fix: Add volume for plugin and tmp folder

[tommy351]

The latest manifests (v1.7.0-rc1) throws the following error during plugin download. The reason probably is the stricter security context introduced in #3424. I added a new volume for downloaded plugin files.

time="2024-04-30T06:38:26Z" level=fatal msg="Failed to download plugins: failed to create plugin folder for plugin (argoproj-labs/gatewayAPI): (mkdir /home/argo-rollouts/plugin-bin: read-only file system)"

It seems files in emptyDir is not executable even if securityContext.fsGroup is set. I'm still investigating. Fixed by adding tmp volume.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this is a chore.
• The title of the PR is (a) conventional with a list of types and scopes found here, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234".
• I've signed my commits with DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My builds are green. Try syncing with master if they are not.
• My organization is added to USERS.md.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.19%. Comparing base (8405f2e) to head (64a30cc).
Report is 102 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3546      +/-   ##
==========================================
- Coverage   81.83%   78.19%   -3.65%     
==========================================
  Files         135      158      +23     
  Lines       20688    18397    -2291     
==========================================
- Hits        16931    14386    -2545     
- Misses       2883     3104     +221     
- Partials      874      907      +33     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Go Published Test Results

2 160 tests   2 160 ✅  2m 53s ⏱️
  119 suites      0 💤
    1 files        0 ❌

Results for commit 64a30cc.

♻️ This comment has been updated with latest results.

[github-actions]

E2E Tests Published Test Results

  4 files    4 suites   3h 23m 55s ⏱️
110 tests  97 ✅  6 💤 7 ❌
450 runs  417 ✅ 24 💤 9 ❌

For more details on these failures, see this check.

Results for commit 64a30cc.

♻️ This comment has been updated with latest results.

[agaudreault]

By default, the plugin folder for Rollout is at the root afaik. But I am using Dockerfile.dev, so maybe it is different with that one.

Edit: Dockerfile.dev is indeed different and I updated it to the same workdir on my branch, but you could do it in this PR too.

Here is the patch I currently have to be able to run plugins.

/tmp should be added, otherwise the volume will be read-only and it it used for socket creation.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: argo-rollouts
spec:
  template:
    spec:
      containers:
        - name: argo-rollouts
          volumeMounts:
            - mountPath: /home/argo-rollouts/plugin-bin
              name: plugin-bin
              readOnly: false
            - mountPath: /tmp
              name: tmp
              readOnly: false
      volumes:
        - name: plugin-bin
          emptyDir: {}
        - name: tmp
          emptyDir: {}

[tommy351]

Updated in da2dea5

[agaudreault]

tmp volume added but not mounted.

[tommy351]

Fixed in 64a30cc

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[agaudreault]

LGTM