From af27be30cd078f570b2e3af8660ea6474066fbd9 Mon Sep 17 00:00:00 2001 From: Daniil Fedotov Date: Thu, 12 Dec 2024 19:03:22 -0500 Subject: [PATCH 1/3] fix: set default namespace and serviceaccount for MultiContainerRun pods (#3285) Signed-off-by: Daniil Fedotov Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> --- pkg/function/multi_container_run.go | 67 +++++++++++++++++------- pkg/function/multi_container_run_test.go | 66 +++++++++++++++++++++++ 2 files changed, 115 insertions(+), 18 deletions(-) diff --git a/pkg/function/multi_container_run.go b/pkg/function/multi_container_run.go index 7dffab95e0..071261743f 100644 --- a/pkg/function/multi_container_run.go +++ b/pkg/function/multi_container_run.go @@ -87,10 +87,12 @@ func (*multiContainerRunFunc) Name() string { return MultiContainerRunFuncName } -func (ktpf *multiContainerRunFunc) run( - ctx context.Context, - cli kubernetes.Interface, -) (map[string]interface{}, error) { +func (ktpf *multiContainerRunFunc) run(ctx context.Context) (map[string]interface{}, error) { + cli, err := kube.NewClient() + if err != nil { + return nil, errkit.Wrap(err, "Failed to create Kubernetes client") + } + volumeMounts := []corev1.VolumeMount{ { Name: ktpSharedVolumeName, @@ -141,7 +143,7 @@ func (ktpf *multiContainerRunFunc) run( }, } - podSpec, err := kube.PatchDefaultPodSpecs(podSpec, ktpf.podOverride) + podSpec, err = kube.PatchDefaultPodSpecs(podSpec, ktpf.podOverride) if err != nil { return nil, errkit.Wrap(err, "Unable to apply podOverride", "podSpec", podSpec, "podOverride", ktpf.podOverride) } 
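Review bot: `run` now builds its own client with `kube.NewClient()` instead of receiving `cli kubernetes.Interface`, so a fake clientset can no longer be handed to it. The service-account defaulting it drives can therefore only be exercised against a live cluster. Keeping the parameter, `func (ktpf *multiContainerRunFunc) run(ctx context.Context, cli kubernetes.Interface) (map[string]interface{}, error)`, and leaving client creation in `Exec`, where the removed lines had it, would preserve that seam. The body of `run` continues past this hunk.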
@@ -162,6 +164,11 @@ func (ktpf *multiContainerRunFunc) run( // FIXME: this doesn't work with pod controller currently so we have to reorder containers ktpf.annotations[defaultContainerAnn] = ktpOutputContainer + err = setPodSpecServiceAccount(&podSpec, ktpf.namespace, cli) + if err != nil { + return nil, errkit.Wrap(err, "Failed to set serviceaccount for pod") + } + pod := &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ GenerateName: jobPrefix, @@ -194,6 +201,23 @@ func (ktpf *multiContainerRunFunc) run( return getPodOutput(ctx, pc) } +func setPodSpecServiceAccount(podSpec *corev1.PodSpec, ns string, cli kubernetes.Interface) error { + sa := podSpec.ServiceAccountName + controllerNamespace, err := kube.GetControllerNamespace() + if err != nil { + return errkit.Wrap(err, "Failed to get controller namespace") + } + + if sa == "" && ns == controllerNamespace { + sa, err = kube.GetControllerServiceAccount(cli) + if err != nil { + return errkit.Wrap(err, "Failed to get Controller Service Account") + } + } + podSpec.ServiceAccountName = sa + return nil +} + // This function is similar to kubeTaskPodFunc func getPodOutput(ctx context.Context, pc kube.PodController) (map[string]interface{}, error) { if err := pc.WaitForPodReady(ctx); err != nil { @@ -242,9 +266,19 @@ func (ktpf *multiContainerRunFunc) Exec(ctx context.Context, tp param.TemplatePa if err = OptArg(args, MultiContainerRunInitCommandArg, &ktpf.initCommand, nil); err != nil { return nil, err } + if err = OptArg(args, MultiContainerRunNamespaceArg, &ktpf.namespace, ""); err != nil { return nil, err } + + if ktpf.namespace == "" { + controllerNamespace, err := kube.GetControllerNamespace() + if err != nil { + return nil, errkit.Wrap(err, "Failed to get controller namespace") + } + ktpf.namespace = controllerNamespace + } + if err = OptArg(args, MultiContainerRunVolumeMediumArg, &ktpf.storageMedium, ""); err != nil { return nil, err } 
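Review bot: `setPodSpecServiceAccount` has no doc comment, and combined with the namespace default added to `Exec` in the last hunk here it changes who the pod runs as: a blueprint that sets no namespace, and whose patched pod spec names no service account, is scheduled in the controller namespace under the controller's own service account. The images and commands come from blueprint arguments, so they would run with whatever RBAC that account holds (not visible in this diff). A comment such as `// setPodSpecServiceAccount falls back to the controller's service account only when the pod runs in the controller namespace and the pod spec names none.` would make that trust decision explicit. The function also calls `kube.GetControllerNamespace()` before looking at `podSpec.ServiceAccountName`, so a lookup failure aborts runs that already specify an account; opening with `if podSpec.ServiceAccountName != "" { return nil }` avoids that.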
@@ -273,28 +307,25 @@ func (ktpf *multiContainerRunFunc) Exec(ctx context.Context, tp param.TemplatePa return nil, err } - ktpf.labels = bpLabels - ktpf.annotations = bpAnnotations + ktpf.setLabelsAndAnnotations(tp, bpLabels, bpAnnotations) + + return ktpf.run(ctx) +} + +func (ktpf *multiContainerRunFunc) setLabelsAndAnnotations(tp param.TemplateParams, labels, annotation map[string]string) { + ktpf.labels = labels + ktpf.annotations = annotation if tp.PodAnnotations != nil { // merge the actionset annotations with blueprint annotations var actionSetAnn ActionSetAnnotations = tp.PodAnnotations - ktpf.annotations = actionSetAnn.MergeBPAnnotations(bpAnnotations) + ktpf.annotations = actionSetAnn.MergeBPAnnotations(annotation) } if tp.PodLabels != nil { // merge the actionset labels with blueprint labels var actionSetLabels ActionSetLabels = tp.PodLabels - ktpf.labels = actionSetLabels.MergeBPLabels(bpLabels) - } - - cli, err := kube.NewClient() - if err != nil { - return nil, errkit.Wrap(err, "Failed to create Kubernetes client") + ktpf.labels = actionSetLabels.MergeBPLabels(labels) } - return ktpf.run( - ctx, - cli, - ) } func (*multiContainerRunFunc) RequiredArgs() []string { diff --git a/pkg/function/multi_container_run_test.go b/pkg/function/multi_container_run_test.go index 23237101c4..005323150d 100644 --- a/pkg/function/multi_container_run_test.go +++ b/pkg/function/multi_container_run_test.go 
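Review bot: The new `setLabelsAndAnnotations` helper has no doc comment and names its parameters inconsistently (`labels` but `annotation`), which reads as if a single annotation were passed. Renaming them to `labels, annotations map[string]string` and adding `// setLabelsAndAnnotations stores the blueprint labels and annotations on ktpf, merged with the ActionSet's PodLabels and PodAnnotations when those are set.` would cover both. Separately, `run` writes `ktpf.annotations[defaultContainerAnn]` (a context line in an earlier hunk), which panics if the map is nil. Whether `bpAnnotations` or the merge result can be nil is not visible in this hunk, so that is worth confirming.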
@@ -202,3 +202,69 @@ func (s *MultiContainerRunSuite) TestMultiContainerRunWithInit(c *C) { } } } + +func multiContainerRunPhaseWithoutNamespace() crv1alpha1.BlueprintPhase { + return crv1alpha1.BlueprintPhase{ + Name: "testMultiContainerRun", + Func: MultiContainerRunFuncName, + Args: map[string]interface{}{ + MultiContainerRunBackgroundImageArg: consts.LatestKanisterToolsImage, + MultiContainerRunBackgroundCommandArg: []string{ + "sh", + "-c", + "echo foo > /tmp/file", + }, + MultiContainerRunOutputImageArg: consts.LatestKanisterToolsImage, + MultiContainerRunOutputCommandArg: []string{ + "sh", + "-c", + "while [ ! -e /tmp/file ]; do sleep 1; done; kando output value $(cat /tmp/file)", + }, + }, + } +} + +func (s *MultiContainerRunSuite) TestMultiContainerRunWithoutNamespace(c *C) { + ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute) + defer cancel() + tp := param.TemplateParams{ + StatefulSet: ¶m.StatefulSetParams{ + Namespace: s.namespace, + }, + PodOverride: crv1alpha1.JSONMap{ + "containers": []map[string]interface{}{ + { + "name": "background", + "imagePullPolicy": "Always", + }, + { + "name": "output", + "imagePullPolicy": "Always", + }, + }, + }, + } + action := "test" + for _, tc := range []struct { + bp *crv1alpha1.Blueprint + outs []map[string]interface{} + }{ + { + bp: newTaskBlueprint(multiContainerRunPhaseWithoutNamespace()), + outs: []map[string]interface{}{ + { + "value": "foo", + }, + }, + }, + } { + phases, err := kanister.GetPhases(*tc.bp, action, kanister.DefaultVersion, tp) + c.Assert(err, IsNil) + c.Assert(phases, HasLen, len(tc.outs)) + for i, p := range phases { + out, err := p.Exec(ctx, *tc.bp, action, tp) + c.Assert(err, IsNil, Commentf("Phase %s failed", p.Name())) + c.Assert(out, DeepEquals, tc.outs[i]) + } + } +} From 2e102a3ecd509a6bf8b0c75915384be7a0d4414d Mon Sep 17 00:00:00 2001 
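Review bot: `TestMultiContainerRunWithoutNamespace` asserts only the phase output, so it would most likely still pass if the pod landed in a different namespace or ran under a different service account than the one this patch is meant to select. Since `setPodSpecServiceAccount` accepts a `kubernetes.Interface`, a small table-driven unit test over it would pin the defaulting rules directly, covering an empty account in the controller namespace, an empty account in another namespace, and an explicit account. That assumes `kube.GetControllerNamespace` can be steered from a test, which this diff does not show. Asserting the created pod's `Namespace` and `Spec.ServiceAccountName` in the integration test would be the alternative.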
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 00:16:20 +0000
Subject: [PATCH 2/3] deps(go): bump golang.org/x/crypto from 0.29.0 to 0.31.0 (#3288)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
---
 go.mod | 10 +++++-----
 go.sum | 20 ++++++++++----------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/go.mod b/go.mod
index 8c5028d34b..7d15493115 100644
--- a/go.mod
+++ b/go.mod
@@ -203,14 +203,14 @@ require (
 go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 go.starlark.net v0.0.0-20240314022150-ee8ed142361c // indirect
 go.uber.org/multierr v1.11.0 // indirect
- golang.org/x/crypto v0.29.0 // indirect
+ golang.org/x/crypto v0.31.0 // indirect
 golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 // indirect
 golang.org/x/mod v0.21.0 // indirect
 golang.org/x/net v0.31.0 // indirect
- golang.org/x/sync v0.9.0 // indirect
- golang.org/x/sys v0.27.0 // indirect
- golang.org/x/term v0.26.0 // indirect
- golang.org/x/text v0.20.0 // indirect
+ golang.org/x/sync v0.10.0 // indirect
+ golang.org/x/sys v0.28.0 // indirect
+ golang.org/x/term v0.27.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
 golang.org/x/time v0.8.0 // indirect
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 99b1fcf8e3..32b3258f87 100644
--- a/go.sum
+++ b/go.sum
@@ -606,8 +606,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= -golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -656,8 +656,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= -golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -686,13 +686,13 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= -golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= -golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 
@@ -701,8 +701,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= -golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 68b8ccda6087a1ed4adbb16933615ffda3ac8721 Mon Sep 17 00:00:00 2001 From: Daniil Fedotov Date: Fri, 13 Dec 2024 14:01:50 -0500 Subject: [PATCH 3/3] build(docker): Use multi-stage FROM directive to support dependabot (#3279) Signed-off-by: Daniil Fedotov Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> --- Dockerfile.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile.in b/Dockerfile.in index a5f4822514..147cb2e0ae 100644 --- a/Dockerfile.in +++ b/Dockerfile.in @@ -1,4 +1,6 @@ -ARG base_image=registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542 +ARG base_image=default +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542 AS default + FROM ${base_image} ARG kanister_version
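Review bot: The new `FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542 AS default` line in Dockerfile.in still identifies the base image by tag alone, and a tag can be re-pointed at the registry without any change in this repository. Pinning the digest as well, `FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542@sha256:<digest-placeholder> AS default`, ties the build to one image. Dependabot's Docker updater can bump digests along with tags, so this should not work against the purpose of the change. A comment above the ARG, for example `# "default" resolves to the pinned stage below; override base_image only with a trusted, pinned image reference.`, would also document that a `base_image` build argument bypasses the pinned base.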