Merge remote-tracking branch 'origin/master'

drone-runners · May 7, 2020 · c834e1f2335dd75191f51c0e554b1275b81d9f0d · c834e1f
2 parents c4bfe0a + 0ea1296
commit c834e1f2335dd75191f51c0e554b1275b81d9f0d
Show file tree

Hide file tree

Showing 10 changed files with 140 additions and 5 deletions.
diff --git a/docker/Dockerfile.linux.amd64 b/docker/Dockerfile.linux.amd64
@@ -11,4 +11,4 @@ ENV DRONE_PLATFORM_ARCH amd64
 COPY --from=alpine /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
 ADD release/linux/amd64/drone-runner-kube /bin/
-ENTRYPOINT ["/bin/drone-runner-kube"]
+ENTRYPOINT ["/bin/drone-runner-kube"]
diff --git a/engine/compiler/compiler.go b/engine/compiler/compiler.go
@@ -505,6 +505,13 @@ func (c *Compiler) Compile(ctx context.Context, args runtime.CompilerArgs) runti
 				Name: v.Name,
 				Path: v.HostPath.Path,
 			}
+		} else if v.Claim != nil {
+			src.Claim = &engine.VolumeClaim{
+				ID:        id,
+				Name:      v.Name,
+				ClaimName: v.Claim.ClaimName,
+				ReadOnly:  v.Claim.ReadOnly,
+			}
 		} else {
 			continue
 		}

diff --git a/engine/convert.go b/engine/convert.go
@@ -117,6 +117,19 @@ func toVolumes(spec *Spec) []v1.Volume {
 			volumes = append(volumes, volume)
 		}
 
+		if v.Claim != nil {
+			volume := v1.Volume{
+				Name: v.Claim.ID,
+				VolumeSource: v1.VolumeSource{
+					PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
+						ClaimName: v.Claim.ClaimName,
+						ReadOnly:  v.Claim.ReadOnly,
+					},
+				},
+			}
+			volumes = append(volumes, volume)
+		}
+
 		if v.DownwardAPI != nil {
 			var items []v1.DownwardAPIVolumeFile
 
@@ -300,10 +313,11 @@ func toResources(src Resources) v1.ResourceRequirements {
 
 // helper function returns a kubernetes namespace
 // for the given specification.
-func toNamespace(name string) *v1.Namespace {
+func toNamespace(name string, labels map[string]string) *v1.Namespace {
 	return &v1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
+			Name:   name,
+			Labels: labels,
 		},
 	}
 }
@@ -328,6 +342,10 @@ func lookupVolumeID(spec *Spec, name string) (string, bool) {
 			return v.HostPath.ID, true
 		}
 
+		if v.Claim != nil && v.Claim.Name == name {
+			return v.Claim.ID, true
+		}
+
 		if v.DownwardAPI != nil && v.DownwardAPI.Name == name {
 			return v.DownwardAPI.ID, true
 		}

diff --git a/engine/engine_impl.go b/engine/engine_impl.go
@@ -97,7 +97,7 @@ func (k *Kubernetes) Setup(ctx context.Context, specv runtime.Spec) error {
 	spec := specv.(*Spec)
 
 	if spec.Namespace != "" {
-		_, err := k.client.CoreV1().Namespaces().Create(toNamespace(spec.Namespace))
+		_, err := k.client.CoreV1().Namespaces().Create(toNamespace(spec.Namespace, spec.PodSpec.Labels))
 		if err != nil {
 			return err
 		}

diff --git a/engine/linter/linter.go b/engine/linter/linter.go
@@ -108,6 +108,12 @@ func checkVolumes(pipeline *resource.Pipeline, trusted bool) error {
 				return err
 			}
 		}
+		if volume.Claim != nil {
+			err := checkClaimVolume(volume.Claim, trusted)
+			if err != nil {
+				return err
+			}
+		}
 		switch volume.Name {
 		case "":
 			return fmt.Errorf("linter: missing volume name")
@@ -125,6 +131,13 @@ func checkHostPathVolume(volume *resource.VolumeHostPath, trusted bool) error {
 	return nil
 }
 
+func checkClaimVolume(volume *resource.VolumeClaim, trusted bool) error {
+	if trusted == false {
+		return errors.New("linter: untrusted repositories cannot mount PVC")
+	}
+	return nil
+}
+
 func checkEmptyDirVolume(volume *resource.VolumeEmptyDir, trusted bool) error {
 	if trusted == false && volume.Medium == "memory" {
 		return errors.New("linter: untrusted repositories cannot mount in-memory volumes")

diff --git a/engine/linter/linter_test.go b/engine/linter/linter_test.go
@@ -58,6 +58,19 @@ func TestLint(t *testing.T) {
 			trusted: true,
 			invalid: false,
 		},
+		// user should not be able to mount persistent volume claims
+		// volumes unless the repository is trusted.
+		{
+			path:    "testdata/volume_claim.yml",
+			trusted: false,
+			invalid: true,
+			message: "linter: untrusted repositories cannot mount PVC",
+		},
+		{
+			path:    "testdata/volume_claim.yml",
+			trusted: true,
+			invalid: false,
+		},
 		// user should be able to mount emptyDir volumes
 		// where no medium is specified.
 		{

diff --git a/engine/linter/testdata/volume_claim.yml b/engine/linter/testdata/volume_claim.yml
@@ -0,0 +1,34 @@
+kind: pipeline
+type: kubernetes
+name: default
+
+clone:
+  disable: true
+
+steps:
+- name: write
+  pull: if-not-exists
+  image: alpine
+  volumes:
+  - name: shared
+    path: /shared
+  commands:
+  - pwd
+  - echo "hello" > /shared/greetings.txt
+
+- name: read
+  pull: if-not-exists
+  image: alpine
+  volumes:
+  - name: shared
+    path: /shared
+  commands:
+  - pwd
+  - ls /shared
+  - cat /shared/greetings.txt
+
+volumes:
+- name: shared
+  claim:
+    name: received-data-claim
+    read_only: false
diff --git a/engine/resource/pipeline.go b/engine/resource/pipeline.go
@@ -90,7 +90,7 @@ func (p *Pipeline) GetStep(name string) *Step {
 }
 
 type (
-	// Metadata defines Kubernetes pod meteadata
+	// Metadata defines Kubernetes pod metadata
 	Metadata struct {
 		Namespace   string            `json:"namespace,omitempty"`
 		Annotations map[string]string `json:"annotations,omitempty"`
@@ -145,6 +145,7 @@ type (
 		Name     string          `json:"name,omitempty"`
 		EmptyDir *VolumeEmptyDir `json:"temp,omitempty" yaml:"temp"`
 		HostPath *VolumeHostPath `json:"host,omitempty" yaml:"host"`
+		Claim    *VolumeClaim    `json:"claim,omitempty" yaml:"claim"`
 	}
 
 	// VolumeMount describes a mounting of a Volume
@@ -168,6 +169,13 @@ type (
 		Path string `json:"path,omitempty"`
 	}
 
+	// VolumeClaim mounts an already existing
+	// persistentVolumeClaim.
+	VolumeClaim struct {
+		ClaimName string `json:"name,omitempty" yaml:"name"`
+		ReadOnly  bool   `json:"read_only,omitempty" yaml:"read_only"`
+	}
+
 	// Workspace represents the pipeline workspace configuration.
 	Workspace struct {
 		Path string `json:"path,omitempty"`

diff --git a/engine/spec.go b/engine/spec.go
@@ -94,6 +94,7 @@ type (
 		EmptyDir    *VolumeEmptyDir    `json:"temp,omitempty"`
 		HostPath    *VolumeHostPath    `json:"host,omitempty"`
 		DownwardAPI *VolumeDownwardAPI `json:"downward_api,omitempty"`
+		Claim       *VolumeClaim       `json:"claim,omitempty"`
 	}
 
 	// VolumeMount describes a mounting of a Volume
@@ -133,6 +134,14 @@ type (
 		FieldPath string `json:"field_path,omitempty"`
 	}
 
+	// VolumeClaim ...
+	VolumeClaim struct {
+		ID        string `json:"id,omitempty"`
+		Name      string `json:"name,omitempty"`
+		ClaimName string `json:"claim_name,omitempty"`
+		ReadOnly  bool   `json:"read_only,omitempty"`
+	}
+
 	// Resources describes the compute resource requirements.
 	Resources struct {
 		Limits   ResourceObject `json:"limits,omitempty"`

diff --git a/samples/volume_claim.yml b/samples/volume_claim.yml
@@ -0,0 +1,33 @@
+kind: pipeline
+type: kubernetes
+name: default
+
+clone:
+  disable: true
+
+steps:
+- name: write
+  pull: if-not-exists
+  image: alpine
+  volumes:
+  - name: shared
+    path: /shared
+  commands:
+  - pwd
+  - echo "hello" > /shared/greetings.txt
+
+- name: read
+  pull: if-not-exists
+  image: alpine
+  volumes:
+  - name: shared
+    path: /shared
+  commands:
+  - pwd
+  - ls /shared
+  - cat /shared/greetings.txt
+
+volumes:
+- name: shared
+  claim:
+    name: received-data-claim