flux-framework · vsoch · Jul 27, 2023 · Jul 26, 2023 · Jul 26, 2023 · Jul 26, 2023
diff --git a/api/v1alpha1/minicluster_types.go b/api/v1alpha1/minicluster_types.go
@@ -68,6 +68,10 @@ type MiniClusterSpec struct {
 	// +optional
 	Archive MiniClusterArchive `json:"archive"`
 
+	// Share process namespace?
+	// +optional
+	ShareProcessNamespace bool `json:"shareProcessNamespace"`
+
 	// Customization to Flux Restful API
 	// There should only be one container to run flux with runFlux
 	// +optional
@@ -548,13 +552,6 @@ type MiniClusterContainer struct {
 	// +optional
 	ExistingVolumes map[string]MiniClusterExistingVolume `json:"existingVolumes"`
 
-	// Special command to run at beginning of script, directly after asFlux
-	// is defined as sudo -u flux -E (so you can change that if desired.)
-	// This is only valid if FluxRunner is set (that writes a wait.sh script)
-	// This is for the indexed job pods and the certificate generation container.
-	// +optional
-	PreCommand string `json:"preCommand"`
-
 	// Lifecycle can handle post start commands, etc.
 	// +optional
 	LifeCycle LifeCycle `json:"lifeCycle"`
@@ -578,6 +575,10 @@ type SecurityContext struct {
 	// Privileged container
 	// +optional
 	Privileged bool `json:"privileged,omitempty"`
+
+	// Capabilities to add
+	// +optional
+	AddCapabilities []string `json:"addCapabilities,omitempty"`
 }
 
 type LifeCycle struct {
@@ -680,6 +681,17 @@ func (f *MiniCluster) MultiUser() bool {
 	return len(f.Spec.Users) > 0
 }
 
+// Determine if a MiniCluster container has custom commands
+// if we have custom commands and a command entrypoint we can support additional custom logic
+func (c *MiniClusterContainer) HasCommands() bool {
+	return c.Commands.Pre != "" || c.Commands.BrokerPre != "" || c.Commands.WorkerPre != "" || c.Commands.Init != "" || c.Commands.Post != ""
+}
+
+// Determine if we should generate a start.sh entrypoint for a sidecar
+func (c *MiniClusterContainer) GenerateEntrypoint() bool {
+	return c.HasCommands() && !c.RunFlux && c.Command != ""
+}
+
 // Return a lookup of all container existing volumes (for the higher level Pod)
 // Volumes are unique by name.
 func (f *MiniCluster) ExistingContainerVolumes() map[string]MiniClusterExistingVolume {
@@ -766,7 +778,7 @@ func (f *MiniCluster) Validate() bool {
 			fmt.Printf("😥️ Service containers always require a name.\n")
 			return false
 		}
-		if service.PreCommand != "" || service.Commands.Pre != "" ||
+		if service.Commands.Pre != "" ||
 			service.Commands.BrokerPre != "" || service.Commands.WorkerPre != "" {
 			fmt.Printf("😥️ Services do not support Commands.\n")
 			return false
@@ -829,6 +841,12 @@ func (f *MiniCluster) Validate() bool {
 		fmt.Printf("🤓 %s.Command %s\n", name, container.Command)
 		fmt.Printf("🤓 %s.FluxRunner %t\n", name, container.RunFlux)
 
+		// A non-flux runner container with any commands also needs a command
+		// Don't allow the user to specify commands without a main command!
+		if !container.RunFlux && container.HasCommands() && container.Command == "" {
+			fmt.Printf("😥️ %s has commands, but not a main entrypoint command. Both are required to customize entrypoint logic..\n", name)
+			return false
+		}
 		// Launcher mode does not work with batch
 		if container.Launcher && container.Batch {
 			fmt.Printf("😥️ %s is indicated for batch and launcher, choose one.\n", name)

diff --git a/api/v1alpha1/swagger.json b/api/v1alpha1/swagger.json
@@ -436,11 +436,6 @@
           },
           "x-kubernetes-list-type": "atomic"
         },
-        "preCommand": {
-          "description": "Special command to run at beginning of script, directly after asFlux is defined as sudo -u flux -E (so you can change that if desired.) This is only valid if FluxRunner is set (that writes a wait.sh script) This is for the indexed job pods and the certificate generation container.",
-          "type": "string",
-          "default": ""
-        },
         "pullAlways": {
           "description": "Allow the user to dictate pulling By default we pull if not present. Setting this to true will indicate to pull always",
           "type": "boolean",
@@ -630,6 +625,11 @@
           },
           "x-kubernetes-list-type": "atomic"
         },
+        "shareProcessNamespace": {
+          "description": "Share process namespace?",
+          "type": "boolean",
+          "default": false
+        },
         "size": {
           "description": "Size (number of job pods to run, size of minicluster in pods) This is also the minimum number required to start Flux",
           "type": "integer",
@@ -873,6 +873,14 @@
     "SecurityContext": {
       "type": "object",
       "properties": {
+        "addCapabilities": {
+          "description": "Capabilities to add",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "default": ""
+          }
+        },
         "privileged": {
           "description": "Privileged container",
           "type": "boolean"

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/v1alpha1/zz_generated.openapi.go b/api/v1alpha1/zz_generated.openapi.go
diff --git a/chart/templates/minicluster-crd.yaml b/chart/templates/minicluster-crd.yaml
@@ -187,13 +187,6 @@ spec:
                         type: integer
                       type: array
                       x-kubernetes-list-type: atomic
-                    preCommand:
-                      description: Special command to run at beginning of script, directly
-                        after asFlux is defined as sudo -u flux -E (so you can change
-                        that if desired.) This is only valid if FluxRunner is set (that
-                        writes a wait.sh script) This is for the indexed job pods and
-                        the certificate generation container.
-                      type: string
                     pullAlways:
                       default: false
                       description: Allow the user to dictate pulling By default we pull
@@ -242,6 +235,11 @@ spec:
                     securityContext:
                       description: Security Context https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
                       properties:
+                        addCapabilities:
+                          description: Capabilities to add
+                          items:
+                            type: string
+                          type: array
                         privileged:
                           description: Privileged container
                           type: boolean
@@ -617,13 +615,6 @@ spec:
                         type: integer
                       type: array
                       x-kubernetes-list-type: atomic
-                    preCommand:
-                      description: Special command to run at beginning of script, directly
-                        after asFlux is defined as sudo -u flux -E (so you can change
-                        that if desired.) This is only valid if FluxRunner is set (that
-                        writes a wait.sh script) This is for the indexed job pods and
-                        the certificate generation container.
-                      type: string
                     pullAlways:
                       default: false
                       description: Allow the user to dictate pulling By default we pull
@@ -672,6 +663,11 @@ spec:
                     securityContext:
                       description: Security Context https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
                       properties:
+                        addCapabilities:
+                          description: Capabilities to add
+                          items:
+                            type: string
+                          type: array
                         privileged:
                           description: Privileged container
                           type: boolean
@@ -697,6 +693,9 @@ spec:
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
+              shareProcessNamespace:
+                description: Share process namespace?
+                type: boolean
               size:
                 default: 1
                 description: Size (number of job pods to run, size of minicluster in

diff --git a/config/crd/bases/flux-framework.org_miniclusters.yaml b/config/crd/bases/flux-framework.org_miniclusters.yaml
@@ -187,13 +187,6 @@ spec:
                         type: integer
                       type: array
                       x-kubernetes-list-type: atomic
-                    preCommand:
-                      description: Special command to run at beginning of script,
-                        directly after asFlux is defined as sudo -u flux -E (so you
-                        can change that if desired.) This is only valid if FluxRunner
-                        is set (that writes a wait.sh script) This is for the indexed
-                        job pods and the certificate generation container.
-                      type: string
                     pullAlways:
                       default: false
                       description: Allow the user to dictate pulling By default we
@@ -243,6 +236,11 @@ spec:
                     securityContext:
                       description: Security Context https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
                       properties:
+                        addCapabilities:
+                          description: Capabilities to add
+                          items:
+                            type: string
+                          type: array
                         privileged:
                           description: Privileged container
                           type: boolean
@@ -622,13 +620,6 @@ spec:
                         type: integer
                       type: array
                       x-kubernetes-list-type: atomic
-                    preCommand:
-                      description: Special command to run at beginning of script,
-                        directly after asFlux is defined as sudo -u flux -E (so you
-                        can change that if desired.) This is only valid if FluxRunner
-                        is set (that writes a wait.sh script) This is for the indexed
-                        job pods and the certificate generation container.
-                      type: string
                     pullAlways:
                       default: false
                       description: Allow the user to dictate pulling By default we
@@ -678,6 +669,11 @@ spec:
                     securityContext:
                       description: Security Context https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
                       properties:
+                        addCapabilities:
+                          description: Capabilities to add
+                          items:
+                            type: string
+                          type: array
                         privileged:
                           description: Privileged container
                           type: boolean
@@ -704,6 +700,9 @@ spec:
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
+              shareProcessNamespace:
+                description: Share process namespace?
+                type: boolean
               size:
                 default: 1
                 description: Size (number of job pods to run, size of minicluster

diff --git a/controllers/flux/containers.go b/controllers/flux/containers.go
@@ -51,6 +51,13 @@ func (r *MiniClusterReconciler) getContainers(
 			containerName = defaultName
 		}
 
+		// A container not running flux can only have pre/post sections
+		// in a custom script if we know the entrypoint.
+		if container.GenerateEntrypoint() {
+			startScript := fmt.Sprintf("/flux_operator/start-%d.sh", i)
+			command = []string{"/bin/bash", startScript, container.Command}
+		}
+
 		// Prepare lifescycle commands for the container
 		lifecycle := r.createContainerLifecycle(container)
 
@@ -81,8 +88,17 @@ func (r *MiniClusterReconciler) getContainers(
 		if err != nil {
 			return containers, err
 		}
+
+		addCaps := []corev1.Capability{}
+		for _, cap := range container.SecurityContext.AddCapabilities {
+			addCaps = append(addCaps, corev1.Capability(cap))
+		}
+
 		securityContext := corev1.SecurityContext{
 			Privileged: &container.SecurityContext.Privileged,
+			Capabilities: &corev1.Capabilities{
+				Add: addCaps,
+			},
 		}
 		newContainer := corev1.Container{
 

diff --git a/controllers/flux/job.go b/controllers/flux/job.go
@@ -61,13 +61,14 @@ func (r *MiniClusterReconciler) newMiniClusterJob(
 				},
 				Spec: corev1.PodSpec{
 					// matches the service
-					Subdomain:          cluster.Spec.Network.HeadlessName,
-					SetHostnameAsFQDN:  &setAsFQDN,
-					Volumes:            getVolumes(cluster),
-					RestartPolicy:      corev1.RestartPolicyOnFailure,
-					ImagePullSecrets:   getImagePullSecrets(cluster),
-					ServiceAccountName: cluster.Spec.Pod.ServiceAccountName,
-					NodeSelector:       cluster.Spec.Pod.NodeSelector,
+					Subdomain:             cluster.Spec.Network.HeadlessName,
+					ShareProcessNamespace: &cluster.Spec.ShareProcessNamespace,
+					SetHostnameAsFQDN:     &setAsFQDN,
+					Volumes:               getVolumes(cluster),
+					RestartPolicy:         corev1.RestartPolicyOnFailure,
+					ImagePullSecrets:      getImagePullSecrets(cluster),
+					ServiceAccountName:    cluster.Spec.Pod.ServiceAccountName,
+					NodeSelector:          cluster.Spec.Pod.NodeSelector,
 				}},
 		},
 	}