration: %q", attrib["auth"])
}
if out.AuthNodePublishSecret {
klog.V(3).InfoS("parsed auth", "auth", "nodePublishSecretRef", "pod", podInfo)
}
if out.AuthPodADC {
klog.V(3).InfoS("parsed auth", "auth", "pod-adc", "pod", podInfo)
}
if out.AuthProviderADC {
klog.V(3).InfoS("parsed auth", "auth", "provider-adc", "pod", podInfo)
}
if os.Getenv("DEBUG") == "true" {
klog.V(5).InfoS(fmt.Sprintf("attributes: %v", attrib), "pod", podInfo)
klog.V(5).InfoS(fmt.Sprintf("secrets: %v", secret), "pod", podInfo)
} else {
klog.V(5).InfoS("attributes: REDACTED (envvar DEBUG=true to see values)", "pod", podInfo)
klog.V(5).InfoS("secrets: REDACTED (envvar DEBUG=true to see values)", "pod", podInfo)
}
klog.V(5).InfoS(fmt.Sprintf("filePermission: %v", in.Permissions), "pod", podInfo)
klog.V(5).InfoS(fmt.Sprintf("targetPath: %v", in.TargetPath), "pod", podInfo)
if _, ok := attrib["secrets"]; !ok {
return nil, errors.New("missing required 'secrets' attribute")
}
if err := yaml.Unmarshal([]byte(attrib["secrets"]), &out.Secrets); err != nil {
return nil, fmt.Errorf("failed to unmarshal secrets attribute: %v", err)
}
return out, nil
}