Make results folder writable (Fix for tektoncd#2131)

othomann · Mar 3, 2020 · 3505b5f · 3505b5f
1 parent c317d64
commit 3505b5f
Show file tree

Hide file tree

Showing 5 changed files with 151 additions and 15 deletions.
diff --git a/cmd/entrypoint/README.md b/cmd/entrypoint/README.md
@@ -5,6 +5,7 @@ wrapping it. In `tektoncd/pipeline` this is used to make sure `Task`'s
 steps are executed in order, or for sidecars.
 
 The following flags are available :
+
 - `-entrypoint`: "original" command to be executed (as
   entrypoint). This will be executed as a sub-process on `entrypoint`
 - `-post_file`: file path to write once the sub-process has
@@ -22,13 +23,13 @@ The following flags are available :
 The following example of usage for `entrypoint`, wait's for
 `/tekton/downward/ready` file to exists and have some content before
 executing `/ko-app/bash -- -args mkdir -p /workspace/git-resource`,
-and will write to `/tekton/tools/0` in casse of succes, or
+and will write to `/tekton/tools/0` in case of succes, or
 `/tekton/tools/0.err` in case of failure.
 
-```
+```shell
 entrypoint \
-	-wait_file /tekton/downward/ready \
-	-post_file /tekton/tools/0" \
-	-wait_file_content  \
-	-entrypoint /ko-app/bash -- -args mkdir -p /workspace/git-resource
+ -wait_file /tekton/downward/ready \
+ -post_file /tekton/tools/0" \
+ -wait_file_content  \
+ -entrypoint /ko-app/bash -- -args mkdir -p /workspace/git-resource
 ```
diff --git a/cmd/entrypoint/main.go b/cmd/entrypoint/main.go
@@ -25,7 +25,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
 )
 
@@ -54,13 +53,6 @@ func main() {
 		PostWriter:      &realPostWriter{},
 		Results:         strings.Split(*results, ","),
 	}
-	// strings.Split(..) with an empty string returns an array that contains one element, an empty string.
-	// The result folder should only be created if there are actual results to defined for the entrypoint.
-	if len(e.Results) >= 1 && e.Results[0] != "" {
-		if err := os.MkdirAll(pipeline.DefaultResultPath, 0755); err != nil {
-			log.Fatalf("Error creating the results directory: %v", err)
-		}
-	}
 	if err := e.Go(); err != nil {
 		switch t := err.(type) {
 		case skipError:

diff --git a/examples/pipelineruns/task_results_example_user.yaml b/examples/pipelineruns/task_results_example_user.yaml
@@ -0,0 +1,97 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Pipeline
+metadata:
+  name: sum-and-multiply-pipeline-user
+spec:
+  params:
+    - name: a
+      type: string
+      default: "1"
+    - name: b
+      type: string
+      default: "1"
+  tasks:
+    - name: sum-inputs
+      taskRef:
+        name: sum-user
+      params:
+        - name: a
+          value: "$(params.a)"
+        - name: b
+          value: "$(params.b)"
+    - name: multiply-inputs
+      taskRef:
+        name: multiply-user
+      params:
+        - name: a
+          value: "$(params.a)"
+        - name: b
+          value: "$(params.b)"
+    - name: sum-and-multiply
+      taskRef:
+        name: sum-user
+      params:
+        - name: a
+          value: "$(tasks.multiply-inputs.results.product)$(tasks.sum-inputs.results.sum)"
+        - name: b
+          value: "$(tasks.multiply-inputs.results.product)$(tasks.sum-inputs.results.sum)"
+---
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+  name: sum-user
+  annotations:
+    description: |
+      A simple task that sums the two provided integers
+spec:
+  inputs:
+    params:
+      - name: a
+        type: string
+        default: "1"
+        description: The first integer
+      - name: b
+        type: string
+        default: "1"
+        description: The second integer
+  results:
+    - name: sum
+      description: The sum of the two provided integers
+  steps:
+    - name: sum
+      image: bash:latest
+      script: |
+        #!/usr/bin/env bash
+        echo -n $(( "$(inputs.params.a)" + "$(inputs.params.b)" )) | tee $(results.sum.path)
+      securityContext:
+        runAsUser: 1000
+---
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+  name: multiply-user
+  annotations:
+    description: |
+      A simple task that multiplies the two provided integers
+spec:
+  inputs:
+    params:
+      - name: a
+        type: string
+        default: "1"
+        description: The first integer
+      - name: b
+        type: string
+        default: "1"
+        description: The second integer
+  results:
+    - name: product
+      description: The product of the two provided integers
+  steps:
+    - name: product
+      image: bash:latest
+      script: |
+        #!/usr/bin/env bash
+        echo -n $(( "$(inputs.params.a)" * "$(inputs.params.b)" )) | tee $(results.product.path)
+      securityContext:
+        runAsUser: 1000
diff --git a/pkg/pod/pod.go b/pkg/pod/pod.go
@@ -34,6 +34,9 @@ import (
 const (
 	homeDir = "/tekton/home"
 
+	// ResultsDir is the folder used by default to create the results file
+	ResultsDir = "/tekton/results"
+
 	featureFlagConfigMapName        = "feature-flags"
 	featureFlagDisableHomeEnvKey    = "disable-home-env-overwrite"
 	featureFlagDisableWorkingDirKey = "disable-working-directory-overwrite"
@@ -58,13 +61,19 @@ var (
 	}, {
 		Name:      "tekton-internal-home",
 		MountPath: homeDir,
+	}, {
+		Name:      "tekton-internal-results",
+		MountPath: ResultsDir,
 	}}
 	implicitVolumes = []corev1.Volume{{
 		Name:         "tekton-internal-workspace",
 		VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
 	}, {
 		Name:         "tekton-internal-home",
 		VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+	}, {
+		Name:         "tekton-internal-results",
+		VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
 	}}
 )
 
@@ -94,6 +103,11 @@ func MakePod(images pipeline.Images, taskRun *v1alpha1.TaskRun, taskSpec v1alpha
 		volumes = append(volumes, secretsVolumes...)
 	}
 
+	// make tekton results folder writable by any user
+	if makeTektonFolderWritableInit := makeTektonResultsFolderWritable(images.ShellImage, implicitVolumeMounts); makeTektonFolderWritableInit != nil {
+		initContainers = append(initContainers, *makeTektonFolderWritableInit)
+	}
+
 	// Merge step template with steps.
 	// TODO(#1605): Move MergeSteps to pkg/pod
 	steps, err := v1alpha1.MergeStepsWithStepTemplate(taskSpec.StepTemplate, taskSpec.Steps)
@@ -253,7 +267,7 @@ func MakePod(images pipeline.Images, taskRun *v1alpha1.TaskRun, taskSpec v1alpha
 	}, nil
 }
 
-// makeLabels constructs the labels we will propagate from TaskRuns to Pods.
+// MakeLabels constructs the labels we will propagate from TaskRuns to Pods.
 func MakeLabels(s *v1alpha1.TaskRun) map[string]string {
 	labels := make(map[string]string, len(s.ObjectMeta.Labels)+1)
 	// NB: Set this *before* passing through TaskRun labels. If the TaskRun

diff --git a/pkg/pod/tekton_folder_writable.go b/pkg/pod/tekton_folder_writable.go
@@ -0,0 +1,32 @@
+/*
+Copyright 2019 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pod
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+// makeTektonResultsFolderWritable returns a Container that make the tekton folder writable by any user.
+func makeTektonResultsFolderWritable(shellImage string, volumeMounts []corev1.VolumeMount) *corev1.Container {
+	return &corev1.Container{
+		Name:         "tekton-results-folder-writable",
+		Image:        shellImage,
+		Command:      []string{"sh"},
+		Args:         []string{"-c", "chmod 777 " + ResultsDir},
+		VolumeMounts: volumeMounts,
+	}
+}