1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -6,6 +6,7 @@
* Template the contents of st2.config and the values in st2chatops.env. This allows adding secrets defined elsewhere in values. (#249) (by @cognifloyd)
* Set default/sample RBAC config files to "" (empty string) to prevent adding them. This is needed because they cannot be removed by overriding the roles/mappings values. (#247) (by @cognifloyd)
* Make configuring `stackstorm/sensor-mode=all-sensors-in-one-pod` more obvious by using `st2.packs.sensors` only for `one-sensor-per-pod`. `all-sensors-in-one-pod` mode now only uses values from `st2sensorcontainer`. (#246) (by @cognifloyd)
* New feature: Add `extra_volumes` to `st2actionrunner`, `st2client`, `st2sensorcontainer`. This is useful for loading volumes to be used by actions or sensors. This might include secrets (like ssl certificates) and configuration (like system-wide ansible.cfg). (#254) (by @cognifloyd)

## v0.70.0
* New feature: Shared packs volumes `st2.packs.volumes`. Allow using cluster-specific persistent volumes to store packs, virtualenvs, and (optionally) configs. This enables using `st2 pack install`. It even works with `st2packs` images in `st2.packs.images`. (#199) (by @cognifloyd)
32 changes: 32 additions & 0 deletions templates/deployments.yaml
@@ -764,6 +764,10 @@ spec:
mountPath: /etc/st2/keys
readOnly: true
{{- end }}
{{- range .Values.st2workflowengine.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in st2workflowengine.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'mount' definition in st2workflowengine.extra_volumes" .mount | toYaml) $ | nindent 10 }}
{{- end }}
{{- if .Values.st2workflowengine.postStartScript }}
- name: st2-post-start-script-vol
mountPath: /post-start.sh
@@ -788,6 +792,10 @@ spec:
- key: datastore_crypto_key
path: datastore_key.json
{{- end }}
{{- range .Values.st2workflowengine.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in st2workflowengine.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'volume' definition in st2workflowengine.extra_volumes" .volume | toYaml) $ | nindent 10 }}
{{- end }}
{{- if .Values.st2workflowengine.postStartScript }}
- name: st2-post-start-script-vol
configMap:
@@ -1124,6 +1132,10 @@ spec:
mountPath: /etc/st2/keys
readOnly: true
{{- end }}
{{- range $sensor.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in $sensor.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'mount' definition in $sensor.extra_volumes" .mount | toYaml) $ | nindent 10 }}
{{- end }}
{{- if $.Values.st2sensorcontainer.postStartScript }}
- name: st2-post-start-script-vol
mountPath: /post-start.sh
@@ -1149,6 +1161,10 @@ spec:
{{- end }}
{{- include "st2-config-volume" $ | nindent 8 }}
{{- include "packs-volumes" $ | nindent 8 }}
{{- range $sensor.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in $sensor.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'volume' definition in $sensor.extra_volumes" .volume | toYaml) $ | nindent 10 }}
{{- end }}
{{- if $.Values.st2sensorcontainer.postStartScript }}
- name: st2-post-start-script-vol
configMap:
@@ -1255,6 +1271,10 @@ spec:
{{- if .Values.st2.packs.volumes.enabled }}
{{- include "pack-configs-volume-mount" . | nindent 8 }}
{{- end }}
{{- range .Values.st2actionrunner.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in st2actionrunner.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'mount' definition in st2actionrunner.extra_volumes" .mount | toYaml) $ | nindent 10 }}
{{- end }}
- name: st2-post-start-script-vol
mountPath: /post-start.sh
subPath: post-start.sh
@@ -1289,6 +1309,10 @@ spec:
{{- if .Values.st2.packs.volumes.enabled }}
{{- include "pack-configs-volume" . | nindent 8 }}
{{- end }}
{{- range .Values.st2actionrunner.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in st2actionrunner.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'volume' definition in st2actionrunner.extra_volumes" .volume | toYaml) $ | nindent 10 }}
{{- end }}
- name: st2-post-start-script-vol
configMap:
name: {{ .Release.Name }}-st2actionrunner-post-start-script
@@ -1520,6 +1544,10 @@ spec:
{{- end }}
{{- include "packs-volume-mounts" . | nindent 8 }}
{{- include "pack-configs-volume-mount" . | nindent 8 }}
{{- range .Values.st2client.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in st2client.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'mount' definition in st2client.extra_volumes" .mount | toYaml) $ | nindent 10 }}
{{- end }}
- name: st2-post-start-script-vol
mountPath: /post-start.sh
subPath: post-start.sh
@@ -1569,6 +1597,10 @@ spec:
mode: 256
{{- include "packs-volumes" . | nindent 8 }}
{{- include "pack-configs-volume" . | nindent 8 }}
{{- range .Values.st2client.extra_volumes }}
- name: {{ required "Each volume must have a 'name' in st2client.extra_volumes" .name }}
{{- tpl (required "Each volume must have a 'volume' definition in st2client.extra_volumes" .volume | toYaml) $ | nindent 10 }}
{{- end }}
- name: st2-post-start-script-vol
configMap:
name: {{ .Release.Name }}-st2client-post-start-script
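Review bot: The volume `name` is written unquoted in all eight added `range` blocks (workflowengine, sensor, actionrunner and client, on both the mount and the volume side), so a value that YAML reads as a number or boolean renders as a non-string; piping it through quote keeps it a string, e.g. `- name: {{ required "Each volume must have a 'name' in st2client.extra_volumes" .name | quote }}`. `required` only proves that `mount` and `volume` are non-empty, so an entry without `mountPath` still renders and is rejected only by the API server, and nothing here stops an entry from reusing a chart-owned name such as `st2-post-start-script-vol` or from mounting over a chart path such as `/etc/st2/keys`; a short comment above each block stating that limitation would help. In the two sensor blocks the error message prints the literal `$sensor.extra_volumes`, which is not a values path a user can look up. The enclosing volumeMounts and volumes lists start and end outside these hunks, so the `nindent 10` depth cannot be checked from here.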
38 changes: 38 additions & 0 deletions values.yaml
@@ -461,6 +461,10 @@ st2workflowengine:
# The pod will not be marked as "running" until this script completes successfully.
# see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
postStartScript: ""
# mount extra volumes on the st2workflowengine pod(s) (primarily useful for k8s-provisioned secrets)
## Note that Helm templating is supported in 'mount' and 'volume'
extra_volumes: []
# see examples under st2workflowengine.extra_volumes
# https://docs.stackstorm.com/reference/ha.html#st2scheduler
# TODO: Description TBD
st2scheduler:
@@ -549,6 +553,32 @@ st2actionrunner:
# The pod will not be marked as "running" until this script completes successfully.
# see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
postStartScript: ""
# mount extra volumes on the st2actionrunner pods (primarily useful for k8s-provisioned secrets)
## Note that Helm templating is supported in 'mount' and 'volume'
extra_volumes: []
# For example, if some actions in the fictional acme pack
# needed some file-based client-side certificates:
# - name: st2-encryption-key-vol
# mount:
# mountPath: "{{ .Values.acme.ssl_certs_dir }}"
# readOnly: true
# volume:
# secret:
# secretName: "{{ .Release.Name }}-st2-acme-pack-certs"
# items:
# - key: ssl_certificate
# path: acme.crt
# - key: ssl_certificate_key
# path: acme.key
#
# An example that adds a global ansible.cfg file for the ansible pack.
# - name: global-ansible-config
# mount:
# mountPath: /etc/ansible/ansible.cfg
# subPath: ansible.cfg
# volume:
# configMap:
# name: "{{ .Release.Name }}-st2-ansible-config"

# https://docs.stackstorm.com/reference/ha.html#st2sensorcontainer
# It is possible to run st2sensorcontainer(s) in one of these modes:
@@ -581,6 +611,10 @@ st2sensorcontainer:
# The pod will not be marked as "running" until this script completes successfully.
# see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
postStartScript: ""
# mount extra volumes on the st2sensorcontainer pod(s) (primarily useful for k8s-provisioned secrets)
## Note that Helm templating is supported in 'mount' and 'volume'
extra_volumes: []
# see examples under st2actionrunner.extra_volumes

# The st2client deployment/pod simplifies ad-hoc administration.
# st2client is a special purpose actionrunner pod, but you can customize it separately
@@ -597,6 +631,10 @@ st2client:
# The pod will not be marked as "running" until this script completes successfully.
# see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
postStartScript: ""
# mount extra volumes on the st2client pod (primarily useful for k8s-provisioned secrets)
## Note that Helm templating is supported in 'mount' and 'volume'
extra_volumes: []
# see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2garbagecollector
# Optional service that cleans up old executions and other operations data based on setup configurations.
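Review bot: The comment added under `st2workflowengine.extra_volumes` reads `# see examples under st2workflowengine.extra_volumes`, which points at itself; the examples live under st2actionrunner, so it should read `# see examples under st2actionrunner.extra_volumes` like the st2sensorcontainer and st2client comments. The first example names its volume `st2-encryption-key-vol` although it mounts pack certificates; that name looks as if it may belong to a volume the chart already defines (not visible in these hunks), in which case a copied example would fail on a duplicate volume name, so a neutral name (for example `acme-pack-certs`) would be safer. Because `mount` and `volume` are rendered with `tpl` and passed through as given, the comment could also say that any volume source is accepted, e.g. `## Any volume source is rendered as given; prefer secret/configMap volumes with readOnly: true`.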