Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Appended OS's environment variables to the ones configured in Credent… #103231

Merged
merged 1 commit into from Aug 5, 2021
Merged

Appended OS's environment variables to the ones configured in Credent… #103231

merged 1 commit into from Aug 5, 2021

Conversation

n4j
Copy link
Member

@n4j n4j commented Jun 26, 2021
edited

  1. Appended OS's environment variables with the ones provided in the Credential Provider Config file
  2. Wrote UnitTest cases to validate the above behaviour

What type of PR is this?

/kind bug

What this PR does / why we need it:

According to the behaviour described in the kubelete-credential-provider documentation, the environment variables provided in the config file should be appended with the OS env vars.

However, this seems to be a missed out case and credential providers may fail to execute if $PATH and $HOME are missing.

This bug was verified for ecr-credential-provider

Which issue(s) this PR fixes:

Fixes #102750

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fixed an issue which didn't append OS's environment variables with the one provided in Credential Provider Config file, which may lead to failed execution of external credential provider binary. 
See https://github.com/kubernetes/kubernetes/issues/102750

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 26, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @n4j. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 26, 2021
@MadhavJivrajani
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 26, 2021
@n4j
Copy link
Member Author

n4j commented Jun 26, 2021

/sig node

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 26, 2021
@n4j
Copy link
Member Author

n4j commented Jun 26, 2021

/test pull-kubernetes-integration

@n4j n4j requested a review from MorrisLaw June 26, 2021 12:20
@k8s-ci-robot
Copy link
Contributor

@n4j: The label triage/accepted cannot be applied. Only GitHub organization members can add the label.

In response to this:

/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@n4j
Copy link
Member Author

n4j commented Jun 28, 2021

@thockin @smarterclayton Can anyone of you guys review this PR?

@n4j
Copy link
Member Author

n4j commented Jun 28, 2021

@adisky Can you accept the triage on this PR?

@n4j
Copy link
Member Author

n4j commented Jun 28, 2021

/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 28, 2021
@adisky
Copy link
Contributor

adisky commented Jun 28, 2021

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 28, 2021
@n4j
Copy link
Member Author

n4j commented Jul 23, 2021

/test pull-kubernetes-e2e-kind-ipv6

@liggitt
Copy link
Member

liggitt commented Jul 23, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 23, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, n4j

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 23, 2021
@n4j n4j moved this from Needs Reviewer to Done in SIG Node PR Triage Jul 23, 2021
@n4j
Copy link
Member Author

n4j commented Jul 23, 2021

I'd consider this a bug fix since the API docs say the kubelet env vars are appended, so I would like to see this land in v1.22, if not it should be cherry-picked anyways.

@liggitt How do I get this merged in v1.22 release?

@liggitt liggitt added this to the v1.23 milestone Jul 23, 2021
@liggitt
Copy link
Member

liggitt commented Jul 23, 2021

this can wait until master reopens for 1.23, and be picked to release-1.22 for 1.22.1 if needed

@n4j
Copy link
Member Author

n4j commented Jul 27, 2021

/test all

@n4j
Copy link
Member Author

n4j commented Jul 27, 2021

/meow caturday

@k8s-ci-robot
Copy link
Contributor

@n4j: cat image

In response to this:

/meow caturday

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@n4j
Copy link
Member Author

n4j commented Jul 27, 2021

/retest

@n4j
Copy link
Member Author

n4j commented Jul 31, 2021

/test all

@n4j
Copy link
Member Author

n4j commented Jul 31, 2021

/retest

@liggitt liggitt moved this from Needs Triage to In Review in SIG Auth Old Aug 2, 2021
@ehashman ehashman moved this from Done to Needs Approver in SIG Node PR Triage Aug 2, 2021
liggitt
liggitt reviewed Aug 4, 2021
View reviewed changes
pkg/credentialprovider/plugin/plugin.go
Comment on lines +473 to +477
mergedEnvVars := sysEnvVars
for _, credProviderVar := range credProviderVars {
mergedEnvVars = append(mergedEnvVars, credProviderVar)
}
return mergedEnvVars
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is effectively

return append(sysEnvVars, credProviderVars...)

I don't think we need a separate method to accomplish the same thing as the built-in append method.

pkg/credentialprovider/plugin/plugin.go
Comment on lines +390 to +399
var configEnvVars []string
for _, v := range e.envVars {
configEnvVars = append(configEnvVars, fmt.Sprintf("%s=%s", v.Name, v.Value))
}

// Append current system environment variables, to the ones configured in the
// credential provider file. Failing to do so may result in unsuccessful execution
// of the provider binary, see https://github.com/kubernetes/kubernetes/issues/102750
// also, this behaviour is inline with Credential Provider Config spec
cmd.Env = mergeEnvVars(e.environ(), configEnvVars)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The unit test is only exercising mergeEnvVars, not the inputs to it given the environ() and e.envVars values.

Computing the env like this:

cmd.Env = e.computeEnv()

would let us put the entire implementation calling environ() call and appending e.envVars in a unit testable location.

@k8s-ci-robot k8s-ci-robot merged commit d1479ea into kubernetes:master Aug 5, 2021
SIG Node PR Triage automation moved this from Needs Approver to Done Aug 5, 2021
SIG Auth Old automation moved this from In Review to Closed / Done Aug 5, 2021
@n4j
Copy link
Member Author

n4j commented Aug 5, 2021

@liggitt Since this PR was approved and the branch for 1.23 opened up it was auto merged, I can open a separate PR to fix the comments.

Thoughts?

@liggitt
Copy link
Member

liggitt commented Aug 5, 2021

Sure, a follow up is fine

@brandond
Copy link

I'm having a hard time following the breadcrumbs here - did this ever get cleaned up and/or backported to 1.21 and 1.22?

@brandond
Copy link

brandond commented Sep 9, 2021

@liggitt @n4j this is still broken on the older release branches, correct?

@brandond brandond mentioned this pull request Sep 9, 2021
Closed
@liggitt
Copy link
Member

liggitt commented Sep 10, 2021

yeah, this is only resolved in 1.23

This was referenced Sep 14, 2021
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@dims dims Awaiting requested review from dims

@MorrisLaw MorrisLaw Awaiting requested review from MorrisLaw

@andrewsykim andrewsykim Awaiting requested review from andrewsykim

@adisky adisky Awaiting requested review from adisky

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
SIG Node PR Triage
Done
SIG Auth Old
Closed / Done
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

CredentialProvider fails to read environment variable passed into the CredentialProviderConfig file