Skip to content

Commit 8c68f2a

Browse files
grokspawngrokspawn
committed
handle optionality of spec.grpcPodConfig.extractContent.cacheDir
Signed-off-by: Jordan Keister <[email protected]>
1 parent dfd0b2b commit 8c68f2a

File tree

2 files changed

+258
-10
lines changed

2 files changed

+258
-10
lines changed

pkg/controller/registry/reconciler/reconciler.go

+17-10
Original file line numberDiff line numberDiff line change
@@ -275,6 +275,17 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
275275
Name: "catalog-content",
276276
MountPath: catalogPath,
277277
}
278+
// init container to copy catalog info.
279+
// ExtractContent.CatalogDir is mandatory when ExtractContent is provided
280+
// ExtractContent.CacheDir is optional, so we only add it if it is set
281+
var extractArgs []string = []string{
282+
"--catalog.from=" + grpcPodConfig.ExtractContent.CatalogDir,
283+
"--catalog.to=" + fmt.Sprintf("%s/catalog", catalogPath),
284+
}
285+
if grpcPodConfig.ExtractContent.CacheDir != "" {
286+
extractArgs = append(extractArgs, "--cache.from="+grpcPodConfig.ExtractContent.CacheDir)
287+
extractArgs = append(extractArgs, "--cache.to="+fmt.Sprintf("%s/cache", catalogPath))
288+
}
278289
pod.Spec.InitContainers = append(pod.Spec.InitContainers, corev1.Container{
279290
Name: "extract-utilities",
280291
Image: utilImage,
@@ -283,22 +294,18 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
283294
VolumeMounts: []corev1.VolumeMount{utilitiesVolumeMount},
284295
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
285296
}, corev1.Container{
286-
Name: "extract-content",
287-
Image: img,
288-
ImagePullPolicy: image.InferImagePullPolicy(img),
289-
Command: []string{utilitiesPath + "/copy-content"},
290-
Args: []string{
291-
"--catalog.from=" + grpcPodConfig.ExtractContent.CatalogDir,
292-
"--catalog.to=" + fmt.Sprintf("%s/catalog", catalogPath),
293-
"--cache.from=" + grpcPodConfig.ExtractContent.CacheDir,
294-
"--cache.to=" + fmt.Sprintf("%s/cache", catalogPath),
295-
},
297+
Name: "extract-content",
298+
Image: img,
299+
ImagePullPolicy: image.InferImagePullPolicy(img),
300+
Command: []string{utilitiesPath + "/copy-content"},
301+
Args: extractArgs,
296302
VolumeMounts: []corev1.VolumeMount{utilitiesVolumeMount, contentVolumeMount},
297303
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
298304
})
299305

300306
pod.Spec.Containers[0].Image = opmImg
301307
pod.Spec.Containers[0].Command = []string{"/bin/opm"}
308+
// set service cache dir unconditionally, since it should always have compatible permissions for generation, if not provided by grpcPodConfig
302309
pod.Spec.Containers[0].Args = []string{
303310
"serve",
304311
filepath.Join(catalogPath, "catalog"),

pkg/controller/registry/reconciler/reconciler_test.go

+241
Original file line numberDiff line numberDiff line change
@@ -380,6 +380,119 @@ func TestPodExtractContent(t *testing.T) {
380380
},
381381
},
382382
},
383+
{
384+
name: "content extraction expected - legacy security context config, no catalog cache dir",
385+
input: &v1alpha1.CatalogSource{
386+
ObjectMeta: metav1.ObjectMeta{
387+
Name: "test",
388+
Namespace: "testns",
389+
},
390+
Spec: v1alpha1.CatalogSourceSpec{
391+
GrpcPodConfig: &v1alpha1.GrpcPodConfig{
392+
ExtractContent: &v1alpha1.ExtractContentConfig{
393+
CatalogDir: "/catalog",
394+
},
395+
},
396+
},
397+
},
398+
securityContextConfig: v1alpha1.Legacy,
399+
expected: &corev1.Pod{
400+
ObjectMeta: metav1.ObjectMeta{
401+
GenerateName: "test-",
402+
Namespace: "testns",
403+
Labels: map[string]string{"olm.pod-spec-hash": "b0yrMl85J8bFjFWNl1O2XxsX698iPAjbpNhRIT", "olm.managed": "true"},
404+
Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"},
405+
},
406+
Spec: corev1.PodSpec{
407+
Volumes: []corev1.Volume{
408+
{
409+
Name: "utilities",
410+
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
411+
},
412+
{
413+
Name: "catalog-content",
414+
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
415+
},
416+
},
417+
InitContainers: []corev1.Container{
418+
{
419+
Name: "extract-utilities",
420+
Image: "utilImage",
421+
Command: []string{"cp"},
422+
Args: []string{"/bin/copy-content", "/utilities/copy-content"},
423+
VolumeMounts: []corev1.VolumeMount{{Name: "utilities", MountPath: "/utilities"}},
424+
TerminationMessagePolicy: "FallbackToLogsOnError",
425+
},
426+
{
427+
Name: "extract-content",
428+
Image: "image",
429+
ImagePullPolicy: image.InferImagePullPolicy("image"),
430+
Command: []string{"/utilities/copy-content"},
431+
Args: []string{
432+
"--catalog.from=/catalog",
433+
"--catalog.to=/extracted-catalog/catalog",
434+
},
435+
VolumeMounts: []corev1.VolumeMount{
436+
{Name: "utilities", MountPath: "/utilities"},
437+
{Name: "catalog-content", MountPath: "/extracted-catalog"},
438+
},
439+
TerminationMessagePolicy: "FallbackToLogsOnError",
440+
},
441+
},
442+
Containers: []corev1.Container{
443+
{
444+
Name: "name",
445+
Image: "opmImage",
446+
Command: []string{"/bin/opm"},
447+
Args: []string{"serve", "/extracted-catalog/catalog", "--cache-dir=/extracted-catalog/cache"},
448+
Ports: []corev1.ContainerPort{{Name: "grpc", ContainerPort: 50051}},
449+
ReadinessProbe: &corev1.Probe{
450+
ProbeHandler: corev1.ProbeHandler{
451+
Exec: &corev1.ExecAction{
452+
Command: []string{"grpc_health_probe", "-addr=:50051"},
453+
},
454+
},
455+
InitialDelaySeconds: 0,
456+
TimeoutSeconds: 5,
457+
},
458+
LivenessProbe: &corev1.Probe{
459+
ProbeHandler: corev1.ProbeHandler{
460+
Exec: &corev1.ExecAction{
461+
Command: []string{"grpc_health_probe", "-addr=:50051"},
462+
},
463+
},
464+
InitialDelaySeconds: 0,
465+
TimeoutSeconds: 5,
466+
},
467+
StartupProbe: &corev1.Probe{
468+
ProbeHandler: corev1.ProbeHandler{
469+
Exec: &corev1.ExecAction{
470+
Command: []string{"grpc_health_probe", "-addr=:50051"},
471+
},
472+
},
473+
FailureThreshold: 10,
474+
PeriodSeconds: 10,
475+
TimeoutSeconds: 5,
476+
},
477+
Resources: corev1.ResourceRequirements{
478+
Requests: corev1.ResourceList{
479+
corev1.ResourceCPU: resource.MustParse("10m"),
480+
corev1.ResourceMemory: resource.MustParse("50Mi"),
481+
},
482+
},
483+
SecurityContext: &corev1.SecurityContext{
484+
ReadOnlyRootFilesystem: ptr.To(false),
485+
},
486+
ImagePullPolicy: image.InferImagePullPolicy("image"),
487+
TerminationMessagePolicy: "FallbackToLogsOnError",
488+
VolumeMounts: []corev1.VolumeMount{{Name: "catalog-content", MountPath: "/extracted-catalog"}},
489+
},
490+
},
491+
NodeSelector: map[string]string{"kubernetes.io/os": "linux"},
492+
ServiceAccountName: "service-account",
493+
},
494+
},
495+
},
383496
{
384497
name: "content extraction not requested - restricted security context config",
385498
input: &v1alpha1.CatalogSource{
@@ -586,6 +699,134 @@ func TestPodExtractContent(t *testing.T) {
586699
},
587700
},
588701
},
702+
{
703+
name: "content extraction expected - restricted security context config, no catalog cache dir",
704+
input: &v1alpha1.CatalogSource{
705+
ObjectMeta: metav1.ObjectMeta{
706+
Name: "test",
707+
Namespace: "testns",
708+
},
709+
Spec: v1alpha1.CatalogSourceSpec{
710+
GrpcPodConfig: &v1alpha1.GrpcPodConfig{
711+
ExtractContent: &v1alpha1.ExtractContentConfig{
712+
CatalogDir: "/catalog",
713+
},
714+
},
715+
},
716+
},
717+
securityContextConfig: v1alpha1.Restricted,
718+
expected: &corev1.Pod{
719+
ObjectMeta: metav1.ObjectMeta{
720+
GenerateName: "test-",
721+
Namespace: "testns",
722+
Labels: map[string]string{"olm.pod-spec-hash": "3qxzUcTKDfq8QwZPoXteAv35FSwRho7vyYkv4d", "olm.managed": "true"},
723+
Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"},
724+
},
725+
Spec: corev1.PodSpec{
726+
Volumes: []corev1.Volume{
727+
{
728+
Name: "utilities",
729+
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
730+
},
731+
{
732+
Name: "catalog-content",
733+
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
734+
},
735+
},
736+
InitContainers: []corev1.Container{
737+
{
738+
Name: "extract-utilities",
739+
Image: "utilImage",
740+
Command: []string{"cp"},
741+
Args: []string{"/bin/copy-content", "/utilities/copy-content"},
742+
SecurityContext: &corev1.SecurityContext{
743+
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
744+
AllowPrivilegeEscalation: ptr.To(false),
745+
},
746+
VolumeMounts: []corev1.VolumeMount{{Name: "utilities", MountPath: "/utilities"}},
747+
TerminationMessagePolicy: "FallbackToLogsOnError",
748+
},
749+
{
750+
Name: "extract-content",
751+
Image: "image",
752+
ImagePullPolicy: image.InferImagePullPolicy("image"),
753+
Command: []string{"/utilities/copy-content"},
754+
Args: []string{
755+
"--catalog.from=/catalog",
756+
"--catalog.to=/extracted-catalog/catalog",
757+
},
758+
SecurityContext: &corev1.SecurityContext{
759+
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
760+
AllowPrivilegeEscalation: ptr.To(false),
761+
},
762+
VolumeMounts: []corev1.VolumeMount{
763+
{Name: "utilities", MountPath: "/utilities"},
764+
{Name: "catalog-content", MountPath: "/extracted-catalog"},
765+
},
766+
TerminationMessagePolicy: "FallbackToLogsOnError",
767+
},
768+
},
769+
Containers: []corev1.Container{
770+
{
771+
Name: "name",
772+
Image: "opmImage",
773+
Command: []string{"/bin/opm"},
774+
Args: []string{"serve", "/extracted-catalog/catalog", "--cache-dir=/extracted-catalog/cache"},
775+
Ports: []corev1.ContainerPort{{Name: "grpc", ContainerPort: 50051}},
776+
ReadinessProbe: &corev1.Probe{
777+
ProbeHandler: corev1.ProbeHandler{
778+
Exec: &corev1.ExecAction{
779+
Command: []string{"grpc_health_probe", "-addr=:50051"},
780+
},
781+
},
782+
InitialDelaySeconds: 0,
783+
TimeoutSeconds: 5,
784+
},
785+
LivenessProbe: &corev1.Probe{
786+
ProbeHandler: corev1.ProbeHandler{
787+
Exec: &corev1.ExecAction{
788+
Command: []string{"grpc_health_probe", "-addr=:50051"},
789+
},
790+
},
791+
InitialDelaySeconds: 0,
792+
TimeoutSeconds: 5,
793+
},
794+
StartupProbe: &corev1.Probe{
795+
ProbeHandler: corev1.ProbeHandler{
796+
Exec: &corev1.ExecAction{
797+
Command: []string{"grpc_health_probe", "-addr=:50051"},
798+
},
799+
},
800+
FailureThreshold: 10,
801+
PeriodSeconds: 10,
802+
TimeoutSeconds: 5,
803+
},
804+
Resources: corev1.ResourceRequirements{
805+
Requests: corev1.ResourceList{
806+
corev1.ResourceCPU: resource.MustParse("10m"),
807+
corev1.ResourceMemory: resource.MustParse("50Mi"),
808+
},
809+
},
810+
ImagePullPolicy: image.InferImagePullPolicy("image"),
811+
SecurityContext: &corev1.SecurityContext{
812+
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
813+
AllowPrivilegeEscalation: ptr.To(false),
814+
ReadOnlyRootFilesystem: ptr.To(false),
815+
},
816+
TerminationMessagePolicy: "FallbackToLogsOnError",
817+
VolumeMounts: []corev1.VolumeMount{{Name: "catalog-content", MountPath: "/extracted-catalog"}},
818+
},
819+
},
820+
NodeSelector: map[string]string{"kubernetes.io/os": "linux"},
821+
SecurityContext: &corev1.PodSecurityContext{
822+
RunAsUser: ptr.To(int64(workloadUserID)),
823+
RunAsNonRoot: ptr.To(true),
824+
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
825+
},
826+
ServiceAccountName: "service-account",
827+
},
828+
},
829+
},
589830
}
590831

591832
for _, testCase := range testCases {

0 commit comments

Comments
 (0)