@Test
public void shouldEnsureAndMountServiceAccountSecret() throws IOException {
    // Arrange: the secret manager returns the name of the SA key secret for this workflow.
    final String workflowId = WORKFLOW_INSTANCE.workflowId().toString();
    when(serviceAccountSecretManager.ensureServiceAccountKeySecret(workflowId, SERVICE_ACCOUNT))
        .thenReturn(SERVICE_ACCOUNT_SECRET);

    // Act
    kdr.start(RUN_STATE, RUN_SPEC_WITH_SA);

    // Assert: the secret was ensured and the created pod declares a volume backed by it.
    // (Only the volume's presence is checked here, not its mount or read-only flag.)
    verify(serviceAccountSecretManager).ensureServiceAccountKeySecret(workflowId, SERVICE_ACCOUNT);
    verify(k8sClient).createPod(podCaptor.capture());
    final Pod createdPod = podCaptor.getValue();
    final boolean hasServiceAccountSecretVolume = createdPod.getSpec().getVolumes().stream()
        .map(Volume::getSecret)
        .filter(Objects::nonNull)
        .anyMatch(source -> SERVICE_ACCOUNT_SECRET.equals(source.getSecretName()));
    assertThat(hasServiceAccountSecretVolume, is(true));
}
/**
 * Creates a Volume backed by a Secret.
 *
 * <p>The default file mode is {@code 0444} (readable by every user inside the pod),
 * except on OpenShift where {@code 0440} is used.
 *
 * @param name Name of the Volume; passed through {@code getValidVolumeName} first
 * @param secretName Name of the Secret
 * @param isOpenshift true if underlying cluster OpenShift
 * @return The Volume created
 */
public static Volume createSecretVolume(String name, String secretName, boolean isOpenshift) {
    final String volumeName = getValidVolumeName(name);
    // Octal literals: group-readable only on OpenShift, world-readable elsewhere.
    final int defaultMode = isOpenshift ? 0440 : 0444;
    final SecretVolumeSource source = new SecretVolumeSourceBuilder()
        .withSecretName(secretName)
        .withDefaultMode(defaultMode)
        .build();
    final Volume volume = new VolumeBuilder()
        .withSecret(source)
        .withName(volumeName)
        .build();
    log.trace("Created secret Volume named '{}' with source secret '{}'", volumeName, secretName);
    return volume;
}
/**
 * Translates this secret definition into a pod Volume backed by a {@code SecretVolumeSource}.
 *
 * @param volumeName name to give the resulting Volume
 * @return the Volume, carrying the secret name, the optional flag and (if configured) the default mode
 * @throws NumberFormatException if {@code defaultMode} is set but is not an integer
 */
@Override
public Volume buildVolume(String volumeName) {
    final SecretVolumeSource source = new SecretVolumeSource();
    source.setSecretName(getSecretName());
    source.setOptional(getOptional());
    final boolean hasDefaultMode = StringUtils.isNotBlank(defaultMode);
    if (hasDefaultMode) {
        // NOTE(review): parsed as a decimal integer, so an octal-style value such as "0440"
        // would become 440 rather than 288 — confirm the documented format for this field.
        source.setDefaultMode(Integer.parseInt(getDefaultMode()));
    }
    final VolumeBuilder builder = new VolumeBuilder().withName(volumeName);
    builder.withNewSecretLike(source).endSecret();
    return builder.build();
}
/**
 * Builds the DeploymentSpec for the managed component.
 *
 * @param replicas desired replica count; clamped to at least 1
 * @param labels labels applied (normalised) to the pod template and (raw) to the selector
 * @param nodeSelector optional node selector; ignored when null or empty
 * @param serviceAccountName service account for the pod, normalised before use
 * @param imageName container image
 * @param imagePullPolicy pull policy for the container
 * @param maxHistory passed through to the container definition
 * @param namespace passed through to the container definition
 * @param hostNetwork whether the pod uses the host network
 * @param tls when true, a volume backed by {@code SECRET_NAME} is added to the pod
 * @param verifyTls passed through to the container definition
 * @return the populated DeploymentSpec
 */
protected DeploymentSpec createDeploymentSpec(final int replicas,
        final Map<String, String> labels,
        final Map<String, String> nodeSelector,
        final String serviceAccountName,
        final String imageName,
        final ImagePullPolicy imagePullPolicy,
        final int maxHistory,
        final String namespace,
        final boolean hostNetwork,
        final boolean tls,
        final boolean verifyTls) {
    final ObjectMeta templateMeta = new ObjectMeta();
    templateMeta.setLabels(normalizeLabels(labels));

    final PodSpec spec = new PodSpec();
    spec.setServiceAccountName(normalizeServiceAccountName(serviceAccountName));
    spec.setContainers(Arrays.asList(
        this.createContainer(imageName, imagePullPolicy, maxHistory, namespace, tls, verifyTls)));
    spec.setHostNetwork(Boolean.valueOf(hostNetwork));
    final boolean hasNodeSelector = nodeSelector != null && !nodeSelector.isEmpty();
    if (hasNodeSelector) {
        spec.setNodeSelector(nodeSelector);
    }
    if (tls) {
        // TLS material comes from the SECRET_NAME secret; how (and whether read-only) the
        // container mounts it is decided in createContainer, which is not visible here.
        final SecretVolumeSource certSource = new SecretVolumeSource();
        certSource.setSecretName(SECRET_NAME);
        final Volume certVolume = new Volume();
        certVolume.setName(DEFAULT_NAME + "-certs");
        certVolume.setSecret(certSource);
        spec.setVolumes(Arrays.asList(certVolume));
    }

    final PodTemplateSpec template = new PodTemplateSpec();
    template.setMetadata(templateMeta);
    template.setSpec(spec);

    // NOTE(review): the selector uses the raw labels while the template uses normalizeLabels(labels);
    // if normalisation ever rewrites a key or value the selector would no longer match — confirm.
    final LabelSelector selector = new LabelSelector();
    selector.setMatchLabels(labels);

    final DeploymentSpec deploymentSpec = new DeploymentSpec();
    deploymentSpec.setReplicas(Math.max(1, replicas));
    deploymentSpec.setTemplate(template);
    deploymentSpec.setSelector(selector);
    return deploymentSpec;
}
/**
 * Creates a Volume backed by a Secret, projecting only the given keys.
 *
 * <p>The default file mode is {@code 0444} (readable by every user inside the pod),
 * except on OpenShift where {@code 0440} is used.
 *
 * @param name Name of the Volume; passed through {@code getValidVolumeName} first
 * @param secretName Name of the Secret
 * @param items Secret key to relative file path within the volume
 * @param isOpenshift true if underlying cluster OpenShift
 * @return The Volume created
 */
public static Volume createSecretVolume(String name, String secretName, Map<String, String> items, boolean isOpenshift) {
    final String volumeName = getValidVolumeName(name);
    // Octal literals: group-readable only on OpenShift, world-readable elsewhere.
    final int defaultMode = isOpenshift ? 0440 : 0444;

    // One KeyToPath per entry: the map key is the Secret key, the value its target path.
    final List<KeyToPath> projections = new ArrayList<>();
    items.forEach((key, path) -> projections.add(
        new KeyToPathBuilder().withNewKey(key).withNewPath(path).build()));

    final SecretVolumeSource source = new SecretVolumeSourceBuilder()
        .withSecretName(secretName)
        .withItems(projections)
        .withDefaultMode(defaultMode)
        .build();
    final Volume volume = new VolumeBuilder()
        .withSecret(source)
        .withName(volumeName)
        .build();
    log.trace("Created secret Volume named '{}' with source secret '{}'", volumeName, secretName);
    return volume;
}
/**
 * Returns the Secret-backed volume source, or {@code null} when a ConfigMap is used instead.
 *
 * @return the configured {@code SecretVolumeSource}, possibly {@code null}
 */
@Description("Reference to a key in a Secret. " +
    "Exactly one Secret or ConfigMap has to be specified.")
@KubeLink(group = "core", version = "v1", kind = "secretvolumesource")
@JsonInclude(value = JsonInclude.Include.NON_NULL)
public SecretVolumeSource getSecret() {
    return this.secret;
}
/**
 * Asserts that the pod has exactly one volume, named {@code CHE_SELF_SIGNED_CERT_VOLUME}
 * and backed by the {@code EXPECTED_CERT_NAME} secret.
 *
 * @param pod the pod under test
 */
private void verifyVolumeIsPresent(Pod pod) {
    final List<Volume> volumes = pod.getSpec().getVolumes();
    assertEquals(volumes.size(), 1);
    final Volume onlyVolume = volumes.get(0);
    assertEquals(onlyVolume.getName(), CHE_SELF_SIGNED_CERT_VOLUME);
    final SecretVolumeSource secretSource = onlyVolume.getSecret();
    assertNotNull(secretSource);
    assertEquals(secretSource.getSecretName(), EXPECTED_CERT_NAME);
}
/**
 * Builds the Pod that runs one workflow execution.
 *
 * <p>The main container gets the run spec's image (tagged {@code :latest} when untagged), args,
 * environment and memory request/limit. When the secret spec provides a service-account secret or
 * a custom secret, each is added as a Secret volume and mounted read-only into the main container;
 * for the service-account secret only the key file's path (not its content) is exposed via an
 * environment variable. A keepalive container is always appended.
 *
 * @param workflowInstance instance whose key is recorded in the pod annotations
 * @param runSpec image, args, resources, execution id and termination-logging flag
 * @param secretSpec optional service-account and custom secrets to mount
 * @param styxEnvironment environment name forwarded to {@code buildEnv}
 * @return the fully built Pod
 */
@VisibleForTesting
static Pod createPod(WorkflowInstance workflowInstance,
                     RunSpec runSpec,
                     KubernetesSecretSpec secretSpec,
                     String styxEnvironment) {
    // Pin an explicit tag so an untagged image name resolves predictably.
    final String image = runSpec.imageName();
    final String taggedImage = image.contains(":") ? image : image + ":latest";
    final String executionId = runSpec.executionId();

    final PodBuilder pod = new PodBuilder()
        .withNewMetadata()
            .withName(executionId)
            .addToAnnotations(STYX_WORKFLOW_INSTANCE_ANNOTATION, workflowInstance.toKey())
            .addToAnnotations(DOCKER_TERMINATION_LOGGING_ANNOTATION,
                String.valueOf(runSpec.terminationLogging()))
        .endMetadata();

    final PodSpecBuilder spec = new PodSpecBuilder().withRestartPolicy("Never");

    // Memory request/limit are only set when the run spec supplies them.
    final ResourceRequirementsBuilder resources = new ResourceRequirementsBuilder();
    runSpec.memRequest().ifPresent(mem -> resources.addToRequests("memory", new Quantity(mem)));
    runSpec.memLimit().ifPresent(mem -> resources.addToLimits("memory", new Quantity(mem)));

    final ContainerBuilder mainContainer = new ContainerBuilder()
        .withName(MAIN_CONTAINER_NAME)
        .withImage(taggedImage)
        .withArgs(runSpec.args())
        .withEnv(buildEnv(workflowInstance, runSpec, styxEnvironment))
        .withResources(resources.build());

    // Service-account key secret: read-only mount; the env var carries the file path only.
    secretSpec.serviceAccountSecret().ifPresent(saSecretName -> {
        final Volume saVolume = new VolumeBuilder()
            .withName(STYX_WORKFLOW_SA_SECRET_NAME)
            .withSecret(new SecretVolumeSourceBuilder().withSecretName(saSecretName).build())
            .build();
        final VolumeMount saMount = new VolumeMountBuilder()
            .withName(saVolume.getName())
            .withMountPath(STYX_WORKFLOW_SA_SECRET_MOUNT_PATH)
            .withReadOnly(true)
            .build();
        spec.addToVolumes(saVolume);
        mainContainer.addToVolumeMounts(saMount);
        mainContainer.addToEnv(envVar(STYX_WORKFLOW_SA_ENV_VARIABLE,
            saMount.getMountPath() + STYX_WORKFLOW_SA_JSON_KEY));
    });

    // User-supplied secret: volume named after the secret, read-only mount at its configured path.
    secretSpec.customSecret().ifPresent(custom -> {
        final Volume customVolume = new VolumeBuilder()
            .withName(custom.name())
            .withSecret(new SecretVolumeSourceBuilder().withSecretName(custom.name()).build())
            .build();
        final VolumeMount customMount = new VolumeMountBuilder()
            .withName(customVolume.getName())
            .withMountPath(custom.mountPath())
            .withReadOnly(true)
            .build();
        spec.addToVolumes(customVolume);
        mainContainer.addToVolumeMounts(customMount);
    });

    // Main container first, keepalive second: order matters for anything indexing containers.
    spec.addToContainers(mainContainer.build());
    spec.addToContainers(keepaliveContainer());
    return pod.withSpec(spec.build()).build();
}
/**
 * Sets the Secret-backed volume source; pass {@code null} to clear it.
 *
 * @param secret the {@code SecretVolumeSource} to use
 */
public void setSecret(SecretVolumeSource secret) {
    this.secret = secret;
}