Specify service account for kaniko jobs

.github/workflows/merlin.yml

@@ -348,7 +348,7 @@ jobs:
       LOCAL_REGISTRY: "dev.localhost"
       INGRESS_HOST: "127.0.0.1.nip.io"
       MLP_CHART_VERSION: 0.3.4
-      E2E_PYTHON_VERSION: "3.10"
+      E2E_PYTHON_VERSION: "3.10.6"
     steps:
       - uses: actions/checkout@v2
         with:

api/cmd/api/setup.go

@@ -139,6 +139,7 @@ func initImageBuilder(cfg *config.Config) (webserviceBuilder imagebuilder.ImageB
 		ContextSubPath:       cfg.ImageBuilderConfig.ContextSubPath,
 		BuildTimeoutDuration: timeout,
 		KanikoImage:          cfg.ImageBuilderConfig.KanikoImage,
+		KanikoServiceAccount: cfg.ImageBuilderConfig.KanikoServiceAccount,
 		Resources:            cfg.ImageBuilderConfig.Resources,
 		Tolerations:          cfg.ImageBuilderConfig.Tolerations,
 		NodeSelectors:        cfg.ImageBuilderConfig.NodeSelectors,
@@ -158,6 +159,7 @@ func initImageBuilder(cfg *config.Config) (webserviceBuilder imagebuilder.ImageB
 		ContextSubPath:       cfg.ImageBuilderConfig.PredictionJobContextSubPath,
 		BuildTimeoutDuration: timeout,
 		KanikoImage:          cfg.ImageBuilderConfig.KanikoImage,
+		KanikoServiceAccount: cfg.ImageBuilderConfig.KanikoServiceAccount,
 		Resources:            cfg.ImageBuilderConfig.Resources,
 		Tolerations:          cfg.ImageBuilderConfig.Tolerations,
 		NodeSelectors:        cfg.ImageBuilderConfig.NodeSelectors,

api/config/config.go

@@ -162,6 +162,7 @@ type ImageBuilderConfig struct {
 	DockerRegistry               string                 `envconfig:"IMG_BUILDER_DOCKER_REGISTRY"`
 	BuildTimeout                 string                 `envconfig:"IMG_BUILDER_TIMEOUT" default:"10m"`
 	KanikoImage                  string                 `envconfig:"IMG_BUILDER_KANIKO_IMAGE" default:"gcr.io/kaniko-project/executor:v1.6.0"`
+	KanikoServiceAccount         string                 `envconfig:"IMG_BUILDER_KANIKO_SERVICE_ACCOUNT"`
 	Resources                    ResourceRequestsLimits `envconfig:"IMG_BUILDER_RESOURCES"`
 	// How long to keep the image building job resource in the Kubernetes cluster. Default: 2 days (48 hours).
 	Retention     time.Duration        `envconfig:"IMG_BUILDER_RETENTION" default:"48h"`

api/pkg/imagebuilder/config.go

@@ -35,6 +35,8 @@ type Config struct {
 	BuildTimeoutDuration time.Duration
 	// Kaniko docker image
 	KanikoImage string
+	// Kaniko kubernetes service account
+	KanikoServiceAccount string
 	// Kubernetes resource request and limits for kaniko
 	Resources cfg.ResourceRequestsLimits
 	// Tolerations for Jobs Specification

api/pkg/imagebuilder/imagebuilder.go

@@ -349,7 +349,6 @@ func (c *imageBuilder) createKanikoJobSpec(project mlp.Project, model *models.Mo
 		fmt.Sprintf("--context=%s", baseImageTag.BuildContextURI),
 		fmt.Sprintf("--build-arg=MODEL_URL=%s/model", version.ArtifactURI),
 		fmt.Sprintf("--build-arg=BASE_IMAGE=%s", baseImageTag.ImageName),
-		fmt.Sprintf("--build-arg=%s=%s", gacEnvKey, saFilePath),
 		fmt.Sprintf("--destination=%s", imageRef),
 		"--cache=true",
 		"--single-snapshot",
@@ -360,6 +359,37 @@ func (c *imageBuilder) createKanikoJobSpec(project mlp.Project, model *models.Mo
 	}
 
 	activeDeadlineSeconds := int64(c.config.BuildTimeoutDuration / time.Second)
+	var volume []v1.Volume
+	var volumeMount []v1.VolumeMount
+	var envVar []v1.EnvVar
+
+	// If kaniko service account is not set, use kaniko secret
+	if c.config.KanikoServiceAccount == "" {
+		kanikoArgs = append(kanikoArgs,
+			fmt.Sprintf("--build-arg=%s=%s", gacEnvKey, saFilePath))
+		volume = []v1.Volume{
+			{
+				Name: kanikoSecretName,
+				VolumeSource: v1.VolumeSource{
+					Secret: &v1.SecretVolumeSource{
+						SecretName: kanikoSecretName,
+					},
+				},
+			},
+		}
+		volumeMount = []v1.VolumeMount{
+			{
+				Name:      kanikoSecretName,
+				MountPath: "/secret",
+			},
+		}
+		envVar = []v1.EnvVar{
+			{
+				Name:  gacEnvKey,
+				Value: saFilePath,
+			},
+		}
+	}
 
 	resourceRequirements := RequestLimitResources{
 		Request: Resource{
@@ -380,7 +410,7 @@ func (c *imageBuilder) createKanikoJobSpec(project mlp.Project, model *models.Mo
 		},
 	}
 
-	return &batchv1.Job{
+	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      kanikoPodName,
 			Namespace: c.config.BuildNamespace,
@@ -400,39 +430,24 @@ func (c *imageBuilder) createKanikoJobSpec(project mlp.Project, model *models.Mo
 					RestartPolicy: v1.RestartPolicyNever,
 					Containers: []v1.Container{
 						{
-							Name:  containerName,
-							Image: c.config.KanikoImage,
-							Args:  kanikoArgs,
-							VolumeMounts: []v1.VolumeMount{
-								{
-									Name:      kanikoSecretName,
-									MountPath: "/secret",
-								},
-							},
-							Env: []v1.EnvVar{
-								{
-									Name:  gacEnvKey,
-									Value: saFilePath,
-								},
-							},
+							Name:                     containerName,
+							Image:                    c.config.KanikoImage,
+							Args:                     kanikoArgs,
+							VolumeMounts:             volumeMount,
+							Env:                      envVar,
 							Resources:                resourceRequirements.Build(),
 							TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
 						},
 					},
-					Volumes: []v1.Volume{
-						{
-							Name: kanikoSecretName,
-							VolumeSource: v1.VolumeSource{
-								Secret: &v1.SecretVolumeSource{
-									SecretName: kanikoSecretName,
-								},
-							},
-						},
-					},
+					Volumes:      volume,
 					Tolerations:  c.config.Tolerations,
 					NodeSelector: c.config.NodeSelectors,
 				},
 			},
 		},
-	}, nil
+	}
+	if c.config.KanikoServiceAccount != "" {
+		job.Spec.Template.Spec.ServiceAccountName = c.config.KanikoServiceAccount
+	}
+	return job, nil
 }

api/pkg/imagebuilder/imagebuilder_test.go

@@ -134,6 +134,61 @@ var (
 		},
 		MaximumRetry: jobBackOffLimit,
 	}
+	configWithSa = Config{
+		BuildNamespace: buildNamespace,
+		ContextSubPath: "python/pyfunc-server",
+		BaseImages: cfg.BaseImageConfigs{
+			"3.7.*": cfg.BaseImageConfig{
+				ImageName:       "gojek/base-image:1",
+				BuildContextURI: buildContextURL,
+				DockerfilePath:  "./Dockerfile",
+			},
+			"3.8.*": cfg.BaseImageConfig{
+				ImageName:       "gojek/base-image:2",
+				BuildContextURI: buildContextURL,
+				DockerfilePath:  "./Dockerfile",
+			},
+			"3.9.*": cfg.BaseImageConfig{
+				ImageName:       "gojek/base-image:3",
+				BuildContextURI: buildContextURL,
+				DockerfilePath:  "./Dockerfile",
+			},
+			"3.10.*": cfg.BaseImageConfig{
+				ImageName:       "gojek/base-image:4",
+				BuildContextURI: buildContextURL,
+				DockerfilePath:  "./Dockerfile",
+			},
+		},
+		DockerRegistry:       dockerRegistry,
+		BuildTimeoutDuration: timeout,
+		ClusterName:          "my-cluster",
+		GcpProject:           "test-project",
+		Environment:          "dev",
+		KanikoImage:          "gcr.io/kaniko-project/executor:v1.1.0",
+		Resources: cfg.ResourceRequestsLimits{
+			Requests: cfg.Resource{
+				CPU:    "500m",
+				Memory: "1Gi",
+			},
+			Limits: cfg.Resource{
+				CPU:    "500m",
+				Memory: "1Gi",
+			},
+		},
+		Tolerations: []v1.Toleration{
+			{
+				Key:      "image-build-job",
+				Value:    "true",
+				Operator: v1.TolerationOpEqual,
+				Effect:   v1.TaintEffectNoSchedule,
+			},
+		},
+		NodeSelectors: map[string]string{
+			"cloud.google.com/gke-nodepool": "image-building-job-node-pool",
+		},
+		MaximumRetry:         jobBackOffLimit,
+		KanikoServiceAccount: "kaniko-sa",
+	}
 
 	defaultResourceRequests = RequestLimitResources{
 		Request: Resource{
@@ -214,11 +269,11 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
 										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{
@@ -266,6 +321,84 @@ func TestBuildImage(t *testing.T) {
 			wantImageRef:      fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID),
 			config:            config,
 		},
+		{
+			name: "success: no existing job, use K8s Service account",
+			args: args{
+				project: project,
+				model:   model,
+				version: modelVersion,
+			},
+			existingJob: nil,
+			wantCreateJob: &batchv1.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      fmt.Sprintf("%s-%s-%s", project.Name, model.Name, modelVersion.ID),
+					Namespace: config.BuildNamespace,
+					Labels: map[string]string{
+						"gojek.com/app":          model.Name,
+						"gojek.com/orchestrator": "merlin",
+						"gojek.com/stream":       project.Stream,
+						"gojek.com/team":         project.Team,
+						"gojek.com/environment":  config.Environment,
+						"gojek.com/component":    "image-builder",
+					},
+				},
+				Spec: batchv1.JobSpec{
+					Completions:             &jobCompletions,
+					BackoffLimit:            &jobBackOffLimit,
+					TTLSecondsAfterFinished: &jobTTLSecondAfterComplete,
+					ActiveDeadlineSeconds:   &timeoutInSecond,
+					Template: v1.PodTemplateSpec{
+						ObjectMeta: metav1.ObjectMeta{
+							Labels: map[string]string{
+								"gojek.com/app":          model.Name,
+								"gojek.com/orchestrator": "merlin",
+								"gojek.com/stream":       project.Stream,
+								"gojek.com/team":         project.Team,
+								"gojek.com/environment":  config.Environment,
+								"gojek.com/component":    "image-builder",
+							},
+						},
+						Spec: v1.PodSpec{
+							RestartPolicy: v1.RestartPolicyNever,
+							Containers: []v1.Container{
+								{
+									Name:  containerName,
+									Image: "gcr.io/kaniko-project/executor:v1.1.0",
+									Args: []string{
+										fmt.Sprintf("--dockerfile=%s", config.BaseImages[modelVersion.PythonVersion].DockerfilePath),
+										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
+										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
+										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
+										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
+										"--cache=true",
+										"--single-snapshot",
+										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+									},
+									Resources:                defaultResourceRequests.Build(),
+									TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
+								},
+							},
+							Tolerations: []v1.Toleration{
+								{
+									Key:      "image-build-job",
+									Operator: v1.TolerationOpEqual,
+									Value:    "true",
+									Effect:   v1.TaintEffectNoSchedule,
+								},
+							},
+							NodeSelector: map[string]string{
+								"cloud.google.com/gke-nodepool": "image-building-job-node-pool",
+							},
+							ServiceAccountName: "kaniko-sa",
+						},
+					},
+				},
+				Status: batchv1.JobStatus{},
+			},
+			wantDeleteJobName: "",
+			wantImageRef:      fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID),
+			config:            configWithSa,
+		},
 		{
 			name: "success: no existing job, tolerations is not set",
 			args: args{
@@ -314,11 +447,11 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
 										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{
@@ -442,11 +575,11 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
 										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{
@@ -580,10 +713,10 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{
@@ -712,11 +845,11 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
 										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{
@@ -811,11 +944,11 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
 										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{
@@ -913,11 +1046,11 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
 										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{
@@ -1003,11 +1136,11 @@ func TestBuildImage(t *testing.T) {
 										fmt.Sprintf("--context=%s", config.BaseImages[modelVersion.PythonVersion].BuildContextURI),
 										fmt.Sprintf("--build-arg=MODEL_URL=%s/model", modelVersion.ArtifactURI),
 										fmt.Sprintf("--build-arg=BASE_IMAGE=%s", config.BaseImages[modelVersion.PythonVersion].ImageName),
-										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 										fmt.Sprintf("--destination=%s", fmt.Sprintf("%s/%s-%s:%s", config.DockerRegistry, project.Name, model.Name, modelVersion.ID)),
 										"--cache=true",
 										"--single-snapshot",
 										fmt.Sprintf("--context-sub-path=%s", config.ContextSubPath),
+										fmt.Sprintf("--build-arg=GOOGLE_APPLICATION_CREDENTIALS=%s", "/secret/kaniko-secret.json"),
 									},
 									VolumeMounts: []v1.VolumeMount{
 										{