def add_ecr_config(kube_manager, pod_spec, namespace):
if not kube_manager.secret_exists('ecr-config', namespace):
secret = client.V1Secret(
metadata = client.V1ObjectMeta(name='ecr-config'),
string_data={
'config.json': '{"credsStore": "ecr-login"}'
})
kube_manager.create_secret(namespace, secret)
volume_mount=client.V1VolumeMount(
name='ecr-config', mount_path='/kaniko/.docker/', read_only=True)
if pod_spec.containers[0].volume_mounts:
pod_spec.containers[0].volume_mounts.append(volume_mount)
else:
pod_spec.containers[0].volume_mounts = [volume_mount]
volume=client.V1Volume(
name='ecr-config',
secret=client.V1SecretVolumeSource(secret_name='ecr-config'))
if pod_spec.volumes:
pod_spec.volumes.append(volume)
else:
pod_spec.volumes = [volume]
def create_job_object():
# Configureate Pod template container
# volume inside of which you put your service account
# This is the secret name, basically
volume_name = "google-cloud-json"
google_app_credentials_path = os.environ.get(
'GOOGLE_APPLICATION_CREDENTIALS')
# create a volume mount
volume_mount = client.V1VolumeMount(mount_path='/etc/stuff',
name=volume_name)
# Create environment variables for container.
# In this case, grab the values from the execution environment
# perhaps using something like a .env file.
env = [
client.V1EnvVar(
name='GOOGLE_APPLICATION_CREDENTIALS',
# note this is a path + the filename of the app creds in the secret
value='/etc/stuff/key.json'), # google_app_credentials_path),
client.V1EnvVar(name='GCS_STAGING_URL',
value=os.environ.get('GCS_STAGING_URL')),
client.V1EnvVar(name='GCS_EXPORT_URL',
value=os.environ.get('GCS_EXPORT_URL')),
client.V1EnvVar(name='ES_HOST', value=os.environ.get('ES_HOST'))
]
# Create a volume.
# This will go into the spec section of the template
# Note that this specifies a secret volume
# The secret needs to be created separately.
volume = client.V1Volume(
name=volume_name,
secret=client.V1SecretVolumeSource(secret_name='google-cloud-json'))
# Create the container section that will
# go into the spec section
container = client.V1Container(
name="omicidx-builder",
image="seandavi/omicidx-builder",
volume_mounts=[volume_mount],
env=env,
command=['/bin/bash', '/code/biosample_pipeline.sh'])
# Create and configurate a spec section
template = client.V1PodTemplateSpec(
metadata=client.V1ObjectMeta(labels={"app": "omicidx-builder"}),
spec=client.V1PodSpec(restart_policy="Never",
volumes=[volume],
containers=[container]))
# Create the specification of deployment
spec = client.V1JobSpec(template=template, backoff_limit=4)
# Instantiate the job object
job = client.V1Job(api_version="batch/v1",
kind="Job",
metadata=client.V1ObjectMeta(name=JOB_NAME),
spec=spec)
return job
def update_index_op(app_dir: str, base_branch: str, base_git_repo: str,
bot_email: str, fork_git_repo: str, index_file: str,
lookup_file: str, workflow_id: str):
return (dsl.ContainerOp(
name='update_index',
image=
'gcr.io/kubeflow-examples/code-search/ks:v20181204-ee47a49-dirty-fa8aa3',
command=['/usr/local/src/update_index.sh'],
arguments=[
'--appDir=%s' % app_dir,
'--baseBranch=%s' % base_branch,
'--baseGitRepo=%s' % base_git_repo,
'--botEmail=%s' % bot_email,
'--forkGitRepo=%s' % fork_git_repo,
'--indexFile=%s' % index_file,
'--lookupFile=%s' % lookup_file,
'--workflowId=%s' % workflow_id,
],
).add_volume(
k8s_client.V1Volume(
name='github-access-token',
secret=k8s_client.V1SecretVolumeSource(
secret_name='github-access-token'))).add_env_variable(
k8s_client.V1EnvVar(
name='GITHUB_TOKEN',
value_from=k8s_client.V1EnvVarSource(
secret_key_ref=k8s_client.V1SecretKeySelector(
name='github-access-token',
key='token',
)))))
def resourceop_basic(username, password):
secret_resource = k8s_client.V1Secret(
api_version="v1",
kind="Secret",
metadata=k8s_client.V1ObjectMeta(generate_name="my-secret-"),
type="Opaque",
data={
"username": username,
"password": password
})
rop = dsl.ResourceOp(
name="create-my-secret",
k8s_resource=secret_resource,
attribute_outputs={"name": "{.metadata.name}"})
secret = k8s_client.V1Volume(
name="my-secret",
secret=k8s_client.V1SecretVolumeSource(secret_name=rop.output))
cop = dsl.ContainerOp(
name="cop",
image="library/bash:4.4.23",
command=["sh", "-c"],
arguments=["ls /etc/secret-volume"],
pvolumes={"/etc/secret-volume": secret})
def add_ecr_config(kube_manager, pod_spec, namespace):
"""add secret
:param kube_manager: kube manager for handles communication with Kubernetes' client
:param pod_spec: pod spec like volumes and security context
:param namespace: The custom resource
"""
if not kube_manager.secret_exists('ecr-config', namespace):
secret = client.V1Secret(metadata=client.V1ObjectMeta(name='ecr-config'),
string_data={
'config.json': '{"credsStore": "ecr-login"}'
})
kube_manager.create_secret(namespace, secret)
volume_mount = client.V1VolumeMount(name='ecr-config',
mount_path='/kaniko/.docker/', read_only=True)
if pod_spec.containers[0].volume_mounts:
pod_spec.containers[0].volume_mounts.append(volume_mount)
else:
pod_spec.containers[0].volume_mounts = [volume_mount]
volume = client.V1Volume(name='ecr-config',
secret=client.V1SecretVolumeSource(secret_name='ecr-config'))
if pod_spec.volumes:
pod_spec.volumes.append(volume)
else:
pod_spec.volumes = [volume]
def mount_secrets(spawner, pod, role_mapping):
groups = spawner.userdata.get("groups", [])
_loaded = set()
for group in groups:
print(f'Checking secrets for group: {group}')
try:
secrets = role_mapping['groups'].get(group, {}).get('secrets')
except KeyError:
continue
if secrets:
for secret_name in secrets:
secret_name = secret_name.lower()
if secret_name and secret_name not in _loaded:
pod.spec.volumes.append(
client.V1Volume(
name=(secret_name + "-volume"),
secret=client.V1SecretVolumeSource(secret_name=secret_name),
)
)
pod.spec.containers[0].volume_mounts.append(
client.V1VolumeMount(
mount_path="/opt/app-root/secrets/.aws/{}".format(
secret_name.lower()
),
name=(secret_name + "-volume"),
read_only=True
)
)
_loaded.add(secret_name)
return spawner, pod
def create_pod_template_with_pvc(args):
# Mount bootstrap config secret volume
config_mount = client.V1VolumeMount(mount_path="/tmp",
name="bootstrap-config-vol")
# PersistenVolume mount
pv_mount = client.V1VolumeMount(
mount_path="/home", # better name?
name="data")
# Configureate Pod template container
isTTY = args.image == "chainweb-base" # otherwise container will always "finish" and restart.
pull_policy = "Never" if args.local else "Always"
container = client.V1Container(
name="chainweb",
image=args.image,
image_pull_policy=pull_policy,
tty=isTTY,
ports=[client.V1ContainerPort(container_port=PORT_NUMBER)],
volume_mounts=[config_mount, pv_mount])
# Configure volume(s)
config_volume = client.V1Volume(
name="bootstrap-config-vol",
secret=client.V1SecretVolumeSource(secret_name="bootstrap-config"))
# Create and configurate a spec section
template = client.V1PodTemplateSpec(
metadata=client.V1ObjectMeta(labels={"app": "chainweb"}),
spec=client.V1PodSpec(containers=[container], volumes=[config_volume]))
return template
def create_job_object(self, job_name, container_image, args):
volume_name = "" # volume inside of which you put your service account
google_app_credentials_path = os.environ.get(
'GOOGLE_APPLICATION_CREDENTIALS')
volume_mount = client.V1VolumeMount(mount_path='/'.join(
google_app_credentials_path.split('/')[:-1]),
name=volume_name)
env = client.V1EnvVar(name='GOOGLE_APPLICATION_CREDENTIALS',
value=google_app_credentials_path)
container = client.V1Container(name=job_name,
image=container_image,
args=args,
volume_mounts=[volume_mount],
env=[env],
image_pull_policy="Always")
volume = client.V1Volume(
name=volume_name,
secret=client.V1SecretVolumeSource(
secret_name='<secret-where-you-put-the-service-account>'))
template = client.V1PodTemplateSpec(
metadata=client.V1ObjectMeta(labels={"app": "sample"}),
spec=client.V1PodSpec(restart_policy="Never",
containers=[container],
volumes=[volume]))
spec = client.V1JobSpec(template=template,
backoff_limit=3,
ttl_seconds_after_finished=60)
job = client.V1Job(api_version="batch/v1",
kind="Job",
metadata=client.V1ObjectMeta(name=job_name),
spec=spec)
return job
def _volume_mounts(kube_manager, pod_spec, namespace): #pylint:disable=unused-argument
volume_mount = client.V1VolumeMount(name=mount_name,
mount_path=mount_path,
sub_path=sub_path)
if pod_spec.containers[0].volume_mounts:
pod_spec.containers[0].volume_mounts.append(volume_mount)
else:
pod_spec.containers[0].volume_mounts = [volume_mount]
if volume_type == 'pvc':
volume = client.V1Volume(
name=mount_name,
persistent_volume_claim=client.
V1PersistentVolumeClaimVolumeSource(claim_name=volume_name))
elif volume_type == 'secret':
volume = client.V1Volume(
name=mount_name,
secret=client.V1SecretVolumeSource(secret_name=volume_name))
elif volume_type == 'config_map':
volume = client.V1Volume(
name=mount_name,
config_map=client.V1ConfigMapVolumeSource(name=volume_name))
else:
raise RuntimeError("Unsupport type %s" % volume_type)
if pod_spec.volumes:
pod_spec.volumes.append(volume)
else:
pod_spec.volumes = [volume]
def add_gcp_credentials(kube_manager, pod_spec, namespace):
if not kube_manager.secret_exists(constants.GCP_CREDS_SECRET_NAME,
namespace):
raise ValueError(
'Unable to mount credentials: ' +
'Secret user-gcp-sa not found in namespace {}'.format(namespace))
# Set appropriate secrets and volumes to enable kubeflow-user service
# account.
env_var = client.V1EnvVar(name='GOOGLE_APPLICATION_CREDENTIALS',
value='/etc/secrets/user-gcp-sa.json')
if pod_spec.containers[0].env:
pod_spec.containers[0].env.append(env_var)
else:
pod_spec.containers[0].env = [env_var]
volume_mount = client.V1VolumeMount(name='user-gcp-sa',
mount_path='/etc/secrets',
read_only=True)
if pod_spec.containers[0].volume_mounts:
pod_spec.containers[0].volume_mounts.append(volume_mount)
else:
pod_spec.containers[0].volume_mounts = [volume_mount]
volume = client.V1Volume(
name='user-gcp-sa',
secret=client.V1SecretVolumeSource(secret_name='user-gcp-sa'))
if pod_spec.volumes:
pod_spec.volumes.append(volume)
else:
pod_spec.volumes = [volume]
def add_azure_credentials(kube_manager, pod_spec, namespace):
if not kube_manager.secret_exists(constants.AZURE_CREDS_SECRET_NAME,
namespace):
raise ValueError(
"Unable to mount credentials: " +
f"Secret {constants.AZURE_CREDS_SECRET_NAME} found in namespace {namespace}"
)
# Set appropriate secrets and volumes to enable kubeflow-user service
# account.
logging.warn("Adding azure auth location")
env_var = client.V1EnvVar(name='AZURE_AUTH_LOCATION',
value='/etc/secrets/azure-credentials.json')
if pod_spec.containers[0].env:
pod_spec.containers[0].env.append(env_var)
else:
pod_spec.containers[0].env = [env_var]
volume_mount = client.V1VolumeMount(name='azure-credentials',
mount_path='/etc/secrets',
read_only=True)
if pod_spec.containers[0].volume_mounts:
pod_spec.containers[0].volume_mounts.append(volume_mount)
else:
pod_spec.containers[0].volume_mounts = [volume_mount]
volume = client.V1Volume(
name='azure-credentials',
secret=client.V1SecretVolumeSource(
secret_name=constants.AZURE_CREDS_SECRET_NAME))
if pod_spec.volumes:
pod_spec.volumes.append(volume)
else:
pod_spec.volumes = [volume]
def kaniko_op(image, context_path, secret_name='docker-secret'):
"""use kaniko to build Docker image."""
from kubernetes import client as k8s_client
cops = dsl.ContainerOp(
name='kaniko',
image='gcr.io/kaniko-project/executor:latest',
arguments=["--dockerfile", "/context/Dockerfile",
"--context", "/context",
"--destination", image],
)
cops.add_volume(
k8s_client.V1Volume(
name='registry-creds',
secret=k8s_client.V1SecretVolumeSource(
secret_name=secret_name,
items=[{'key': '.dockerconfigjson', 'path': '.docker/config.json'}],
)
))
cops.container.add_volume_mount(
k8s_client.V1VolumeMount(
name='registry-creds',
mount_path='/root/',
)
)
return cops.apply(mount_v3io(remote=context_path, mount_path='/context'))
def mount_secret(self, name, path='/secret', items=None):
self.add_volume(client.V1Volume(name=name,
secret=client.V1SecretVolumeSource(
secret_name=name,
items=items,
)),
mount_path=path)
def submit(self):
"""Submit a image spec to openshift's s2i and wait for completion """
volume_mounts = [
client.V1VolumeMount(mount_path="/var/run/docker.sock",
name="docker-socket")
]
volumes = [
client.V1Volume(name="docker-socket",
host_path=client.V1HostPathVolumeSource(
path="/var/run/docker.sock"))
]
if self.push_secret:
volume_mounts.append(
client.V1VolumeMount(mount_path="/root/.docker",
name='docker-push-secret'))
volumes.append(
client.V1Volume(name='docker-push-secret',
secret=client.V1SecretVolumeSource(
secret_name=self.push_secret)))
self.pod = client.V1Pod(metadata=client.V1ObjectMeta(
name=self.name, labels={"name": self.name}),
spec=client.V1PodSpec(containers=[
client.V1Container(
image=self.builder_image,
name="builder",
args=self.get_cmd(),
image_pull_policy='Always',
volume_mounts=volume_mounts,
)
],
volumes=volumes,
restart_policy="Never"))
try:
ret = self.api.create_namespaced_pod(self.namespace, self.pod)
except client.rest.ApiException as e:
if e.status == 409:
# Someone else created it!
pass
else:
raise
w = watch.Watch()
try:
for f in w.stream(self.api.list_namespaced_pod,
self.namespace,
label_selector="name={}".format(self.name)):
if f['type'] == 'DELETED':
self.progress('pod.phasechange', 'Deleted')
return
self.pod = f['object']
self.progress('pod.phasechange', self.pod.status.phase)
if self.pod.status.phase == 'Succeeded':
self.cleanup()
elif self.pod.status.phase == 'Failed':
self.cleanup()
finally:
w.stop()
def _use_gcp_secret(task):
from kubernetes import client as k8s_client
return (
task
.add_volume(
k8s_client.V1Volume(
name=volume_name,
secret=k8s_client.V1SecretVolumeSource(
secret_name=secret_name,
)
)
)
.add_volume_mount(
k8s_client.V1VolumeMount(
name=volume_name,
mount_path=secret_volume_mount_path,
)
)
.add_env_variable(
k8s_client.V1EnvVar(
name='GOOGLE_APPLICATION_CREDENTIALS',
value=secret_volume_mount_path + secret_file_path_in_volume,
)
)
)
def _create_k8s_job(self, yaml_spec):
""" _create_k8s_job creates a kubernetes job based on the yaml spec """
pod = k8s_client.V1Pod(metadata=k8s_client.V1ObjectMeta(generate_name=yaml_spec['metadata']['generateName']))
container = k8s_client.V1Container(name = yaml_spec['spec']['containers'][0]['name'],
image = yaml_spec['spec']['containers'][0]['image'],
args = yaml_spec['spec']['containers'][0]['args'],
volume_mounts = [k8s_client.V1VolumeMount(
name=yaml_spec['spec']['containers'][0]['volumeMounts'][0]['name'],
mount_path=yaml_spec['spec']['containers'][0]['volumeMounts'][0]['mountPath'],
)],
env = [k8s_client.V1EnvVar(
name=yaml_spec['spec']['containers'][0]['env'][0]['name'],
value=yaml_spec['spec']['containers'][0]['env'][0]['value'],
)])
pod.spec = k8s_client.V1PodSpec(restart_policy=yaml_spec['spec']['restartPolicy'],
containers = [container],
service_account_name=yaml_spec['spec']['serviceAccountName'],
volumes=[k8s_client.V1Volume(
name=yaml_spec['spec']['volumes'][0]['name'],
secret=k8s_client.V1SecretVolumeSource(
secret_name=yaml_spec['spec']['volumes'][0]['secret']['secretName'],
)
)])
try:
api_response = self._corev1.create_namespaced_pod(yaml_spec['metadata']['namespace'], pod)
return api_response.metadata.name, True
except k8s_client.rest.ApiException as e:
logging.exception("Exception when calling CoreV1Api->create_namespaced_pod: {}\n".format(str(e)))
return '', False
def _use_gcp_secret(task):
from kubernetes import client as k8s_client
task = task.add_volume(
k8s_client.V1Volume(name=volume_name,
secret=k8s_client.V1SecretVolumeSource(
secret_name=secret_name, )))
task.container \
.add_volume_mount(
k8s_client.V1VolumeMount(
name=volume_name,
mount_path=secret_volume_mount_path,
)
) \
.add_env_variable(
k8s_client.V1EnvVar(
name='GOOGLE_APPLICATION_CREDENTIALS',
value=secret_volume_mount_path + secret_file_path_in_volume,
)
) \
.add_env_variable(
k8s_client.V1EnvVar(
name='CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE',
value=secret_volume_mount_path + secret_file_path_in_volume,
)
) # Set GCloud Credentials by using the env var override.
# TODO: Is there a better way for GCloud to pick up the credential?
return task
def pipeline_head(git_repo,
branch="master",
rev='HEAD',
git_secret="git-creds"):
src_vol_op = dsl.VolumeOp(name="Git_source_pvc",
resource_name="git-pvc",
size='60Mi',
modes=dsl.VOLUME_MODE_RWM)
gitsync_step = dsl.ContainerOp(name="Git-sync",
image="k8s.gcr.io/git-sync/git-sync:v3.3.0",
arguments=[
"--ssh", f"--repo={git_repo}",
"--root=/tmp/src",
"--dest=pipeline_source",
f"--rev={rev}", f"--branch={branch}",
"--one-time"
],
pvolumes={"/tmp/src": src_vol_op.volume})
gitsync_step.add_volume(
k8s_client.V1Volume(name='git-cred-volume',
secret=k8s_client.V1SecretVolumeSource(
secret_name=git_secret))).add_volume_mount(
k8s_client.V1VolumeMount(
mount_path="/etc/git-secret",
name="git-cred-volume"))
gitsync_step.execution_options.caching_strategy.max_cache_staleness = "P0D"
step1 = dsl.ContainerOp(
name="step1",
image="python:3.8",
command=["python"],
arguments=[
"/tmp/src/pipeline_source/step1.py", "--arg1", "input_arg1",
"--arg2", "input_arg2"
],
pvolumes={
"/tmp/src": src_vol_op.volume.after(gitsync_step)
}).add_env_variable(
k8s_client.V1EnvVar(name="PYTHONPATH",
value="/tmp/src/pipeline_source"))
step1.execution_options.caching_strategy.max_cache_staleness = "P0D"
step2 = dsl.ContainerOp(name="step2",
image="python:3.8",
command=["python"],
arguments=[
"/tmp/src/pipeline_source/step2.py", "--arg1",
"input_arg1", "--arg2", "input_arg2"
],
pvolumes={
"/tmp/src": src_vol_op.volume.after(step1)
}).add_env_variable(
k8s_client.V1EnvVar(
name="PYTHONPATH",
value="/tmp/src/pipeline_source"))
step2.execution_options.caching_strategy.max_cache_staleness = "P0D"
def get_volume_from_secret(volume_name, mount_path, secret_name, items=None):
secret = client.V1SecretVolumeSource(secret_name=secret_name, items=items)
volumes = [client.V1Volume(name=volume_name, secret=secret)]
volume_mounts = [
client.V1VolumeMount(name=volume_name,
mount_path=mount_path,
read_only=True)
]
return volumes, volume_mounts
def _mount_secret(task):
from kubernetes import client as k8s_client
vol = k8s_client.V1SecretVolumeSource(secret_name=secret_name,
items=items)
return task.add_volume(
k8s_client.V1Volume(
name=volume_name, secret=vol)).add_volume_mount(
k8s_client.V1VolumeMount(mount_path=mount_path,
name=volume_name))
def _use_secret(task):
return (task.add_volume(
k8s_client.V1Volume(
name=volume_name,
secret=k8s_client.V1SecretVolumeSource(
secret_name=secret_name, ))).add_volume_mount(
k8s_client.V1VolumeMount(
name=volume_name,
mount_path=mount_path,
)))
def mount_secret(self, name, path="/secret", items=None, sub_path=None):
self.add_volume(
client.V1Volume(
name=name,
secret=client.V1SecretVolumeSource(
secret_name=name,
items=items,
),
),
mount_path=path,
sub_path=sub_path,
)
def _use_ai_pipeline_params(task):
from kubernetes import client as k8s_client
task = task.add_volume(
k8s_client.V1Volume(
name=secret_name, # secret_name as volume name
secret=k8s_client.V1SecretVolumeSource(
secret_name=secret_name)))
task.container.add_volume_mount(
k8s_client.V1VolumeMount(mount_path=secret_volume_mount_path,
name=secret_name))
task.container.set_image_pull_policy(image_pull_policy)
return task
def default_gcp_op(name: str, image: str, command: str = None,
arguments: str = None, file_inputs: Dict[dsl.PipelineParam, str] = None,
file_outputs: Dict[str, str] = None, is_exit_handler=False):
"""An operator that mounts the default GCP service account to the container.
The user-gcp-sa secret is created as part of the kubeflow deployment that
stores the access token for kubeflow user service account.
With this service account, the container has a range of GCP APIs to
access to. This service account is automatically created as part of the
kubeflow deployment.
For the list of the GCP APIs this service account can access to, check
https://github.com/kubeflow/kubeflow/blob/7b0db0d92d65c0746ac52b000cbc290dac7c62b1/deployment/gke/deployment_manager_configs/iam_bindings_template.yaml#L18
If you want to call the GCP APIs in a different project, grant the kf-user
service account access permission.
"""
return (
dsl.ContainerOp(
name,
image,
command,
arguments,
file_inputs,
file_outputs,
is_exit_handler,
)
.add_volume(
k8s_client.V1Volume(
name='gcp-credentials',
secret=k8s_client.V1SecretVolumeSource(
secret_name='user-gcp-sa'
)
)
)
.add_volume_mount(
k8s_client.V1VolumeMount(
mount_path='/secret/gcp-credentials',
name='gcp-credentials',
)
)
.add_env_variable(
k8s_client.V1EnvVar(
name='GOOGLE_APPLICATION_CREDENTIALS',
value='/secret/gcp-credentials/user-gcp-sa.json'
)
)
)
def create_job_object(job_arguments, size, docker_image, docker_image_tag,
affinity):
user = os.environ['USER']
job = client.V1Job(
metadata=client.V1ObjectMeta(
name='kaml-remote-{}-{}'.format(user, uuid.uuid1())),
spec=client.V1JobSpec(template=client.V1PodTemplateSpec(
metadata=client.V1ObjectMeta(name='kaml-remote-{}-{}'.format(
user, uuid.uuid1()),
labels={'type': size}),
spec=client.V1PodSpec(containers=[
client.V1Container(
name='kaml-remote',
args=job_arguments,
image='{}:{}'.format(docker_image, docker_image_tag),
image_pull_policy='Always',
env=[client.V1EnvVar(name='KAML_HOME', value='/app')],
volume_mounts=[
client.V1VolumeMount(name='kaml-cfg-volume',
read_only=True,
mount_path='/app/kaml.cfg',
sub_path='kaml.cfg'),
client.V1VolumeMount(
name='gcp-service-account',
read_only=True,
mount_path='/app/service-key.json',
sub_path='service-key.json'),
])
],
affinity=affinity,
volumes=[
client.V1Volume(name='kaml-cfg-volume',
config_map=client.
V1ConfigMapVolumeSource(
name='kaml-cfg')),
client.V1Volume(
name='gcp-service-account',
secret=client.V1SecretVolumeSource(
secret_name='gcp-service-account',
items=[
client.V1KeyToPath(
key='service-key.json',
path='service-key.json')
]))
],
restart_policy='Never'))))
return (job)
def setup_secret_file(self, secret_name, file_path, filename):
"""Configure a file as a cluster namespaced secret
Args:
file_path (str): The source file path to be saved as a secret on the cluster.
secret_name (str): The secret name.
filename (str): The filename to be used in the secret volume.
Returns:
"""
with open(file_path, 'rb') as f:
secret_content = base64.b64encode(f.read()).decode()
secret = self.get_secret(secret_name)
if isinstance(secret, dict):
if secret.get("data", {}).get(filename) == secret_content:
logger.debug("%s already in namespace." % secret_name)
return client.V1SecretVolumeSource(secret_name=secret_name)
# Remove secret
logger.debug("Replacing existing %s..." % secret_name)
res = api_request(core_v1_api.delete_namespaced_secret,
name=secret_name,
namespace=self.namespace)
logger.debug(res)
# See https://github.com/kubernetes-client/python/blob/master/kubernetes/docs/V1Secret.md
metadata = {'name': secret_name, 'namespace': self.namespace}
secret = client.V1Secret(data={filename: secret_content},
metadata=metadata)
logger.debug("Creating %s..." % secret_name)
res = api_request(core_v1_api.create_namespaced_secret, self.namespace,
secret)
if res.get("error"):
logger.debug("Failed to create %s" % secret_name)
return None
return client.V1SecretVolumeSource(secret_name=secret_name)
def create_volume(volume_data):
if "name" in volume_data:
volume = client.V1Volume(
name=volume_data["name"]
)
# persistent claim
if "persistentVolumeClaim" in volume_data:
volume_pvc = volume_data["persistentVolumeClaim"]
if "claimName" in volume_pvc:
pvc = client.V1PersistentVolumeClaimVolumeSource(
claim_name=volume_pvc["claimName"]
)
volume.persistent_volume_claim = pvc
# hostpath
if "hostPath" in volume_data and "path" in volume_data["hostPath"]:
host_path = client.V1HostPathVolumeSource(
path=volume_data["hostPath"]["path"]
)
if "hostPath" in volume_data and "type" in volume_data["hostPath"]:
host_path.type = volume_data["hostPath"]["type"]
volume.host_path = host_path
# nfs
if ("nfs" in volume_data and
"path" in volume_data["nfs"] and
"server" in volume_data["nfs"]):
volume.nfs = client.V1NFSVolumeSource(
path=volume_data["nfs"]["path"],
server=volume_data["nfs"]["server"]
)
# secret
if "secret" in volume_data:
volume.secret = client.V1SecretVolumeSource(
secret_name=volume_data["secret"]["secretName"]
)
# configMap
if "configMap" in volume_data:
volume.config_map = client.V1ConfigMapVolumeSource(
name=volume_data["configMap"]["name"]
)
return volume
return None
def replicate_data_cloud_sync(
# Define variables that the user can set in the pipelines UI; set default values
cloud_sync_relationship_id: str,
cloud_sync_refresh_token_k8s_secret: str = "cloud-sync-refresh-token"):
# Pipeline Steps:
# Trigger Cloud Sync update
replicate = NetappCloudSyncUpdateOp(cloud_sync_relationship_id)
# Mount k8s secret containing Cloud Sync refresh token
replicate.add_pvolumes({
'/mnt/secret':
k8s_client.V1Volume(
name='cloud-sync-refresh-token',
secret=k8s_client.V1SecretVolumeSource(
secret_name=cloud_sync_refresh_token_k8s_secret))
})
def with_secret(self, secret_name: str, mount_path: str) -> Optional["HmlContainerOp"]:
"""
Bind a secret given by `secret_name` to the local path defined in `mount_path`
Args:
secret_name (str): The name of the secret (in the same namespace)
mount_path (str): The path to mount the secret locally
Returns:
A reference to the current `HmlContainerOp` (self)
"""
volume_name = secret_name
self.op.add_volume(
k8s_client.V1Volume(name=volume_name, secret=k8s_client.V1SecretVolumeSource(secret_name=secret_name))
)
self.op.add_volume_mount(k8s_client.V1VolumeMount(name=volume_name, mount_path=mount_path))
return self
def _use_secret(task):
import os
from kubernetes import client as k8s_client
task = task.add_volume(
k8s_client.V1Volume(
name=volume_name,
secret=k8s_client.V1SecretVolumeSource(
secret_name=secret_name))).add_volume_mount(
k8s_client.V1VolumeMount(
name=volume_name,
mount_path=secret_volume_mount_path))
if env_variable:
task.container.add_env_variable(
k8s_client.V1EnvVar(
name=env_variable,
value=os.path.join(secret_volume_mount_path,
secret_file_path_in_volume),
))
return task
