Make volume mount names RFC1123 DNS label strict

In our production environment, we ran into the issue that a Kubernetes secret name contained dots. Based on the Object Names and IDs docs, the object name has to follow RFC1123 DNS Subdomain rules, which allow dots. The volume mount names only support RFC1123 DNS label standard: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ Remove forbidden characters in name by replacing them with a dash. Introduce test sample with secret name containing dots.
tektoncd · Feb 4, 2021 · 8c5a751 · 8c5a751
1 parent fbceaae
commit 8c5a751
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/pkg/pod/creds_init.go b/pkg/pod/creds_init.go
@@ -19,6 +19,7 @@ package pod
 import (
 	"context"
 	"fmt"
+	"regexp"
 
 	"github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
@@ -36,6 +37,8 @@ const (
 	sshKnownHosts            = "known_hosts"
 )
 
+var dnsLabel1123Forbidden = regexp.MustCompile("[^a-zA-Z0-9-]+")
+
 // credsInit reads secrets available to the given service account and
 // searches for annotations matching a specific format (documented in
 // docs/auth.md). Matching secrets are turned into Volumes for the Pod
@@ -88,7 +91,10 @@ func credsInit(ctx context.Context, serviceAccountName, namespace string, kubecl
 		}
 
 		if matched {
-			name := names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("tekton-internal-secret-volume-%s", secret.Name))
+			// While secret names can use RFC1123 DNS subdomain name rules, the volume mount
+			// name required the stricter DNS label standard, for example no dots anymore.
+			sanitizedName := dnsLabel1123Forbidden.ReplaceAllString(secret.Name, "-")
+			name := names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("tekton-internal-secret-volume-%s", sanitizedName))
 			volumeMounts = append(volumeMounts, corev1.VolumeMount{
 				Name:      name,
 				MountPath: credentials.VolumeName(secret.Name),

diff --git a/pkg/pod/creds_init_test.go b/pkg/pod/creds_init_test.go
@@ -193,6 +193,35 @@ func TestCredsInit(t *testing.T) {
 				DisableCredsInit: true,
 			},
 		}),
+	}, {
+		desc: "secret name contains characters that are not allowed in volume mount context",
+		objs: []runtime.Object{
+			&corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{Name: serviceAccountName, Namespace: namespace},
+				Secrets: []corev1.ObjectReference{{
+					Name: "foo.bar.com",
+				}},
+			},
+			&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "foo.bar.com",
+					Namespace:   namespace,
+					Annotations: map[string]string{"tekton.dev/docker-0": "https://docker.io"},
+				},
+				Type: "kubernetes.io/basic-auth",
+				Data: map[string][]byte{
+					"username": []byte("foo"),
+					"password": []byte("bar"),
+				},
+			},
+		},
+		envVars:  []corev1.EnvVar{},
+		wantArgs: []string{"-basic-docker=foo.bar.com=https://docker.io"},
+		wantVolumeMounts: []corev1.VolumeMount{{
+			Name:      "tekton-internal-secret-volume-foo-bar-com-9l9zj",
+			MountPath: "/tekton/creds-secrets/foo.bar.com",
+		}},
+		ctx: context.Background(),
 	}} {
 		t.Run(c.desc, func(t *testing.T) {
 			names.TestingSeed()