+386

BUILDAH_IMPLEMENTATION.md

··· 1 1 + # Buildah Container Builds in Loom 2 2 + 3 3 + This document describes the buildah integration in Loom, enabling workflows to build and push container images. 4 4 + 5 5 + ## Quick Start 6 6 + 7 7 + ```yaml 8 8 + # .tangled/workflows/build.yaml 9 9 + image: golang:1.24-bookworm 10 10 + architecture: amd64 11 11 + 12 12 + steps: 13 13 + - name: Build app 14 14 + command: go build -o app ./cmd 15 15 + 16 16 + - name: Build and push container 17 17 + command: | 18 18 + # buildah is available in PATH 19 19 + buildah bud --storage-driver=overlay -t registry.example.com/myapp:latest . 20 20 + buildah push --storage-driver=overlay registry.example.com/myapp:latest 21 21 + ``` 22 22 + 23 23 + For registry authentication, see [Registry Authentication](#2-with-registry-authentication). 24 24 + 25 25 + ## Overview 26 26 + 27 27 + Loom Jobs can now build container images using **buildah**, a rootless, daemonless container building tool. This implementation provides: 28 28 + 29 29 + - ✅ **Rootless operation** - All containers run as UID 10000 (non-root) 30 30 + - ✅ **No privileged mode** - Maintains strict security posture 31 31 + - ✅ **No caching** - Ephemeral builds like GitHub Actions runners 32 32 + - ✅ **Registry authentication** - Optional Docker config secret mounting 33 33 + - ✅ **Native architecture only** - Builds for the node's native arch (amd64/arm64) 34 34 + - ✅ **Simple usage** - `buildah` command available in PATH, no full paths needed 35 35 + 36 36 + ## Architecture Decision 37 37 + 38 38 + ### Why Buildah? 39 39 + 40 40 + After comprehensive research comparing container building options in Kubernetes (2025): 41 41 + 42 42 + | Option | Status | Security | Performance | Verdict | 43 43 + |--------|--------|----------|-------------|---------| 44 44 + | **Docker-in-Docker** | Active | ❌ Requires privileged mode | Good | ❌ Incompatible | 45 45 + | **Kaniko** | ⚠️ Archived (Google) | ✅ Rootless-capable | Poor (63% slower) | ❌ Not recommended | 46 46 + | **Buildah** | ✅ Active | ✅ True rootless | Excellent | ✅ **Selected** | 47 47 + | **BuildKit** | ✅ Active | ✅ Rootless-capable | Best | ⚠️ Alternative | 48 48 + 49 49 + **Buildah was chosen for:** 50 50 + 1. True rootless operation with user namespace support (K8s 1.33+) 51 51 + 2. Simpler configuration than BuildKit 52 52 + 3. Excellent performance 53 53 + 4. Active development (Red Hat/Podman project) 54 54 + 5. Better for OpenShift/Kubernetes environments 55 55 + 56 56 + ## Implementation Details 57 57 + 58 58 + ### Pod Structure 59 59 + 60 60 + When a Job is created, the following components are configured: 61 61 + 62 62 + #### 1. Pod Security Context 63 63 + ```yaml 64 64 + securityContext: 65 65 + runAsNonRoot: true 66 66 + runAsUser: 10000 67 67 + fsGroup: 10000 68 68 + seccompProfile: 69 69 + type: RuntimeDefault 70 70 + ``` 71 71 + 72 72 + **Note:** User namespaces (`hostUsers: false`) for enhanced security require Kubernetes 1.33+ and are not yet available in the current API version. Buildah still works in rootless mode without it. 73 73 + 74 74 + #### 2. Init Containers 75 75 + 76 76 + **a. install-runner** (existing) 77 77 + - Copies `/loom-runner` binary to shared volume 78 78 + 79 79 + **b. configure-buildah** (new) 80 80 + - Image: `quay.io/buildah/stable:latest` 81 81 + - Configures buildah storage driver (`/var/lib/containers/storage.conf`) 82 82 + - Copies `buildah` binary to `/runner-bin/buildah` 83 83 + - Runs as UID 10000 (non-root) 84 84 + 85 85 + **c. clone-repo** (existing) 86 86 + - Clones git repository 87 87 + 88 88 + #### 3. Main Container (runner) 89 89 + 90 90 + Mounts: 91 91 + - `/tangled/workspace` - Git repository workspace 92 92 + - `/runner-bin/` - Loom runner and buildah binaries 93 93 + - `/var/lib/containers` - Buildah storage (emptyDir) 94 94 + - `/home/user/.docker/config.json` - Registry credentials (optional) 95 95 + 96 96 + ### Buildah Configuration 97 97 + 98 98 + The init container creates this storage configuration: 99 99 + 100 100 + ```toml 101 101 + [storage] 102 102 + driver = "overlay" 103 103 + runroot = "/var/lib/containers/runroot" 104 104 + graphroot = "/var/lib/containers/storage" 105 105 + 106 106 + [storage.options] 107 107 + additionalimagestores = [] 108 108 + 109 109 + [storage.options.overlay] 110 110 + mount_program = "/usr/bin/fuse-overlayfs" 111 111 + mountopt = "nodev,metacopy=on" 112 112 + ``` 113 113 + 114 114 + This enables: 115 115 + - **Overlay storage driver** - Efficient layer management 116 116 + - **fuse-overlayfs** - Rootless overlay mounts 117 117 + - **Ephemeral storage** - No persistent caching (like GitHub Actions) 118 118 + 119 119 + ## Usage 120 120 + 121 121 + ### 1. Basic Container Build 122 122 + 123 123 + ```yaml 124 124 + # .tangled/workflows/build.yaml 125 125 + image: golang:1.24-bookworm 126 126 + architecture: amd64 127 127 + 128 128 + steps: 129 129 + - name: Build app 130 130 + command: go build -o app ./cmd 131 131 + 132 132 + - name: Build container 133 133 + command: | 134 134 + # buildah is in PATH (via /runner-bin) 135 135 + buildah bud \ 136 136 + --storage-driver=overlay \ 137 137 + -t registry.example.com/myapp:latest \ 138 138 + . 139 139 + 140 140 + - name: Push container 141 141 + command: | 142 142 + buildah push \ 143 143 + --storage-driver=overlay \ 144 144 + registry.example.com/myapp:latest 145 145 + ``` 146 146 + 147 147 + **Note:** The `buildah` binary is automatically available in PATH. You don't need to use the full path `/runner-bin/buildah`. 148 148 + 149 149 + ### 2. With Registry Authentication 150 150 + 151 151 + **Step 1: Create registry credentials secret** 152 152 + 153 153 + ```bash 154 154 + kubectl create secret docker-registry registry-credentials \ 155 155 + --docker-server=registry.example.com \ 156 156 + --docker-username=myuser \ 157 157 + --docker-password=mypassword 158 158 + ``` 159 159 + 160 160 + **Step 2: Configure in Loom ConfigMap** 161 161 + 162 162 + ```yaml 163 163 + apiVersion: v1 164 164 + kind: ConfigMap 165 165 + metadata: 166 166 + name: loom-config 167 167 + data: 168 168 + config.yaml: | 169 169 + template: 170 170 + registryCredentialsSecret: registry-credentials 171 171 + ``` 172 172 + 173 173 + **Step 3: Use in workflow** 174 174 + 175 175 + ```yaml 176 176 + steps: 177 177 + - name: Build and push 178 178 + command: | 179 179 + # buildah automatically uses /home/user/.docker/config.json 180 180 + buildah bud -t registry.example.com/myapp:latest . 181 181 + buildah push registry.example.com/myapp:latest 182 182 + ``` 183 183 + 184 184 + ### 3. Multi-Tag Builds 185 185 + 186 186 + ```yaml 187 187 + steps: 188 188 + - name: Build with multiple tags 189 189 + command: | 190 190 + buildah bud \ 191 191 + --storage-driver=overlay \ 192 192 + -t registry.example.com/myapp:${TANGLED_COMMIT_SHA} \ 193 193 + -t registry.example.com/myapp:latest \ 194 194 + -t registry.example.com/myapp:${GITHUB_REF_NAME} \ 195 195 + . 196 196 + 197 197 + - name: Push all tags 198 198 + command: | 199 199 + buildah push registry.example.com/myapp:${TANGLED_COMMIT_SHA} 200 200 + buildah push registry.example.com/myapp:latest 201 201 + buildah push registry.example.com/myapp:${GITHUB_REF_NAME} 202 202 + ``` 203 203 + 204 204 + ## Environment Variables 205 205 + 206 206 + The runner container has access to: 207 207 + 208 208 + | Variable | Description | Example | 209 209 + |----------|-------------|---------| 210 210 + | `PATH` | Search path for executables | `/runner-bin:/usr/local/bin:...` | 211 211 + | `TANGLED_WORKFLOW` | Workflow filename | `build.yaml` | 212 212 + | `TANGLED_PIPELINE_ID` | Unique pipeline ID | `abc123` | 213 213 + | `TANGLED_REPO_URL` | Git repository URL | `https://github.com/user/repo` | 214 214 + | `TANGLED_COMMIT_SHA` | Git commit SHA | `abc123def456...` | 215 215 + | `TANGLED_ARCHITECTURE` | Target architecture | `amd64` or `arm64` | 216 216 + | `CI` | CI environment flag | `true` | 217 217 + 218 218 + **Note:** The `PATH` includes `/runner-bin` first, making both `loom-runner` and `buildah` available without full paths. 219 219 + 220 220 + ## Security Model 221 221 + 222 222 + ### Current Security Posture 223 223 + 224 224 + ✅ **Implemented:** 225 225 + - All containers run as UID 10000 (non-root) 226 226 + - `allowPrivilegeEscalation: false` on all containers 227 227 + - All Linux capabilities dropped 228 228 + - `seccompProfile: RuntimeDefault` 229 229 + - Read-only root filesystems where possible 230 230 + - No ServiceAccount token mounting 231 231 + - No privileged mode 232 232 + 233 233 + ⏳ **Future (K8s 1.33+):** 234 234 + - User namespaces (`hostUsers: false`) for enhanced isolation 235 235 + 236 236 + ### What buildah CAN do in this configuration: 237 237 + 238 238 + ✅ Build container images from Dockerfiles 239 239 + ✅ Push to registries with credentials 240 240 + ✅ Tag images 241 241 + ✅ Inspect images 242 242 + ✅ Run rootless containers for builds 243 243 + 244 244 + ### What buildah CANNOT do: 245 245 + 246 246 + ❌ Access host namespaces 247 247 + ❌ Mount host paths 248 248 + ❌ Run privileged operations 249 249 + ❌ Escape the container sandbox 250 250 + 251 251 + ## Troubleshooting 252 252 + 253 253 + ### Issue: Permission denied writing to /var/lib/containers 254 254 + 255 255 + **Cause:** fsGroup not set correctly 256 256 + **Solution:** Verify pod security context has `fsGroup: 10000` 257 257 + 258 258 + ### Issue: buildah: command not found 259 259 + 260 260 + **Cause:** Init container failed to copy buildah binary 261 261 + **Solution:** Check init container logs: 262 262 + ```bash 263 263 + kubectl logs <pod-name> -c configure-buildah 264 264 + ``` 265 265 + 266 266 + ### Issue: Error pushing to registry - authentication required 267 267 + 268 268 + **Cause:** Registry credentials not mounted 269 269 + **Solution:** 270 270 + 1. Verify secret exists: `kubectl get secret registry-credentials` 271 271 + 2. Verify ConfigMap references it: `kubectl get cm loom-config -o yaml` 272 272 + 3. Check mount in pod: `kubectl exec <pod-name> -- ls -la /home/user/.docker/` 273 273 + 274 274 + ### Issue: overlay mount failed 275 275 + 276 276 + **Cause:** Node doesn't support overlay or fuse-overlayfs 277 277 + **Solution:** Ensure node kernel supports overlayfs (Linux 3.18+) and fuse-overlayfs is available 278 278 + 279 279 + ### Issue: Slow builds 280 280 + 281 281 + **Expected:** No layer caching in MVP (ephemeral like GitHub Actions) 282 282 + **Future:** Implement persistent volume for buildah storage to enable caching 283 283 + 284 284 + ## Comparison with Other CI/CD Systems 285 285 + 286 286 + | Feature | Loom (Buildah) | GitHub Actions | GitLab CI | Jenkins | 287 287 + |---------|---------------|----------------|-----------|---------| 288 288 + | Rootless builds | ✅ UID 10000 | ⚠️ root in container | ⚠️ Varies | ⚠️ Varies | 289 289 + | Privileged mode | ❌ Never | ❌ Not by default | ⚠️ Often used | ⚠️ Often used | 290 290 + | Layer caching | ❌ MVP (ephemeral) | ❌ Ephemeral | ✅ Optional | ✅ Optional | 291 291 + | Security isolation | ✅ Strong | ✅ Strong | ⚠️ Medium | ⚠️ Varies | 292 292 + | Multi-arch | ✅ Native only | ✅ Native + QEMU | ✅ Native + QEMU | ⚠️ Varies | 293 293 + 294 294 + ## Files Modified 295 295 + 296 296 + ### API Types 297 297 + - `api/v1alpha1/spindleset_types.go` 298 298 + - Added `RegistryCredentialsSecret` field to `SpindleTemplate` 299 299 + 300 300 + ### Job Builder 301 301 + - `internal/jobbuilder/job_template.go` 302 302 + - Added `configure-buildah` init container 303 303 + - Added `buildah-storage` volume 304 304 + - Added `buildRunnerVolumeMounts()` helper 305 305 + - Added `buildVolumes()` helper 306 306 + - Optional registry credentials mount support 307 307 + 308 308 + ### Examples 309 309 + - `config/samples/workflow-buildah-example.yaml` - Complete example workflow 310 310 + - `config/samples/registry-secret-example.yaml` - Registry credential examples 311 311 + 312 312 + ## Future Enhancements 313 313 + 314 314 + ### 1. Persistent Layer Caching 315 315 + Add PersistentVolumeClaim for `/var/lib/containers/storage`: 316 316 + 317 317 + ```yaml 318 318 + volumes: 319 319 + - name: buildah-storage 320 320 + persistentVolumeClaim: 321 321 + claimName: buildah-cache 322 322 + ``` 323 323 + 324 324 + **Benefits:** 325 325 + - Faster rebuilds (reuse layers) 326 326 + - Reduced network bandwidth 327 327 + - Lower registry costs 328 328 + 329 329 + **Trade-offs:** 330 330 + - Requires storage provisioning 331 331 + - Need cache cleanup strategy 332 332 + - Multi-tenancy considerations 333 333 + 334 334 + ### 2. BuildKit Alternative 335 335 + Support both buildah and BuildKit via workflow configuration: 336 336 + 337 337 + ```yaml 338 338 + # .tangled/workflows/build.yaml 339 339 + builder: buildkit # or buildah (default) 340 340 + ``` 341 341 + 342 342 + **BuildKit advantages:** 343 343 + - 63% faster in benchmarks 344 344 + - Advanced caching (registry-based) 345 345 + - Parallel layer processing 346 346 + 347 347 + ### 3. Multi-Platform Builds 348 348 + Enable cross-platform builds with QEMU: 349 349 + 350 350 + ```yaml 351 351 + architecture: amd64 352 352 + platforms: 353 353 + - linux/amd64 354 354 + - linux/arm64 355 355 + ``` 356 356 + 357 357 + ### 4. Build Arguments from Secrets 358 358 + Inject secrets as build arguments: 359 359 + 360 360 + ```yaml 361 361 + steps: 362 362 + - name: Build with secrets 363 363 + command: | 364 364 + buildah bud \ 365 365 + --secret id=token,env=GITHUB_TOKEN \ 366 366 + -t myapp:latest . 367 367 + ``` 368 368 + 369 369 + ## References 370 370 + 371 371 + - **Buildah Documentation**: https://github.com/containers/buildah 372 372 + - **Buildah Rootless Guide**: https://github.com/containers/buildah/blob/main/docs/tutorials/05-rootless.md 373 373 + - **Loom Architecture**: `/home/data/loom/ARCHITECTURE.md` 374 374 + - **Implementation Research**: See planning discussion for detailed comparison of building options 375 375 + 376 376 + ## Summary 377 377 + 378 378 + Buildah integration provides Loom with secure, rootless container building capabilities. The implementation: 379 379 + 380 380 + ✅ Maintains strict security (no privileged mode, rootless operation) 381 381 + ✅ Provides simple, flexible workflow syntax (use buildah commands directly) 382 382 + ✅ Supports registry authentication 383 383 + ✅ Works like ephemeral GitHub Actions runners (no caching in MVP) 384 384 + ✅ Enables full CI/CD pipelines: test → build → containerize → deploy 385 385 + 386 386 + Next steps: Test in production, add persistent caching, consider BuildKit as alternative.

+49

CONFIGURATION.md

··· 189 189 value: "spindle" # Default mount path 190 190 ``` 191 191 192 192 + ## Security Model 193 193 + 194 194 + ### Secrets Management 195 195 + 196 196 + Loom integrates with the embedded spindle server's secrets management system: 197 197 + 198 198 + **Adding Secrets:** 199 199 + ```bash 200 200 + curl -X POST http://loom:6555/xrpc/sh.tangled.repo.addSecret \ 201 201 + -H "Authorization: Bearer <did-token>" \ 202 202 + -d '{ 203 203 + "repo": "at://did:plc:your-did/sh.tangled.repo/your-repo", 204 204 + "key": "NPM_TOKEN", 205 205 + "value": "npm_xxxxx" 206 206 + }' 207 207 + ``` 208 208 + 209 209 + **How Secrets Work:** 210 210 + 1. Secrets are stored in the vault (SQLite or OpenBao) 211 211 + 2. When a pipeline runs, Loom retrieves secrets for that repository 212 212 + 3. A Kubernetes Secret is created per SpindleSet 213 213 + 4. Job pods receive secrets as environment variables via `envFrom` 214 214 + 215 215 + **Important Notes:** 216 216 + - Secret keys must be valid bash identifiers (`^[a-zA-Z_][a-zA-Z0-9_]*$`) 217 217 + - Secrets are injected directly (e.g., `NPM_TOKEN`, not `TANGLED_NPM_TOKEN`) 218 218 + - Cluster operators with filesystem/database access can view secrets 219 219 + - For operator-blind secrets, configure OpenBao with seal/unseal or cloud KMS 220 220 + 221 221 + ### Job Pod Security 222 222 + 223 223 + Job pods run with hardened security contexts: 224 224 + 225 225 + ```yaml 226 226 + securityContext: 227 227 + runAsNonRoot: true 228 228 + runAsUser: 10000 229 229 + readOnlyRootFilesystem: true 230 230 + allowPrivilegeEscalation: false 231 231 + capabilities: 232 232 + drop: ["ALL"] 233 233 + ``` 234 234 + 235 235 + **Service Account Isolation:** 236 236 + - Jobs use `spindle-job-runner` ServiceAccount (not controller SA) 237 237 + - ServiceAccount token mounting is disabled 238 238 + - Jobs have zero Kubernetes API permissions 239 239 + - Prevents jobs from reading other repos' secrets via K8s API 240 240 + 192 241 ## Persistence 193 242 194 243 ### SQLite Database

+1 -1

PLAN.md

··· 380 380 - Implement Nix store caching (PVC) 381 381 382 382 ### Phase 8: Advanced Features 383 383 - - Kaniko/Buildah integration for container builds 383 383 + - ✅ **Buildah integration for container builds** (MVP completed - no caching) 384 384 - Service containers (like GitHub Actions services) 385 385 - Matrix builds (multiple arch/version combinations) 386 386 - Caching strategies (build cache, dependencies)

+25

api/v1alpha1/spindleset_types.go

··· 66 66 // +optional 67 67 SkipClone bool `json:"skipClone,omitempty"` 68 68 69 69 + // Secrets contains the repository secrets to inject into workflow Jobs. 70 70 + // Retrieved from the secrets vault and stored here for the controller to consume. 71 71 + // +optional 72 72 + Secrets []SecretData `json:"secrets,omitempty"` 73 73 + 69 74 // Workflows is the list of workflows to execute in this pipeline. 70 75 // +kubebuilder:validation:MinItems=1 71 76 Workflows []WorkflowSpec `json:"workflows"` 77 77 + } 78 78 + 79 79 + // SecretData represents a single secret key-value pair for injection into Jobs. 80 80 + type SecretData struct { 81 81 + // Key is the environment variable name (e.g., "GITHUB_TOKEN"). 82 82 + // +kubebuilder:validation:Required 83 83 + // +kubebuilder:validation:Pattern=`^[a-zA-Z_][a-zA-Z0-9_]*$` 84 84 + Key string `json:"key"` 85 85 + 86 86 + // Value is the secret value in plaintext. 87 87 + // This field should only be populated transiently during SpindleSet creation 88 88 + // and consumed immediately by the controller to create a Kubernetes Secret. 89 89 + // +kubebuilder:validation:Required 90 90 + Value string `json:"value"` 72 91 } 73 92 74 93 // WorkflowSpec defines a workflow to execute as part of a pipeline. ··· 167 186 // Affinity defines scheduling constraints for spindle job pods. 168 187 // +optional 169 188 Affinity *corev1.Affinity `json:"affinity,omitempty"` 189 189 + 190 190 + // RegistryCredentialsSecret is the name of a kubernetes.io/dockerconfigjson secret 191 191 + // containing registry credentials for buildah to use when pushing images. 192 192 + // If specified, the secret is mounted at /home/user/.docker/config.json. 193 193 + // +optional 194 194 + RegistryCredentialsSecret string `json:"registryCredentialsSecret,omitempty"` 170 195 } 171 196 172 197 // SpindleSetStatus defines the observed state of SpindleSet.

+20

api/v1alpha1/zz_generated.deepcopy.go

··· 34 34 *out = make([]string, len(*in)) 35 35 copy(*out, *in) 36 36 } 37 37 + if in.Secrets != nil { 38 38 + in, out := &in.Secrets, &out.Secrets 39 39 + *out = make([]SecretData, len(*in)) 40 40 + copy(*out, *in) 41 41 + } 37 42 if in.Workflows != nil { 38 43 in, out := &in.Workflows, &out.Workflows 39 44 *out = make([]WorkflowSpec, len(*in)) ··· 72 77 return nil 73 78 } 74 79 out := new(ResourceProfile) 80 80 + in.DeepCopyInto(out) 81 81 + return out 82 82 + } 83 83 + 84 84 + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 85 85 + func (in *SecretData) DeepCopyInto(out *SecretData) { 86 86 + *out = *in 87 87 + } 88 88 + 89 89 + // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretData. 90 90 + func (in *SecretData) DeepCopy() *SecretData { 91 91 + if in == nil { 92 92 + return nil 93 93 + } 94 94 + out := new(SecretData) 75 95 in.DeepCopyInto(out) 76 96 return out 77 97 }

+8 -9

cmd/controller/main.go

··· 191 191 ResourceProfiles: profiles, 192 192 } 193 193 194 194 - kubeEngine := engine.NewKubernetesEngine(mgr.GetClient(), mgr.GetConfig(), namespace, template) 195 195 - 196 196 - // Create engines map with kubernetes engine 197 197 - engines := map[string]models.Engine{ 198 198 - "kubernetes": kubeEngine, 199 199 - } 200 200 - 201 201 - // Use spindle's New() function to create spindle server with our custom engine 202 202 - s, err := spindle.New(ctx, cfg, engines) 194 194 + // Create spindle server first (without engine) to get access to vault 195 195 + s, err := spindle.New(ctx, cfg, map[string]models.Engine{}) 203 196 if err != nil { 204 197 return nil, fmt.Errorf("failed to create spindle: %w", err) 205 198 } 199 199 + 200 200 + // Now create kubernetes engine with access to vault 201 201 + kubeEngine := engine.NewKubernetesEngine(mgr.GetClient(), mgr.GetConfig(), namespace, template, s.Vault()) 202 202 + 203 203 + // Register the engine with spindle by adding to the engines map 204 204 + s.Engines()["kubernetes"] = kubeEngine 206 205 207 206 return s, nil 208 207 }

+30

config/crd/bases/loom.j5t.io_spindlesets.yaml

··· 90 90 repoURL: 91 91 description: RepoURL is the Git repository URL to clone. 92 92 type: string 93 93 + secrets: 94 94 + description: |- 95 95 + Secrets contains the repository secrets to inject into workflow Jobs. 96 96 + Retrieved from the secrets vault and stored here for the controller to consume. 97 97 + items: 98 98 + description: SecretData represents a single secret key-value 99 99 + pair for injection into Jobs. 100 100 + properties: 101 101 + key: 102 102 + description: Key is the environment variable name (e.g., 103 103 + "GITHUB_TOKEN"). 104 104 + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ 105 105 + type: string 106 106 + value: 107 107 + description: |- 108 108 + Value is the secret value in plaintext. 109 109 + This field should only be populated transiently during SpindleSet creation 110 110 + and consumed immediately by the controller to create a Kubernetes Secret. 111 111 + type: string 112 112 + required: 113 113 + - key 114 114 + - value 115 115 + type: object 116 116 + type: array 93 117 skipClone: 94 118 description: SkipClone indicates whether to skip the clone init 95 119 container entirely. ··· 1117 1141 x-kubernetes-list-type: atomic 1118 1142 type: object 1119 1143 type: object 1144 1144 + registryCredentialsSecret: 1145 1145 + description: |- 1146 1146 + RegistryCredentialsSecret is the name of a kubernetes.io/dockerconfigjson secret 1147 1147 + containing registry credentials for buildah to use when pushing images. 1148 1148 + If specified, the secret is mounted at /home/user/.docker/config.json. 1149 1149 + type: string 1120 1150 resourceProfiles: 1121 1151 description: |- 1122 1152 ResourceProfiles is an ordered list of resource configurations based on node labels.

+1

config/rbac/kustomization.yaml

··· 5 5 # runtime. Be sure to update RoleBinding and ClusterRoleBinding 6 6 # subjects if changing service account names. 7 7 - service_account.yaml 8 8 + - spindle_job_service_account.yaml 8 9 - role.yaml 9 10 - role_binding.yaml 10 11 - leader_election_role.yaml

+13

config/rbac/spindle_job_service_account.yaml

··· 1 1 + # ServiceAccount for spindle Job pods 2 2 + # This account has ZERO Kubernetes API permissions for security isolation 3 3 + # Jobs should not need to interact with the Kubernetes API 4 4 + apiVersion: v1 5 5 + kind: ServiceAccount 6 6 + metadata: 7 7 + name: spindle-job-runner 8 8 + namespace: system 9 9 + automountServiceAccountToken: false 10 10 + --- 11 11 + # Note: No Role or RoleBinding created intentionally 12 12 + # Job pods should have no permissions to read Secrets, list Pods, etc. 13 13 + # This prevents malicious workflows from accessing other users' secrets via K8s API

+148

config/samples/registry-secret-example.yaml

··· 1 1 + # Example: Creating a registry credentials secret for buildah 2 2 + # 3 3 + # This secret provides authentication for buildah to push images to a container registry. 4 4 + # The secret is mounted at /home/user/.docker/config.json in Job pods when 5 5 + # the SpindleTemplate has registryCredentialsSecret set. 6 6 + # 7 7 + # Usage: 8 8 + # 1. Create the secret using one of the methods below 9 9 + # 2. Configure your SpindleSet template to reference it: 10 10 + # 11 11 + # apiVersion: v1 12 12 + # kind: ConfigMap 13 13 + # metadata: 14 14 + # name: loom-config 15 15 + # data: 16 16 + # config.yaml: | 17 17 + # template: 18 18 + # registryCredentialsSecret: registry-credentials 19 19 + # 20 20 + # Method 1: Create secret using kubectl (recommended) 21 21 + # ===================================================== 22 22 + # 23 23 + # For Docker Hub: 24 24 + # kubectl create secret docker-registry registry-credentials \ 25 25 + # --docker-server=docker.io \ 26 26 + # --docker-username=YOUR_USERNAME \ 27 27 + # --docker-password=YOUR_PASSWORD \ 28 28 + # --docker-email=YOUR_EMAIL 29 29 + # 30 30 + # For GitHub Container Registry (ghcr.io): 31 31 + # kubectl create secret docker-registry registry-credentials \ 32 32 + # --docker-server=ghcr.io \ 33 33 + # --docker-username=YOUR_GITHUB_USERNAME \ 34 34 + # --docker-password=YOUR_GITHUB_PAT \ 35 35 + # --docker-email=YOUR_EMAIL 36 36 + # 37 37 + # For Google Container Registry (gcr.io): 38 38 + # kubectl create secret docker-registry registry-credentials \ 39 39 + # --docker-server=gcr.io \ 40 40 + # --docker-username=_json_key \ 41 41 + # --docker-password="$(cat keyfile.json)" \ 42 42 + # --docker-email=YOUR_EMAIL 43 43 + # 44 44 + # For Amazon ECR: 45 45 + # # First get ECR login token 46 46 + # ECR_TOKEN=$(aws ecr get-login-password --region us-east-1) 47 47 + # kubectl create secret docker-registry registry-credentials \ 48 48 + # --docker-server=123456789012.dkr.ecr.us-east-1.amazonaws.com \ 49 49 + # --docker-username=AWS \ 50 50 + # --docker-password="$ECR_TOKEN" \ 51 51 + # --docker-email=YOUR_EMAIL 52 52 + # 53 53 + # For a private registry: 54 54 + # kubectl create secret docker-registry registry-credentials \ 55 55 + # --docker-server=registry.example.com \ 56 56 + # --docker-username=YOUR_USERNAME \ 57 57 + # --docker-password=YOUR_PASSWORD \ 58 58 + # --docker-email=YOUR_EMAIL 59 59 + 60 60 + --- 61 61 + # Method 2: Create secret from YAML manifest 62 62 + # =========================================== 63 63 + # 64 64 + # First, create a Docker config file: 65 65 + # 66 66 + # { 67 67 + # "auths": { 68 68 + # "registry.example.com": { 69 69 + # "username": "YOUR_USERNAME", 70 70 + # "password": "YOUR_PASSWORD", 71 71 + # "email": "YOUR_EMAIL", 72 72 + # "auth": "BASE64_ENCODED_USERNAME:PASSWORD" 73 73 + # } 74 74 + # } 75 75 + # } 76 76 + # 77 77 + # To generate the "auth" field: 78 78 + # echo -n "YOUR_USERNAME:YOUR_PASSWORD" | base64 79 79 + # 80 80 + # Then base64 encode the entire JSON: 81 81 + # cat docker-config.json | base64 -w 0 82 82 + # 83 83 + # Finally, create the secret manifest: 84 84 + 85 85 + apiVersion: v1 86 86 + kind: Secret 87 87 + metadata: 88 88 + name: registry-credentials 89 89 + namespace: default # Change to your namespace 90 90 + type: kubernetes.io/dockerconfigjson 91 91 + data: 92 92 + # Replace this with your base64-encoded Docker config JSON 93 93 + # Example format after base64 encoding: 94 94 + .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJyZWdpc3RyeS5leGFtcGxlLmNvbSI6IHsKCQkJInVzZXJuYW1lIjogIllPVVJfVVNFUk5BTUUiLAoJCQkicGFzc3dvcmQiOiAiWU9VUl9QQVNTV09SRCIsCgkJCSJlbWFpbCI6ICJZT1VSX0VNQUlMIiwKCQkJImF1dGgiOiAiV1U5VlVsOVZVMFZTVGtGTlJUcFpUMVZTWDFCQlUxTlhUMUpFIgoJCX0KCX0KfQo= 95 95 + 96 96 + --- 97 97 + # Method 3: Multiple registry support 98 98 + # ==================================== 99 99 + # 100 100 + # You can configure credentials for multiple registries in a single secret: 101 101 + 102 102 + apiVersion: v1 103 103 + kind: Secret 104 104 + metadata: 105 105 + name: registry-credentials-multi 106 106 + namespace: default 107 107 + type: kubernetes.io/dockerconfigjson 108 108 + stringData: 109 109 + # Using stringData allows you to provide the JSON directly without base64 encoding 110 110 + .dockerconfigjson: | 111 111 + { 112 112 + "auths": { 113 113 + "docker.io": { 114 114 + "username": "dockerhub-user", 115 115 + "password": "dockerhub-token", 116 116 + "auth": "ZG9ja2VyaHViLXVzZXI6ZG9ja2VyaHViLXRva2Vu" 117 117 + }, 118 118 + "ghcr.io": { 119 119 + "username": "github-user", 120 120 + "password": "ghp_github_personal_access_token", 121 121 + "auth": "Z2l0aHViLXVzZXI6Z2hwX2dpdGh1Yl9wZXJzb25hbF9hY2Nlc3NfdG9rZW4=" 122 122 + }, 123 123 + "registry.example.com": { 124 124 + "username": "private-user", 125 125 + "password": "private-password", 126 126 + "auth": "cHJpdmF0ZS11c2VyOnByaXZhdGUtcGFzc3dvcmQ=" 127 127 + } 128 128 + } 129 129 + } 130 130 + 131 131 + --- 132 132 + # Verification 133 133 + # ============ 134 134 + # 135 135 + # After creating the secret, verify it: 136 136 + # kubectl get secret registry-credentials -o yaml 137 137 + # 138 138 + # To decode and view the contents: 139 139 + # kubectl get secret registry-credentials -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d | jq 140 140 + # 141 141 + # Test buildah authentication in a pod: 142 142 + # kubectl run -it --rm buildah-test \ 143 143 + # --image=quay.io/buildah/stable:latest \ 144 144 + # --overrides='{"spec":{"volumes":[{"name":"docker-config","secret":{"secretName":"registry-credentials"}}],"containers":[{"name":"buildah","image":"quay.io/buildah/stable:latest","command":["sh"],"volumeMounts":[{"name":"docker-config","mountPath":"/home/user/.docker","readOnly":true}]}]}}' \ 145 145 + # -- sh 146 146 + # 147 147 + # # Inside the pod: 148 148 + # buildah login --get-login registry.example.com

+76

config/samples/workflow-buildah-example.yaml

··· 1 1 + # Example workflow demonstrating buildah usage in Loom 2 2 + # 3 3 + # This workflow shows how to: 4 4 + # 1. Run tests in a standard container image 5 5 + # 2. Build an application binary 6 6 + # 3. Build a container image using buildah 7 7 + # 4. Push the image to a registry 8 8 + # 9 9 + # Prerequisites: 10 10 + # - Create a registry credentials secret (see registry-secret-example.yaml) 11 11 + # - Configure the secret in your SpindleSet template: 12 12 + # template: 13 13 + # registryCredentialsSecret: registry-credentials 14 14 + 15 15 + # Workflow metadata 16 16 + name: build-and-push.yaml 17 17 + image: golang:1.24-bookworm 18 18 + architecture: amd64 19 19 + 20 20 + # Workflow steps 21 21 + steps: 22 22 + # Step 1: Run tests 23 23 + - name: Run tests 24 24 + command: | 25 25 + echo "Running Go tests..." 26 26 + go test -v ./... 27 27 + 28 28 + # Step 2: Build application binary 29 29 + - name: Build application 30 30 + command: | 31 31 + echo "Building application binary..." 32 32 + CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /tangled/workspace/app ./cmd 33 33 + 34 34 + # Step 3: Create Dockerfile 35 35 + - name: Create Dockerfile 36 36 + command: | 37 37 + cat > /tangled/workspace/Dockerfile <<'EOF' 38 38 + FROM alpine:latest 39 39 + RUN apk add --no-cache ca-certificates 40 40 + COPY app /usr/local/bin/app 41 41 + ENTRYPOINT ["/usr/local/bin/app"] 42 42 + EOF 43 43 + echo "Dockerfile created" 44 44 + 45 45 + # Step 4: Build container image with buildah 46 46 + - name: Build container image 47 47 + command: | 48 48 + echo "Building container image with buildah..." 49 49 + cd /tangled/workspace 50 50 + 51 51 + # Build the image (buildah is in PATH via /runner-bin) 52 52 + buildah bud \ 53 53 + --storage-driver=overlay \ 54 54 + --tag registry.example.com/myapp:${TANGLED_COMMIT_SHA} \ 55 55 + --tag registry.example.com/myapp:latest \ 56 56 + . 57 57 + 58 58 + echo "Container image built successfully" 59 59 + 60 60 + # Step 5: Push image to registry 61 61 + - name: Push container image 62 62 + command: | 63 63 + echo "Pushing image to registry..." 64 64 + 65 65 + # Push both tags (buildah automatically uses credentials from /home/user/.docker/config.json) 66 66 + buildah push \ 67 67 + --storage-driver=overlay \ 68 68 + registry.example.com/myapp:${TANGLED_COMMIT_SHA} 69 69 + 70 70 + buildah push \ 71 71 + --storage-driver=overlay \ 72 72 + registry.example.com/myapp:latest 73 73 + 74 74 + echo "Image pushed successfully" 75 75 + echo "Image: registry.example.com/myapp:${TANGLED_COMMIT_SHA}" 76 76 + echo "Image: registry.example.com/myapp:latest"

+1 -1

go.mod

··· 5 5 toolchain go1.24.9 6 6 7 7 require ( 8 8 + github.com/cyphar/filepath-securejoin v0.4.1 8 9 github.com/onsi/ginkgo/v2 v2.23.4 9 10 github.com/onsi/gomega v1.37.0 10 11 gopkg.in/yaml.v3 v3.0.1 ··· 40 41 github.com/charmbracelet/x/term v0.2.1 // indirect 41 42 github.com/containerd/errdefs v1.0.0 // indirect 42 43 github.com/containerd/errdefs/pkg v0.3.0 // indirect 43 43 - github.com/cyphar/filepath-securejoin v0.4.1 // indirect 44 44 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 45 45 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect 46 46 github.com/distribution/reference v0.6.0 // indirect

+50 -1

internal/controller/spindleset_controller.go

··· 25 25 "tangled.org/core/spindle/models" 26 26 27 27 batchv1 "k8s.io/api/batch/v1" 28 28 + corev1 "k8s.io/api/core/v1" 28 29 apierrors "k8s.io/apimachinery/pkg/api/errors" 29 30 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 30 31 "k8s.io/apimachinery/pkg/runtime" ··· 296 297 297 298 pipelineRun := spindleSet.Spec.PipelineRun 298 299 300 300 + // Create Kubernetes Secret for repository secrets if any exist 301 301 + var secretName string 302 302 + if len(pipelineRun.Secrets) > 0 { 303 303 + secretName = fmt.Sprintf("%s-secrets", spindleSet.Name) 304 304 + secret := &corev1.Secret{ 305 305 + ObjectMeta: metav1.ObjectMeta{ 306 306 + Name: secretName, 307 307 + Namespace: spindleSet.Namespace, 308 308 + Labels: map[string]string{ 309 309 + "loom.j5t.io/spindleset": spindleSet.Name, 310 310 + }, 311 311 + }, 312 312 + Type: corev1.SecretTypeOpaque, 313 313 + StringData: make(map[string]string), 314 314 + } 315 315 + 316 316 + // Populate secret data from PipelineRunSpec 317 317 + for _, secretData := range pipelineRun.Secrets { 318 318 + secret.StringData[secretData.Key] = secretData.Value 319 319 + } 320 320 + 321 321 + // Set SpindleSet as owner for automatic cleanup 322 322 + if err := controllerutil.SetControllerReference(spindleSet, secret, r.Scheme); err != nil { 323 323 + return fmt.Errorf("failed to set controller reference on secret: %w", err) 324 324 + } 325 325 + 326 326 + // Check if Secret already exists 327 327 + existingSecret := &corev1.Secret{} 328 328 + err := r.Get(ctx, client.ObjectKey{ 329 329 + Name: secretName, 330 330 + Namespace: spindleSet.Namespace, 331 331 + }, existingSecret) 332 332 + 333 333 + if err != nil { 334 334 + if apierrors.IsNotFound(err) { 335 335 + // Create the secret 336 336 + logger.Info("Creating Kubernetes Secret for repository secrets", "secret", secretName, "count", len(pipelineRun.Secrets)) 337 337 + if err := r.Create(ctx, secret); err != nil { 338 338 + return fmt.Errorf("failed to create secret: %w", err) 339 339 + } 340 340 + } else { 341 341 + return fmt.Errorf("failed to check for existing secret: %w", err) 342 342 + } 343 343 + } else { 344 344 + logger.V(1).Info("Secret already exists", "secret", secretName) 345 345 + } 346 346 + } 347 347 + 299 348 // Convert workflow steps to jobbuilder format and create Jobs for each workflow 300 349 for _, workflowSpec := range pipelineRun.Workflows { 301 350 // Check if Job already exists ··· 343 392 CommitSHA: pipelineRun.CommitSHA, 344 393 CloneCommands: pipelineRun.CloneCommands, 345 394 SkipClone: pipelineRun.SkipClone, 346 346 - Secrets: nil, // TODO: Handle secrets 395 395 + SecretName: secretName, // Name of K8s Secret to inject (empty if no secrets) 347 396 Template: spindleSet.Spec.Template, 348 397 Namespace: spindleSet.Namespace, 349 398 Knot: pipelineRun.Knot,

+32 -8

internal/engine/kubernetes_engine.go

··· 10 10 "sync" 11 11 "time" 12 12 13 13 + "github.com/cyphar/filepath-securejoin" 13 14 "gopkg.in/yaml.v3" 14 15 batchv1 "k8s.io/api/batch/v1" 15 16 corev1 "k8s.io/api/core/v1" ··· 40 41 config *rest.Config 41 42 namespace string 42 43 template loomv1alpha1.SpindleTemplate 44 44 + vault secrets.Manager 43 45 44 46 // Track created SpindleSets for cleanup 45 47 spindleSets map[string]*loomv1alpha1.SpindleSet ··· 53 55 } 54 56 55 57 // NewKubernetesEngine creates a new Kubernetes-based spindle engine. 56 56 - func NewKubernetesEngine(client client.Client, config *rest.Config, namespace string, template loomv1alpha1.SpindleTemplate) *KubernetesEngine { 58 58 + func NewKubernetesEngine(client client.Client, config *rest.Config, namespace string, template loomv1alpha1.SpindleTemplate, vault secrets.Manager) *KubernetesEngine { 57 59 return &KubernetesEngine{ 58 60 client: client, 59 61 config: config, 60 62 namespace: namespace, 61 63 template: template, 64 64 + vault: vault, 62 65 spindleSets: make(map[string]*loomv1alpha1.SpindleSet), 63 66 logStreams: make(map[string]*workflowLogStream), 64 67 } ··· 156 159 } 157 160 158 161 // Use shared clone command builder to extract commit SHA and build repo URL 159 159 - // Note: We're not using the actual commands here, just extracting the metadata 160 160 - // The Job builder will regenerate the commands for the init container 161 162 cloneConfig := steps.CloneConfig{ 162 163 Workflow: tangled.Pipeline_Workflow{ 163 164 Clone: cloneOpts, ··· 172 173 return fmt.Errorf("failed to build clone commands: %w", err) 173 174 } 174 175 175 175 - commitSHA := cloneCommands.CommitSHA 176 176 - repoURL := cloneCommands.RepoURL 177 177 - 178 176 // Store knot for status reporting 179 177 e.currentKnot = triggerMetadata.Repo.Knot 180 178 179 179 + // Retrieve secrets for this repository from the vault 180 180 + var repoSecrets []loomv1alpha1.SecretData 181 181 + if e.vault != nil { 182 182 + // Build didSlashRepo path: "did:plc:xxx/repo-name" 183 183 + didSlashRepo, err := securejoin.SecureJoin(triggerMetadata.Repo.Did, triggerMetadata.Repo.Repo) 184 184 + if err != nil { 185 185 + logger.Error(err, "Failed to construct repo path for secrets", "did", triggerMetadata.Repo.Did, "repo", triggerMetadata.Repo.Repo) 186 186 + } else { 187 187 + // Get unlocked secrets from vault 188 188 + unlockedSecrets, err := e.vault.GetSecretsUnlocked(ctx, secrets.DidSlashRepo(didSlashRepo)) 189 189 + if err != nil { 190 190 + logger.Error(err, "Failed to retrieve secrets from vault", "repo", didSlashRepo) 191 191 + } else if len(unlockedSecrets) > 0 { 192 192 + logger.Info("Retrieved secrets from vault", "repo", didSlashRepo, "count", len(unlockedSecrets)) 193 193 + // Convert to SecretData for SpindleSet spec 194 194 + for _, s := range unlockedSecrets { 195 195 + repoSecrets = append(repoSecrets, loomv1alpha1.SecretData{ 196 196 + Key: s.Key, 197 197 + Value: s.Value, 198 198 + }) 199 199 + } 200 200 + } 201 201 + } 202 202 + } 203 203 + 181 204 // Generate SpindleSet name: spindle-{workflowName}-{pipelineID} 182 205 // Sanitize workflow name (remove .yaml/.yml, replace dots) 183 206 sanitizedWorkflowName := strings.TrimSuffix(spec.Name, ".yaml") ··· 206 229 PipelineRun: &loomv1alpha1.PipelineRunSpec{ 207 230 PipelineID: wid.PipelineId.Rkey, 208 231 Knot: e.currentKnot, 209 209 - RepoURL: repoURL, 210 210 - CommitSHA: commitSHA, 232 232 + RepoURL: cloneCommands.RepoURL, 233 233 + CommitSHA: cloneCommands.CommitSHA, 211 234 CloneCommands: cloneCommands.All, 212 235 SkipClone: cloneCommands.Skip, 236 236 + Secrets: repoSecrets, // Repository secrets for injection 213 237 Workflows: []loomv1alpha1.WorkflowSpec{spec}, // Single workflow per SpindleSet 214 238 }, 215 239 },

+183 -40

internal/jobbuilder/job_template.go

··· 56 56 // SkipClone indicates whether to skip the clone init container entirely 57 57 SkipClone bool 58 58 59 59 - // Secrets contains auth tokens or other secrets needed 60 60 - Secrets []string 59 59 + // SecretName is the name of the Kubernetes Secret to inject via envFrom 60 60 + // If empty, no secrets are injected 61 61 + SecretName string 61 62 62 63 // Knot is the tangled.org knot URL 63 64 Knot string ··· 174 175 Spec: corev1.PodSpec{ 175 176 RestartPolicy: corev1.RestartPolicyNever, 176 177 SecurityContext: &corev1.PodSecurityContext{ 178 178 + RunAsNonRoot: &[]bool{true}[0], 179 179 + RunAsUser: &[]int64{10000}[0], 180 180 + FSGroup: &[]int64{10000}[0], 181 181 + // Note: User namespaces (hostUsers: false) for enhanced buildah rootless 182 182 + // operation requires Kubernetes 1.33+ and is not yet available in the 183 183 + // current API version. Buildah will still work in rootless mode without it. 177 184 SeccompProfile: &corev1.SeccompProfile{ 178 185 Type: corev1.SeccompProfileTypeRuntimeDefault, 179 186 }, 180 187 }, 188 188 + // Disable ServiceAccount token mounting for security 189 189 + AutomountServiceAccountToken: &[]bool{false}[0], 181 190 182 182 - // Init containers: install runner binary, then clone repository 191 191 + // Init containers: install runner binary, configure buildah, then clone repository 183 192 InitContainers: []corev1.Container{ 184 193 { 185 194 Name: "install-runner", ··· 187 196 Command: []string{"cp", "/loom-runner", "/runner-bin/loom-runner"}, 188 197 SecurityContext: &corev1.SecurityContext{ 189 198 AllowPrivilegeEscalation: &[]bool{false}[0], 199 199 + RunAsNonRoot: &[]bool{true}[0], 200 200 + RunAsUser: &[]int64{10000}[0], 201 201 + ReadOnlyRootFilesystem: &[]bool{true}[0], 190 202 Capabilities: &corev1.Capabilities{ 191 203 Drop: []corev1.Capability{"ALL"}, 192 204 }, ··· 198 210 }, 199 211 }, 200 212 }, 213 213 + { 214 214 + Name: "configure-buildah", 215 215 + Image: "quay.io/buildah/stable:latest", 216 216 + Command: []string{"/bin/sh", "-c"}, 217 217 + Args: []string{` 218 218 + # Configure buildah for rootless operation 219 219 + mkdir -p /var/lib/containers/storage 220 220 + cat > /var/lib/containers/storage.conf <<'EOF' 221 221 + [storage] 222 222 + driver = "overlay" 223 223 + runroot = "/var/lib/containers/runroot" 224 224 + graphroot = "/var/lib/containers/storage" 225 225 + 226 226 + [storage.options] 227 227 + additionalimagestores = [] 228 228 + 229 229 + [storage.options.overlay] 230 230 + mount_program = "/usr/bin/fuse-overlayfs" 231 231 + mountopt = "nodev,metacopy=on" 232 232 + EOF 233 233 + 234 234 + # Copy buildah binary to shared location 235 235 + cp /usr/bin/buildah /runner-bin/buildah 236 236 + 237 237 + echo "Buildah configured successfully" 238 238 + `}, 239 239 + SecurityContext: &corev1.SecurityContext{ 240 240 + AllowPrivilegeEscalation: &[]bool{false}[0], 241 241 + RunAsNonRoot: &[]bool{true}[0], 242 242 + RunAsUser: &[]int64{10000}[0], 243 243 + Capabilities: &corev1.Capabilities{ 244 244 + Drop: []corev1.Capability{"ALL"}, 245 245 + }, 246 246 + }, 247 247 + VolumeMounts: []corev1.VolumeMount{ 248 248 + { 249 249 + Name: "buildah-storage", 250 250 + MountPath: "/var/lib/containers", 251 251 + }, 252 252 + { 253 253 + Name: "runner-binary", 254 254 + MountPath: "/runner-bin", 255 255 + }, 256 256 + { 257 257 + Name: "tmp", 258 258 + MountPath: "/tmp", 259 259 + }, 260 260 + }, 261 261 + }, 201 262 buildCloneInitContainer(config), 202 263 }, 203 264 ··· 211 272 212 273 SecurityContext: &corev1.SecurityContext{ 213 274 AllowPrivilegeEscalation: &[]bool{false}[0], 275 275 + RunAsNonRoot: &[]bool{true}[0], 276 276 + RunAsUser: &[]int64{10000}[0], 277 277 + ReadOnlyRootFilesystem: &[]bool{true}[0], 214 278 Capabilities: &corev1.Capabilities{ 215 279 Drop: []corev1.Capability{"ALL"}, 216 280 }, ··· 218 282 219 283 Resources: resources, 220 284 221 221 - VolumeMounts: []corev1.VolumeMount{ 222 222 - { 223 223 - Name: "workspace", 224 224 - MountPath: "/tangled/workspace", 225 225 - }, 226 226 - { 227 227 - Name: "runner-binary", 228 228 - MountPath: "/runner-bin", 229 229 - }, 230 230 - }, 285 285 + VolumeMounts: buildRunnerVolumeMounts(config), 231 286 232 287 Env: append(buildEnvironmentVariables(config), corev1.EnvVar{ 233 288 Name: "LOOM_WORKFLOW_SPEC", 234 289 Value: string(workflowSpecJSON), 235 290 }), 291 291 + 292 292 + // Inject repository secrets via envFrom if available 293 293 + EnvFrom: buildEnvFromSources(config), 236 294 }, 237 295 }, 238 296 239 297 // Volumes 240 240 - Volumes: []corev1.Volume{ 241 241 - { 242 242 - Name: "workspace", 243 243 - VolumeSource: corev1.VolumeSource{ 244 244 - EmptyDir: &corev1.EmptyDirVolumeSource{}, 245 245 - }, 246 246 - }, 247 247 - { 248 248 - Name: "runner-binary", 249 249 - VolumeSource: corev1.VolumeSource{ 250 250 - EmptyDir: &corev1.EmptyDirVolumeSource{}, 251 251 - }, 252 252 - }, 253 253 - }, 298 298 + Volumes: buildVolumes(config), 254 299 255 300 // Node targeting 256 301 NodeSelector: finalNodeSelector, 257 302 Tolerations: config.Template.Tolerations, 258 303 Affinity: finalAffinity, 259 304 260 260 - // Use controller service account for imagePullSecrets 261 261 - ServiceAccountName: "loom-controller-manager", 305 305 + // Use dedicated service account with minimal permissions 306 306 + // Note: imagePullSecrets should be attached to this SA, not the controller SA 307 307 + ServiceAccountName: "spindle-job-runner", 262 308 }, 263 309 }, 264 310 }, ··· 271 317 func buildEnvironmentVariables(config WorkflowConfig) []corev1.EnvVar { 272 318 env := []corev1.EnvVar{ 273 319 { 320 320 + Name: "PATH", 321 321 + Value: "/runner-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 322 322 + }, 323 323 + { 274 324 Name: "TANGLED_WORKFLOW", 275 325 Value: config.WorkflowName, 276 326 }, ··· 296 346 }, 297 347 } 298 348 299 299 - // Add secret references if provided 300 300 - for i, secretName := range config.Secrets { 301 301 - env = append(env, corev1.EnvVar{ 302 302 - Name: fmt.Sprintf("TANGLED_SECRET_%d", i), 303 303 - ValueFrom: &corev1.EnvVarSource{ 304 304 - SecretKeyRef: &corev1.SecretKeySelector{ 305 305 - LocalObjectReference: corev1.LocalObjectReference{ 306 306 - Name: secretName, 307 307 - }, 308 308 - Key: "value", 349 349 + return env 350 350 + } 351 351 + 352 352 + // buildEnvFromSources creates EnvFromSource entries for secrets injection. 353 353 + func buildEnvFromSources(config WorkflowConfig) []corev1.EnvFromSource { 354 354 + var envFrom []corev1.EnvFromSource 355 355 + 356 356 + // Inject repository secrets from Kubernetes Secret if available 357 357 + if config.SecretName != "" { 358 358 + envFrom = append(envFrom, corev1.EnvFromSource{ 359 359 + SecretRef: &corev1.SecretEnvSource{ 360 360 + LocalObjectReference: corev1.LocalObjectReference{ 361 361 + Name: config.SecretName, 309 362 }, 310 363 }, 311 364 }) 312 365 } 313 366 314 314 - return env 367 367 + return envFrom 315 368 } 316 369 317 370 // buildCloneInitContainer creates the init container for cloning the git repository. ··· 332 385 Command: []string{"/bin/sh", "-c"}, 333 386 SecurityContext: &corev1.SecurityContext{ 334 387 AllowPrivilegeEscalation: &[]bool{false}[0], 388 388 + RunAsNonRoot: &[]bool{true}[0], 389 389 + RunAsUser: &[]int64{10000}[0], 390 390 + ReadOnlyRootFilesystem: &[]bool{true}[0], 335 391 Capabilities: &corev1.Capabilities{ 336 392 Drop: []corev1.Capability{"ALL"}, 337 393 }, ··· 341 397 { 342 398 Name: "workspace", 343 399 MountPath: "/tangled/workspace", 400 400 + }, 401 401 + { 402 402 + Name: "tmp", 403 403 + MountPath: "/tmp", 344 404 }, 345 405 }, 346 406 } 347 407 } 408 408 + 409 409 + // buildRunnerVolumeMounts creates the volume mounts for the runner container. 410 410 + func buildRunnerVolumeMounts(config WorkflowConfig) []corev1.VolumeMount { 411 411 + mounts := []corev1.VolumeMount{ 412 412 + { 413 413 + Name: "workspace", 414 414 + MountPath: "/tangled/workspace", 415 415 + }, 416 416 + { 417 417 + Name: "runner-binary", 418 418 + MountPath: "/runner-bin", 419 419 + }, 420 420 + { 421 421 + Name: "tmp", 422 422 + MountPath: "/tmp", 423 423 + }, 424 424 + { 425 425 + Name: "buildah-storage", 426 426 + MountPath: "/var/lib/containers", 427 427 + }, 428 428 + } 429 429 + 430 430 + // Mount registry credentials if specified 431 431 + if config.Template.RegistryCredentialsSecret != "" { 432 432 + mounts = append(mounts, corev1.VolumeMount{ 433 433 + Name: "registry-credentials", 434 434 + MountPath: "/home/user/.docker", 435 435 + ReadOnly: true, 436 436 + }) 437 437 + } 438 438 + 439 439 + return mounts 440 440 + } 441 441 + 442 442 + // buildVolumes creates the volumes for the pod. 443 443 + func buildVolumes(config WorkflowConfig) []corev1.Volume { 444 444 + volumes := []corev1.Volume{ 445 445 + { 446 446 + Name: "workspace", 447 447 + VolumeSource: corev1.VolumeSource{ 448 448 + EmptyDir: &corev1.EmptyDirVolumeSource{}, 449 449 + }, 450 450 + }, 451 451 + { 452 452 + Name: "runner-binary", 453 453 + VolumeSource: corev1.VolumeSource{ 454 454 + EmptyDir: &corev1.EmptyDirVolumeSource{}, 455 455 + }, 456 456 + }, 457 457 + { 458 458 + Name: "tmp", 459 459 + VolumeSource: corev1.VolumeSource{ 460 460 + EmptyDir: &corev1.EmptyDirVolumeSource{}, 461 461 + }, 462 462 + }, 463 463 + { 464 464 + Name: "buildah-storage", 465 465 + VolumeSource: corev1.VolumeSource{ 466 466 + EmptyDir: &corev1.EmptyDirVolumeSource{}, 467 467 + }, 468 468 + }, 469 469 + } 470 470 + 471 471 + // Add registry credentials volume if specified 472 472 + if config.Template.RegistryCredentialsSecret != "" { 473 473 + volumes = append(volumes, corev1.Volume{ 474 474 + Name: "registry-credentials", 475 475 + VolumeSource: corev1.VolumeSource{ 476 476 + Secret: &corev1.SecretVolumeSource{ 477 477 + SecretName: config.Template.RegistryCredentialsSecret, 478 478 + Items: []corev1.KeyToPath{ 479 479 + { 480 480 + Key: ".dockerconfigjson", 481 481 + Path: "config.json", 482 482 + }, 483 483 + }, 484 484 + }, 485 485 + }, 486 486 + }) 487 487 + } 488 488 + 489 489 + return volumes 490 490 + }