
Add support for specifying subpaths in Kubernetes executor volume definitions

Tomasz Maczukin requested to merge add-subpath-support-for-k8s-volumes into master

What does this MR do?

Adds a way to specify SubPath when defining Kubernetes volume mounts.

Why was this MR needed?

In some cases it's needed to mount only a subset of the defined volume. A simple example:

  1. There is a custom CA certificate that someone needs to have mounted in the job pod.
  2. The certificate is stored as a Kubernetes secret custom-CA-certificate which contains one key/value pair: a my-custom-ca.pem key with the content of the certificate stored as its value.

To mount this file, one would start by defining such a volume mount in config.toml:

(...)
     [runners.kubernetes.volumes.secret]
       name = "custom-CA-certificate"
       mount_path = "/etc/ssl/certs"
       read_only = true

Unfortunately, this configuration would wipe out all of the original /etc/ssl/certs content and mount only the my-custom-ca.pem file present in the custom-CA-certificate secret. This means that the containerized system loses information about all of the well-known CAs that are normally trusted by default.

What is really needed is to mount only the single file created from custom-CA-certificate inside of /etc/ssl/certs, among all existing files.

A solution for that would be to use the SubPath feature of volume mounts. With the change added with this MR it could be done as:

(...)
     [runners.kubernetes.volumes.secret]
       name = "custom-CA-certificate"
       mount_path = "/etc/ssl/certs/my-custom-ca.pem"
       sub_path = "my-custom-ca.pem"
       read_only = true

With that, Kubernetes will mount only the my-custom-ca.pem path from the volume at the /etc/ssl/certs/my-custom-ca.pem path in the container. And because my-custom-ca.pem in the volume is a file, the mounted /etc/ssl/certs/my-custom-ca.pem will also be a file.

With that we have what we wanted - the original /etc/ssl/certs directory with the my-custom-ca.pem file mounted there additionally.

What's the best way to test this MR?

What are the relevant issue numbers?

Edited by Tomasz Maczukin
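
The two mounts described above, written as the Kubernetes volumeMounts they correspond to, side by side in one pod. This is an added example, not code from the MR and not the pod spec the runner generates; the pod, container and volume names and the image are constructed, and the secret name is lowercased on the assumption that the secret exists under that name.

```yaml
# Added illustration; names and image are constructed, not from the MR.
apiVersion: v1
kind: Pod
metadata:
  name: ca-mount-demo
spec:
  restartPolicy: Never
  volumes:
    - name: custom-ca
      secret:
        # Lowercased: Kubernetes rejects uppercase characters in Secret names.
        secretName: custom-ca-certificate
  containers:
    # Without subPath: the volume covers the whole directory, so the
    # image's own CA files under /etc/ssl/certs are no longer visible.
    - name: whole-dir
      image: alpine:3
      command: ["sh", "-c", "ls -l /etc/ssl/certs; sleep 3600"]
      volumeMounts:
        - name: custom-ca
          mountPath: /etc/ssl/certs
          readOnly: true
    # With subPath: only the my-custom-ca.pem key is mounted, as a single
    # file, next to the files already present in the image.
    - name: single-file
      image: alpine:3
      command: ["sh", "-c", "ls -l /etc/ssl/certs; sleep 3600"]
      volumeMounts:
        - name: custom-ca
          mountPath: /etc/ssl/certs/my-custom-ca.pem
          subPath: my-custom-ca.pem
          readOnly: true
```

A secret mounted through subPath is not refreshed when the secret is updated, so rotating the CA certificate requires recreating the pod.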
