floe 0.10.0 → 0.11.0

data/lib/floe/container_runner/kubernetes.rb

@@ -0,0 +1,329 @@
+# frozen_string_literal: true
+
+module Floe
+  class ContainerRunner
+    class Kubernetes < Floe::Runner
+      include Floe::ContainerRunner::DockerMixin
+
+      TOKEN_FILE      = "/run/secrets/kubernetes.io/serviceaccount/token"
+      CA_CERT_FILE    = "/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+      RUNNING_PHASES  = %w[Pending Running].freeze
+      FAILURE_REASONS = %w[CrashLoopBackOff ImagePullBackOff ErrImagePull].freeze
+
+      def initialize(options = {})
+        require "active_support/core_ext/hash/keys"
+        require "awesome_spawn"
+        require "securerandom"
+        require "base64"
+        require "kubeclient"
+        require "yaml"
+
+        @kubeconfig_file    = ENV.fetch("KUBECONFIG", nil) || options.fetch("kubeconfig", File.join(Dir.home, ".kube", "config"))
+        @kubeconfig_context = options["kubeconfig_context"]
+
+        @token   = options["token"]
+        @token ||= File.read(options["token_file"]) if options.key?("token_file")
+        @token ||= File.read(TOKEN_FILE) if File.exist?(TOKEN_FILE)
+
+        @server   = options["server"]
+        @server ||= URI::HTTPS.build(:host => ENV.fetch("KUBERNETES_SERVICE_HOST"), :port => ENV.fetch("KUBERNETES_SERVICE_PORT", 6443)) if ENV.key?("KUBERNETES_SERVICE_HOST")
+
+        @ca_file   = options["ca_file"]
+        @ca_file ||= CA_CERT_FILE if File.exist?(CA_CERT_FILE)
+
+        @verify_ssl = options["verify_ssl"] == "false" ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
+
+        if server.nil? && token.nil? && !File.exist?(kubeconfig_file)
+          raise ArgumentError, "Missing connections options, provide a kubeconfig file or pass server and token via --docker-runner-options"
+        end
+
+        @namespace = options.fetch("namespace", "default")
+
+        @pull_policy          = options["pull-policy"]
+        @task_service_account = options["task_service_account"]
+
+        super
+      end
+
+      def run_async!(resource, env = {}, secrets = {}, _context = {})
+        raise ArgumentError, "Invalid resource" unless resource&.start_with?("docker://")
+
+        image  = resource.sub("docker://", "")
+        name   = container_name(image)
+        secret = create_secret!(secrets) if secrets && !secrets.empty?
+
+        runner_context = {"container_ref" => name, "container_state" => {"phase" => "Pending"}, "secrets_ref" => secret}
+
+        begin
+          create_pod!(name, image, env, secret)
+          runner_context
+        rescue Kubeclient::HttpError => err
+          cleanup(runner_context)
+          {"Error" => "States.TaskFailed", "Cause" => err.to_s}
+        end
+      end
+
+      def status!(runner_context)
+        return if runner_context.key?("Error")
+
+        runner_context["container_state"] = pod_info(runner_context["container_ref"]).to_h.deep_stringify_keys["status"]
+      end
+
+      def running?(runner_context)
+        return false unless pod_running?(runner_context)
+        # If a pod is Pending and the containers are waiting with a failure
+        # reason such as ImagePullBackOff or CrashLoopBackOff then the pod
+        # will never be run.
+        return false if container_failed?(runner_context)
+
+        true
+      end
+
+      def success?(runner_context)
+        runner_context.dig("container_state", "phase") == "Succeeded"
+      end
+
+      def output(runner_context)
+        if runner_context.key?("Error")
+          runner_context.slice("Error", "Cause")
+        elsif container_failed?(runner_context)
+          failed_state = failed_container_states(runner_context).first
+          {"Error" => failed_state["reason"], "Cause" => failed_state["message"]}
+        else
+          runner_context["output"] = kubeclient.get_pod_log(runner_context["container_ref"], namespace).body
+        end
+      end
+
+      def cleanup(runner_context)
+        pod, secret = runner_context.values_at("container_ref", "secrets_ref")
+
+        delete_pod(pod)       if pod
+        delete_secret(secret) if secret
+      end
+
+      def wait(timeout: nil, events: %i[create update delete])
+        retry_connection = true
+
+        begin
+          watcher = kubeclient.watch_pods(:namespace => namespace)
+
+          retry_connection = true
+
+          if timeout.to_i > 0
+            timeout_thread = Thread.new do
+              sleep(timeout)
+              watcher.finish
+            end
+          end
+
+          watcher.each do |notice|
+            break if error_notice?(notice)
+
+            event = kube_notice_type_to_event(notice.type)
+            next unless events.include?(event)
+
+            runner_context = parse_notice(notice)
+            next if runner_context.nil?
+
+            if block_given?
+              yield [event, runner_context]
+            else
+              timeout_thread&.kill # If we break out before the timeout, kill the timeout thread
+              return [[event, runner_context]]
+            end
+          end
+        rescue Kubeclient::HttpError => err
+          raise unless err.error_code == 401 && retry_connection
+
+          @kubeclient = nil
+          retry_connection = false
+          retry
+        ensure
+          begin
+            watch&.finish
+          rescue
+            nil
+          end
+
+          timeout_thread&.join(0)
+        end
+      end
+
+      private
+
+      attr_reader :ca_file, :kubeconfig_file, :kubeconfig_context, :namespace, :server, :token, :verify_ssl
+
+      def pod_info(pod_name)
+        kubeclient.get_pod(pod_name, namespace)
+      end
+
+      def pod_running?(context)
+        RUNNING_PHASES.include?(context.dig("container_state", "phase"))
+      end
+
+      def failed_container_states(context)
+        container_statuses = context.dig("container_state", "containerStatuses") || []
+        container_statuses.filter_map { |status| status["state"]&.values&.first }
+                          .select { |state| FAILURE_REASONS.include?(state["reason"]) }
+      end
+
+      def container_failed?(context)
+        failed_container_states(context).any?
+      end
+
+      def pod_spec(name, image, env, secret = nil)
+        spec = {
+          :kind       => "Pod",
+          :apiVersion => "v1",
+          :metadata   => {
+            :name      => name,
+            :namespace => namespace
+          },
+          :spec       => {
+            :containers    => [
+              {
+                :name  => name[0...-9], # remove the random suffix and its leading hyphen
+                :image => image,
+                :env   => env.map { |k, v| {:name => k, :value => v.to_s} }
+              }
+            ],
+            :restartPolicy => "Never"
+          }
+        }
+
+        spec[:spec][:imagePullPolicy]    = @pull_policy          if @pull_policy
+        spec[:spec][:serviceAccountName] = @task_service_account if @task_service_account
+
+        if secret
+          spec[:spec][:volumes] = [
+            {
+              :name   => "secret-volume",
+              :secret => {:secretName => secret}
+            }
+          ]
+
+          spec[:spec][:containers][0][:env] << {
+            :name  => "_CREDENTIALS",
+            :value => "/run/secrets/#{secret}/secret"
+          }
+
+          spec[:spec][:containers][0][:volumeMounts] = [
+            {
+              :name      => "secret-volume",
+              :mountPath => "/run/secrets/#{secret}",
+              :readOnly  => true
+            }
+          ]
+        end
+
+        spec
+      end
+
+      def create_pod!(name, image, env, secret = nil)
+        kubeclient.create_pod(pod_spec(name, image, env, secret))
+      end
+
+      def delete_pod!(name)
+        kubeclient.delete_pod(name, namespace)
+      end
+
+      def delete_pod(name)
+        delete_pod!(name)
+      rescue
+        nil
+      end
+
+      def create_secret!(secrets)
+        secret_name = SecureRandom.uuid
+
+        secret_config = {
+          :kind       => "Secret",
+          :apiVersion => "v1",
+          :metadata   => {
+            :name      => secret_name,
+            :namespace => namespace
+          },
+          :data       => {
+            :secret => Base64.urlsafe_encode64(secrets.to_json)
+          },
+          :type       => "Opaque"
+        }
+
+        kubeclient.create_secret(secret_config)
+
+        secret_name
+      end
+
+      def delete_secret!(secret_name)
+        kubeclient.delete_secret(secret_name, namespace)
+      end
+
+      def delete_secret(name)
+        delete_secret!(name)
+      rescue
+        nil
+      end
+
+      def kube_notice_type_to_event(type)
+        case type
+        when "ADDED"
+          :create
+        when "MODIFIED"
+          :update
+        when "DELETED"
+          :delete
+        else
+          :unknown
+        end
+      end
+
+      def error_notice?(notice)
+        return false unless notice.type == "ERROR"
+
+        message = notice.object&.message
+        code    = notice.object&.code
+        reason  = notice.object&.reason
+
+        logger.warn("Received [#{code} #{reason}], [#{message}]")
+
+        true
+      end
+
+      def parse_notice(notice)
+        return if notice.object.nil?
+
+        pod             = notice.object
+        container_ref   = pod.metadata.name
+        container_state = pod.to_h[:status].deep_stringify_keys
+
+        {"container_ref" => container_ref, "container_state" => container_state}
+      end
+
+      def kubeclient
+        return @kubeclient unless @kubeclient.nil?
+
+        if server && token
+          api_endpoint = server
+          auth_options = {:bearer_token => token}
+          ssl_options  = {:verify_ssl => verify_ssl}
+          ssl_options[:ca_file] = ca_file if ca_file
+        else
+          context = kubeconfig&.context(kubeconfig_context)
+          raise ArgumentError, "Missing connections options, provide a kubeconfig file or pass server and token via --docker-runner-options" if context.nil?
+
+          api_endpoint = context.api_endpoint
+          auth_options = context.auth_options
+          ssl_options  = context.ssl_options
+        end
+
+        @kubeclient = Kubeclient::Client.new(api_endpoint, "v1", :ssl_options => ssl_options, :auth_options => auth_options).tap(&:discover)
+      end
+
+      def kubeconfig
+        return if kubeconfig_file.nil? || !File.exist?(kubeconfig_file)
+
+        Kubeclient::Config.read(kubeconfig_file)
+      end
+    end
+  end
+end

data/lib/floe/container_runner/podman.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module Floe
+  class ContainerRunner
+    class Podman < Docker
+      DOCKER_COMMAND = "podman"
+
+      def initialize(options = {})
+        require "awesome_spawn"
+        require "securerandom"
+
+        super
+
+        @identity        = options["identity"]
+        @log_level       = options["log-level"]
+        @network         = options["network"]
+        @noout           = options["noout"].to_s == "true" if options.key?("noout")
+        @pull_policy     = options["pull-policy"]
+        @root            = options["root"]
+        @runroot         = options["runroot"]
+        @runtime         = options["runtime"]
+        @runtime_flag    = options["runtime-flag"]
+        @storage_driver  = options["storage-driver"]
+        @storage_opt     = options["storage-opt"]
+        @syslog          = options["syslog"].to_s == "true" if options.key?("syslog")
+        @tmpdir          = options["tmpdir"]
+        @transient_store = !!options["transient-store"] if options.key?("transient-store")
+        @volumepath      = options["volumepath"]
+      end
+
+      private
+
+      def run_container_params(image, env, secret)
+        params  = ["run"]
+        params << :detach
+        params += env.map { |k, v| [:e, "#{k}=#{v}"] }
+        params << [:e, "_CREDENTIALS=/run/secrets/#{secret}"] if secret
+        params << [:pull, @pull_policy] if @pull_policy
+        params << [:net, "host"]        if @network == "host"
+        params << [:secret, secret] if secret
+        params << [:name, container_name(image)]
+        params << image
+      end
+
+      def create_secret(secrets)
+        secret_guid = SecureRandom.uuid
+        podman!("secret", "create", secret_guid, "-", :in_data => secrets.to_json)
+        secret_guid
+      end
+
+      def delete_secret(secret_guid)
+        podman!("secret", "rm", secret_guid)
+      rescue
+        nil
+      end
+
+      def parse_notice(notice)
+        id, status, exit_code = JSON.parse(notice).values_at("ID", "Status", "ContainerExitCode")
+
+        event   = podman_event_status_to_event(status)
+        running = event != :delete
+
+        runner_context = {"container_ref" => id, "container_state" => {"Running" => running, "ExitCode" => exit_code.to_i}}
+
+        [event, runner_context]
+      rescue JSON::ParserError
+        []
+      end
+
+      def podman_event_status_to_event(status)
+        case status
+        when "create"
+          :create
+        when "init", "start"
+          :update
+        when "died", "cleanup", "remove"
+          :delete
+        else
+          :unknown
+        end
+      end
+
+      alias podman! docker!
+
+      def global_docker_options
+        options = []
+        options << [:identity, @identity]                 if @identity
+        options << [:"log-level", @log_level]             if @log_level
+        options << :noout                                 if @noout
+        options << [:root, @root]                         if @root
+        options << [:runroot, @runroot]                   if @runroot
+        options << [:runtime, @runtime]                   if @runtime
+        options << [:"runtime-flag", @runtime_flag]       if @runtime_flag
+        options << [:"storage-driver", @storage_driver]   if @storage_driver
+        options << [:"storage-opt", @storage_opt]         if @storage_opt
+        options << :syslog                                if @syslog
+        options << [:tmpdir, @tmpdir]                     if @tmpdir
+        options << [:"transient-store", @transient_store] if @transient_store
+        options << [:volumepath, @volumepath]             if @volumepath
+        options
+      end
+    end
+  end
+end

data/lib/floe/container_runner.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "container_runner/docker_mixin"
+require_relative "container_runner/docker"
+require_relative "container_runner/kubernetes"
+require_relative "container_runner/podman"
+
+module Floe
+  class ContainerRunner
+    class << self
+      def cli_options(optimist)
+        optimist.banner("")
+        optimist.banner("Container runner options:")
+
+        optimist.opt :container_runner, "Type of runner for docker container images (docker, podman, or kubernetes)", :type => :string, :short => 'r'
+        optimist.opt :container_runner_options, "Options to pass to the container runner", :type => :strings, :short => 'o'
+
+        optimist.opt :docker,     "Use docker to run container images     (short for --container-runner=docker)",     :type => :boolean
+        optimist.opt :podman,     "Use podman to run container images     (short for --container-runner=podman)",     :type => :boolean
+        optimist.opt :kubernetes, "Use kubernetes to run container images (short for --container-runner=kubernetes)", :type => :boolean
+      end
+
+      def resolve_cli_options!(opts)
+        # shortcut support
+        opts[:container_runner] ||= "docker" if opts[:docker]
+        opts[:container_runner] ||= "podman" if opts[:podman]
+        opts[:container_runner] ||= "kubernetes" if opts[:kubernetes]
+
+        runner_options = opts[:container_runner_options].to_h { |opt| opt.split("=", 2) }
+
+        begin
+          set_runner(opts[:container_runner], runner_options)
+        rescue ArgumentError => e
+          Optimist.die(:container_runner, e.message)
+        end
+      end
+
+      def runner
+        @runner || set_runner(nil)
+      end
+
+      def set_runner(name_or_instance, options = {})
+        @runner =
+          case name_or_instance
+          when "docker", nil
+            Floe::ContainerRunner::Docker.new(options)
+          when "podman"
+            Floe::ContainerRunner::Podman.new(options)
+          when "kubernetes"
+            Floe::ContainerRunner::Kubernetes.new(options)
+          when Floe::Runner
+            name_or_instance
+          else
+            raise ArgumentError, "container runner must be one of: docker, podman, kubernetes"
+          end
+      end
+    end
+  end
+end
+
+Floe::Runner.register_scheme("docker", -> { Floe::ContainerRunner.runner })

data/lib/floe/runner.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Floe
+  class Runner
+    include Logging
+
+    OUTPUT_MARKER = "__FLOE_OUTPUT__\n"
+
+    def initialize(_options = {})
+    end
+
+    @runners = {}
+    class << self
+      def register_scheme(scheme, klass_or_proc)
+        @runners[scheme] = klass_or_proc
+      end
+
+      private def resolve_scheme(scheme)
+        runner = @runners[scheme]
+        runner = @runners[scheme] = @runners[scheme].call if runner.is_a?(Proc)
+        runner
+      end
+
+      def for_resource(resource)
+        raise ArgumentError, "resource cannot be nil" if resource.nil?
+
+        scheme = resource.split("://").first
+        resolve_scheme(scheme) || raise(ArgumentError, "Invalid resource scheme [#{scheme}]")
+      end
+    end
+
+    # Run a command asynchronously and create a runner_context
+    # @return [Hash] runner_context
+    def run_async!(_resource, _env = {}, _secrets = {}, _context = {})
+      raise NotImplementedError, "Must be implemented in a subclass"
+    end
+
+    # update the runner_context
+    # @param  [Hash] runner_context (the value returned from run_async!)
+    # @return [void]
+    def status!(_runner_context)
+      raise NotImplementedError, "Must be implemented in a subclass"
+    end
+
+    # check runner_contet to determine if the task is still running or completed
+    # @param  [Hash] runner_context (the value returned from run_async!)
+    # @return [Boolean] value if the task is still running
+    #   true if the task is still running
+    #   false if it has completed
+    def running?(_runner_context)
+      raise NotImplementedError, "Must be implemented in a subclass"
+    end
+
+    # For a non-running? task, check if it was successful
+    # @param  [Hash] runner_context (the value returned from run_async!)
+    # @return [Boolean] value if the task is still running
+    #   true if the task completed successfully
+    #   false if the task had an error
+    def success?(_runner_context)
+      raise NotImplementedError, "Must be implemented in a subclass"
+    end
+
+    # For a successful task, return the output
+    # @param  [Hash] runner_context (the value returned from run_async!)
+    # @return [String, Hash] output from task
+    def output(_runner_context)
+      raise NotImplementedError, "Must be implemented in a subclass"
+    end
+
+    # Cleanup runner context resources
+    # Called after a task is completed and the runner_context is no longer needed.
+    # @param  [Hash] runner_context (the value returned from run_async!)
+    # @return [void]
+    def cleanup(_runner_context)
+      raise NotImplementedError, "Must be implemented in a subclass"
+    end
+
+    def wait(timeout: nil, events: %i[create update delete])
+      raise NotImplementedError, "Must be implemented in a subclass"
+    end
+  end
+end

data/lib/floe/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Floe
-  VERSION = "0.10.0"
+  VERSION = "0.11.0"
 end

data/lib/floe/workflow/context.rb

@@ -5,8 +5,10 @@ module Floe
     class Context
       # @param context [Json|Hash] (default, create another with input and execution params)
       # @param input [Hash] (default: {})
-      def initialize(context = nil, input: {})
+      def initialize(context = nil, input: nil)
         context = JSON.parse(context) if context.kind_of?(String)
+
+        input ||= {}
         input = JSON.parse(input) if input.kind_of?(String)
 
         @context = context || {}

data/lib/floe/workflow/states/task.rb

@@ -18,7 +18,7 @@ module Floe
           @next              = payload["Next"]
           @end               = !!payload["End"]
           @resource          = payload["Resource"]
-          @runner            = Floe::Workflow::Runner.for_resource(@resource)
+          @runner            = Floe::Runner.for_resource(@resource)
           @timeout_seconds   = payload["TimeoutSeconds"]
           @retry             = payload["Retry"].to_a.map { |retrier| Retrier.new(retrier) }
           @catch             = payload["Catch"].to_a.map { |catcher| Catcher.new(catcher) }
@@ -36,7 +36,7 @@ module Floe
           super
 
           input          = process_input(input)
-          runner_context = runner.run_async!(resource, input, credentials&.value({}, workflow.credentials))
+          runner_context = runner.run_async!(resource, input, credentials&.value({}, workflow.credentials), context)
 
           context.state["RunnerContext"] = runner_context
         end

data/lib/floe.rb

@@ -5,6 +5,8 @@ require_relative "floe/version"
 require_relative "floe/null_logger"
 require_relative "floe/logging"
 
+require_relative "floe/runner"
+
 require_relative "floe/workflow"
 require_relative "floe/workflow/catcher"
 require_relative "floe/workflow/choice_rule"
@@ -17,11 +19,6 @@ require_relative "floe/workflow/path"
 require_relative "floe/workflow/payload_template"
 require_relative "floe/workflow/reference_path"
 require_relative "floe/workflow/retrier"
-require_relative "floe/workflow/runner"
-require_relative "floe/workflow/runner/docker_mixin"
-require_relative "floe/workflow/runner/docker"
-require_relative "floe/workflow/runner/kubernetes"
-require_relative "floe/workflow/runner/podman"
 require_relative "floe/workflow/state"
 require_relative "floe/workflow/states/choice"
 require_relative "floe/workflow/states/fail"
@@ -55,17 +52,4 @@ module Floe
   def self.logger=(logger)
     @logger = logger
   end
-
-  # Set the runner to use
-  #
-  # @example
-  #   Floe.set_runner "docker", kubernetes", {}
-  #   Floe.set_runner "docker", Floe::Workflow::Runner::Kubernetes.new({})
-  #
-  # @param scheme [String] scheme                           Protocol to register (e.g.: docker)
-  # @param name_or_instance [String|Floe::Workflow::Runner] Name of runner to use for docker (e.g.: docker)
-  # @param options [Hash]                                   Options for constructor of the runner (optional)
-  def self.set_runner(scheme, name_or_instance, options = {})
-    Floe::Workflow::Runner.set_runner(scheme, name_or_instance, options)
-  end
 end