Merge pull request #4456 from aledbf/psp-mount

Fix file permissions to support volumes
2019-08-16 06:24:32 -07:00 · 2019-08-16 06:24:32 -07:00 · 839076e3b0
commit 839076e3b0
parent f0383c6153 23ed3ba4c4
7 changed files with 148 additions and 18 deletions
--- a/internal/file/filesystem.go
+++ b/internal/file/filesystem.go
@ -17,4 +17,4 @@ limitations under the License.
 package file

 // ReadWriteByUser defines linux permission to read and write files for the owner user
-const ReadWriteByUser = 0660
+const ReadWriteByUser = 0700
--- a/internal/file/structure.go
+++ b/internal/file/structure.go
@ -16,6 +16,12 @@ limitations under the License.

 package file

+import (
+	"os"
+
+	"github.com/pkg/errors"
+)
+
 const (
 	// AuthDirectory default directory used to store files
 	// to authenticate request
@ -34,3 +40,25 @@ var (
 		AuthDirectory,
 	}
 )
+
+// CreateRequiredDirectories verifies if the required directories to
+// start the ingress controller exist and creates the missing ones.
+func CreateRequiredDirectories() error {
+	for _, directory := range directories {
+		_, err := os.Stat(directory)
+		if err != nil {
+			if os.IsNotExist(err) {
+				err = os.MkdirAll(directory, ReadWriteByUser)
+				if err != nil {
+					return errors.Wrapf(err, "creating directory '%v'", directory)
+				}
+
+				continue
+			}
+
+			return errors.Wrapf(err, "checking directory %v", directory)
+		}
+	}
+
+	return nil
+}
--- a/internal/ingress/controller/checker_test.go
+++ b/internal/ingress/controller/checker_test.go
@ -37,7 +37,7 @@ func TestNginxCheck(t *testing.T) {

 	listener, err := net.Listen("unix", nginx.StatusSocket)
 	if err != nil {
-		t.Errorf("crating unix listener: %s", err)
+		t.Fatalf("crating unix listener: %s", err)
 	}
 	defer listener.Close()
 	defer os.Remove(nginx.StatusSocket)
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@ -37,6 +37,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes/fake"

+	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
@ -154,6 +155,11 @@ func TestCheckIngress(t *testing.T) {
 		})
 	}()

+	err := file.CreateRequiredDirectories()
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	// Ensure no panic with wrong arguments
 	var nginx *NGINXController
 	nginx.CheckIngress(nil)
--- a/internal/net/ssl/ssl.go
+++ b/internal/net/ssl/ssl.go
@ -53,22 +53,6 @@ const (
 	fakeCertificateName = "default-fake-certificate"
 )

-func init() {
-	_, err := os.Stat(file.DefaultSSLDirectory)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = os.MkdirAll(file.DefaultSSLDirectory, file.ReadWriteByUser)
-			if err != nil {
-				klog.Fatalf("Unexpected error checking for default SSL directory: %v", err)
-			}
-
-			return
-		}
-
-		klog.Fatalf("Unexpected error checking for default SSL directory: %v", err)
-	}
-}
-
 // getPemFileName returns absolute file path and file name of pem cert related to given fullSecretName
 func getPemFileName(fullSecretName string) (string, string) {
 	pemName := fmt.Sprintf("%v.pem", fullSecretName)