Add support for AWS EFS tagging (mtougeron#55)

* Feature/efs (mtougeron#1)

* update for efs support

Co-authored-by: Kabir Wadhwa <[email protected]>

* Main fixes (mtougeron#2)

Add EFS support

* fixes

* changes for efs volume id

* changes for return logic

* fix test cases

Co-authored-by: Kabir Wadhwa <[email protected]>

Author: wadhwakabir

README.md

@@ -6,42 +6,42 @@ A utility to tag PVC volumes based on the PVC's `k8s-pvc-tagger/tags` annotation
 
 ![Go](https://github.com/mtougeron/k8s-pvc-tagger/workflows/Go/badge.svg) ![Gosec](https://github.com/mtougeron/k8s-pvc-tagger/workflows/Gosec/badge.svg) ![ContainerScan](https://github.com/mtougeron/k8s-pvc-tagger/workflows/ContainerScan/badge.svg) [![GitHub tag](https://img.shields.io/github/v/tag/mtougeron/k8s-pvc-tagger)](https://github.com/mtougeron/k8s-pvc-tagger/tags/)
 
-The `k8s-pvc-tagger` watches for new PersistentVolumeClaims and when new AWS EBS volumes are created it adds tags based on the PVC's `k8s-pvc-tagger/tags` annotation to the created EBS volume. Other cloud provider and volume times are coming soon.
+The `k8s-pvc-tagger` watches for new PersistentVolumeClaims and when new AWS EBS/EFS volumes are created it adds tags based on the PVC's `k8s-pvc-tagger/tags` annotation to the created EBS/EFS volume. Other cloud provider and volume times are coming soon.
 
 ### How to set tags
 
 #### cmdline args
 
-`--default-tags` - A json or csv encoded key/value map of the tags to set by default on EBS Volumes. Values can be overwritten by the `k8s-pvc-tagger/tags` annotation.
+`--default-tags` - A json or csv encoded key/value map of the tags to set by default on EBS/EFS Volumes. Values can be overwritten by the `k8s-pvc-tagger/tags` annotation.
 
 `--tag-format` - Either `json` or `csv` for the format the `k8s-pvc-tagger/tags` and `--default-tags` are in.
 
-`--allow-all-tags` - Allow all tags to be set via the PVC; even those used by the EBS controllers. Use with caution!
+`--allow-all-tags` - Allow all tags to be set via the PVC; even those used by the EBS/EFS controllers. Use with caution!
 
 #### Annotations
 
 `k8s-pvc-tagger/ignore` - When this annotation is set (any value) it will ignore this PVC and not add any tags to it
 
-`k8s-pvc-tagger/tags` - A json encoded key/value map of the tags to set on the EBS Volume (in addition to the `--default-tags`). It can also be used to override the values set in the `--default-tags`
+`k8s-pvc-tagger/tags` - A json encoded key/value map of the tags to set on the EBS/EFS Volume (in addition to the `--default-tags`). It can also be used to override the values set in the `--default-tags`
 
 NOTE: Until version `v1.2.0` the legacy annotation prefix of `aws-ebs-tagger` will continue to be supported for aws-ebs volumes ONLY.
 
 #### Examples
 
 1. The cmdline arg `--default-tags={"me": "touge"}` and no annotation will set the tag `me=touge`
 
-2. The cmdline arg `--default-tags={"me": "touge"}` and the annotation `k8s-pvc-tagger/tags: | {"me": "someone else", "another tag": "some value"}` will create the tags `me=someone else` and `another tag=some value` on the EBS Volume
+2. The cmdline arg `--default-tags={"me": "touge"}` and the annotation `k8s-pvc-tagger/tags: | {"me": "someone else", "another tag": "some value"}` will create the tags `me=someone else` and `another tag=some value` on the EBS/EFS Volume
 
-3. The cmdline arg `--default-tags={"me": "touge"}` and the annotation `k8s-pvc-tagger/ignore: ""` will not set any tags on the EBS Volume
+3. The cmdline arg `--default-tags={"me": "touge"}` and the annotation `k8s-pvc-tagger/ignore: ""` will not set any tags on the EBS/EFS Volume
 
-4. The cmdline arg `--default-tags={"me": "touge"}` and the annotation `k8s-pvc-tagger/tags: | {"cost-center": "abc", "environment": "prod"}` will create the tags `me=touge`, `cost-center=abc` and `environment=prod` on the EBS Volume
+4. The cmdline arg `--default-tags={"me": "touge"}` and the annotation `k8s-pvc-tagger/tags: | {"cost-center": "abc", "environment": "prod"}` will create the tags `me=touge`, `cost-center=abc` and `environment=prod` on the EBS/EFS Volume
 
 #### ignored tags
 
 The following tags are ignored by default
- - `kubernetes.io/*`
- - `KubernetesCluster`
- - `Name`
+- `kubernetes.io/*`
+- `KubernetesCluster`
+- `Name`
 
 #### Tag Templates
 

aws.go

@@ -28,23 +28,29 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
+	"github.com/aws/aws-sdk-go/service/efs"
+	"github.com/aws/aws-sdk-go/service/efs/efsiface"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 )
 
 var (
 	// awsSession the AWS Session
 	awsSession *session.Session
-	ec2Client  *Client
 )
 
 const (
 	// Matching strings for region
 	regexpAWSRegion = `^[\w]{2}[-][\w]{4,9}[-][\d]$`
 )
 
+// Client efs interface
+type EFSClient struct {
+	efsiface.EFSAPI
+}
+
 // Client EC2 client interface
-type Client struct {
+type EBSClient struct {
 	ec2iface.EC2API
 }
 
@@ -71,10 +77,16 @@ func createAWSSession(awsRegion string) *session.Session {
 	return session.Must(session.NewSession(awsConfig))
 }
 
+// newEFSClient initializes an EFS client
+func newEFSClient() (*EFSClient, error) {
+	svc := efs.New(awsSession)
+	return &EFSClient{svc}, nil
+}
+
 // newEC2Client initializes an EC2 client
-func newEC2Client() (*Client, error) {
+func newEC2Client() (*EBSClient, error) {
 	svc := ec2.New(awsSession)
-	return &Client{svc}, nil
+	return &EBSClient{svc}, nil
 }
 
 func getMetadataRegion() (string, error) {
@@ -90,7 +102,7 @@ func getMetadataRegion() (string, error) {
 	return doc.Region, nil
 }
 
-func (client *Client) addVolumeTags(volumeID string, tags map[string]string, storageclass string) {
+func (client *EBSClient) addEBSVolumeTags(volumeID string, tags map[string]string, storageclass string) {
 	var ec2Tags []*ec2.Tag
 	for k, v := range tags {
 		ec2Tags = append(ec2Tags, &ec2.Tag{Key: aws.String(k), Value: aws.String(v)})
@@ -112,7 +124,7 @@ func (client *Client) addVolumeTags(volumeID string, tags map[string]string, sto
 	promActionsLegacyTotal.With(prometheus.Labels{"status": "success"}).Inc()
 }
 
-func (client *Client) deleteVolumeTags(volumeID string, tags []string, storageclass string) {
+func (client *EBSClient) deleteEBSVolumeTags(volumeID string, tags []string, storageclass string) {
 	var ec2Tags []*ec2.Tag
 	for _, k := range tags {
 		ec2Tags = append(ec2Tags, &ec2.Tag{Key: aws.String(k)})
@@ -124,7 +136,51 @@ func (client *Client) deleteVolumeTags(volumeID string, tags []string, storagecl
 		Tags:      ec2Tags,
 	})
 	if err != nil {
-		log.Errorln("Could not delete tags for volumeID:", volumeID, err)
+		log.Errorln("Could not EBS delete tags for volumeID:", volumeID, err)
+		promActionsTotal.With(prometheus.Labels{"status": "error", "storageclass": storageclass}).Inc()
+		promActionsLegacyTotal.With(prometheus.Labels{"status": "error"}).Inc()
+		return
+	}
+
+	promActionsTotal.With(prometheus.Labels{"status": "success", "storageclass": storageclass}).Inc()
+	promActionsLegacyTotal.With(prometheus.Labels{"status": "success"}).Inc()
+}
+
+func (client *EFSClient) addEFSVolumeTags(volumeID string, tags map[string]string, storageclass string) {
+	var efsTags []*efs.Tag
+	for k, v := range tags {
+		efsTags = append(efsTags, &efs.Tag{Key: aws.String(k), Value: aws.String(v)})
+	}
+
+	// Add tags to the volume
+	_, err := client.TagResource(&efs.TagResourceInput{
+		ResourceId: aws.String(volumeID),
+		Tags:       efsTags,
+	})
+	if err != nil {
+		log.Errorln("Could not EFS create tags for volumeID:", volumeID, err)
+		promActionsTotal.With(prometheus.Labels{"status": "error", "storageclass": storageclass}).Inc()
+		promActionsLegacyTotal.With(prometheus.Labels{"status": "error"}).Inc()
+		return
+	}
+
+	promActionsTotal.With(prometheus.Labels{"status": "success", "storageclass": storageclass}).Inc()
+	promActionsLegacyTotal.With(prometheus.Labels{"status": "success"}).Inc()
+}
+
+func (client *EFSClient) deleteEFSVolumeTags(volumeID string, tags []string, storageclass string) {
+	var efsTags []*string
+	for _, k := range tags {
+		efsTags = append(efsTags, aws.String(k))
+	}
+
+	// Add tags to the volume
+	_, err := client.UntagResource(&efs.UntagResourceInput{
+		ResourceId: aws.String(volumeID),
+		TagKeys:    efsTags,
+	})
+	if err != nil {
+		log.Errorln("Could not EFS delete tags for volumeID:", volumeID, err)
 		promActionsTotal.With(prometheus.Labels{"status": "error", "storageclass": storageclass}).Inc()
 		promActionsLegacyTotal.With(prometheus.Labels{"status": "error"}).Inc()
 		return

examples/iam-role.json

@@ -11,6 +11,17 @@
             "Resource": [
                 "arn:aws:ec2:*:*:volume/*"
             ]
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "elasticfilesystem:TagResource",
+                "elasticfilesystem:UntagResource",
+            ],
+            "Resource": [
+                "arn:aws:elasticfilesystem:*:*:access-point/*"
+            ]
         }
     ]
-}
+}

kubernetes.go

@@ -51,6 +51,7 @@ var (
 const (
 	// Matching strings for volume operations.
 	regexpAWSVolumeID = `^aws:\/\/\w{2}-\w{4,9}-\d\w\/(vol-\w+)$`
+	regexpEFSVolumeID = `^fs-\w+::(fsap-\w+)$`
 )
 
 type TagTemplate struct {
@@ -99,12 +100,13 @@ func watchForPersistentVolumeClaims(ch chan struct{}, watchNamespace string) {
 
 	informer := factory.Core().V1().PersistentVolumeClaims().Informer()
 
+	efsClient, _ := newEFSClient()
 	ec2Client, _ := newEC2Client()
 
 	informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
 			pvc := obj.(*corev1.PersistentVolumeClaim)
-			if !provisionedByAwsEbs(pvc) {
+			if !provisionedByAwsEfs(pvc) && !provisionedByAwsEbs(pvc) {
 				return
 			}
 			log.WithFields(log.Fields{"namespace": pvc.GetNamespace(), "pvc": pvc.GetName()}).Infoln("New PVC Added to Store")
@@ -113,7 +115,12 @@ func watchForPersistentVolumeClaims(ch chan struct{}, watchNamespace string) {
 			if err != nil || len(tags) == 0 {
 				return
 			}
-			ec2Client.addVolumeTags(volumeID, tags, *pvc.Spec.StorageClassName)
+			if provisionedByAwsEfs(pvc) {
+				efsClient.addEFSVolumeTags(volumeID, tags, *pvc.Spec.StorageClassName)
+			}
+			if provisionedByAwsEbs(pvc) {
+				ec2Client.addEBSVolumeTags(volumeID, tags, *pvc.Spec.StorageClassName)
+			}
 		},
 		UpdateFunc: func(old, new interface{}) {
 
@@ -123,7 +130,7 @@ func watchForPersistentVolumeClaims(ch chan struct{}, watchNamespace string) {
 				log.WithFields(log.Fields{"namespace": newPVC.GetNamespace(), "pvc": newPVC.GetName()}).Debugln("ResourceVersion are the same")
 				return
 			}
-			if !provisionedByAwsEbs(newPVC) {
+			if !provisionedByAwsEfs(newPVC) && !provisionedByAwsEbs(newPVC) {
 				return
 			}
 			if newPVC.Spec.VolumeName == "" {
@@ -141,9 +148,13 @@ func watchForPersistentVolumeClaims(ch chan struct{}, watchNamespace string) {
 				return
 			}
 			if len(tags) > 0 {
-				ec2Client.addVolumeTags(volumeID, tags, *newPVC.Spec.StorageClassName)
+				if provisionedByAwsEfs(newPVC) {
+					efsClient.addEFSVolumeTags(volumeID, tags, *newPVC.Spec.StorageClassName)
+				}
+				if provisionedByAwsEbs(newPVC) {
+					ec2Client.addEBSVolumeTags(volumeID, tags, *newPVC.Spec.StorageClassName)
+				}
 			}
-
 			oldTags := buildTags(oldPVC)
 			var deletedTags []string
 			for k := range oldTags {
@@ -152,15 +163,20 @@ func watchForPersistentVolumeClaims(ch chan struct{}, watchNamespace string) {
 				}
 			}
 			if len(deletedTags) > 0 {
-				ec2Client.deleteVolumeTags(volumeID, deletedTags, *oldPVC.Spec.StorageClassName)
+				if provisionedByAwsEfs(newPVC) {
+					efsClient.deleteEFSVolumeTags(volumeID, deletedTags, *oldPVC.Spec.StorageClassName)
+				}
+				if provisionedByAwsEbs(newPVC) {
+					ec2Client.deleteEBSVolumeTags(volumeID, deletedTags, *oldPVC.Spec.StorageClassName)
+				}
 			}
 		},
 	})
 
 	informer.Run(ch)
 }
 
-func parseAWSVolumeID(k8sVolumeID string) string {
+func parseAWSEBSVolumeID(k8sVolumeID string) string {
 	re := regexp.MustCompile(regexpAWSVolumeID)
 	matches := re.FindSubmatch([]byte(k8sVolumeID))
 	if len(matches) <= 1 {
@@ -170,6 +186,16 @@ func parseAWSVolumeID(k8sVolumeID string) string {
 	return string(matches[1])
 }
 
+func parseAWSEFSVolumeID(k8sVolumeID string) string {
+	re := regexp.MustCompile(regexpEFSVolumeID)
+	matches := re.FindSubmatch([]byte(k8sVolumeID))
+	if len(matches) <= 1 {
+		log.Errorln("Can't parse valid AWS EFS volumeID:", k8sVolumeID)
+		return ""
+	}
+	return string(matches[1])
+}
+
 func buildTags(pvc *corev1.PersistentVolumeClaim) map[string]string {
 
 	tags := map[string]string{}
@@ -290,6 +316,18 @@ func isValidTagName(name string) bool {
 	return true
 }
 
+func provisionedByAwsEfs(pvc *corev1.PersistentVolumeClaim) bool {
+	annotations := pvc.GetAnnotations()
+	if provisionedBy, ok := annotations["volume.beta.kubernetes.io/storage-provisioner"]; !ok {
+		log.WithFields(log.Fields{"namespace": pvc.GetNamespace(), "pvc": pvc.GetName()}).Debugln("no volume.beta.kubernetes.io/storage-provisioner annotation")
+		return false
+	} else if provisionedBy == "efs.csi.aws.com" {
+		log.WithFields(log.Fields{"namespace": pvc.GetNamespace(), "pvc": pvc.GetName()}).Debugln("efs.csi.aws.com volume")
+		return true
+	}
+	return false
+}
+
 func provisionedByAwsEbs(pvc *corev1.PersistentVolumeClaim) bool {
 	annotations := pvc.GetAnnotations()
 	if provisionedBy, ok := annotations["volume.beta.kubernetes.io/storage-provisioner"]; !ok {
@@ -327,8 +365,10 @@ func processPersistentVolumeClaim(pvc *corev1.PersistentVolumeClaim) (string, ma
 		return "", nil, errors.New("cannot get volume.beta.kubernetes.io/storage-provisioner annotation")
 	} else if provisionedBy == "ebs.csi.aws.com" {
 		volumeID = pv.Spec.PersistentVolumeSource.CSI.VolumeHandle
+	} else if provisionedBy == "efs.csi.aws.com" {
+		volumeID = parseAWSEFSVolumeID(pv.Spec.PersistentVolumeSource.CSI.VolumeHandle)
 	} else if provisionedBy == "kubernetes.io/aws-ebs" {
-		volumeID = parseAWSVolumeID(pv.Spec.PersistentVolumeSource.AWSElasticBlockStore.VolumeID)
+		volumeID = parseAWSEBSVolumeID(pv.Spec.PersistentVolumeSource.AWSElasticBlockStore.VolumeID)
 	}
 	log.WithFields(log.Fields{"namespace": pvc.GetNamespace(), "pvc": pvc.GetName(), "volumeID": volumeID}).Debugln("parsed volumeID:", volumeID)
 	if len(volumeID) == 0 {