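/*
 * Copyright contributors to the Hyperledger Fabric Operator project
 *
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package config

import (
	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"
	corev1 "k8s.io/api/core/v1"
)

// DAEMON_CHECK_CMD is a shell loop that blocks until /shared/daemon-launched
// exists. It polls with no sleep between checks, so it busy-waits on a CPU
// until the marker appears; its callers live outside this file, and the value
// is exported, so it is left unchanged here.
const DAEMON_CHECK_CMD = "while true; do if [ -f /shared/daemon-launched ]; then break; fi; done"

// Resource defines the contract required for adding a daemon init container on to a kubernetes resource.
type Resource interface {
	AddContainer(add container.Container)
	AppendVolumeIfMissing(volume corev1.Volume)
	AppendPullSecret(imagePullSecret corev1.LocalObjectReference)
}

// AddDaemonContainer appends an init container responsible for launching HSM daemon
// as a background process within the processNamespace of the pod.
//
// config supplies the daemon image, environment, optional registry auth and the
// optional security-context and resource overrides. resource receives the
// container and, when config.Daemon.Auth is set, the image pull secret built by
// config.BuildPullSecret. contResource is the default resource requirements,
// used unless config.Daemon.Resources is set. pvcMount, when non-nil, is
// mounted into the daemon container after the mounts from config.GetVolumeMounts().
//
// config and resource must be non-nil; both are dereferenced without a check.
func AddDaemonContainer(config *HSMConfig, resource Resource, contResource corev1.ResourceRequirements, pvcMount *corev1.VolumeMount) {
	cont := buildHSMDaemonContainer(config, contResource, pvcMount)

	if config.Daemon.Auth != nil {
		resource.AppendPullSecret(config.BuildPullSecret())
	}

	// if securityContext is passed in hsm config override the same
	overrideHSMDaemonSecurityContext(cont.SecurityContext, config.Daemon.SecurityContext)

	// if resources are passed in hsm config, override
	if config.Daemon.Resources != nil {
		cont.Resources = *config.Daemon.Resources
	}

	resource.AddContainer(container.Container{Container: &cont})
}

// buildHSMDaemonContainer assembles the daemon container with its default
// security context and volume mounts: the "shared" volume first, then the
// mounts from config.GetVolumeMounts(), then pvcMount when it is non-nil.
func buildHSMDaemonContainer(config *HSMConfig, contResource corev1.ResourceRequirements, pvcMount *corev1.VolumeMount) corev1.Container {
	t := true
	f := false

	// The daemon needs to be started by root user, otherwise, results in this error:
	// This daemon needs root privileges, but the effective user id is not 'root'.
	user := int64(0)

	cont := corev1.Container{
		Name:  "hsm-daemon",
		Image: config.Daemon.Image,
		// PullAlways is fixed here; it is not configurable through HSMConfig.
		ImagePullPolicy: corev1.PullAlways,
		// Default posture is a privileged root container with privilege
		// escalation allowed. config.Daemon.SecurityContext is the only way
		// to narrow it (see overrideHSMDaemonSecurityContext).
		SecurityContext: &corev1.SecurityContext{
			RunAsUser:                &user,
			RunAsNonRoot:             &f,
			Privileged:               &t,
			AllowPrivilegeEscalation: &t,
		},
		Resources: contResource,
		VolumeMounts: []corev1.VolumeMount{
			{
				Name:      "shared",
				MountPath: "/shared",
			},
		},
		Env: config.Daemon.Envs,
	}

	// Append onto the container's own slice rather than onto the slice returned
	// by GetVolumeMounts: appending to that slice could write into spare
	// capacity of a backing array still referenced by config.
	cont.VolumeMounts = append(cont.VolumeMounts, config.GetVolumeMounts()...)
	if pvcMount != nil {
		cont.VolumeMounts = append(cont.VolumeMounts, *pvcMount)
	}

	return cont
}

// overrideHSMDaemonSecurityContext copies each field of override that is set
// (non-nil) onto sc, leaving unset fields at their defaults. The pointers are
// shared with override, as in the original inline code. A nil override or a
// nil sc is a no-op.
func overrideHSMDaemonSecurityContext(sc *corev1.SecurityContext, override *container.SecurityContext) {
	if sc == nil || override == nil {
		return
	}
	if override.Privileged != nil {
		sc.Privileged = override.Privileged
	}
	if override.RunAsNonRoot != nil {
		sc.RunAsNonRoot = override.RunAsNonRoot
	}
	if override.RunAsUser != nil {
		sc.RunAsUser = override.RunAsUser
	}
	if override.AllowPrivilegeEscalation != nil {
		sc.AllowPrivilegeEscalation = override.AllowPrivilegeEscalation
	}
}

// Daemon represents the configuration for the HSM Daemon.
type Daemon struct {
	// Image is the daemon container image; AddDaemonContainer pulls it with PullAlways.
	Image string `json:"image"`
	// Envs are set verbatim as the daemon container's environment.
	Envs []corev1.EnvVar `json:"envs,omitempty"`
	// Auth, when set, supplies the image pull secret appended to the resource.
	Auth *Auth `json:"auth,omitempty"`
	// SecurityContext overrides, field by field, the privileged-root defaults
	// that AddDaemonContainer applies to the daemon container.
	SecurityContext *container.SecurityContext `json:"securityContext,omitempty"`
	// Resources replaces the default resource requirements when set.
	// NOTE(review): the JSON key is "daemon", not "resources"; it is kept
	// unchanged because renaming it would alter the configuration schema —
	// confirm against existing configs and documentation.
	Resources *corev1.ResourceRequirements `json:"daemon,omitempty"`
}

// GetEnvs returns the environment variables configured for the daemon container.
func (d *Daemon) GetEnvs() []corev1.EnvVar {
	return d.Envs
}

// BuildPullSecret builds the string secret into the type expected by kubernetes.
// It returns the zero LocalObjectReference when no Auth is configured.
func (d *Daemon) BuildPullSecret() corev1.LocalObjectReference {
	if d.Auth == nil {
		return corev1.LocalObjectReference{}
	}
	return d.Auth.BuildPullSecret()
}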