Use read only fs for Ouath and Job API component (#1095)

* Use read only fs for Ouath and Job API component

* simplify bash sleep resource requirements

* Run bash sleep with readonly root

* Always set default memory and cpu

* revert tests

* cleanup resourcesmap

* tests cleanup

* Add context to BatchJob, KubeJob and Deployment

* replace context.TODO() with deploy.ctx

* remove commented out helper function

* revert test description

* move setup logger to test util, move kube tests to kube_test

* move setup logger to test util, move kube tests to kube_test

* remove test import if not needed

* return error instead of taking context

* use context logger instead of struct logger

* remove context from batch.NewSyncer()

* move log setup to init

* Add Resources util tests

* rename resourcesv1 to kuberesources

* rename resourcesv1 to resource

* move utils Resource builder to its own test package/file

* Bump patch version

Makefile

@@ -82,8 +82,8 @@ CONTROLLER_GEN=$(shell which controller-gen)
 endif
 
 .PHONY: test
-test:	
-	go test -cover `go list ./... | grep -v 'pkg/client'`
+test:
+	LOG_LEVEL=warn go test -cover `go list ./... | grep -v 'pkg/client'`
 
 .PHONY: mocks
 mocks:
@@ -129,7 +129,7 @@ CUSTOM_RESOURCE_NAME=radix
 CUSTOM_RESOURCE_VERSION=v1
 
 .PHONY: code-gen
-code-gen: 
+code-gen:
 	$(GOPATH)/pkg/mod/k8s.io/[email protected]/generate-groups.sh all $(ROOT_PACKAGE)/pkg/client $(ROOT_PACKAGE)/pkg/apis $(CUSTOM_RESOURCE_NAME):$(CUSTOM_RESOURCE_VERSION) --go-header-file $(GOPATH)/pkg/mod/k8s.io/[email protected]/hack/boilerplate.go.txt
 
 .PHONY: crds

charts/radix-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: radix-operator
-version: 1.32.0
-appVersion: 1.52.0
+version: 1.32.1
+appVersion: 1.52.1
 kubeVersion: ">=1.24.0"
 description: Radix Operator
 keywords:

pipeline-runner/internal/watcher/radix_deployment_watcher_test.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
+	_ "github.com/equinor/radix-operator/pkg/apis/test"
 	radix "github.com/equinor/radix-operator/pkg/client/clientset/versioned/fake"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

pipeline-runner/steps/build_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/equinor/radix-operator/pkg/apis/defaults"
 	"github.com/equinor/radix-operator/pkg/apis/kube"
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
+	_ "github.com/equinor/radix-operator/pkg/apis/test"
 	"github.com/equinor/radix-operator/pkg/apis/utils"
 	"github.com/equinor/radix-operator/pkg/apis/utils/annotations"
 	"github.com/equinor/radix-operator/pkg/apis/utils/git"

pkg/apis/batch/kubejob.go

@@ -27,7 +27,7 @@ const (
 	jobPayloadVolumeName = "job-payload"
 )
 
-func (s *syncer) reconcileKubeJob(batchJob *radixv1.RadixBatchJob, rd *radixv1.RadixDeployment, jobComponent *radixv1.RadixDeployJobComponent, existingJobs []*batchv1.Job) error {
+func (s *syncer) reconcileKubeJob(ctx context.Context, batchJob *radixv1.RadixBatchJob, rd *radixv1.RadixDeployment, jobComponent *radixv1.RadixDeployJobComponent, existingJobs []*batchv1.Job) error {
 	if isBatchJobStopRequested(batchJob) {
 		// Delete existing k8s job if stop is requested for batch job
 		batchJobKubeJobs := slice.FindAll(existingJobs, func(job *batchv1.Job) bool { return isResourceLabeledWithBatchJobName(batchJob.Name, job) })
@@ -46,7 +46,7 @@ func (s *syncer) reconcileKubeJob(batchJob *radixv1.RadixBatchJob, rd *radixv1.R
 	if err != nil {
 		return err
 	}
-	job, err := s.buildJob(batchJob, jobComponent, rd)
+	job, err := s.buildJob(ctx, batchJob, jobComponent, rd)
 	if err != nil {
 		return err
 	}
@@ -122,7 +122,7 @@ func (s *syncer) deleteJobs(jobsToDelete []*batchv1.Job) error {
 	return nil
 }
 
-func (s *syncer) buildJob(batchJob *radixv1.RadixBatchJob, jobComponent *radixv1.RadixDeployJobComponent, rd *radixv1.RadixDeployment) (*batchv1.Job, error) {
+func (s *syncer) buildJob(ctx context.Context, batchJob *radixv1.RadixBatchJob, jobComponent *radixv1.RadixDeployJobComponent, rd *radixv1.RadixDeployment) (*batchv1.Job, error) {
 	jobLabels := s.batchJobIdentifierLabel(batchJob.Name, rd.Spec.AppName)
 	podLabels := radixlabels.Merge(
 		jobLabels,
@@ -136,7 +136,7 @@ func (s *syncer) buildJob(batchJob *radixv1.RadixBatchJob, jobComponent *radixv1
 	}
 
 	kubeJobName := getKubeJobName(s.radixBatch.GetName(), batchJob.Name)
-	containers, err := s.getContainers(rd, jobComponent, batchJob, kubeJobName)
+	containers, err := s.getContainers(ctx, rd, jobComponent, batchJob, kubeJobName)
 	if err != nil {
 		return nil, err
 	}
@@ -217,7 +217,7 @@ func (s *syncer) getVolumes(namespace, environment string, batchJob *radixv1.Rad
 	return volumes, nil
 }
 
-func (s *syncer) getContainers(rd *radixv1.RadixDeployment, jobComponent *radixv1.RadixDeployJobComponent, batchJob *radixv1.RadixBatchJob, kubeJobName string) ([]corev1.Container, error) {
+func (s *syncer) getContainers(ctx context.Context, rd *radixv1.RadixDeployment, jobComponent *radixv1.RadixDeployJobComponent, batchJob *radixv1.RadixBatchJob, kubeJobName string) ([]corev1.Container, error) {
 	volumeMounts, err := s.getContainerVolumeMounts(batchJob, jobComponent, rd.GetName())
 	if err != nil {
 		return nil, err
@@ -227,7 +227,10 @@ func (s *syncer) getContainers(rd *radixv1.RadixDeployment, jobComponent *radixv
 		return nil, err
 	}
 	ports := getContainerPorts(jobComponent)
-	resources := s.getContainerResources(batchJob, jobComponent)
+	resources, err := s.getContainerResources(batchJob, jobComponent)
+	if err != nil {
+		return nil, err
+	}
 
 	image := getJobImage(jobComponent, batchJob)
 	securityContext := securitycontext.Container(securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault), securitycontext.WithReadOnlyRootFileSystem(jobComponent.GetReadOnlyFileSystem()))
@@ -267,7 +270,7 @@ func (s *syncer) getContainerEnvironmentVariables(rd *radixv1.RadixDeployment, j
 	return environmentVariables, nil
 }
 
-func (s *syncer) getContainerResources(batchJob *radixv1.RadixBatchJob, jobComponent *radixv1.RadixDeployJobComponent) corev1.ResourceRequirements {
+func (s *syncer) getContainerResources(batchJob *radixv1.RadixBatchJob, jobComponent *radixv1.RadixDeployJobComponent) (corev1.ResourceRequirements, error) {
 	if batchJob.Resources != nil {
 		return operatorUtils.BuildResourceRequirement(batchJob.Resources)
 	}

pkg/apis/batch/syncer.go

@@ -1,6 +1,9 @@
 package batch
 
 import (
+	"context"
+	"fmt"
+
 	"github.com/equinor/radix-operator/pkg/apis/kube"
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 	radixlabels "github.com/equinor/radix-operator/pkg/apis/utils/labels"
@@ -17,10 +20,7 @@ type Syncer interface {
 }
 
 // NewSyncer Constructor os RadixBatches Syncer
-func NewSyncer(kubeclient kubernetes.Interface,
-	kubeUtil *kube.Kube,
-	radixClient radixclient.Interface,
-	radixBatch *radixv1.RadixBatch) Syncer {
+func NewSyncer(kubeclient kubernetes.Interface, kubeUtil *kube.Kube, radixClient radixclient.Interface, radixBatch *radixv1.RadixBatch) Syncer {
 	return &syncer{
 		kubeClient:  kubeclient,
 		kubeUtil:    kubeUtil,
@@ -46,10 +46,10 @@ func (s *syncer) OnSync() error {
 		return nil
 	}
 
-	return s.syncStatus(s.reconcile())
+	return s.syncStatus(s.reconcile(context.TODO()))
 }
 
-func (s *syncer) reconcile() error {
+func (s *syncer) reconcile(ctx context.Context) error {
 	const syncStatusForEveryNumberOfBatchJobsReconciled = 10
 
 	rd, jobComponent, err := s.getRadixDeploymentAndJobComponent()
@@ -69,16 +69,16 @@ func (s *syncer) reconcile() error {
 
 	for i, batchJob := range s.radixBatch.Spec.Jobs {
 		if err := s.reconcileService(&batchJob, rd, jobComponent, existingServices); err != nil {
-			return err
+			return fmt.Errorf("batchjob %s: failed to reconcile service: %w", batchJob.Name, err)
 		}
 
-		if err := s.reconcileKubeJob(&batchJob, rd, jobComponent, existingJobs); err != nil {
-			return err
+		if err := s.reconcileKubeJob(ctx, &batchJob, rd, jobComponent, existingJobs); err != nil {
+			return fmt.Errorf("batchjob %s: failed to reconcile kubejob: %w", batchJob.Name, err)
 		}
 
 		if i%syncStatusForEveryNumberOfBatchJobsReconciled == 0 {
 			if err := s.syncStatus(nil); err != nil {
-				return err
+				return fmt.Errorf("batchjob %s: failed to sync status: %w", batchJob.Name, err)
 			}
 		}
 	}

pkg/apis/batch/syncer_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/equinor/radix-operator/pkg/apis/kube"
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 	"github.com/equinor/radix-operator/pkg/apis/securitycontext"
+	_ "github.com/equinor/radix-operator/pkg/apis/test"
 	"github.com/equinor/radix-operator/pkg/apis/utils"
 	radixlabels "github.com/equinor/radix-operator/pkg/apis/utils/labels"
 	fakeradix "github.com/equinor/radix-operator/pkg/client/clientset/versioned/fake"

pkg/apis/deployment/config_maps.go

@@ -1,11 +1,14 @@
 package deployment
 
 import (
+	"context"
 	"errors"
 	"fmt"
+
+	"github.com/rs/zerolog/log"
 )
 
-func (deploy *Deployment) garbageCollectConfigMapsNoLongerInSpec() error {
+func (deploy *Deployment) garbageCollectConfigMapsNoLongerInSpec(ctx context.Context) error {
 	namespace := deploy.radixDeployment.Namespace
 
 	// List env var config maps
@@ -32,7 +35,7 @@ func (deploy *Deployment) garbageCollectConfigMapsNoLongerInSpec() error {
 		}
 
 		if !componentName.ExistInDeploymentSpecComponentList(deploy.radixDeployment) {
-			deploy.logger.Debug().Msgf("ConfigMap object %s in namespace %s belongs to deleted component %s, garbage collecting the configmap", cm.Name, namespace, componentName)
+			log.Ctx(ctx).Debug().Msgf("ConfigMap object %s in namespace %s belongs to deleted component %s, garbage collecting the configmap", cm.Name, namespace, componentName)
 			err = deploy.kubeutil.DeleteConfigMap(namespace, cm.Name)
 		}
 		if err != nil {