feat(cdi): remove init container with root privileges

Signed-off-by: Isteb4k <[email protected]>
deckhouse · Dec 13, 2024 · b478192 · b478192
1 parent af350ba
commit b478192
Showing 1 changed file with 16 additions and 77 deletions.
diff --git a/images/cdi-artifact/patches/017-add-format-conversion-for-pvc-cloning.patch b/images/cdi-artifact/patches/017-add-format-conversion-for-pvc-cloning.patch
@@ -1,25 +1,8 @@
 diff --git a/pkg/controller/upload-controller.go b/pkg/controller/upload-controller.go
-index f251cae5d..99f5494dc 100644
+index f251cae5d..a925aa2c1 100644
 --- a/pkg/controller/upload-controller.go
 +++ b/pkg/controller/upload-controller.go
-@@ -45,6 +45,8 @@ import (
- 	"sigs.k8s.io/controller-runtime/pkg/source"
-
- 	cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
-+	sdkapi "kubevirt.io/controller-lifecycle-operator-sdk/api"
-+
- 	"kubevirt.io/containerized-data-importer/pkg/common"
- 	cc "kubevirt.io/containerized-data-importer/pkg/controller/common"
- 	featuregates "kubevirt.io/containerized-data-importer/pkg/feature-gates"
-@@ -54,7 +56,6 @@ import (
- 	"kubevirt.io/containerized-data-importer/pkg/util/cert/generator"
- 	"kubevirt.io/containerized-data-importer/pkg/util/naming"
- 	cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch"
--	sdkapi "kubevirt.io/controller-lifecycle-operator-sdk/api"
- )
-
- const (
-@@ -430,7 +431,7 @@ func (r *UploadReconciler) createUploadPodForPvc(pvc *corev1.PersistentVolumeCla
+@@ -430,7 +430,7 @@ func (r *UploadReconciler) createUploadPodForPvc(pvc *corev1.PersistentVolumeCla
  	args := UploadPodArgs{
  		Name:               podName,
  		PVC:                pvc,
@@ -28,7 +11,7 @@ index f251cae5d..99f5494dc 100644
  		ClientName:         clientName,
  		FilesystemOverhead: string(fsOverhead),
  		ServerCert:         serverCert,
-@@ -723,11 +724,7 @@ func addUploadControllerWatches(mgr manager.Manager, uploadController controller
+@@ -723,11 +723,7 @@ func addUploadControllerWatches(mgr manager.Manager, uploadController controller
  	return nil
  }
 
@@ -41,51 +24,8 @@ index f251cae5d..99f5494dc 100644
  	return naming.GetResourceName(pvc.Name, common.ScratchNameSuffix)
  }
 
-@@ -801,6 +798,8 @@ func (r *UploadReconciler) makeUploadPodSpec(args UploadPodArgs, resourceRequire
- 	cc.SetNodeNameIfPopulator(args.PVC, &pod.Spec)
- 	cc.SetRestrictedSecurityContext(&pod.Spec)
-
-+	pod.Spec.InitContainers = r.makeUploadPodInitContainers(args)
-+
- 	return pod
- }
-
-@@ -904,6 +903,33 @@ func (r *UploadReconciler) makeUploadPodContainers(args UploadPodArgs, resourceR
- 	return containers
- }
-
-+func (r *UploadReconciler) makeUploadPodInitContainers(args UploadPodArgs) []corev1.Container {
-+	if args.PVC == nil || len(args.PVC.Spec.AccessModes) == 0 || args.PVC.Spec.AccessModes[0] != corev1.ReadWriteMany {
-+		return nil
-+	}
-+
-+	if cc.GetVolumeMode(args.PVC) == corev1.PersistentVolumeBlock {
-+		return nil
-+	}
-+
-+	containers := []corev1.Container{
-+		{
-+			Name:            "chmod-" + common.UploadServerPodname,
-+			Image:           r.image,
-+			ImagePullPolicy: corev1.PullPolicy(r.pullPolicy),
-+			Command:         []string{"sh", "-c", "chmod 775 " + common.UploadServerDataDir},
-+			VolumeMounts: []corev1.VolumeMount{
-+				{
-+					Name:      cc.DataVolName,
-+					MountPath: common.UploadServerDataDir,
-+				},
-+			},
-+		},
-+	}
-+
-+	return containers
-+}
-+
- func (r *UploadReconciler) makeUploadPodVolumes(args UploadPodArgs) []corev1.Volume {
- 	volumes := []corev1.Volume{
- 		{
 diff --git a/pkg/uploadserver/uploadserver.go b/pkg/uploadserver/uploadserver.go
-index aa9e5ab68..845981a1a 100644
+index aa9e5ab68..02c4cb467 100644
 --- a/pkg/uploadserver/uploadserver.go
 +++ b/pkg/uploadserver/uploadserver.go
 @@ -29,6 +29,7 @@ import (
@@ -96,7 +36,7 @@ index aa9e5ab68..845981a1a 100644
  	"os"
  	"strings"
  	"sync"
-@@ -36,11 +37,14 @@ import (
+@@ -36,11 +37,13 @@ import (
 
  	"github.com/golang/snappy"
  	"github.com/pkg/errors"
@@ -105,13 +45,12 @@ index aa9e5ab68..845981a1a 100644
  	"k8s.io/klog/v2"
 
  	cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
-+
  	"kubevirt.io/containerized-data-importer/pkg/common"
 +	"kubevirt.io/containerized-data-importer/pkg/image"
  	"kubevirt.io/containerized-data-importer/pkg/importer"
  	"kubevirt.io/containerized-data-importer/pkg/util"
  	cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch"
-@@ -491,7 +495,7 @@ func newAsyncUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string,
+@@ -491,7 +494,7 @@ func newAsyncUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string,
  func newUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, filesystemOverhead float64, preallocation bool, sourceContentType string, dvContentType cdiv1.DataVolumeContentType) (bool, error) {
  	stream = newContentReader(stream, sourceContentType)
  	if isCloneTarget(sourceContentType) {
@@ -120,7 +59,7 @@ index aa9e5ab68..845981a1a 100644
  	}
 
  	// Clone block device to block device or file system
-@@ -501,7 +505,7 @@ func newUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, file
+@@ -501,7 +504,7 @@ func newUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, file
  	return processor.PreallocationApplied(), err
  }
 
@@ -129,7 +68,7 @@ index aa9e5ab68..845981a1a 100644
  	if contentType == common.FilesystemCloneContentType {
  		if dest != common.WriteBlockPath {
  			return fileToFileCloneProcessor(stream)
-@@ -516,16 +520,79 @@ func cloneProcessor(stream io.ReadCloser, contentType, dest string, preallocate
+@@ -516,16 +519,79 @@ func cloneProcessor(stream io.ReadCloser, contentType, dest string, preallocate
  	}
 
  	defer stream.Close()
@@ -153,22 +92,22 @@ index aa9e5ab68..845981a1a 100644
 +	}
 +
 +	err = importer.CleanAll(dest)
- 	if err != nil {
--		return false, err
++	if err != nil {
 +		return false, fmt.Errorf("failed to clean all: %w", err)
- 	}
-
--	klog.Infof("Read %d bytes, wrote %d bytes to %s", bytesRead, bytesWrittenn, dest)
++	}
++
 +	format, err := util.GetFormat(dest)
 +	if err != nil {
 +		return false, fmt.Errorf("failed to get format: %w", err)
 +	}
 +
 +	err = image.NewQEMUOperations().ConvertToFormatStream(parsedScratchPath, format, dest, false)
-+	if err != nil {
+ 	if err != nil {
+-		return false, err
 +		return false, fmt.Errorf("failed to convert: %w", err)
-+	}
-+
+ 	}
+
+-	klog.Infof("Read %d bytes, wrote %d bytes to %s", bytesRead, bytesWrittenn, dest)
 +	klog.Infof("Read %d bytes, wrote %d bytes to %s", bytesRead, bytesWritten, dest)
 
  	return false, nil