Add support for volume mounts #4673
Conversation
|
@anilkeshav27 As discussed, this is a prerequisite to make |
|
@c0d1ngm0nk3y , i have also forwarded this request to jenkins as a service to make sure that there is no restriction from their side if the pod template changes . i dont know their public github usernames so have forwarded the PR to them to also get a nod from their side |
| @NonCPS | ||
| def containerMountPathFromVolumeBind(dockerVolumeBind) { | ||
| if (dockerVolumeBind) { | ||
| return dockerVolumeBind[0].split(":")[1] |
There was a problem hiding this comment.
Are you sure all customers will use : as separator?
Docker also provides the option to specify mounts via source and target properties. For those use cases your function is not going to work.
Not sure if this is supported by Piper.
There was a problem hiding this comment.
Also why only the first volume get's translated?
There was a problem hiding this comment.
Also why only the first volume get's translated?
It is containerMountPath. The user cannot influence WHAT is mounted, only to what path.
There was a problem hiding this comment.
Are you sure all customers will use
:as separator? Docker also provides the option to specify mounts viasourceandtargetproperties. For those use cases your function is not going to work. Not sure if this is supported by Piper.
Do you mean this? This ist actually a mount command and not bind. So I do not think it is supported.
There was a problem hiding this comment.
As part of the JaaS setup within SAP, we do not permit the use of hostPath volumes. This practice aligns with security best practices, especially in a shared cluster environment. The proposed change would have an impact on our internal customers
There was a problem hiding this comment.
@basava12345 , @c0d1ngm0nk3y , the code only talks about the volume mounts in the main app container running in the pod and this functionality is unchanged, if i understand correctly the change can allow any path to be mounted in the side care container ?.
Since the environment is shared does that allow me to bring a path from any other project into my running pod with the side car container or is it a named volume that already exists which i want to mount at a specefic path in my container ?
if its an already existing volume who creates it ?
maybe i missing something here and so want to be sure,
There was a problem hiding this comment.
@basava12345 , @c0d1ngm0nk3y , the code only talks about the volume mounts in the main app container running in the pod and this functionality is unchanged,
if i understand correctly the change can allow any path to be mounted in the side care container ?.
Yes, the path in the container can be anything, but that is only the path within the container. WHAT to mount is hardcoded (here: "volume").
Since the environment is shared does that allow me to bring a path from any other project into my running pod with the side car container
I don't se how...
or is it a named volume that already exists which i want to mount at a specefic path in my container ?
Yes. In case of Kubernetes, it is a emptyDir, I do not know what the other orchestrators are doing tbh.
if its an already existing volume who creates it ?
Hopefully, the orchestrator specific code. Or docker when starting it with the correct arguments.
maybe i missing something here and so want to be sure,
I am not 100% sure that we are talking about the same thing, similar to this comment.
There was a problem hiding this comment.
I think, I now got your point. On Kubernetes, it is clear that an empty dir is mounted. But we will check what happens for ADO and GHA.
There was a problem hiding this comment.
i think it will confusing for users with the current paramter. if someone called dockerExecute with dockerVolumeBind then there is a implicit understanding in code that the target path is taken into account and an emptyDir is mounted into the target path . and this changes the understanding of a traditional volume bind hostPath:targetPath which is not allowed in shared k8s cluster environment but can work outside a shared k8s cluster
we have a clean parameter in dockerExecuteOnKubernetes, couldn't we reuse that as a new param for dockerExecute ? so the behavior remains the same ?
/**
* The path to which a volume should be mounted to. This volume will be available at the same
* mount path in each container of the provided containerMap. The volume is of type emptyDir
* and has the name 'volume'. With the additionalPodProperties parameter one can for example
* use this volume in an initContainer.
*/
'containerMountPath',
/**
There was a problem hiding this comment.
To summarise the meeting we had:
We will stick to volumeBind, but make sure that the Name is volume. With that, we would still be flexible to enhance in the future, but for the user there won't be surprises what ist actually mounted. We should document this restriction though.
| WorkingDir string `json:"workingDir"` | ||
| Conditions []Condition `json:"conditions,omitempty"` | ||
| Options []Option `json:"options,omitempty"` | ||
| VolumeMounts []VolumeMount `json:"volumeMounts,omitempty"` |
There was a problem hiding this comment.
Maybe we should not go for "VolumeMounts []VolumeMounts", but for "MountPath string". That is what we do for kubernetes anyway (ignoring the name and take the first one). So the docker arguments would be in synch. The user could configure the mountPath of an empty and shared volume. WDYT?
There was a problem hiding this comment.
Well, maybe it DOES make sense to keep the API generic to be able to easily extend the capabilities later.
| @@ -385,7 +385,7 @@ func (container *Container) commonConfiguration(keyPrefix string, config *map[st | |||
| } | |||
| putStringIfNotEmpty(*config, keyPrefix+"Workspace", container.WorkingDir) | |||
| putSliceIfNotEmpty(*config, keyPrefix+"Options", OptionsAsStringSlice(container.Options)) | |||
| //putSliceIfNotEmpty(*config, keyPrefix+"VolumeBind", volumeMountsAsStringSlice(container.VolumeMounts)) | |||
| putSliceIfNotEmpty(*config, keyPrefix+"VolumeBind", volumeMountsAsStringSlice(container.VolumeMounts)) | |||
There was a problem hiding this comment.
Can't we put it into the dockerOptions? Ecspecially if we limit it to one empty volume.
c0d1ngm0nk3y
force-pushed
the
k8s-volumes
branch
from
8175b2d to
cd31262
Compare
|
/it-go |
|
will merge in the morning , to be sure if anything breaks, we can rework if needed |
Co-authored-by: Ralf Pannemans <[email protected]>
|
/it-go |
|
@anilkeshav27 Anything missing? |
|
Kudos, SonarCloud Quality Gate passed!
|
|
/it-go |
1 similar comment
|
/it-go |
|
This change broke our pipeline, can you please have a look at #4705 ? Thanks. |
* Add support for volume mounts * Adatpt unit test to include VolumeMounts Co-authored-by: Ralf Pannemans <[email protected]> * Only accept volumeMounts with the name volume --------- Co-authored-by: Johannes Dillmann <[email protected]> Co-authored-by: Philipp Stehle <[email protected]> Co-authored-by: Anil Keshav <[email protected]>
containerMountPathdid not work and was partly commented out. For now, it only acceptsmountPathwith the name volume. If provided, themountPathwill be used ascontainerMountPath.Changes