feat: add support for logs permissions (#362)

Author: cloud-j-luna

_run/common-commands.mk

@@ -94,7 +94,7 @@ get-manifest:
 
 .PHONY: deployment-create
 deployment-create:
-	$(AKASH) tx deployment create "$(SDL_PATH)" \
+	$(PROVIDER_SERVICES) tx deployment create "$(SDL_PATH)" \
 		--dseq "$(DSEQ)" \
 		--from "$(KEY_NAME)"
 

cluster/kube/apply.go

@@ -10,6 +10,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	k8stypes "k8s.io/apimachinery/pkg/types"
@@ -265,3 +266,82 @@ func applyService(ctx context.Context, kc kubernetes.Interface, b builder.Servic
 
 	return nobj, uobj, oobj, err
 }
+
+func applyServiceAccount(ctx context.Context, kc kubernetes.Interface, b builder.ServiceAccount) (*corev1.ServiceAccount, *corev1.ServiceAccount, *corev1.ServiceAccount, error) {
+	oobj, err := kc.CoreV1().ServiceAccounts(b.NS()).Get(ctx, b.Name(), metav1.GetOptions{})
+	metricsutils.IncCounterVecWithLabelValuesFiltered(kubeCallsCounter, "serviceaccounts-get", err, errors.IsNotFound)
+
+	var nobj *corev1.ServiceAccount
+	var uobj *corev1.ServiceAccount
+
+	switch {
+	case err == nil:
+		uobj, err = b.Update(oobj)
+		if err == nil && (!b.IsObjectRevisionLatest(uobj.Labels) ||
+			!reflect.DeepEqual(uobj.Labels, oobj.Labels)) {
+			uobj, err = kc.CoreV1().ServiceAccounts(b.NS()).Update(ctx, uobj, metav1.UpdateOptions{})
+			metricsutils.IncCounterVecWithLabelValues(kubeCallsCounter, "serviceaccounts-update", err)
+		}
+	case errors.IsNotFound(err):
+		nobj, err = b.Create()
+		if err == nil {
+			nobj, err = kc.CoreV1().ServiceAccounts(b.NS()).Create(ctx, nobj, metav1.CreateOptions{})
+			metricsutils.IncCounterVecWithLabelValues(kubeCallsCounter, "serviceaccounts-create", err)
+		}
+	}
+
+	return nobj, uobj, oobj, err
+}
+
+func applyRole(ctx context.Context, kc kubernetes.Interface, b builder.Role) (*rbacv1.Role, *rbacv1.Role, *rbacv1.Role, error) {
+	oobj, err := kc.RbacV1().Roles(b.NS()).Get(ctx, b.Name(), metav1.GetOptions{})
+	metricsutils.IncCounterVecWithLabelValuesFiltered(kubeCallsCounter, "roles-get", err, errors.IsNotFound)
+
+	var nobj *rbacv1.Role
+	var uobj *rbacv1.Role
+
+	switch {
+	case err == nil:
+		uobj, err = b.Update(oobj)
+		if err == nil && (!b.IsObjectRevisionLatest(uobj.Labels) ||
+			!reflect.DeepEqual(&uobj.Rules, &oobj.Rules) ||
+			!reflect.DeepEqual(uobj.Labels, oobj.Labels)) {
+			uobj, err = kc.RbacV1().Roles(b.NS()).Update(ctx, uobj, metav1.UpdateOptions{})
+			metricsutils.IncCounterVecWithLabelValues(kubeCallsCounter, "roles-update", err)
+		}
+	case errors.IsNotFound(err):
+		nobj, err = b.Create()
+		if err == nil {
+			nobj, err = kc.RbacV1().Roles(b.NS()).Create(ctx, nobj, metav1.CreateOptions{})
+			metricsutils.IncCounterVecWithLabelValues(kubeCallsCounter, "roles-create", err)
+		}
+	}
+
+	return nobj, uobj, oobj, err
+}
+
+func applyRoleBinding(ctx context.Context, kc kubernetes.Interface, b builder.RoleBinding) (*rbacv1.RoleBinding, *rbacv1.RoleBinding, *rbacv1.RoleBinding, error) {
+	oobj, err := kc.RbacV1().RoleBindings(b.NS()).Get(ctx, b.Name(), metav1.GetOptions{})
+	metricsutils.IncCounterVecWithLabelValuesFiltered(kubeCallsCounter, "rolebindings-get", err, errors.IsNotFound)
+
+	var nobj *rbacv1.RoleBinding
+	var uobj *rbacv1.RoleBinding
+
+	switch {
+	case err == nil:
+		uobj, err = b.Update(oobj)
+		if err == nil && (!b.IsObjectRevisionLatest(uobj.Labels) ||
+			!reflect.DeepEqual(uobj.Labels, oobj.Labels)) {
+			uobj, err = kc.RbacV1().RoleBindings(b.NS()).Update(ctx, uobj, metav1.UpdateOptions{})
+			metricsutils.IncCounterVecWithLabelValues(kubeCallsCounter, "rolebindings-update", err)
+		}
+	case errors.IsNotFound(err):
+		nobj, err = b.Create()
+		if err == nil {
+			nobj, err = kc.RbacV1().RoleBindings(b.NS()).Create(ctx, nobj, metav1.CreateOptions{})
+			metricsutils.IncCounterVecWithLabelValues(kubeCallsCounter, "rolebindings-create", err)
+		}
+	}
+
+	return nobj, uobj, oobj, err
+}

cluster/kube/builder/builder.go

@@ -51,12 +51,15 @@ const (
 )
 
 const (
-	envVarAkashGroupSequence         = "AKASH_GROUP_SEQUENCE"
-	envVarAkashDeploymentSequence    = "AKASH_DEPLOYMENT_SEQUENCE"
-	envVarAkashOrderSequence         = "AKASH_ORDER_SEQUENCE"
-	envVarAkashOwner                 = "AKASH_OWNER"
-	envVarAkashProvider              = "AKASH_PROVIDER"
-	envVarAkashClusterPublicHostname = "AKASH_CLUSTER_PUBLIC_HOSTNAME"
+	envVarAkashGroupSequence          = "AKASH_GROUP_SEQUENCE"
+	envVarAkashDeploymentSequence     = "AKASH_DEPLOYMENT_SEQUENCE"
+	envVarAkashOrderSequence          = "AKASH_ORDER_SEQUENCE"
+	envVarAkashOwner                  = "AKASH_OWNER"
+	envVarAkashProvider               = "AKASH_PROVIDER"
+	envVarAkashClusterPublicHostname  = "AKASH_CLUSTER_PUBLIC_HOSTNAME"
+	envVarKubernetesNamespaceOverride = "KUBERNETES_NAMESPACE_OVERRIDE"
+	envVarKubernetesServiceHost       = "KUBERNETES_SERVICE_HOST"
+	envVarKubernetesServicePort       = "KUBERNETES_SERVICE_PORT"
 )
 
 var (

cluster/kube/builder/deployment.go

@@ -65,7 +65,8 @@ func (b *deployment) Create() (*appsv1.Deployment, error) { // nolint:unparam
 					SecurityContext: &corev1.PodSecurityContext{
 						RunAsNonRoot: &falseValue,
 					},
-					AutomountServiceAccountToken: &falseValue,
+					AutomountServiceAccountToken: b.automountServiceAccountToken(),
+					ServiceAccountName:           b.serviceAccountName(),
 					Containers:                   []corev1.Container{b.container()},
 					ImagePullSecrets:             b.secretsRefs,
 					Volumes:                      b.volumesObjs,
@@ -86,6 +87,8 @@ func (b *deployment) Update(obj *appsv1.Deployment) (*appsv1.Deployment, error)
 	uobj.Spec.Template.Labels = b.labels()
 	uobj.Spec.Template.Spec.Affinity = b.affinity()
 	uobj.Spec.Template.Spec.RuntimeClassName = b.runtimeClass()
+	uobj.Spec.Template.Spec.AutomountServiceAccountToken = b.automountServiceAccountToken()
+	uobj.Spec.Template.Spec.ServiceAccountName = b.serviceAccountName()
 	uobj.Spec.Template.Spec.Containers = []corev1.Container{b.container()}
 	uobj.Spec.Template.Spec.ImagePullSecrets = b.secretsRefs
 	uobj.Spec.Template.Spec.Volumes = b.volumesObjs

cluster/kube/builder/deployment_test.go

@@ -10,19 +10,23 @@ import (
 	"pkg.akt.dev/go/testutil"
 
 	crd "github.com/akash-network/provider/pkg/apis/akash.network/v2beta2"
+	mtypes "pkg.akt.dev/go/node/market/v1"
 )
 
-func TestDeploySetsEnvironmentVariables(t *testing.T) {
+const fakeHostname = "ahostname.dev"
+
+func testSetup(t *testing.T, sdlFile string, serviceIdx int, lid mtypes.LeaseID) (*crd.Manifest, *Workload) {
+	t.Helper()
+
 	log := testutil.Logger(t)
-	const fakeHostname = "ahostname.dev"
 	settings := Settings{
 		ClusterPublicHostname: fakeHostname,
 	}
-	lid := testutil.LeaseID(t)
-	sdl, err := sdl.ReadFile("../../../testdata/deployment/deployment.yaml")
+
+	sdlData, err := sdl.ReadFile(sdlFile)
 	require.NoError(t, err)
 
-	mani, err := sdl.Manifest()
+	mani, err := sdlData.Manifest()
 	require.NoError(t, err)
 
 	sparams := make([]*crd.SchedulerParams, len(mani.GetGroups()[0].Services))
@@ -39,9 +43,16 @@ func TestDeploySetsEnvironmentVariables(t *testing.T) {
 		Sparams: crd.ClusterSettings{SchedulerParams: sparams},
 	}
 
-	workload, err := NewWorkloadBuilder(log, settings, cdep, cmani, 0)
+	workload, err := NewWorkloadBuilder(log, settings, cdep, cmani, serviceIdx)
 	require.NoError(t, err)
 
+	return cmani, workload
+}
+
+func TestDeploySetsEnvironmentVariables(t *testing.T) {
+	lid := testutil.LeaseID(t)
+	_, workload := testSetup(t, "../../../testdata/deployment/deployment.yaml", 0, lid)
+
 	deploymentBuilder := NewDeployment(workload)
 
 	require.NotNil(t, deploymentBuilder)
@@ -80,3 +91,46 @@ func TestDeploySetsEnvironmentVariables(t *testing.T) {
 	require.True(t, ok)
 	require.Equal(t, lid.Provider, value)
 }
+
+func TestDeploymentPermissions(t *testing.T) {
+	tests := []struct {
+		name          string
+		sdlFile       string
+		serviceIdx    int
+		expectedToken bool
+	}{
+		{
+			name:          "defaults to false when no permissions specified",
+			sdlFile:       "../../../testdata/deployment/deployment.yaml",
+			serviceIdx:    0,
+			expectedToken: false,
+		},
+		{
+			name:          "enables automount when permissions are defined",
+			sdlFile:       "../../../testdata/sdl/permissions.yaml",
+			serviceIdx:    0,
+			expectedToken: true,
+		},
+		{
+			name:          "disables automount when no permissions defined",
+			sdlFile:       "../../../testdata/sdl/permissions.yaml",
+			serviceIdx:    1,
+			expectedToken: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			lid := testutil.LeaseID(t)
+			_, workload := testSetup(t, tt.sdlFile, tt.serviceIdx, lid)
+
+			deploymentBuilder := NewDeployment(workload)
+			deployment, err := deploymentBuilder.Create()
+			require.NoError(t, err)
+			require.NotNil(t, deployment)
+
+			require.NotNil(t, deployment.Spec.Template.Spec.AutomountServiceAccountToken)
+			require.Equal(t, tt.expectedToken, *deployment.Spec.Template.Spec.AutomountServiceAccountToken)
+		})
+	}
+}