From 19206fe3fca92aa75f502a0ccfaa16ad6b0692e9 Mon Sep 17 00:00:00 2001 From: Bryce Lampe Date: Thu, 26 Sep 2024 11:18:55 -0700 Subject: [PATCH] [v2] Use official nonroot images for e2e tests --- .../workflows/v2-run-acceptance-tests.yaml | 3 - operator/Makefile | 6 +- operator/e2e/e2e_test.go | 2 - .../testdata/git-auth-nonroot/manifests.yaml | 2 +- .../random-yaml-nonroot/manifests.yaml | 2 +- operator/examples/random-yaml/stack.yaml | 3 +- operator/examples/random-yaml/workspace.yaml | 87 +++++++++---------- operator/hack/nonroot/Dockerfile | 9 -- operator/hack/nonroot/Makefile | 7 -- 9 files changed, 48 insertions(+), 73 deletions(-) delete mode 100644 operator/hack/nonroot/Dockerfile delete mode 100644 operator/hack/nonroot/Makefile diff --git a/.github/workflows/v2-run-acceptance-tests.yaml b/.github/workflows/v2-run-acceptance-tests.yaml index 721a6ec2..2caae4bd 100644 --- a/.github/workflows/v2-run-acceptance-tests.yaml +++ b/.github/workflows/v2-run-acceptance-tests.yaml @@ -62,9 +62,6 @@ jobs: runs-on: ubuntu-latest name: E2E tests steps: - # Building the rootless image currently eats up all of our free disk. - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - name: Setup cluster uses: helm/kind-action@v1 with: diff --git a/operator/Makefile b/operator/Makefile index 3f24ed2b..cb0aa099 100644 --- a/operator/Makefile +++ b/operator/Makefile 
@@ -151,13 +151,9 @@ run: manifests generate fmt vet ## Run a controller from your host. # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it. # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ .PHONY: docker-build -docker-build: docker-rootless ## Build docker image with the manager. +docker-build: ## Build docker image with the manager. $(CONTAINER_TOOL) build -t ${IMG}:${VERSION} --build-context agent=../agent --build-arg VERSION=${VERSION} . -.PHONY: docker-rootless -docker-rootless: - $(MAKE) -C hack/nonroot - .PHONY: docker-push docker-push: ## Push docker image with the manager. $(CONTAINER_TOOL) push ${IMG}:${VERSION} diff --git a/operator/e2e/e2e_test.go b/operator/e2e/e2e_test.go index ad08d100..2f8197ca 100644 --- a/operator/e2e/e2e_test.go +++ b/operator/e2e/e2e_test.go @@ -52,8 +52,6 @@ func TestE2E(t *testing.T) { err := loadImageToKindClusterWithName(projectimage) require.NoError(t, err, "failed to load image into kind") - err = loadImageToKindClusterWithName("pulumi/pulumi:3.130.0-nonroot") - require.NoError(t, err, "failed to load image into kind") cmd = exec.Command("make", "install") require.NoError(t, run(cmd), "failed to install CRDs") diff --git a/operator/e2e/testdata/git-auth-nonroot/manifests.yaml b/operator/e2e/testdata/git-auth-nonroot/manifests.yaml index ac6c89b3..8c49211d 100644 --- a/operator/e2e/testdata/git-auth-nonroot/manifests.yaml +++ b/operator/e2e/testdata/git-auth-nonroot/manifests.yaml @@ -54,7 +54,7 @@ spec: value: "test" workspaceTemplate: spec: - image: pulumi/pulumi:3.130.0-nonroot + image: pulumi/pulumi:3.134.1-nonroot podTemplate: spec: containers: diff --git a/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml b/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml index 5fd1d1f7..fd9fa73b 100644 --- a/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml +++ b/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml 
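Review bot: The new `image: pulumi/pulumi:3.134.1-nonroot` in operator/e2e/testdata/git-auth-nonroot/manifests.yaml is referenced by a mutable tag. With the `loadImageToKindClusterWithName("pulumi/pulumi:3.130.0-nonroot")` preload removed from TestE2E in this same commit, the kind cluster presumably pulls the image from the registry on every run. Pinning the digest next to the tag, `image: pulumi/pulumi:3.134.1-nonroot@sha256:<digest of the 3.134.1-nonroot image>`, keeps the e2e runs reproducible and means a re-pointed tag cannot change what the workspace pods execute. The same line appears in random-yaml-nonroot/manifests.yaml, examples/random-yaml/stack.yaml and examples/random-yaml/workspace.yaml. The workspace.yaml context lines already show a `digest: sha256:…` field for its source, so a digest-pinned image would be consistent there.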
@@ -59,7 +59,7 @@ spec: value: "test" workspaceTemplate: spec: - image: pulumi/pulumi:3.130.0-nonroot + image: pulumi/pulumi:3.134.1-nonroot podTemplate: spec: containers: diff --git a/operator/examples/random-yaml/stack.yaml b/operator/examples/random-yaml/stack.yaml index 01e8d12a..ee442b64 100644 --- a/operator/examples/random-yaml/stack.yaml +++ b/operator/examples/random-yaml/stack.yaml @@ -23,4 +23,5 @@ spec: secret: name: pulumi-api-secret key: accessToken - image: pulumi/pulumi:3.130.0-nonroot \ No newline at end of file + image: pulumi/pulumi:3.134.1-nonroot + diff --git a/operator/examples/random-yaml/workspace.yaml b/operator/examples/random-yaml/workspace.yaml index 68178fba..a54bdbdf 100644 --- a/operator/examples/random-yaml/workspace.yaml +++ b/operator/examples/random-yaml/workspace.yaml @@ -11,10 +11,10 @@ kind: Workspace metadata: name: random-yaml-1e2fc47 spec: - image: pulumi/pulumi:3.130.0-nonroot - securityProfile: restricted + image: pulumi/pulumi:3.134.1-nonroot + securityProfile: restricted serviceAccountName: default - + # git: # url: https://github.com/pulumi/examples.git # revision: 1e2fc471709448f3c9f7a250f28f1eafcde7017b @@ -24,11 +24,11 @@ spec: digest: sha256:6560311e95689086aa195a82c0310080adc31bea2457936ce528a014d811407a dir: random-yaml env: - - name: PULUMI_ACCESS_TOKEN - valueFrom: - secretKeyRef: - name: pulumi-api-secret - key: accessToken + - name: PULUMI_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: pulumi-api-secret + key: accessToken resources: requests: cpu: 1 
@@ -53,27 +53,27 @@ spec: operator: "Exists" effect: "NoSchedule" initContainers: - - name: extra - image: busybox - command: ["sh", "-c", "echo 'Hello, extra init container!'"] - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - volumeMounts: - - name: share - mountPath: /share + - name: extra + image: busybox + command: ["sh", "-c", "echo 'Hello, extra init container!'"] + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + volumeMounts: + - name: share + mountPath: /share containers: - - name: pulumi - volumeMounts: - - name: secret-volume - mountPath: /etc/secret-volume - readOnly: true - - name: oidc-token - mountPath: /var/run/secrets/pulumi + - name: pulumi + volumeMounts: + - name: secret-volume + mountPath: /etc/secret-volume + readOnly: true + - name: oidc-token + mountPath: /var/run/secrets/pulumi volumes: - name: secret-volume secret: @@ -88,19 +88,18 @@ spec: stacks: - name: dev config: - - key: "pulumi:oidcToken" - valueFrom: - path: /var/run/secrets/pulumi/token - secret: true - - key: kubernetes:namespace - value: "default" - - key: data.active - path: true - value: "true" - - key: data.nums[0] - path: true - value: "1" - - key: data.nums[1] - path: true - value: "2" - + - key: "pulumi:oidcToken" + valueFrom: + path: /var/run/secrets/pulumi/token + secret: true + - key: kubernetes:namespace + value: "default" + - key: data.active + path: true + value: "true" + - key: data.nums[0] + path: true + value: "1" + - key: data.nums[1] + path: true + value: "2" diff --git a/operator/hack/nonroot/Dockerfile b/operator/hack/nonroot/Dockerfile deleted file mode 100644 index 57da7554..00000000 --- a/operator/hack/nonroot/Dockerfile +++ /dev/null 
@@ -1,9 +0,0 @@
-ARG BASE_IMAGE=pulumi/pulumi:latest
-FROM ${BASE_IMAGE}
-ARG UID=1000
-ARG GID=1000
-
-RUN addgroup --gid $GID pulumi && \
- adduser --uid $UID --gid $GID --disabled-password --gecos "" pulumi && \
- echo 'pulumi ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
-USER pulumi:pulumi
\ No newline at end of file
diff --git a/operator/hack/nonroot/Makefile b/operator/hack/nonroot/Makefile
deleted file mode 100644
index 415ca660..00000000
--- a/operator/hack/nonroot/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-
-.PHONY=image
-
-IMG ?= pulumi/pulumi:3.130.0
-
-image:
- docker build -t $(IMG)-nonroot --build-arg "BASE_IMAGE=$(IMG)" .
\ No newline at end of file