diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/MountSecretsBootstrap.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/MountSecretsBootstrap.scala index e83dcdcdc0637..cd9d76ccd8d64 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/MountSecretsBootstrap.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/MountSecretsBootstrap.scala @@ -31,6 +31,14 @@ private[spark] trait MountSecretsBootstrap { * @return the updated pod and container with the secrets mounted. */ def mountSecrets(pod: Pod, container: Container): (Pod, Container) + /** + * Mounts Kubernetes secrets as secret volumes into the given container. Make sure that + * the secret volumes are being added to its pod spec. + * + * @param container the container into which the secret volumes are being mounted. + * @return the updated pod and container with the secrets mounted. + */ + def mountSecrets(container: Container): (Container) } private[spark] class MountSecretsBootstrapImpl( @@ -49,16 +57,20 @@ private[spark] class MountSecretsBootstrapImpl( .endVolume() .endSpec()) + (podBuilder.build(), mountSecrets(container)) + } + + override def mountSecrets(container: Container): (Container) = { var containerBuilder = new ContainerBuilder(container) secretNamesToMountPaths.foreach(namePath => containerBuilder = containerBuilder .addNewVolumeMount() - .withName(secretVolumeName(namePath._1)) - .withMountPath(namePath._2) - .endVolumeMount() + .withName(secretVolumeName(namePath._1)) + .withMountPath(namePath._2) + .endVolumeMount() ) - (podBuilder.build(), containerBuilder.build()) + containerBuilder.build() } private def secretVolumeName(secretName: String): String = { diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/submitsteps/initcontainer/InitContainerMountSecretsStep.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/submitsteps/initcontainer/InitContainerMountSecretsStep.scala index a2df3d35b8c84..f763671936186 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/submitsteps/initcontainer/InitContainerMountSecretsStep.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/submit/submitsteps/initcontainer/InitContainerMountSecretsStep.scala @@ -28,12 +28,9 @@ private[spark] class InitContainerMountSecretsStep( mountSecretsBootstrap: MountSecretsBootstrap) extends InitContainerConfigurationStep { override def configureInitContainer(initContainerSpec: InitContainerSpec) : InitContainerSpec = { - val (podWithSecretsMounted, initContainerWithSecretsMounted) = - mountSecretsBootstrap.mountSecrets( - initContainerSpec.podToInitialize, - initContainerSpec.initContainer) + val initContainerWithSecretsMounted = + mountSecretsBootstrap.mountSecrets(initContainerSpec.initContainer) initContainerSpec.copy( - podToInitialize = podWithSecretsMounted, initContainer = initContainerWithSecretsMounted ) } diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactory.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactory.scala index 1c7ccba394a3c..1b5d73db9e2e9 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactory.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactory.scala @@ -256,13 +256,13 @@ private[spark] class ExecutorPodFactoryImpl( podWithDetachedInitContainer.initContainer) }.getOrElse(podWithDetachedInitContainer.initContainer) - val (mayBePodWithSecretsMountedToInitContainer, mayBeInitContainerWithSecretsMounted) = + val mayBeInitContainerWithSecretsMounted = executorInitContainerMountSecretsBootstrap.map { bootstrap => - bootstrap.mountSecrets(podWithDetachedInitContainer.pod, resolvedInitContainer) - }.getOrElse(podWithDetachedInitContainer.pod, resolvedInitContainer) + bootstrap.mountSecrets(resolvedInitContainer) + }.getOrElse(resolvedInitContainer) val podWithAttachedInitContainer = InitContainerUtil.appendInitContainer( - mayBePodWithSecretsMountedToInitContainer, mayBeInitContainerWithSecretsMounted) + podWithDetachedInitContainer.pod, mayBeInitContainerWithSecretsMounted) val resolvedPodWithMountedSecret = executorMountInitContainerSecretPlugin.map { plugin => plugin.addResourceStagingServerSecretVolumeToPod(podWithAttachedInitContainer) diff --git a/resource-managers/kubernetes/core/src/test/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactorySuite.scala b/resource-managers/kubernetes/core/src/test/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactorySuite.scala index 47493c827ddb5..428ab9d3940a1 100644 --- a/resource-managers/kubernetes/core/src/test/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactorySuite.scala +++ b/resource-managers/kubernetes/core/src/test/scala/org/apache/spark/scheduler/cluster/k8s/ExecutorPodFactorySuite.scala @@ -221,7 +221,7 @@ class ExecutorPodFactorySuite extends SparkFunSuite with BeforeAndAfter with Bef val factory = new ExecutorPodFactoryImpl( conf, nodeAffinityExecutorPodModifier, - None, + Some(secretsBootstrap), None, Some(initContainerBootstrap), Some(secretsBootstrap), @@ -242,6 +242,10 @@ class ExecutorPodFactorySuite extends SparkFunSuite with BeforeAndAfter with Bef assert(executor.getSpec.getInitContainers.get(0).getVolumeMounts.get(0) .getMountPath === "/var/secret1") + // check volume mounted. + assert(executor.getSpec.getVolumes.size() === 1) + assert(executor.getSpec.getVolumes.get(0).getSecret.getSecretName === "secret1") + checkOwnerReferences(executor, driverPodUid) }