dind-volume-utils rootless (#338)

* wip

* wip

* support rootless dind for localvolumes

* bump chart

* fix readme

Author: roi-codefresh

.deploy/cf-runtime/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 1.0.2
+version: 1.0.3
 home: https://github.com/codefresh-io/venona
 kubeVersion: '>=1.19.0-0'
 keywords:

.deploy/cf-runtime/README.md

@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square)
+![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square)
 
 ## Prerequisites
 
@@ -85,15 +85,14 @@ Kubernetes: `>=1.19.0-0`
 | re.dindDaemon.hosts[1] | string | `"tcp://0.0.0.0:1300"` |  |
 | re.dindDaemon.insecure-registries[0] | string | `"192.168.99.100:5000"` |  |
 | re.dindDaemon.metrics-addr | string | `"0.0.0.0:9323"` |  |
-| re.dindDaemon.storage-driver | string | `"overlay2"` |  |
 | re.dindDaemon.tls | bool | `true` |  |
 | re.dindDaemon.tlscacert | string | `"/etc/ssl/cf-client/ca.pem"` |  |
 | re.dindDaemon.tlscert | string | `"/etc/ssl/cf/server-cert.pem"` |  |
 | re.dindDaemon.tlskey | string | `"/etc/ssl/cf/server-key.pem"` |  |
 | re.dindDaemon.tlsverify | bool | `true` |  |
 | re.serviceAccount | object | `{"annotations":{}}` | Set annotation on engine Service Account Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster |
 | runner.env | object | `{}` | Add additional env vars |
-| runner.image | string | `"codefresh/venona:1.9.12"` | Set runner image |
+| runner.image | string | `"codefresh/venona:1.9.13"` | Set runner image |
 | runner.nodeSelector | object | `{}` | Set runner node selector |
 | runner.resources | object | `{}` | Set runner requests and limits |
 | runner.tolerations | list | `[]` | Set runner tolerations |
@@ -112,13 +111,13 @@ Kubernetes: `>=1.19.0-0`
 | storage.gcedisk.volumeType | string | `"pd-ssd"` | Set GCP volume backend type (`pd-ssd`/`pd-standard`) |
 | storage.local.volumeParentDir | string | `"/var/lib/codefresh/dind-volumes"` | Set volume path on the host filesystem |
 | storage.localVolumeMonitor.env | object | `{}` |  |
-| storage.localVolumeMonitor.image | string | `"codefresh/dind-volume-utils:1.29.2"` | Set `dind-lv-monitor` image |
+| storage.localVolumeMonitor.image | string | `"codefresh/dind-volume-utils:1.29.3"` | Set `dind-lv-monitor` image |
 | storage.localVolumeMonitor.nodeSelector | object | `{}` |  |
 | storage.localVolumeMonitor.resources | object | `{}` |  |
 | storage.localVolumeMonitor.tolerations | list | `[]` |  |
 | volumeProvisioner.annotations | object | `{}` |  |
 | volumeProvisioner.env | object | `{}` | Add additional env vars |
-| volumeProvisioner.image | string | `"codefresh/dind-volume-provisioner:1.33.1"` | Set volume-provisioner image |
+| volumeProvisioner.image | string | `"codefresh/dind-volume-provisioner:1.33.2"` | Set volume-provisioner image |
 | volumeProvisioner.nodeSelector | object | `{}` | Set volume-provisioner node selector |
 | volumeProvisioner.resources | object | `{}` | Set volume-provisioner requests and limits |
 | volumeProvisioner.securityContext | object | `{"enabled":true}` | Enable volume-provisioner pod's security context (running as non root user) |

.deploy/cf-runtime/templates/volume-provisioner/daemonset.dind-lv-monitor.vp.yaml

@@ -27,13 +27,28 @@ spec:
       {{- if .Values.storage.localVolumeMonitor.tolerations }}
 {{ toYaml .Values.storage.localVolumeMonitor.tolerations | indent 8 }}
       {{- end }}
+      initContainers:
+      - command:
+        - chown
+        - -R
+        - 1000:1000
+        - /var/lib/codefresh/dind-volumes
+        image: alpine
+        imagePullPolicy: Always
+        name: fs-change-owner
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/lib/codefresh/dind-volumes
+          name: dind-volume-dir
       containers:
         - image: {{ include "cf-vp.docker-image-volume-utils" . }}
           name: lv-cleaner
           imagePullPolicy: Always
           resources: {{ toYaml .Values.storage.localVolumeMonitor.resources | nindent 12 }}
           command:
-            - /bin/local-volumes-agent
+            - /home/dind-volume-utils/bin/local-volumes-agent
           env:
             {{- if .Values.storage.localVolumeMonitor.env }}
             {{- range $key, $value := .Values.storage.localVolumeMonitor.env }}
@@ -51,6 +66,8 @@ spec:
             - mountPath: {{ $localVolumeParentDir }}
               readOnly: false
               name: dind-volume-dir
+      securityContext:
+        fsGroup: 1000
       volumes:
         - name: dind-volume-dir
           hostPath:

.deploy/cf-runtime/values.yaml

@@ -27,7 +27,7 @@ dockerRegistry: "quay.io"
 # @default -- See below
 runner:
   # -- Set runner image
-  image: "codefresh/venona:1.9.12"
+  image: "codefresh/venona:1.9.13"
   # -- Add additional env vars
   env: {}
   # E.g
@@ -66,7 +66,7 @@ runner:
 # @default -- See below
 volumeProvisioner:
   # -- Set volume-provisioner image
-  image: "codefresh/dind-volume-provisioner:1.33.1"
+  image: "codefresh/dind-volume-provisioner:1.33.2"
   # -- Set annotation on volume-provisioner Service Account
   serviceAccount: {}
   # E.g
@@ -119,7 +119,7 @@ storage:
   # @default -- See below
   localVolumeMonitor:
     # -- Set `dind-lv-monitor` image
-    image: codefresh/dind-volume-utils:1.29.2
+    image: codefresh/dind-volume-utils:1.29.3
     nodeSelector: {}
     resources: {}
     tolerations: []
@@ -224,7 +224,6 @@ re:
     hosts:
       - unix:///var/run/docker.sock
       - tcp://0.0.0.0:1300
-    storage-driver: overlay2
     tlsverify: true
     tls: true
     tlscacert: /etc/ssl/cf-client/ca.pem

venona/VERSION

@@ -1 +1 @@
-1.9.12
+1.9.13

venonactl/VERSION

@@ -1 +1 @@
-1.9.12
+1.9.13

venonactl/pkg/store/store.go

@@ -174,12 +174,18 @@ func (s *Values) BuildValues() map[string]interface{} {
 			"AwsAccessKeyId":       "",
 			"AwsSecretAccessKey":   "",
 			"VolumeProvisioner": map[string]interface{}{
-				"Image":          "codefresh/dind-volume-provisioner:1.33.1",
+				"Image":          "codefresh/dind-volume-provisioner:1.33.2",
 				"NodeSelector":   s.KubernetesAPI.NodeSelector,
 				"Resources":      s.VolumeProvisioner.Resources,
 				"MountAzureJson": false,
 			},
-			"LocalVolumeMonitor": s.LocalVolumeMonitor.Resources,
+			"LocalVolumeMonitor": map[string]interface{}{
+				"Resources": s.LocalVolumeMonitor.Resources,
+				"Image": map[string]string{
+					"Name": "codefresh/dind-volume-utils",
+					"Tag":  "1.29.3",
+				},
+			},
 			"VolumeCleaner": map[string]interface{}{
 				"Image": map[string]string{
 					"Name": "codefresh/dind-volume-cleanup",

venonactl/pkg/templates/kubernetes/daemonset.dind-lv-monitor.vp.yaml

@@ -20,26 +20,38 @@ spec:
         prometheus_scrape: "true"
     spec:
       serviceAccountName: volume-provisioner-{{ .AppName }}
-      # Debug:
-      # hostNetwork: true
-      # nodeSelector:
-      #   kubernetes.io/role: "node"
       tolerations:
         - key: 'codefresh/dind'
           operator: 'Exists'
           effect: 'NoSchedule'
+      securityContext:
+        fsGroup: 1000
 
 {{ toYaml .Tolerations | indent 8 | unescape}}
 
-
+      initContainers:
+      - command:
+        - chown
+        - -R
+        - 1000:1000
+        - /var/lib/codefresh/dind-volumes
+        image: alpine
+        imagePullPolicy: Always
+        name: fs-change-owner
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/lib/codefresh/dind-volumes
+          name: dind-volume-dir
       containers:
-        - image: {{ if ne .DockerRegistry ""}} {{- .DockerRegistry }}/codefresh/dind-volume-utils:1.29.2 {{- else }}codefresh/dind-volume-utils:1.29.2{{- end}}
+        - image: {{ if ne .DockerRegistry ""}} {{- .DockerRegistry }}/{{ .Storage.LocalVolumeMonitor.Image.Name }}:{{ .Storage.LocalVolumeMonitor.Image.Tag }} {{- else }}{{- .Storage.LocalVolumeMonitor.Image.Name }}:{{ .Storage.LocalVolumeMonitor.Image.Tag }} {{- end}}
           name: lv-cleaner
           resources:
-{{ toYaml .Storage.LocalVolumeMonitor | indent 10 }}
+{{ toYaml .Storage.LocalVolumeMonitor.Resources | indent 10 }}
           imagePullPolicy: Always
           command:
-          - /bin/local-volumes-agent
+          - /home/dind-volume-utils/bin/local-volumes-agent
           env:
             {{- if $.EnvVars }}
             {{- range $key, $value := $.EnvVars }}

venonactl/pkg/templates/kubernetes/dind-daemon-conf.re.yaml

@@ -9,7 +9,6 @@ data:
     {
       "hosts": [ "unix:///var/run/docker.sock",
                  "tcp://0.0.0.0:1300"],
-      "storage-driver": "overlay2",
       "tlsverify": true,  
       "tls": true,
       "tlscacert": "/etc/ssl/cf-client/ca.pem",