Merge branch 'main' into rmdir-support

metalbear-co · Jan 13, 2025 · d7172c9 · d7172c9
2 parents 68509b9 + 6668e3c
commit d7172c9
Show file tree

Hide file tree

Showing 9 changed files with 177 additions and 199 deletions.
diff --git a/changelog.d/+fs-policy-test.internal.md b/changelog.d/+fs-policy-test.internal.md
@@ -0,0 +1 @@
+Fixed fs policy E2E test.
diff --git a/changelog.d/+pinned-cargo-chef.internal.md b/changelog.d/+pinned-cargo-chef.internal.md
@@ -0,0 +1 @@
+Pinned `cargo-chef` version to `0.1.68` in the dockerfiles.
diff --git a/mirrord/agent/Dockerfile b/mirrord/agent/Dockerfile
@@ -8,7 +8,8 @@ RUN ./platform.sh
 # this takes around 1 minute since libgit2 is slow https://github.com/rust-lang/cargo/issues/9167
 ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
 
-RUN cargo install cargo-chef
+# cargo-chef 0.1.69 breaks the build
+RUN cargo install [email protected]
 
 FROM chef AS planner
 

diff --git a/mirrord/cli/Dockerfile b/mirrord/cli/Dockerfile
@@ -8,7 +8,8 @@ RUN ./platform.sh
 # this takes around 1 minute since libgit2 is slow https://github.com/rust-lang/cargo/issues/9167
 ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
 
-RUN cargo install cargo-chef
+# cargo-chef 0.1.69 breaks the build
+RUN cargo install [email protected]
 
 FROM chef AS planner
 

diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs
@@ -104,7 +104,7 @@ pub struct MirrordClusterPolicySpec {
 
 /// Policy for controlling environment variables access from mirrord instances.
 #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)]
-#[serde(rename_all = "kebab-case")]
+#[serde(rename_all = "camelCase")]
 pub struct EnvPolicy {
     /// List of environment variables that should be excluded when using mirrord.
     ///
@@ -123,20 +123,29 @@ pub struct EnvPolicy {
 /// Allows the operator control over remote file ops behaviour, overriding what the user has set in
 /// their mirrord config file, if it matches something in one of the lists (regex sets) of this
 /// struct.
+///
+/// If the file path matches regexes in multiple sets, priority is as follows:
+/// 1. `local`
+/// 2. `notFound`
+/// 3. `readOnly`
 #[derive(Clone, Default, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema)]
-#[serde(rename_all = "kebab-case")]
+#[serde(rename_all = "camelCase")]
 pub struct FsPolicy {
-    /// The file can only be opened in read-only mode, otherwise the operator returns an IO error.
+    /// Files that cannot be opened for writing.
+    ///
+    /// Opening the file for writing is rejected with an IO error.
     #[serde(default)]
     pub read_only: HashSet<String>,
 
-    /// The file cannot be opened in the remote target.
+    /// Files that cannot be opened at all.
     ///
-    /// `open` calls that match this are forced to be opened in the local user's machine.
+    /// Opening the file will be rejected and mirrord will open the file locally instead.
     #[serde(default)]
     pub local: HashSet<String>,
 
-    /// Any file that matches this returns a file not found error from the operator.
+    /// Files that cannot be opened at all.
+    ///
+    /// Opening the file is rejected with an IO error.
     #[serde(default)]
     pub not_found: HashSet<String>,
 }

diff --git a/tests/node-e2e/fspolicy/test_operator_fs_policy.mjs b/tests/node-e2e/fspolicy/test_operator_fs_policy.mjs
@@ -1,54 +1,19 @@
 import fs from 'fs';
 
-fs.open("/app/file.local", (fail, fd) => {
-  console.log(`open file.local ${fd}`);
-  if (fd) {
-    console.log(`SUCCESS /app/file.local ${fd}`);
-  }
-
-  if (fail) {
-    console.error(`FAIL /app/file.local ${fail}`);
-  }
-});
-
-fs.open("/app/file.not-found", (fail, fd) => {
-  console.log(`open file.not-found ${fd}`);
-  if (fd) {
-    console.log(`SUCCESS /app/file.not-found ${fd}`);
-  }
-
-  if (fail) {
-    console.error(`FAIL /app/file.not-found ${fail}`);
-  }
-});
-
-fs.open("/app/file.read-only", (fail, fd) => {
-  if (fd) {
-    console.log(`SUCCESS /app/file.read-only ${fd}`);
-  }
-
-  if (fail) {
-    console.error(`FAIL /app/file.read-only ${fail}`);
-  }
-});
-
-fs.open("/app/file.read-only", "r+", (fail, fd) => {
-  if (fd) {
-    console.log(`SUCCESS r+ /app/file.read-only ${fd}`);
-  }
-
-  if (fail) {
-    console.error(`FAIL r+ /app/file.read-only ${fail}`);
-  }
-});
-
-fs.open("/app/file.read-write", "r+", (fail, fd) => {
-  if (fd) {
-    console.log(`SUCCESS /app/file.read-write ${fd}`);
-  }
-
-  if (fail) {
-    console.error(`FAIL /app/file.read-write ${fail}`);
-  }
-});
-
+function test_open(path, mode) {
+  fs.open(path, mode, (fail, fd) => {
+    if (fd) {
+      console.log(`SUCCESS ${mode} ${path} ${fd}`);
+    }
+
+    if (fail) {
+      console.log(`FAIL ${mode} ${path} ${fail}`);
+    }
+  });
+}
+
+test_open("/app/file.local", "r");
+test_open("/app/file.not-found", "r");
+test_open("/app/file.read-only", "r");
+test_open("/app/file.read-only", "r+");
+test_open("/app/file.read-write", "r+");
diff --git a/tests/src/operator/policies.rs b/tests/src/operator/policies.rs
@@ -33,28 +33,18 @@ impl PolicyGuard {
     ) -> Self {
         let policy_api: Api<MirrordPolicy> = Api::namespaced(kube_client.clone(), namespace);
         PolicyGuard {
-            _inner: ResourceGuard::create(
-                policy_api,
-                policy.metadata.name.clone().unwrap(),
-                policy,
-                true,
-            )
-            .await
-            .expect("Could not create policy in E2E test."),
+            _inner: ResourceGuard::create(policy_api, policy, true)
+                .await
+                .expect("Could not create policy in E2E test."),
         }
     }
 
     pub async fn clusterwide(kube_client: kube::Client, policy: &MirrordClusterPolicy) -> Self {
         let policy_api: Api<MirrordClusterPolicy> = Api::all(kube_client.clone());
         PolicyGuard {
-            _inner: ResourceGuard::create(
-                policy_api,
-                policy.metadata.name.clone().unwrap(),
-                policy,
-                true,
-            )
-            .await
-            .expect("Could not create policy in E2E test."),
+            _inner: ResourceGuard::create(policy_api, policy, true)
+                .await
+                .expect("Could not create policy in E2E test."),
         }
     }
 }

diff --git a/tests/src/operator/policies/fs.rs b/tests/src/operator/policies/fs.rs
@@ -39,14 +39,14 @@ pub async fn create_namespaced_fs_policy_and_try_file_open(
         &MirrordPolicy::new(
             "e2e-test-fs-policy-with-path-pattern",
             MirrordPolicySpec {
-                target_path: Some("fs_policy_e2e-test-*".into()),
+                target_path: Some("*fs-policy-e2e-test-*".into()),
                 selector: None,
                 block: Default::default(),
                 env: Default::default(),
                 fs: FsPolicy {
-                    read_only: HashSet::from_iter(vec!["file.read-only".to_string()]),
-                    local: HashSet::from_iter(vec!["file.local".to_string()]),
-                    not_found: HashSet::from_iter(vec!["file.not-found".to_string()]),
+                    read_only: HashSet::from_iter(vec!["file\\.read-only".to_string()]),
+                    local: HashSet::from_iter(vec!["file\\.local".to_string()]),
+                    not_found: HashSet::from_iter(vec!["file\\.not-found".to_string()]),
                 },
             },
         ),
@@ -68,20 +68,25 @@ pub async fn create_namespaced_fs_policy_and_try_file_open(
 
     test_process.wait_assert_success().await;
 
-    test_process
-        .assert_stderr_contains("FAIL /app/file.local")
-        .await;
-    test_process
-        .assert_stderr_contains("FAIL /app/file.not-found")
-        .await;
-    test_process
-        .assert_stderr_contains("FAIL r+ /app/file.read-only")
-        .await;
+    let stdout = test_process.get_stdout().await;
 
-    test_process
-        .assert_stdout_contains("SUCCESS /app/file.read-only")
-        .await;
-    test_process
-        .assert_stdout_contains("SUCCESS /app/file.read-write")
-        .await;
+    let reading_local_failed = stdout.contains("FAIL r /app/file.local");
+    let reading_not_found_failed = stdout.contains("FAIL r /app/file.not-found");
+    let reading_read_only_succeeded = stdout.contains("SUCCESS r /app/file.read-only");
+    let writing_read_only_failed = stdout.contains("FAIL r+ /app/file.read-only");
+    let writing_read_write_succeeded = stdout.contains("SUCCESS r+ /app/file.read-write");
+
+    assert!(
+        reading_local_failed
+            && reading_not_found_failed
+            && reading_read_only_succeeded
+            && writing_read_only_failed
+            && writing_read_write_succeeded,
+        "some file operations did not finish as expected:\n
+        \treading_local_failed={reading_local_failed}\n
+        \treading_not_found_failed={reading_not_found_failed}\n
+        \treading_read_only_succeeded={reading_read_only_succeeded} \n
+        \twriting_read_only_failed={writing_read_only_failed}\n
+        \twriting_read_write_succeeded={writing_read_write_succeeded}",
+    )
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Pinned `cargo-chef` version to `0.1.68` in the dockerfiles.