Kubernetes Operator for Tangled Spindles

custom motd and secret masking?

evan.jarrett.net dcbdea60 7e3fdced

verified
+157 -157
+10 -1
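--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Build both binaries
 # Use BUILDPLATFORM so Go runs natively, cross-compile for target arch
-FROM --platform=$BUILDPLATFORM golang:1.24 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25 AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -43,4 +43,13 @@
 FROM gcr.io/distroless/base-debian12:nonroot
 COPY --from=builder /workspace/loom/manager /manager
 COPY --from=builder /workspace/loom/loom-runner /loom-runner
+
+LABEL org.opencontainers.image.title="Loom" \
+org.opencontainers.image.description="Kubernetes Operator for Tangled Spindles " \
+org.opencontainers.image.authors="Evan Jarrett" \
+org.opencontainers.image.source="https://tangled.org/evan.jarrett.net/loom" \
+org.opencontainers.image.documentation="https://tangled.org/evan.jarrett.net/loom" \
+org.opencontainers.image.licenses="MIT" \
+org.opencontainers.image.version="latest"
+
 ENTRYPOINT ["/manager"]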
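Review bot: The new `org.opencontainers.image.version="latest"` label is a constant, so every image built from this Dockerfile reports the same version and the label cannot tie a running container back to a commit or release during inventory or vulnerability triage. Pass the value in at build time instead, e.g. `ARG VERSION=dev` in the final stage before the `LABEL`, and `org.opencontainers.image.version="${VERSION}"`. The description value also carries a trailing space inside the quotes. Separately, `golang:1.25` is a floating tag; pinning the builder image by digest would keep the toolchain that produces `/manager` and `/loom-runner` reproducible.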
+17
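--- a/cmd/controller/main.go
+++ b/cmd/controller/main.go
@@ -19,6 +19,7 @@
 import (
 "context"
 "crypto/tls"
+_ "embed"
 "flag"
 "fmt"
 "os"
@@ -80,6 +81,9 @@
 CPU string `yaml:"cpu"`
 Memory string `yaml:"memory"`
 }
+
+//go:embed motd.txt
+var motd []byte
 
 var (
 scheme = runtime.NewScheme()
@@ -354,6 +358,19 @@
 if loomCfg.MaxConcurrentJobs > 0 {
 spindleCfg.Server.MaxJobCount = loomCfg.MaxConcurrentJobs
 }
+
+// Write embedded MOTD to temp file and configure spindle to use it
+motdFile, err := os.CreateTemp("", "loom-motd-*.txt")
+if err != nil {
+setupLog.Error(err, "failed to create MOTD temp file")
+os.Exit(1)
+}
+if _, err := motdFile.Write(motd); err != nil {
+setupLog.Error(err, "failed to write MOTD temp file")
+os.Exit(1)
+}
+motdFile.Close()
+spindleCfg.Server.MOTDFile = motdFile.Name()
 
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 Scheme: scheme,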
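Review bot: In the MOTD block added before `ctrl.NewManager`, a failure to create or write a purely cosmetic banner file calls `os.Exit(1)`, so the controller will not start wherever the temp directory is unwritable, for example a pod hardened with a read-only root filesystem and no writable /tmp mount (the deployment manifest is not on this page, so confirm). If spindle tolerates an empty `MOTDFile`, log the error and continue instead of exiting. The return value of `motdFile.Close()` is also dropped, and the file is never removed, so each restart leaves another `loom-motd-*.txt` behind; `if err := motdFile.Close(); err != nil { setupLog.Error(err, "failed to close MOTD temp file") }` covers the first of these. The enclosing function starts and ends outside the hunk.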
+13
cmd/controller/motd.txt
··· 1 + __/\\\___________________/\\\\\____________/\\\\\_______/\\\\____________/\\\\_ 2 + _\/\\\_________________/\\\///\\\________/\\\///\\\____\/\\\\\\________/\\\\\\_ 3 + _\/\\\_______________/\\\/__\///\\\____/\\\/__\///\\\__\/\\\//\\\____/\\\//\\\_ 4 + _\/\\\______________/\\\______\//\\\__/\\\______\//\\\_\/\\\\///\\\/\\\/_\/\\\_ 5 + _\/\\\_____________\/\\\_______\/\\\_\/\\\_______\/\\\_\/\\\__\///\\\/___\/\\\_ 6 + _\/\\\_____________\//\\\______/\\\__\//\\\______/\\\__\/\\\____\///_____\/\\\_ 7 + _\/\\\______________\///\\\__/\\\_____\///\\\__/\\\____\/\\\_____________\/\\\_ 8 + _\/\\\\\\\\\\\\\\\____\///\\\\\/________\///\\\\\/_____\/\\\_____________\/\\\_ 9 + _\///////////////_______\/////____________\/////_______\///______________\///__ 10 + 11 + tangled.org CI/CD spindles 12 + 13 + More info at https://tangled.org/evan.jarrett.net/loom
+3 -3
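--- a/config/crd/bases/loom.j5t.io_spindlesets.yaml
+++ b/config/crd/bases/loom.j5t.io_spindlesets.yaml
@@ -783,8 +783,8 @@
 most preferred is the one with the greatest sum of weights, i.e.
 for each node that meets all of the scheduling requirements (resource
 request, requiredDuringScheduling anti-affinity expressions, etc.),
-compute a sum by iterating through the elements of this field and adding
-"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+compute a sum by iterating through the elements of this field and subtracting
+"weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
 node(s) with the highest sum are the most preferred.
 items:
 description: The weights of all of the matched WeightedPodAffinityTerm
@@ -1162,7 +1162,7 @@
 Claims lists the names of resources, defined in spec.resourceClaims,
 that are used by this container.
 
-This is an alpha field and requires enabling the
+This field depends on the
 DynamicResourceAllocation feature gate.
 
 This field is immutable. It can only be set for containers.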
+29 -26
go.mod
··· 1 1 module tangled.org/evan.jarrett.net/loom 2 2 3 - go 1.24.4 3 + go 1.25.0 4 4 5 - toolchain go1.24.10 5 + toolchain go1.25.5 6 6 7 7 require ( 8 8 github.com/cenkalti/backoff/v4 v4.3.0 ··· 10 10 github.com/onsi/ginkgo/v2 v2.23.4 11 11 github.com/onsi/gomega v1.37.0 12 12 gopkg.in/yaml.v3 v3.0.1 13 - k8s.io/api v0.33.0 14 - k8s.io/apimachinery v0.33.0 15 - k8s.io/client-go v0.33.0 16 - sigs.k8s.io/controller-runtime v0.21.0 13 + k8s.io/api v0.34.1 14 + k8s.io/apimachinery v0.34.1 15 + k8s.io/client-go v0.34.1 16 + sigs.k8s.io/controller-runtime v0.22.4 17 17 tangled.org/core v1.11.0-alpha 18 18 ) 19 19 20 20 require ( 21 - cel.dev/expr v0.23.0 // indirect 21 + cel.dev/expr v0.24.0 // indirect 22 22 github.com/Blank-Xu/sql-adapter v1.1.1 // indirect 23 23 github.com/Microsoft/go-winio v0.6.2 // indirect 24 24 github.com/antlr4-go/antlr/v4 v4.13.0 // indirect ··· 47 47 github.com/docker/docker v28.2.2+incompatible // indirect 48 48 github.com/docker/go-connections v0.5.0 // indirect 49 49 github.com/docker/go-units v0.5.0 // indirect 50 - github.com/emicklei/go-restful/v3 v3.11.0 // indirect 50 + github.com/emicklei/go-restful/v3 v3.12.2 // indirect 51 51 github.com/evanphx/json-patch/v5 v5.9.11 // indirect 52 52 github.com/felixge/httpsnoop v1.0.4 // indirect 53 - github.com/fsnotify/fsnotify v1.7.0 // indirect 54 - github.com/fxamacker/cbor/v2 v2.7.0 // indirect 53 + github.com/fsnotify/fsnotify v1.9.0 // indirect 54 + github.com/fxamacker/cbor/v2 v2.9.0 // indirect 55 55 github.com/go-chi/chi/v5 v5.2.0 // indirect 56 56 github.com/go-git/go-git/v5 v5.14.0 // indirect 57 57 github.com/go-jose/go-jose/v3 v3.0.4 // indirect ··· 68 68 github.com/gogo/protobuf v1.3.2 // indirect 69 69 github.com/golang-jwt/jwt/v5 v5.2.3 // indirect 70 70 github.com/google/btree v1.1.3 // indirect 71 - github.com/google/cel-go v0.23.2 // indirect 72 - github.com/google/gnostic-models v0.6.9 // indirect 71 + github.com/google/cel-go v0.26.0 // indirect 72 + 
github.com/google/gnostic-models v0.7.0 // indirect 73 73 github.com/google/go-cmp v0.7.0 // indirect 74 74 github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a // indirect 75 75 github.com/google/uuid v1.6.0 // indirect ··· 113 113 github.com/moby/docker-image-spec v1.3.1 // indirect 114 114 github.com/moby/sys/sequential v0.6.0 // indirect 115 115 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 116 - github.com/modern-go/reflect2 v1.0.2 // indirect 116 + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect 117 117 github.com/mr-tron/base58 v1.2.0 // indirect 118 118 github.com/muesli/termenv v0.16.0 // indirect 119 119 github.com/multiformats/go-base32 v0.1.0 // indirect ··· 128 128 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect 129 129 github.com/pjbgf/sha1cd v0.3.2 // indirect 130 130 github.com/pkg/errors v0.9.1 // indirect 131 + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 131 132 github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f // indirect 132 133 github.com/prometheus/client_golang v1.22.0 // indirect 133 134 github.com/prometheus/client_model v0.6.2 // indirect ··· 138 139 github.com/ryanuber/go-glob v1.0.0 // indirect 139 140 github.com/sethvargo/go-envconfig v1.1.0 // indirect 140 141 github.com/spaolacci/murmur3 v1.1.0 // indirect 141 - github.com/spf13/cobra v1.8.1 // indirect 142 - github.com/spf13/pflag v1.0.5 // indirect 142 + github.com/spf13/cobra v1.9.1 // indirect 143 + github.com/spf13/pflag v1.0.6 // indirect 143 144 github.com/stoewer/go-strcase v1.3.0 // indirect 144 145 github.com/vmihailenco/go-tinylfu v0.2.2 // indirect 145 146 github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect ··· 152 153 go.opentelemetry.io/auto/sdk v1.1.0 // indirect 153 154 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect 154 155 go.opentelemetry.io/otel v1.37.0 // indirect 155 - 
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect 156 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect 156 + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect 157 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect 157 158 go.opentelemetry.io/otel/metric v1.37.0 // indirect 158 159 go.opentelemetry.io/otel/sdk v1.37.0 // indirect 159 160 go.opentelemetry.io/otel/trace v1.37.0 // indirect ··· 162 163 go.uber.org/automaxprocs v1.6.0 // indirect 163 164 go.uber.org/multierr v1.11.0 // indirect 164 165 go.uber.org/zap v1.27.0 // indirect 166 + go.yaml.in/yaml/v2 v2.4.2 // indirect 167 + go.yaml.in/yaml/v3 v3.0.4 // indirect 165 168 golang.org/x/crypto v0.41.0 // indirect 166 169 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect 167 170 golang.org/x/net v0.43.0 // indirect ··· 182 185 gopkg.in/fsnotify.v1 v1.4.7 // indirect 183 186 gopkg.in/inf.v0 v0.9.1 // indirect 184 187 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect 185 - k8s.io/apiextensions-apiserver v0.33.0 // indirect 186 - k8s.io/apiserver v0.33.0 // indirect 187 - k8s.io/component-base v0.33.0 // indirect 188 + k8s.io/apiextensions-apiserver v0.34.1 // indirect 189 + k8s.io/apiserver v0.34.1 // indirect 190 + k8s.io/component-base v0.34.1 // indirect 188 191 k8s.io/klog/v2 v2.130.1 // indirect 189 - k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect 190 - k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect 192 + k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect 193 + k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect 191 194 lukechampine.com/blake3 v1.4.1 // indirect 192 195 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect 193 - sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect 196 + sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect 194 197 sigs.k8s.io/randfill v1.0.0 
// indirect 195 - sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect 196 - sigs.k8s.io/yaml v1.4.0 // indirect 198 + sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect 199 + sigs.k8s.io/yaml v1.6.0 // indirect 197 200 ) 198 201 199 202 // Use our custom version of tangled until its upstreamed 200 - replace tangled.org/core => tangled.org/evan.jarrett.net/core v1.11.0-alpha.0.20251205153606-d61374e9daa6 203 + replace tangled.org/core => tangled.org/evan.jarrett.net/core v1.11.0-alpha.0.20251215153911-cd243782acda
+53 -49
go.sum
··· 1 - cel.dev/expr v0.23.0 h1:wUb94w6OYQS4uXraxo9U+wUAs9jT47Xvl4iPgAwM2ss= 2 - cel.dev/expr v0.23.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= 1 + cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= 2 + cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= 3 3 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= 4 4 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= 5 5 github.com/Blank-Xu/sql-adapter v1.1.1 h1:+g7QXU9sl/qT6Po97teMpf3GjAO0X9aFaqgSePXvYko= ··· 69 69 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= 70 70 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= 71 71 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= 72 - github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 72 + github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= 73 73 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 74 74 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= 75 75 github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= ··· 87 87 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= 88 88 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= 89 89 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= 90 - github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= 91 - github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= 90 + github.com/emicklei/go-restful/v3 v3.12.2 
h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= 91 + github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= 92 92 github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k= 93 93 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= 94 94 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= ··· 99 99 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= 100 100 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 101 101 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= 102 - github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= 103 - github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= 104 - github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= 105 - github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= 102 + github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= 103 + github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= 104 + github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= 105 + github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= 106 106 github.com/go-chi/chi/v5 v5.2.0 h1:Aj1EtB0qR2Rdo2dG4O94RIU35w2lvQSj6BRA4+qwFL0= 107 107 github.com/go-chi/chi/v5 v5.2.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= 108 108 github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60= ··· 157 157 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= 158 158 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= 159 159 github.com/google/btree v1.1.3/go.mod 
h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= 160 - github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4= 161 - github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= 162 - github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= 163 - github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= 160 + github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= 161 + github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= 162 + github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= 163 + github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= 164 164 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 165 165 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 166 166 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= ··· 295 295 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 296 296 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 297 297 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 298 - github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= 299 298 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= 299 + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= 300 + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= 300 301 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= 
301 302 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= 302 303 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o= ··· 398 399 github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM= 399 400 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= 400 401 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= 401 - github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= 402 - github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= 403 - github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 404 - github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 402 + github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= 403 + github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= 404 + github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= 405 + github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 405 406 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= 406 407 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= 407 408 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= ··· 449 450 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= 450 451 go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= 451 452 go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= 452 - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA= 453 - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod 
h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI= 454 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM= 455 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA= 453 + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60= 454 + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM= 455 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U= 456 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= 456 457 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 h1:lUsI2TYsQw2r1IASwoROaCnjdj2cvC2+Jbxvk6nHnWU= 457 458 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0/go.mod h1:2HpZxxQurfGxJlJDblybejHB6RX6pmExPNe517hREw4= 458 459 go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE= ··· 481 482 go.uber.org/zap v1.16.0/go.mod h1:MA8QOfq0BHJwdXa996Y4dYkAqRKB8/1K1QMMZVaNZjQ= 482 483 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= 483 484 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= 485 + go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= 486 + go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= 487 + go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= 488 + go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= 484 489 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 485 490 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 486 491 
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= ··· 654 659 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= 655 660 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= 656 661 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= 657 - k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU= 658 - k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM= 659 - k8s.io/apiextensions-apiserver v0.33.0 h1:d2qpYL7Mngbsc1taA4IjJPRJ9ilnsXIrndH+r9IimOs= 660 - k8s.io/apiextensions-apiserver v0.33.0/go.mod h1:VeJ8u9dEEN+tbETo+lFkwaaZPg6uFKLGj5vyNEwwSzc= 661 - k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ= 662 - k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= 663 - k8s.io/apiserver v0.33.0 h1:QqcM6c+qEEjkOODHppFXRiw/cE2zP85704YrQ9YaBbc= 664 - k8s.io/apiserver v0.33.0/go.mod h1:EixYOit0YTxt8zrO2kBU7ixAtxFce9gKGq367nFmqI8= 665 - k8s.io/client-go v0.33.0 h1:UASR0sAYVUzs2kYuKn/ZakZlcs2bEHaizrrHUZg0G98= 666 - k8s.io/client-go v0.33.0/go.mod h1:kGkd+l/gNGg8GYWAPr0xF1rRKvVWvzh9vmZAMXtaKOg= 667 - k8s.io/component-base v0.33.0 h1:Ot4PyJI+0JAD9covDhwLp9UNkUja209OzsJ4FzScBNk= 668 - k8s.io/component-base v0.33.0/go.mod h1:aXYZLbw3kihdkOPMDhWbjGCO6sg+luw554KP51t8qCU= 662 + k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= 663 + k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= 664 + k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= 665 + k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= 666 + k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= 667 + k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= 668 + k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA= 669 
+ k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0= 670 + k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= 671 + k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= 672 + k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= 673 + k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= 669 674 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= 670 675 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= 671 - k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= 672 - k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= 673 - k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= 674 - k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 676 + k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= 677 + k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= 678 + k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= 679 + k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 675 680 lukechampine.com/blake3 v1.4.1 h1:I3Smz7gso8w4/TunLKec6K2fn+kyKtDxr/xcQEN84Wg= 676 681 lukechampine.com/blake3 v1.4.1/go.mod h1:QFosUxmjB8mnrWFSNwKmvxHpfY72bmD2tQ0kBMM3kwo= 677 682 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= 678 683 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= 679 - sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= 680 - 
sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= 681 - sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= 682 - sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= 683 - sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= 684 + sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A= 685 + sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= 686 + sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= 687 + sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= 684 688 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= 685 689 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= 686 - sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= 687 - sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= 688 - sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= 689 - sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= 690 - tangled.org/evan.jarrett.net/core v1.11.0-alpha.0.20251205153606-d61374e9daa6 h1:PyvQ+Ptvb34ZNgF/IMi8UpYOdE7GjnXp/bZpLk2E/pU= 691 - tangled.org/evan.jarrett.net/core v1.11.0-alpha.0.20251205153606-d61374e9daa6/go.mod h1:DpfEc3N9VfsIYVcXwP71zDQpGWnTQ3wBLBxqV0oom8g= 690 + sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= 691 + sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= 692 + sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= 693 + sigs.k8s.io/yaml v1.6.0/go.mod 
h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= 694 + tangled.org/evan.jarrett.net/core v1.11.0-alpha.0.20251215153911-cd243782acda h1:d4H5M0fAAMjU8OFMU+sYD4yXjjQMN4v3IltMQRr/6QM= 695 + tangled.org/evan.jarrett.net/core v1.11.0-alpha.0.20251215153911-cd243782acda/go.mod h1:z291K5Y6pwjOD7CpoPyhxKRGvFboADLEr9RRQe5m08A=
+4 -1
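--- a/internal/controller/spindleset_controller.go
+++ b/internal/controller/spindleset_controller.go
@@ -351,6 +351,7 @@
 
 // Create Kubernetes Secret for repository secrets if any exist
 var secretName string
+var secretKeys []string
 if len(pipelineRun.Secrets) > 0 {
 secretName = fmt.Sprintf("%s-secrets", spindleSet.Name)
 secret := &corev1.Secret{
@@ -365,9 +366,10 @@
 StringData: make(map[string]string),
 }
 
-// Populate secret data from PipelineRunSpec
+// Populate secret data from PipelineRunSpec and collect keys for masking
 for _, secretData := range pipelineRun.Secrets {
 secret.StringData[secretData.Key] = secretData.Value
+secretKeys = append(secretKeys, secretData.Key)
 }
 
 // Set SpindleSet as owner for automatic cleanup
@@ -450,6 +452,7 @@
 CloneCommands: pipelineRun.CloneCommands,
 SkipClone: pipelineRun.SkipClone,
 SecretName: secretName, // Name of K8s Secret to inject (empty if no secrets)
+SecretKeys: secretKeys, // Secret env var names for log masking
 Template: spindleSet.Spec.Template,
 Namespace: spindleSet.Namespace,
 }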
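Review bot: The new `secretKeys` plumbing is a security control (log masking), and none of the files in this commit adds a test for it; the only test change is the `LoomImage` field in `spindleset_controller_test.go`. A reconcile test with a `pipelineRun.Secrets` entry should assert that the resulting job config carries exactly the secret names in `SecretKeys`, and that no secret value appears anywhere in the generated pod spec. Without that, a later refactor of the `for _, secretData := range pipelineRun.Secrets` loop could silently stop collecting keys and masking would fail open. The enclosing function starts and ends outside these hunks.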
+3 -2
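--- a/internal/controller/spindleset_controller_test.go
+++ b/internal/controller/spindleset_controller_test.go
@@ -93,8 +93,9 @@
 It("should successfully reconcile the resource", func() {
 By("Reconciling the created resource")
 controllerReconciler := &SpindleSetReconciler{
-Client: k8sClient,
-Scheme: k8sClient.Scheme(),
+Client: k8sClient,
+Scheme: k8sClient.Scheme(),
+LoomImage: "ghcr.io/example/loom:test",
 }
 
 _, err := controllerReconciler.Reconcile(ctx, reconcile.Request{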
+1 -1
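--- a/internal/engine/kubernetes_engine.go
+++ b/internal/engine/kubernetes_engine.go
@@ -123,7 +123,7 @@
 StepKind: models.StepKindUser,
 })
 }
-
+
 // Build clone step (uses upstream models.BuildCloneStep which is self-contained)
 var cloneStep models.CloneStep
 devMode := false // TODO: Make this configurable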
+24 -74
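--- a/internal/jobbuilder/job_template.go
+++ b/internal/jobbuilder/job_template.go
@@ -58,6 +58,10 @@
 // If empty, no secrets are injected
 SecretName string
 
+// SecretKeys is the list of environment variable names that contain secrets.
+// These are passed to the runner for log masking.
+SecretKeys []string
+
 // Template is the SpindleSet template to apply
 Template loomv1alpha1.SpindleTemplate
 
@@ -210,10 +214,11 @@
 // Disable ServiceAccount token mounting for security
 AutomountServiceAccountToken: &[]bool{false}[0],
 
-// Init containers: setup user, install runner binary, configure buildah, then clone repository
+// Init containers: setup user and buildah storage, install runner binary, then clone repository
 InitContainers: []corev1.Container{
 // Setup user creates /etc/passwd and /etc/group entries for UID 1000
 // This is needed because many tools (like buildah) require a valid passwd entry
+// Also configures buildah storage directories and storage.conf
 {
 Name: "setup-user",
 Image: "busybox:latest",
@@ -240,7 +245,16 @@
 mkdir -p /home-override/runner/.config/containers
 chmod 700 /home-override/runner/.config
 chown -R 1000:1000 /home-override/runner
-echo "User setup complete"
+# Configure buildah storage directories (for workflows using buildah images)
+mkdir -p /var/lib/containers/storage /var/lib/containers/runroot
+cat > /var/lib/containers/storage.conf <<'EOF'
+[storage]
+driver = "overlay"
+runroot = "/var/lib/containers/runroot"
+graphroot = "/var/lib/containers/storage"
+EOF
+chown -R 1000:1000 /var/lib/containers
+echo "User and buildah storage setup complete"
 `},
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: &[]bool{false}[0],
@@ -262,6 +276,10 @@
 {
 Name: "home-override",
 MountPath: "/home-override",
+},
+{
+Name: "buildah-storage",
+MountPath: "/var/lib/containers",
 },
 },
 },
@@ -285,78 +303,6 @@
 },
 },
 },
-{
-Name: "configure-buildah",
-Image: "quay.io/buildah/stable:latest",
-Command: []string{"/bin/sh", "-c"},
-Args: []string{`
-# Configure buildah storage - native overlay (kernel 6.12+ supports in user namespaces)
-mkdir -p /var/lib/containers/storage
-cat > /var/lib/containers/storage.conf <<'EOF'
-[storage]
-driver = "overlay"
-runroot = "/var/lib/containers/runroot"
-graphroot = "/var/lib/containers/storage"
-EOF
-
-# Copy buildah binary to shared location
-cp /usr/bin/buildah /runner-bin/buildah
-
-echo "Buildah configured successfully"
-`},
-Env: []corev1.EnvVar{
-{Name: "HOME", Value: "/home/runner"},
-},
-SecurityContext: &corev1.SecurityContext{
-AllowPrivilegeEscalation: &[]bool{false}[0],
-RunAsNonRoot: &[]bool{true}[0],
-RunAsUser: &[]int64{1000}[0],
-Capabilities: &corev1.Capabilities{
-Drop: []corev1.Capability{"ALL"},
-},
-},
-VolumeMounts: []corev1.VolumeMount{
-{
-Name: "buildah-storage",
-MountPath: "/var/lib/containers",
-},
-{
-Name: "runner-binary",
-MountPath: "/runner-bin",
-},
-{
-Name: "tmp",
-MountPath: "/tmp",
-},
-// Mount passwd/group/subuid/subgid and home directory so buildah
-// sees consistent user identity and can write to ~/.config
-{
-Name: "etc-override",
-MountPath: "/etc/passwd",
-SubPath: "passwd",
-},
-{
-Name: "etc-override",
-MountPath: "/etc/group",
-SubPath: "group",
-},
-{
-Name: "etc-override",
-MountPath: "/etc/subuid",
-SubPath: "subuid",
-},
-{
-Name: "etc-override",
-MountPath: "/etc/subgid",
-SubPath: "subgid",
-},
-{
-Name: "home-override",
-MountPath: "/home/runner",
-SubPath: "runner",
-},
-},
-},
 buildCloneInitContainer(config),
 },
 
@@ -394,6 +340,10 @@
 corev1.EnvVar{
 Name: "LOOM_WORKFLOW_SPEC",
 Value: string(workflowSpecJSON),
+},
+corev1.EnvVar{
+Name: "LOOM_SECRET_KEYS",
+Value: strings.Join(config.SecretKeys, ","),
 },
 ),
 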
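Review bot: The `LOOM_SECRET_KEYS` entry appended after `LOOM_WORKFLOW_SPEC` is emitted unconditionally, so a run with no secrets hands the runner an empty string. The runner is not on this page, but a plain split on "," would yield one empty key, and depending on how masking is implemented an empty name or value can blank or corrupt log output. Either append the variable only when `len(config.SecretKeys) > 0`, or state on the `SecretKeys` field that the runner must skip empty entries. The field comment should also record that only the names travel in the pod spec while values stay in the Secret referenced by `SecretName`, and that masking by exact value does not cover encoded or transformed forms of a secret (for example base64 output). The enclosing struct and function bodies start and end outside these hunks.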