Add values to volume copy

Chart.yaml

@@ -4,5 +4,5 @@ description: For deploying a CircleCI Container Agent
 icon: https://raw.githubusercontent.com/circleci/media/master/logo/build/horizontal_dark.1.png
 type: application
 
-version: "101.0.21"
+version: "101.0.22"
 appVersion: "3"

README.md

@@ -92,6 +92,9 @@ The command removes all the Kubernetes objects associated with the chart and del
 | agent.ssh.numPorts | int | `20` | Specify the total number of ports for SSH. This, along with `agent.ssh.startPort`, sets the port range. Note that the number of concurrent jobs rerun using SSH will be limited by the size of this range. |
 | agent.ssh.parametersRef | object | `{}` | Specify controller-specific configuration for the GatewayClass. For details, refer to the [Gateway API reference](https://gateway-api.sigs.k8s.io/api-types/gatewayclass/#gatewayclass-parameters), and the documentation for the Gateway controller specified by `agent.ssh.controllerName`. |
 | agent.ssh.startPort | int | `54782` | Define the start port for SSH. This, combined with `agent.ssh.numPorts`, is used to define a range of ports. Be aware that you may need to configure your firewall or security groups to allow this port range. |
+| agent.taskVolume | object | `{"enabled":true,"selector":{"matchExpressions":[{"key":"environment","operator":"In","values":["dev"]}],"matchLabels":{"release":"stable"}},"storageClassName":"name"}` | Use a volume to store task related binaries to avoid copying into the task pod filesystem for every task on startup. A volume of at least 1Gi is required. The chart will create a PVC and the cluster administrator must ensure an appropriate volume provider is available (or a provisioned volume) NOTE: THIS FEATURE IS EXPERIMENTAL. NO SUPPORT IS OFFERED AT THIS TIME |
+| agent.taskVolume.selector | object | `{"matchExpressions":[{"key":"environment","operator":"In","values":["dev"]}],"matchLabels":{"release":"stable"}}` | Volume selector assigned to the PVC (Optional) |
+| agent.taskVolume.storageClassName | string | `"name"` | Storage class name assigned to the PVC (Optional) |
 | agent.terminationGracePeriodSeconds | int | `18300` | Tasks are drained during the termination grace period, so this should be sufficiently long relative to the maximum run time to ensure graceful shutdown |
 | agent.tolerations | list | `[]` | Node tolerations for agent scheduling to nodes with taints Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | logging | object | `{"image":{"registry":"","repository":"circleci/logging-collector","tag":3},"rbac":{"create":true,"role":{"name":"logging-collector","rules":[]}},"serviceAccount":{"annotations":{},"create":true,"name":"logging-collector","secret":{"name":"logging-collector-token"}}}` | Configuration values for the logging containers. These containers run alongside service containers and stream their logs to the CircleCI UI |

templates/_helpers.tpl

@@ -93,6 +93,15 @@ true
 {{- end }}
 {{- end }}
 
+{{- define "container-agent.agent-security-context" -}}
+{{- if .Values.agent.taskVolume.enabled }}
+{{- range $key, $value := .Values.agent.podSecurityContext -}}
+{{- printf "%s: %s\n" $key $value -}}
+{{- end -}}
+fsGroup: 1500
+{{- end }}
+{{- end }}
+
 {{/* 
 proxy.env defines http proxy environment variables. It expects a list 
 with .Values.proxy first and additional no_proxy hosts as the         

templates/deployment.yaml

@@ -1,4 +1,5 @@
 {{- $fullName := include "container-agent.fullname" . -}}
+{{- $securityContext := include "container-agent.agent-security-context" . -}}
 
 apiVersion: apps/v1
 kind: Deployment
@@ -28,8 +29,8 @@ spec:
       {{- end}}
     {{- end }}
       serviceAccountName: {{ include "container-agent.serviceAccountName" . }}
-    {{- if .Values.agent.podSecurityContext }}
-      securityContext: {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}
+    {{- if $securityContext }}
+      securityContext: {{- $securityContext | nindent 8 }}
     {{- end }}
     {{- if .Values.agent.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.agent.terminationGracePeriodSeconds }}
@@ -38,9 +39,11 @@ spec:
         - name: taskpod-config
           configMap:
             name: {{ include "container-agent.fullname" . }}
+        {{- if .Values.agent.taskVolume.enabled }}
         - name: shared-task-agent
           persistentVolumeClaim:
             claimName: {{ include "container-agent.fullname" . }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           {{- with .Values.agent.image }}
@@ -51,14 +54,16 @@ spec:
           {{- end }}
           {{- end }}
           imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
-        {{- if .Values.agent.containerSecurityContext }}
+          {{- if .Values.agent.containerSecurityContext }}
           securityContext: {{- toYaml .Values.agent.containerSecurityContext | nindent 12 }}
-        {{- end }}
+          {{- end }}
           volumeMounts:
             - name: taskpod-config
               mountPath: /etc/container-agent
+            {{- if .Values.agent.taskVolume.enabled }}
             - name: shared-task-agent
               mountPath: /task-agent
+            {{- end }}
           env:
             - name: RUNNER_API
               value: {{ .Values.agent.runnerAPI }}
@@ -89,12 +94,14 @@ spec:
             - name: KUBE_LOGGING_IMAGE
               value: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}:{{ .tag }}"
             {{- end }}
-            - name: KUBE_SHARED_TASK_AGENT_VOLUME
-              value: {{ include "container-agent.fullname" . }}
             - name: KUBE_LOGGING_SECRET
               value: {{ .Values.logging.serviceAccount.secret.name | quote }}
             - name: KUBE_AUTODETECT_PLATFORM
               value: {{ .Values.agent.autodetectPlatform | quote }}
+            {{- if .Values.agent.taskVolume.enabled }}
+            - name: KUBE_SHARED_TASK_AGENT_VOLUME
+              value: {{ include "container-agent.fullname" . }}
+            {{- end }}
             {{- with .Values.agent }}
             # Agent logging settings
             - name: O11Y_LEVEL
@@ -156,9 +163,9 @@ spec:
 
           livenessProbe: {{ toYaml .Values.agent.livenessProbe | nindent 12 }}
           readinessProbe: {{ toYaml .Values.agent.readinessProbe | nindent 12 }}
-        {{- if .Values.agent.resources }}
+          {{- if .Values.agent.resources }}
           resources: {{ toYaml .Values.agent.resources | nindent 12 }}
-        {{- end }}
+          {{- end }}
     {{- if .Values.agent.nodeSelector }}
       nodeSelector: {{ toYaml .Values.agent.nodeSelector | nindent 8 }}
     {{- end }}

templates/pvc.yaml

@@ -1,10 +1,21 @@
+{{- if .Values.agent.taskVolume.enabled }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: {{ include "container-agent.fullname" . }}
 spec:
   accessModes:
     - ReadWriteOnce
+  volumeMode: Filesystem
+  {{- with .Values.agent.taskVolume }}
+  {{- if .storageClassName }}
+  storageClassName: {{ .storageClassName }}
+  {{- end }}
+  {{- if .selector }}
+  selector: {{- toYaml .selector | nindent 4 }}
+  {{- end }}
   resources:
     requests:
       storage: 1Gi
+  {{- end }}
+{{- end }}

values.yaml

@@ -7,7 +7,6 @@
 
 agent:
   replicaCount: 1
-
   # -- Agent image settings. NOTE: Setting an image digest will take precedence over the image tag
   image:
     registry: ""
@@ -25,8 +24,7 @@ agent:
   podAnnotations: {}
 
   # -- Security Context policies for agent pods
-  podSecurityContext:
-    fsGroup: 1500
+  podSecurityContext: {}
 
   # -- Security Context policies for agent containers
   containerSecurityContext: {}
@@ -202,16 +200,16 @@ agent:
     #       custom.io: my-annotation
     #   spec:
     #     containers:
-    #       - resources:
-    #           limits:
-    #             cpu: 500m
-    #         volumeMounts:
-    #           - name: xyz
-    #             mountPath: /path/to/mount
-    #     securityContext:
-    #       runAsNonRoot: true
-    #     imagePullSecrets:
-    #       - name: my_cred
+    #     - resources:
+    #         limits:
+    #           cpu: 500m
+    #       volumeMounts:
+    #         - name: xyz
+    #           mountPath: /path/to/mount
+    #   securityContext:
+    #     runAsNonRoot: true
+    #   imagePullSecrets:
+    #     - name: my_cred
     # circleci-runner/resourceClass2:
     #   token: XXXX
     #   spec:
@@ -263,6 +261,25 @@ agent:
     # Note that the number of concurrent jobs rerun using SSH will be limited by the size of this range.
     numPorts: 20
 
+  # -- Use a volume to store task related binaries to avoid copying into the task pod filesystem for
+  # every task on startup. A volume of at least 1Gi is required. The chart will create a PVC and the cluster
+  # administrator must ensure an appropriate volume provider is available (or a provisioned volume)
+  # NOTE: THIS FEATURE IS EXPERIMENTAL. NO SUPPORT IS OFFERED AT THIS TIME
+  taskVolume: 
+
+    # Enable the shared volume
+    enabled: true
+
+    # -- Storage class name assigned to the PVC (Optional)
+    storageClassName: "name"
+
+    # -- Volume selector assigned to the PVC (Optional)
+    selector:
+      matchLabels:
+        release: "stable"
+      matchExpressions:
+        - {key: environment, operator: In, values: [dev]}
+
 # -- Kubernetes service account settings
 serviceAccount:
   create: true