Merge pull request #20 from bdpiparva/run-container-in-privileged-mode

Run container in privileged mode to support docker-in-docker and docker-out-of-docker.

Author: bdpiprava

README.md

@@ -15,7 +15,7 @@ To build the jar, run `./gradlew clean build`
 ## License
 
 ```plain
-Copyright 2017 ThoughtWorks, Inc.
+Copyright 2018 ThoughtWorks, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

build.gradle

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 ThoughtWorks, Inc.
+ * Copyright 2018 ThoughtWorks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,7 +54,7 @@ dependencies {
     compile group: 'com.google.guava', name: 'guava', version: '19.0'
     compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.4'
     compile group: 'joda-time', name: 'joda-time', version: '2.9.4'
-    compile group: 'io.fabric8', name: 'kubernetes-client', version: '3.1.6'
+    compile group: 'io.fabric8', name: 'kubernetes-client', version: '3.1.8'
     compile group: 'com.github.spullara.mustache.java', name: 'compiler', version: '0.9.5'
     compile group: 'org.freemarker', name: 'freemarker', version: '2.3.23'
 
@@ -81,9 +81,9 @@ jar {
     from(configurations.compile) {
         into "lib/"
     }
-    from(sourceSets.main.java) {
-        into "/"
-    }
+//    from(sourceSets.main.java) {
+//        into "/"
+//    }
 }
 
 tasks.withType(Jar) { jarTask ->

src/main/java/cd/go/contrib/elasticagent/KubernetesInstanceFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 ThoughtWorks, Inc.
+ * Copyright 2018 ThoughtWorks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,7 @@
 
 import static cd.go.contrib.elasticagent.KubernetesPlugin.LOG;
 import static cd.go.contrib.elasticagent.executors.GetProfileMetadataExecutor.POD_CONFIGURATION;
+import static cd.go.contrib.elasticagent.executors.GetProfileMetadataExecutor.PRIVILEGED;
 import static cd.go.contrib.elasticagent.utils.Util.GSON;
 import static cd.go.contrib.elasticagent.utils.Util.getSimpleDateFormat;
 import static org.apache.commons.lang3.StringUtils.isBlank;
@@ -57,6 +58,7 @@ private KubernetesInstance create(CreateAgentRequest request, PluginSettings set
         container.setName(containerName);
         container.setImage(image(request.properties()));
         container.setImagePullPolicy("IfNotPresent");
+        container.setSecurityContext(new SecurityContextBuilder().withPrivileged(privileged(request)).build());
 
         container.setResources(getPodResources(request));
 
@@ -73,6 +75,14 @@ private KubernetesInstance create(CreateAgentRequest request, PluginSettings set
         return createKubernetesPod(client, elasticAgentPod);
     }
 
+    private Boolean privileged(CreateAgentRequest request) {
+        final String privilegedMode = request.properties().get(PRIVILEGED.getKey());
+        if (StringUtils.isBlank(privilegedMode)) {
+            return false;
+        }
+        return Boolean.valueOf(privilegedMode);
+    }
+
     private void setGoCDMetadata(CreateAgentRequest request, PluginSettings settings, PluginRequest pluginRequest, Pod elasticAgentPod) {
         elasticAgentPod.getMetadata().setCreationTimestamp(getSimpleDateFormat().format(new Date()));
 

src/main/java/cd/go/contrib/elasticagent/executors/GetProfileMetadataExecutor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 ThoughtWorks, Inc.
+ * Copyright 2018 ThoughtWorks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ public class GetProfileMetadataExecutor implements RequestExecutor {
     public static final Metadata ENVIRONMENT = new Metadata("Environment", false, false);
     public static final Metadata POD_CONFIGURATION = new Metadata("PodConfiguration", false, false);
     public static final Metadata SPECIFIED_USING_POD_CONFIGURATION = new Metadata("SpecifiedUsingPodConfiguration", true, false);
+    public static final Metadata PRIVILEGED = new Metadata("Privileged", false, false);
     public static final List<Metadata> FIELDS = new ArrayList<>();
 
     static {
@@ -43,6 +44,7 @@ public class GetProfileMetadataExecutor implements RequestExecutor {
         FIELDS.add(ENVIRONMENT);
         FIELDS.add(POD_CONFIGURATION);
         FIELDS.add(SPECIFIED_USING_POD_CONFIGURATION);
+        FIELDS.add(PRIVILEGED);
     }
 
     @Override

src/main/resources/profile.template.html

@@ -1,5 +1,5 @@
 <!--
-  ~ Copyright 2017 ThoughtWorks, Inc.
+  ~ Copyright 2018 ThoughtWorks, Inc.
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -87,6 +87,14 @@
             background-color: #e6e6e6;
             border-radius: 3px;
         }
+
+        [data-plugin-style-id="kubernetes-plugin"] .form-help-content {
+            color: #666;
+            font-style: italic;
+            clear: both;
+            font-size: 0.82rem;
+        }
+
     </style>
 
     <div class="row collapse">
@@ -150,6 +158,16 @@
                       ng-show="GOINPUTNAME[MaxCPU].$error.server">{{GOINPUTNAME[MaxCPU].$error.server}}</span>
             </div>
         </div>
+
+        <div class="form_item_block">
+            <input ng-class="{'is-invalid-input': GOINPUTNAME[Privileged].$error.server}" type="checkbox" ng-model="Privileged" ng-required="true" ng-true-value="true" ng-false-value="false" id="Privileged"/>
+            <label ng-class="{'is-invalid-label': GOINPUTNAME[Privileged].$error.server}" for="Privileged">Privileged</label>
+            <span class="form_error form-error" ng-class="{'is-visible': GOINPUTNAME[Privileged].$error.server}" ng-show="GOINPUTNAME[Privileged].$error.server">{{GOINPUTNAME[Privileged].$error.server}}</span>
+            <span class="form-help-content">
+                <strong>Note:</strong> When privileged mode is enabled, the container is given elevated privileges on the host container instance.
+            </span>
+        </div>
+
         <div class="form_item_block">
             <label ng-class="{'is-invalid-label': GOINPUTNAME[Environment].$error.server}">Environment Variables
                 <small>(Enter one variable per line)</small>
@@ -200,7 +218,9 @@
 spec:
   containers:
     - name: gocd-agent-container-{{ CONTAINER_POSTFIX }}
-      image: {{ GOCD_AGENT_IMAGE }}:{{ LATEST_VERSION }}')">
+      image: {{ GOCD_AGENT_IMAGE }}:{{ LATEST_VERSION }}
+      securityContext:
+        privileged: true')">
             </textarea>
             <span class="form_error form-error" ng-class="{'is-visible': GOINPUTNAME[PodConfiguration].$error.server}"
                   ng-show="GOINPUTNAME[PodConfiguration].$error.server">{{GOINPUTNAME[PodConfiguration].$error.server}}</span>

src/test/java/cd/go/contrib/elasticagent/CreateAgentRequestMother.java

@@ -33,6 +33,7 @@ public static CreateAgentRequest defaultCreateAgentRequest() {
                 "ENV2=VALUE2");
         properties.put("PodConfiguration", "");
         properties.put("SpecifiedUsingPodConfiguration", "false");
+        properties.put("Privileged", "false");
 
         String environment = "QA";
         JobIdentifier identifier = new JobIdentifier("up_42", 1L, "up_42_label", "up42_stage", "20", "up42_job", 10L);

src/test/java/cd/go/contrib/elasticagent/KubernetesAgentInstancesIntegrationTest.java

@@ -25,14 +25,14 @@
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
-import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
 
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import static cd.go.contrib.elasticagent.executors.GetProfileMetadataExecutor.PRIVILEGED;
 import static org.hamcrest.Matchers.is;
 import static org.junit.Assert.*;
 import static org.mockito.ArgumentMatchers.any;
@@ -66,12 +66,9 @@ public void setUp() throws Exception {
 
         when(pods.inNamespace(Constants.KUBERNETES_NAMESPACE)).thenReturn(pods);
 
-        when(pods.create(any())).thenAnswer(new Answer<Pod>() {
-            @Override
-            public Pod answer(InvocationOnMock invocation) throws Throwable {
-                Object[] args = invocation.getArguments();
-                return (Pod) args[0];
-            }
+        when(pods.create(any())).thenAnswer((Answer<Pod>) invocation -> {
+            Object[] args = invocation.getArguments();
+            return (Pod) args[0];
         });
 
         when(pods.list()).thenReturn(new PodList());
@@ -104,6 +101,24 @@ public void shouldCreateKubernetesPodWithContainerSpecification() throws Excepti
 
         assertThat(gocdAgentContainer.getImage(), is("gocd/custom-gocd-agent-alpine:latest"));
         assertThat(gocdAgentContainer.getImagePullPolicy(), is("IfNotPresent"));
+        assertThat(gocdAgentContainer.getSecurityContext().getPrivileged(), is(false));
+    }
+
+    @Test
+    public void shouldCreateKubernetesPodWithPrivilegedMod() throws Exception {
+        createAgentRequest.properties().put(PRIVILEGED.getKey(), "true");
+        ArgumentCaptor<Pod> argumentCaptor = ArgumentCaptor.forClass(Pod.class);
+        KubernetesInstance instance = kubernetesAgentInstances.create(createAgentRequest, settings, mockedPluginRequest);
+        verify(pods).create(argumentCaptor.capture());
+        Pod elasticAgentPod = argumentCaptor.getValue();
+
+        List<Container> containers = elasticAgentPod.getSpec().getContainers();
+        assertThat(containers.size(), is(1));
+
+        Container gocdAgentContainer = containers.get(0);
+
+        assertThat(gocdAgentContainer.getName(), is(instance.name()));
+        assertThat(gocdAgentContainer.getSecurityContext().getPrivileged(), is(true));
     }
 
     @Test

src/test/java/cd/go/contrib/elasticagent/executors/GetProfileMetadataExecutorTest.java

@@ -82,10 +82,16 @@ public void assertJsonStructure() throws Exception {
                 "      \"required\": true,\n" +
                 "      \"secure\": false\n" +
                 "    }\n" +
+                "  },\n" +
+                "  {\n" +
+                "    \"key\": \"Privileged\",\n" +
+                "    \"metadata\": {\n" +
+                "      \"required\": false,\n" +
+                "      \"secure\": false\n" +
+                "    }\n" +
                 "  }\n" +
                 "]";
 
         JSONAssert.assertEquals(expectedJSON, response.responseBody(), true);
     }
-
 }

src/test/java/cd/go/contrib/elasticagent/executors/GetProfileViewExecutorTest.java

@@ -41,7 +41,7 @@ public void shouldRenderTheTemplateInJSON() throws Exception {
     }
 
     @Test
-    public void allFieldsShouldBePresentInView() throws Exception {
+    public void allFieldsShouldBePresentInView() {
         String template = Util.readResource("/profile.template.html");
         final Document document = Jsoup.parse(template);
 
@@ -58,8 +58,7 @@ public void allFieldsShouldBePresentInView() throws Exception {
             assertThat(spanToShowError.text(), is("{{GOINPUTNAME[" + field.getKey() + "].$error.server}}"));
         }
 
-        final Elements inputs = document.select("textarea,input[type=text],select");
+        final Elements inputs = document.select("textarea,input[type=text],select,input[type=checkbox]");
         assertThat(inputs, hasSize(GetProfileMetadataExecutor.FIELDS.size() - 1)); // do not include SPECIFIED_USING_POD_CONFIGURATION key
     }
-
 }