Add automountServiceAccountToken option for k8s executor (#2562) [ci …

…fast] Signed-off-by: Lukas Hejtmanek <xhejtman@ics.muni.cz> Signed-off-by: Lukas Hejtmanek <xhejtman@gmail.com>
nextflow-io · Jan 21, 2022 · 1b5908e · 1b5908e
1 parent d512597
commit 1b5908e
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 0 deletions.
diff --git a/docs/process.rst b/docs/process.rst
@@ -1981,6 +1981,7 @@ The ``pod`` directive allows the definition of the following options:
 ``runAsUser: <UID>``                              Specifies the user ID to be used to run the container.
 ``nodeSelector: <V>``                             Specifies which node the process will run on. See `Kubernetes nodeSelector <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector>`_ for details.
 ``affinity: <V>``                                 Specifies affinity for which nodes the process should run on. See `Kubernetes affinity <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity>`_ for details.
+``automountServiceAccountToken: <B>``             Specifies whether to automount service account token into process pods. If ``B`` is true, service account token is automounted into task pods (default).
 ================================================= =================================================
 
 When defined in the Nextflow configuration file, a pod setting can be defined using the canonical

diff --git a/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodOptions.groovy b/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodOptions.groovy
@@ -55,12 +55,15 @@ class PodOptions {
 
     private PodSecurityContext securityContext
 
+    private boolean automountServiceAccountToken
+
     PodOptions( List<Map> options=null ) {
         int size = options ? options.size() : 0
         envVars = new HashSet<>(size)
         mountSecrets = new HashSet<>(size)
         mountConfigMaps = new HashSet<>(size)
         mountClaims = new HashSet<>(size)
+        automountServiceAccountToken = true
         init(options)
     }
 
@@ -117,6 +120,9 @@ class PodOptions {
         else if( entry.annotation && entry.value ) {
             this.annotations.put(entry.annotation as String, entry.value as String)
         }
+        else if( entry.automountServiceAccountToken instanceof Boolean ) {
+            this.automountServiceAccountToken = entry.automountServiceAccountToken as Boolean
+        }
         else 
             throw new IllegalArgumentException("Unknown pod options: $entry")
     }
@@ -164,6 +170,13 @@ class PodOptions {
         return this
     }
 
+    boolean getAutomountServiceAccountToken() { automountServiceAccountToken }
+
+    PodOptions setAutomountServiceAccountToken( boolean mount ) {
+        this.automountServiceAccountToken = mount
+        return this
+    }
+
     PodOptions plus( PodOptions other ) {
         def result = new PodOptions()
 
@@ -215,6 +228,8 @@ class PodOptions {
         result.annotations.putAll(annotations)
         result.annotations.putAll(other.annotations)
 
+        result.automountServiceAccountToken = other.automountServiceAccountToken & this.automountServiceAccountToken
+
         return result
     }
 }
diff --git a/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSpecBuilder.groovy b/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSpecBuilder.groovy
@@ -66,6 +66,8 @@ class PodSpecBuilder {
 
     String serviceAccount
 
+    boolean automountServiceAccountToken = true
+
     AcceleratorResource accelerator
 
     Collection<PodMountSecret> secrets = []
@@ -261,6 +263,9 @@ class PodSpecBuilder {
         if( opts.affinity )
             affinity = opts.affinity
 
+        // -- automountserviceaccounttoken
+        automountServiceAccountToken = opts.getAutomountServiceAccountToken()
+
         return this
     }
 
@@ -321,6 +326,9 @@ class PodSpecBuilder {
         if( this.serviceAccount )
             spec.serviceAccountName = this.serviceAccount
 
+        if( ! this.automountServiceAccountToken )
+            spec.automountServiceAccountToken = false
+
         if( securityContext )
             spec.securityContext = securityContext.toSpec()
 

diff --git a/modules/nextflow/src/test/groovy/nextflow/k8s/K8sDriverLauncherTest.groovy b/modules/nextflow/src/test/groovy/nextflow/k8s/K8sDriverLauncherTest.groovy
@@ -139,6 +139,7 @@ class K8sDriverLauncherTest extends Specification {
         def pod = Mock(PodOptions)
         pod.getVolumeClaims() >> [ new PodVolumeClaim('pvc-1', '/mnt/path/data') ]
         pod.getMountConfigMaps() >> [ new PodMountConfig('cfg-2', '/mnt/path/cfg') ]
+        pod.automountServiceAccountToken >> true
 
         def k8s = Mock(K8sConfig)
         k8s.getNextflowImageName() >> 'the-image'
@@ -188,6 +189,7 @@ class K8sDriverLauncherTest extends Specification {
         def pod = Mock(PodOptions)
         pod.getVolumeClaims() >> [ new PodVolumeClaim('pvc-1', '/mnt/path/data') ]
         pod.getMountConfigMaps() >> [ new PodMountConfig('cfg-2', '/mnt/path/cfg') ]
+        pod.automountServiceAccountToken >> true
 
         def k8s = Mock(K8sConfig)
         k8s.getLaunchDir() >> '/the/user/dir'

diff --git a/modules/nextflow/src/test/groovy/nextflow/k8s/K8sTaskHandlerTest.groovy b/modules/nextflow/src/test/groovy/nextflow/k8s/K8sTaskHandlerTest.groovy
@@ -219,6 +219,8 @@ class K8sTaskHandlerTest extends Specification {
         handler.client = client
         Map result
 
+        podOptions.automountServiceAccountToken >> true
+
         when:
         result = handler.newSubmitRequest(task)
         then:
@@ -274,6 +276,7 @@ class K8sTaskHandlerTest extends Specification {
 
         def podOptions = Mock(PodOptions)
         def CLAIMS = [ new PodVolumeClaim('first','/work'), new PodVolumeClaim('second','/data') ]
+        podOptions.automountServiceAccountToken >> true
 
         when:
         result = handler.newSubmitRequest(task)

diff --git a/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodOptionsTest.groovy b/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodOptionsTest.groovy
@@ -34,6 +34,7 @@ class PodOptionsTest extends Specification {
         options.getEnvVars() == [] as Set
         options.getMountSecrets() == [] as Set
         options.getMountConfigMaps() == [] as Set
+        options.automountServiceAccountToken == true
     }
 
     def 'should set pullPolicy' () {
@@ -433,4 +434,23 @@ class PodOptionsTest extends Specification {
         opts.nodeSelector.toSpec() == [foo: '1', bar: 'true', baz: 'Z']
 
     }
+
+    def 'should set pod automountServiceToken' () {
+        when:
+        def opts = new PodOptions([[automountServiceAccountToken: false]])
+        then:
+        opts.automountServiceAccountToken == false
+    }
+
+    def 'should merge pod automountServiceToken' () {
+        when:
+        def opts = new PodOptions() + new PodOptions([[automountServiceAccountToken: false]])
+        then:
+        opts.automountServiceAccountToken == false
+
+        when:
+        opts = new PodOptions([[automountServiceAccountToken: false]]) + new PodOptions()
+        then:
+        opts.automountServiceAccountToken == false
+    }
 }
diff --git a/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodSpecBuilderTest.groovy b/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodSpecBuilderTest.groovy
@@ -544,6 +544,8 @@ class PodSpecBuilderTest extends Specification {
             ]
         ]
 
+        opts.getAutomountServiceAccountToken() >> true
+
         when:
         def spec = builder.withPodOptions(opts).build()
         then: