|
|
|
// Copyright 2022 Woodpecker Authors
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package kubernetes
|
|
|
|
|
|
|
|
import (
	"fmt"
	"maps"
	"slices"
	"strings"

	"github.com/rs/zerolog/log"
	v1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/common"
	"go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types"
)
|
|
|
|
|
|
|
|
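// Pod builds the Kubernetes Pod manifest that runs a single pipeline step.
//
// namespace is the namespace the pod is created in. labels and annotations
// become the pod's metadata; labels additionally gains a "step" entry holding
// the pod name, so the caller's map is modified (a nil labels map is
// tolerated). goos selects the shell wrapper used for step.Commands and
// secCtxConf holds the agent-wide security-context defaults.
//
// The pod has exactly one container, named like the pod, that never restarts.
// An error is returned when the step or a volume name cannot be converted to
// a DNS-compatible name, when a resource quantity does not parse, or when an
// extra_hosts entry is not of the form "hostname:ip".
//
// NOTE(review): PVC names, the service account, node selector, tolerations,
// host aliases and the security context are read from the step's backend
// options and forwarded as-is; nothing in this function restricts what a
// pipeline may request, so any such policy has to be enforced by the caller
// or by the cluster (admission control, RBAC, quotas).
func Pod(namespace string, step *types.Step, labels, annotations map[string]string, goos string, secCtxConf SecurityContextConfig) (*v1.Pod, error) {
	vols, volMounts, err := stepVolumes(step)
	if err != nil {
		return nil, err
	}

	// Only an explicit pull request maps to PullAlways; otherwise the field is
	// left empty and Kubernetes applies its own default policy.
	var pullPolicy v1.PullPolicy
	if step.Pull {
		pullPolicy = v1.PullAlways
	}

	var entrypoint, args []string
	if len(step.Commands) != 0 {
		// The commands are wrapped into a script that reaches the container
		// through environment variables; this writes into the step's own
		// environment map, which is guarded against being nil.
		scriptEnv, entry, cmds := common.GenerateContainerConf(step.Commands, goos)
		if step.Environment == nil {
			step.Environment = make(map[string]string, len(scriptEnv))
		}
		maps.Copy(step.Environment, scriptEnv)
		entrypoint = entry
		args = cmds
	}

	hostAliases, err := stepHostAliases(step.ExtraHosts)
	if err != nil {
		return nil, err
	}

	resourceRequirements, err := stepResources(step)
	if err != nil {
		return nil, err
	}

	podName, err := dnsName(step.Name)
	if err != nil {
		return nil, err
	}
	if labels == nil {
		labels = map[string]string{}
	}
	labels["step"] = podName

	nodeSelector := stepNodeSelector(step)
	tolerations := stepTolerations(step)

	beSecurityContext := step.BackendOptions.Kubernetes.SecurityContext
	log.Trace().Interface("Security context", beSecurityContext).Msg("Security context that will be used for pods/containers")
	podSecCtx := podSecurityContext(beSecurityContext, secCtxConf)
	containerSecCtx := containerSecurityContext(beSecurityContext, step.Privileged)

	pod := &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:        podName,
			Namespace:   namespace,
			Labels:      labels,
			Annotations: annotations,
		},
		Spec: v1.PodSpec{
			RestartPolicy: v1.RestartPolicyNever,
			HostAliases:   hostAliases,
			NodeSelector:  nodeSelector,
			Tolerations:   tolerations,
			// Forwarded unchanged from the backend options; an empty string
			// lets Kubernetes fall back to the namespace's default account.
			// Any account the pipeline names is accepted here.
			ServiceAccountName: step.BackendOptions.Kubernetes.ServiceAccountName,
			SecurityContext:    podSecCtx,
			Containers: []v1.Container{{
				Name:            podName,
				Image:           step.Image,
				ImagePullPolicy: pullPolicy,
				Command:         entrypoint,
				Args:            args,
				WorkingDir:      step.WorkingDir,
				Env:             mapToEnvVars(step.Environment),
				VolumeMounts:    volMounts,
				Resources:       resourceRequirements,
				SecurityContext: containerSecCtx,
			}},
			// Hard-coded registry secret name; the operator is expected to
			// provision a secret called "regcred" in the namespace.
			ImagePullSecrets: []v1.LocalObjectReference{{Name: "regcred"}},
			Volumes:          vols,
		},
	}

	return pod, nil
}

// stepVolumes builds one PVC-backed volume plus its mount for every entry of
// step.Volumes, which are "claim-name:/mount/path" strings (the part before
// the first colon is the claim, volumeMountPath yields the path). Volumes are
// only attached when the step has a working directory — presumably steps
// without one do not need the workspace; confirm against the callers.
//
// Every claim is mounted read-write, and whatever claim name reaches
// step.Volumes is used as long as it is DNS-compatible.
func stepVolumes(step *types.Step) ([]v1.Volume, []v1.VolumeMount, error) {
	if step.WorkingDir == "" {
		return nil, nil, nil
	}

	var (
		vols      []v1.Volume
		volMounts []v1.VolumeMount
	)
	for _, vol := range step.Volumes {
		claim, _, _ := strings.Cut(vol, ":")
		volumeName, err := dnsName(claim)
		if err != nil {
			return nil, nil, err
		}

		vols = append(vols, v1.Volume{
			Name: volumeName,
			VolumeSource: v1.VolumeSource{
				PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
					ClaimName: volumeName,
					ReadOnly:  false,
				},
			},
		})
		volMounts = append(volMounts, v1.VolumeMount{
			Name:      volumeName,
			MountPath: volumeMountPath(vol),
		})
	}
	return vols, volMounts, nil
}

// stepHostAliases converts "hostname:ip" entries into HostAlias records that
// end up in the container's /etc/hosts. The split is on the first colon so
// IPv6 addresses survive intact; a malformed entry (no colon, empty host or
// empty address) is reported as an error instead of indexing past the end of
// the split result, which previously panicked the agent.
func stepHostAliases(extraHosts []string) ([]v1.HostAlias, error) {
	hostAliases := make([]v1.HostAlias, 0, len(extraHosts))
	for _, extraHost := range extraHosts {
		host, ip, ok := strings.Cut(extraHost, ":")
		if !ok || host == "" || ip == "" {
			return nil, fmt.Errorf("extra host '%v': expected 'hostname:ip'", extraHost)
		}
		hostAliases = append(hostAliases, v1.HostAlias{IP: ip, Hostnames: []string{host}})
	}
	return hostAliases, nil
}

// stepResources converts the requests/limits maps from the step's backend
// options into Kubernetes resource requirements. Both lists are always
// non-nil (possibly empty). A quantity that does not parse is reported with
// the offending key and value.
func stepResources(step *types.Step) (v1.ResourceRequirements, error) {
	req := v1.ResourceRequirements{Requests: v1.ResourceList{}, Limits: v1.ResourceList{}}
	if err := parseResourceList(req.Requests, step.BackendOptions.Kubernetes.Resources.Requests, "request"); err != nil {
		return v1.ResourceRequirements{}, err
	}
	if err := parseResourceList(req.Limits, step.BackendOptions.Kubernetes.Resources.Limits, "limit"); err != nil {
		return v1.ResourceRequirements{}, err
	}
	return req, nil
}

// parseResourceList parses every quantity in src into dst; kind ("request" or
// "limit") only labels the error message.
func parseResourceList(dst v1.ResourceList, src map[string]string, kind string) error {
	for key, val := range src {
		qty, err := resource.ParseQuantity(val)
		if err != nil {
			return fmt.Errorf("resource %s '%v' quantity '%v': %w", kind, key, val, err)
		}
		dst[v1.ResourceName(key)] = qty
	}
	return nil
}

// stepNodeSelector derives the pod's node selector. The architecture is taken
// from the second "/"-separated field of CI_SYSTEM_PLATFORM in the step
// environment (expected as "os/arch"; a value without a "/" is ignored rather
// than tripping an index panic) and merged with node_selector from the
// backend options, which wins on duplicate keys. Nil is returned when neither
// source contributes anything.
func stepNodeSelector(step *types.Step) map[string]string {
	var nodeSelector map[string]string
	if platform := step.Environment["CI_SYSTEM_PLATFORM"]; platform != "" {
		if parts := strings.Split(platform, "/"); len(parts) > 1 {
			nodeSelector = map[string]string{v1.LabelArchStable: parts[1]}
			log.Trace().Msgf("Using the node selector from the Agent's platform: %v", nodeSelector)
		}
	}

	beOptNodeSelector := step.BackendOptions.Kubernetes.NodeSelector
	if len(beOptNodeSelector) > 0 {
		if len(nodeSelector) == 0 {
			nodeSelector = beOptNodeSelector
		} else {
			log.Trace().Msgf("Appending labels to the node selector from the backend options: %v", beOptNodeSelector)
			maps.Copy(nodeSelector, beOptNodeSelector)
		}
	}
	return nodeSelector
}

// stepTolerations copies the tolerations from the step's backend options into
// their Kubernetes form; operator and effect are plain string conversions and
// are not validated here. Nil is returned when none are configured. Because
// tolerations let the pod land on tainted nodes, a pipeline can request
// scheduling onto any tainted pool — nothing here restricts which taints.
func stepTolerations(step *types.Step) []v1.Toleration {
	beTolerations := step.BackendOptions.Kubernetes.Tolerations
	if len(beTolerations) == 0 {
		return nil
	}

	tolerations := make([]v1.Toleration, 0, len(beTolerations))
	for _, t := range beTolerations {
		tolerations = append(tolerations, v1.Toleration{
			Key:               t.Key,
			Operator:          v1.TolerationOperator(t.Operator),
			Value:             t.Value,
			Effect:            v1.TaintEffect(t.Effect),
			TolerationSeconds: t.TolerationSeconds,
		})
	}
	log.Trace().Msgf("Tolerations that will be used in the backend options: %v", beTolerations)
	return tolerations
}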
|
|
|
|
|
|
|
|
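// mapToEnvVars turns the step's environment map into the EnvVar list the
// container spec expects. Keys are emitted in sorted order so the generated
// pod spec is deterministic (Go randomizes map iteration), which keeps
// manifests diffable and tests stable. A nil or empty map yields nil.
//
// Values are embedded verbatim as plain EnvVar values, not as Secret
// references, so whatever the map holds is readable by anyone who can view
// the pod spec in the namespace.
func mapToEnvVars(m map[string]string) []v1.EnvVar {
	if len(m) == 0 {
		return nil
	}

	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	slices.Sort(keys)

	ev := make([]v1.EnvVar, 0, len(keys))
	for _, k := range keys {
		ev = append(ev, v1.EnvVar{
			Name:  k,
			Value: m[k],
		})
	}
	return ev
}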
|
|
|
|
|
|
|
|
// volumeMountPath returns the container path for a volume spec. Entries look
// like "name:/path"; the second colon-separated field is the mount path. When
// there is no colon the whole string doubles as both claim name and path.
func volumeMountPath(i string) string {
	// Three fields are enough: anything after the second colon is irrelevant.
	parts := strings.SplitN(i, ":", 3)
	if len(parts) < 2 {
		return parts[0]
	}
	return parts[1]
}
|
|
|
|
|
|
|
|
// podSecurityContext derives the pod-level security context from the step's
// pipeline-supplied security_context (sc, may be nil) and the agent-wide
// defaults in secCtxConf.
//
// RunAsNonRoot is the only field with an agent default, and that default is
// not a floor: when the pipeline sets run_as_non_root explicitly — including
// to false — the agent setting is never consulted, so a pipeline can opt out
// of it. RunAsUser, RunAsGroup and FSGroup are passed through unchanged
// (a uid of 0 is not rejected here). Nil is returned when no field would be
// set, leaving the pod spec without a securityContext.
func podSecurityContext(sc *types.SecurityContext, secCtxConf SecurityContextConfig) *v1.PodSecurityContext {
	ctx := &v1.PodSecurityContext{}

	switch {
	case sc != nil && sc.RunAsNonRoot != nil:
		// Explicit pipeline value: only true is propagated; false leaves the
		// field unset and, as a side effect, skips the agent default.
		if *sc.RunAsNonRoot {
			ctx.RunAsNonRoot = sc.RunAsNonRoot
		}
	case secCtxConf.RunAsNonRoot:
		ctx.RunAsNonRoot = &secCtxConf.RunAsNonRoot
	}

	if sc != nil {
		ctx.RunAsUser = sc.RunAsUser
		ctx.RunAsGroup = sc.RunAsGroup
		ctx.FSGroup = sc.FSGroup
	}

	if ctx.RunAsNonRoot == nil && ctx.RunAsUser == nil && ctx.RunAsGroup == nil && ctx.FSGroup == nil {
		return nil
	}
	return ctx
}
|
|
|
|
|
|
|
|
// containerSecurityContext derives the container-level security context.
// Only Privileged is ever set: it becomes true when the pipeline's
// security_context.privileged is true or when the step itself is marked
// privileged; otherwise nil is returned and the field stays unset.
//
// NOTE(review): sc.Privileged from the backend options is honored here
// without reference to stepPrivileged, so whatever gate grants
// step.Privileged does not cover this path — confirm that the caller (or the
// server) restricts security_context.privileged before it reaches the agent.
func containerSecurityContext(sc *types.SecurityContext, stepPrivileged bool) *v1.SecurityContext {
	fromOptions := sc != nil && sc.Privileged != nil && *sc.Privileged
	if !fromOptions && !stepPrivileged {
		return nil
	}

	privileged := true
	return &v1.SecurityContext{
		Privileged: &privileged,
	}
}
|