Add support for specifying subpaths in Kubernetes executor volume definitions
What does this MR do?
Adds a way to specify SubPath when defining Kubernetes volume mounts.
Why was this MR needed?
In some cases only a subset of the defined volume needs to be mounted. A simple example:
- There is a custom CA certificate that someone needs to have mounted in the job pod.
- The certificate is stored as a Kubernetes secret custom-CA-certificate which contains one key/value pair: a my-custom-ca.pem key with the content of the certificate stored as its value.
To mount this file, one would start by defining the following volume mount in config.toml:
(...)
[runners.kubernetes.volumes.secret]
name = "custom-CA-certificate"
mount_path = "/etc/ssl/certs"
read_only = true
Unfortunately, this configuration would wipe out all of the original /etc/ssl/certs content and mount only the my-custom-ca.pem file present in the custom-CA-certificate secret. This means that the containerized system loses information about all of the well-known CAs that are normally trusted by default.
What is really needed is to mount only the single file created from custom-CA-certificate inside /etc/ssl/certs, among all existing files.
A solution for that would be to use the SubPath feature of volume mounts. With the change added in this MR it could be done as:
(...)
[runners.kubernetes.volumes.secret]
name = "custom-CA-certificate"
mount_path = "/etc/ssl/certs/my-custom-ca.pem"
sub_path = "my-custom-ca.pem"
read_only = true
With that, Kubernetes will mount only the my-custom-ca.pem path from the volume at the /etc/ssl/certs/my-custom-ca.pem path in the container. And because my-custom-ca.pem in the volume is a file, the mounted /etc/ssl/certs/my-custom-ca.pem will also be a file.
With that we have what we wanted: the original /etc/ssl/certs directory with the my-custom-ca.pem file additionally mounted there.
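A check that a job could run to confirm which of the two mount layouts described above it actually received. This is an added example, not code from the MR or from GitLab Runner; the function names, return codes and the simplified sample directories are assumptions made for illustration.

```shell
#!/bin/sh
# check_ca_mount DIR NAME
# Returns: 0  NAME is a plain file and DIR still holds other certificates
#          2  NAME is missing from DIR
#          3  NAME is a symlink (a whole secret volume exposes each key as a
#             symlink into its ..data directory; sub_path mounts the file itself)
#          4  DIR contains nothing except NAME (original content was hidden)
check_ca_mount() {
    dir=$1
    name=$2
    [ -f "$dir/$name" ] || return 2
    if [ -L "$dir/$name" ]; then
        return 3
    fi
    others=0
    # The * glob skips dot entries, so the volume's internal ..data is ignored.
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        if [ "$(basename "$entry")" != "$name" ]; then
            others=$((others + 1))
        fi
    done
    [ "$others" -gt 0 ] || return 4
    return 0
}

# Builds two constructed, simplified layouts under ROOT for trying the check:
#   ROOT/whole    secret volume mounted over the whole directory
#   ROOT/subpath  image's own bundle plus the single sub_path-mounted file
make_samples() {
    root=$1
    mkdir -p "$root/whole/..data" "$root/subpath"
    echo "constructed custom CA" > "$root/whole/..data/my-custom-ca.pem"
    ln -s "..data/my-custom-ca.pem" "$root/whole/my-custom-ca.pem"
    echo "constructed well-known CA bundle" > "$root/subpath/ca-certificates.crt"
    echo "constructed custom CA" > "$root/subpath/my-custom-ca.pem"
}
```

In a job this would be called as check_ca_mount /etc/ssl/certs my-custom-ca.pem. Note that a secret mounted through subPath does not receive updates when the secret changes, so a rotated CA only appears in pods created afterwards.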