Adds readOnly flag to k8s volume mounts (#2013) [ci fast]

* Adds readOnly flag to k8s volume mounts Signed-off-by: Mike Smoot <msmoot@illumina.com>
nextflow-io · Apr 6, 2021 · 33bd24a · 33bd24a
1 parent cf2a9d7
commit 33bd24a
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 4 deletions.
diff --git a/docs/process.rst b/docs/process.rst
@@ -1971,7 +1971,7 @@ The ``pod`` directive allows the definition of the following options:
 ``env: <E>, secret: <S/K>``                       Defines an environment variable with name ``E`` and whose value is given by the entry associated to the key with name ``K`` in the `Secret <https://kubernetes.io/docs/concepts/configuration/secret/>`_ with name ``S``.
 ``config: <C/K>, mountPath: </absolute/path>``    The content of the `ConfigMap <https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/>`_ with name ``C`` with key ``K`` is made available to the path ``/absolute/path``. When the key component is omitted the path is interpreted as a directory and all the `ConfigMap` entries are exposed in that path.
 ``secret: <S/K>, mountPath: </absolute/path>``    The content of the `Secret <https://kubernetes.io/docs/concepts/configuration/secret/>`_ with name ``S`` with key ``K`` is made available to the path ``/absolute/path``. When the key component is omitted the path is interpreted as a directory and all the `Secret` entries are exposed in that path.
-``volumeClaim: <V>, mountPath: </absolute/path>`` Mounts a `Persistent volume claim <https://kubernetes.io/docs/concepts/storage/persistent-volumes/>`_ with name ``V`` to the specified path location. Use the optional `subPath` parameter to mount a directory inside the referenced volume instead of its root.
+``volumeClaim: <V>, mountPath: </absolute/path>`` Mounts a `Persistent volume claim <https://kubernetes.io/docs/concepts/storage/persistent-volumes/>`_ with name ``V`` to the specified path location. Use the optional `subPath` parameter to mount a directory inside the referenced volume instead of its root. The volume may be mounted with `readOnly: true`, but is read/write by default.
 ``imagePullPolicy: <V>``                          Specifies the strategy to be used to pull the container image e.g. ``imagePullPolicy: 'Always'``.
 ``imagePullSecret: <V>``                          Specifies the secret name to access a private container image registry. See `Kubernetes documentation <https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod>`_ for details.
 ``runAsUser: <UID>``                              Specifies the user ID to be used to run the container.

diff --git a/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSpecBuilder.groovy b/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSpecBuilder.groovy
@@ -365,6 +365,8 @@ class PodSpecBuilder {
             final claim = [name: name, mountPath: entry.mountPath ]
             if( entry.subPath )
                 claim.subPath = entry.subPath
+            if( entry.readOnly )
+                claim.readOnly = entry.readOnly
             mounts << claim
         }
 

diff --git a/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodVolumeClaim.groovy b/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodVolumeClaim.groovy
@@ -39,12 +39,15 @@ class PodVolumeClaim {
 
     String subPath
 
-    PodVolumeClaim(String name, String mount, String subPath=null) {
+    boolean readOnly
+
+    PodVolumeClaim(String name, String mount, String subPath=null, boolean readOnly=false) {
         assert name
         assert mount
         this.claimName = name
         this.mountPath = sanitize(mount)
         this.subPath = subPath
+        this.readOnly = readOnly
         validate(mountPath)
     }
 
@@ -54,6 +57,7 @@ class PodVolumeClaim {
         this.claimName = entry.volumeClaim
         this.mountPath = sanitize(entry.mountPath)
         this.subPath = entry.subPath
+        this.readOnly = entry.readOnly ?: false
         validate(mountPath)
     }
 

diff --git a/modules/nextflow/src/test/groovy/nextflow/cli/CmdLogTest.groovy b/modules/nextflow/src/test/groovy/nextflow/cli/CmdLogTest.groovy
@@ -101,6 +101,7 @@ class CmdLogTest extends Specification {
                 .readLines()
                 // remove the log part
                 .findResults { line -> !line.contains('DEBUG') ? line : null }
+                .findResults { line -> !line.contains('INFO') ? line : null }
                 .join('\n')
         then:
         stdout.readLines().size() == 3

diff --git a/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodSpecBuilderTest.groovy b/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodSpecBuilderTest.groovy
@@ -205,6 +205,7 @@ class PodSpecBuilderTest extends Specification {
                     .withCommand(['echo'])
                     .withVolumeClaim(new PodVolumeClaim('first','/work'))
                     .withVolumeClaim(new PodVolumeClaim('second', '/data', '/foo'))
+                    .withVolumeClaim(new PodVolumeClaim('third', '/things', null, true))
                     .build()
         then:
         spec ==  [ apiVersion: 'v1',
@@ -219,11 +220,13 @@ class PodSpecBuilderTest extends Specification {
                                     workingDir:'/path',
                                     volumeMounts:[
                                             [name:'vol-1', mountPath:'/work'],
-                                            [name:'vol-2', mountPath:'/data', subPath: '/foo']] ]
+                                            [name:'vol-2', mountPath:'/data', subPath: '/foo'],
+                                            [name:'vol-3', mountPath:'/things', readOnly: true]] ]
                            ],
                            volumes:[
                                    [name:'vol-1', persistentVolumeClaim:[claimName:'first']],
-                                   [name:'vol-2', persistentVolumeClaim:[claimName:'second']] ]
+                                   [name:'vol-2', persistentVolumeClaim:[claimName:'second']],
+                                   [name:'vol-3', persistentVolumeClaim:[claimName:'third']] ]
                    ]
 
         ]

diff --git a/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodVolumeClaimTest.groovy b/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodVolumeClaimTest.groovy
@@ -32,12 +32,30 @@ class PodVolumeClaimTest extends Specification {
         then:
         vol1.claimName == 'foo'
         vol1.mountPath == '/bar'
+        vol1.readOnly == false
 
         when:
         def vol2 = new PodVolumeClaim(volumeClaim: 'alpha', mountPath: '/gamma')
         then:
         vol2.claimName == 'alpha'
         vol2.mountPath == '/gamma'
+        vol2.readOnly == false
+
+        when:
+        def vol3 = new PodVolumeClaim('aaa', '/bbb', null, true)
+
+        then:
+        vol3.claimName == 'aaa'
+        vol3.mountPath == '/bbb'
+        vol3.readOnly == true
+
+        when:
+        def vol4 = new PodVolumeClaim(volumeClaim: 'ccc', mountPath: '/ddd', readOnly: true)
+
+        then:
+        vol4.claimName == 'ccc'
+        vol4.mountPath == '/ddd'
+        vol4.readOnly == true
 
     }