fix(executor/emissary): fix nonroot sidecars + input/output params & artifacts

[Bobgy]

This fully fixes emissary + nonroot.
I've tested sidecars, input/output parameters and artifacts

Checklist:

• My organization is added to USERS.md.

Tips:

• Your PR needs to pass the required checks before it can be approved. If the check is not required (e.g. E2E tests) it does not need to pass
• Sign-off your commits to pass the DCO check: git commit --signoff.
• Run make pre-commit -B to fix codegen or lint problems.
• Say how how you tested your changes. If you changed the UI, attach screenshots.

[Bobgy]

Should I put this into os_specific?

[alexec]

syscall.Umask(0) is not available on Windows. So you'll need to move this command into os_specific. The Windows implementation can be a no-op.

[codecov]

Codecov Report

Merging #6403 (2ca568a) into master (4da8fd9) will decrease coverage by 0.01%.
The diff coverage is 25.00%.

@@            Coverage Diff             @@
##           master    #6403      +/-   ##
==========================================
- Coverage   48.81%   48.80%   -0.02%     
==========================================
  Files         253      253              
  Lines       18153    18155       +2     
==========================================
- Hits         8861     8860       -1     
- Misses       8324     8327       +3     
  Partials      968      968              

Impacted Files	Coverage Δ
workflow/executor/emissary/emissary.go	0.00% <0.00%> (ø)
cmd/argoexec/commands/emissary.go	50.35% <40.00%> (+0.35%)	⬆️
workflow/metrics/server.go	15.78% <0.00%> (-3.51%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4da8fd9...2ca568a. Read the comment docs.

[Bobgy]

Hi @alexec, I wonder whether you have any docs or examples for how to add workflows as tests?
I think it'll be a lot more confident checking in workflows to verify the fix and make sure we don't break it in the future.

[Bobgy]

nonroot sidecar example:

#### sidecar example ####
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: nonroot-sidecar-
spec:
  serviceAccountName: pipeline-runner
  entrypoint: sidecar-example
  templates:
  - name: sidecar-example
    container:
      image: alpine:latest
      command: [sh, -c]
      args: ["
        apk update &&
        apk add curl &&
        until curl 'http:https://127.0.0.1:8080'; do sleep 5; done &&
      "]
    sidecars:
    - name: http-echo
      image: mendhak/http-https-echo:19
      command: ['docker-entrypoint.sh']
      args: ['node', './index.js']
      envs:
      - name: HTTP_PORT
        value: 8080

nonroot parameter passing

#### parameter passing test workflow for non-root ####
# Output parameters provide a way to use the contents of a file,
# as a parameter value in a workflow. In that regard, they are
# similar in concept to script templates, with the difference being
# that the output parameter values are obtained via file contents
# instead of stdout (as with script templates). Secondly, there can
# be multiple 'output.parameters.xxx' in a single template, versus
# a single 'output.result' from a script template.
# 
# In this example, the 'whalesay' template produces an output
# parameter named 'hello-param', taken from the file contents of
# /tmp/hello_world.txt. This parameter is passed to a subsequent
# step as an input parameter to the template, 'print-message'.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: nonroot-parameter-
spec:
  serviceAccountName: pipeline-runner
  entrypoint: output-parameter
  templates:
  - name: output-parameter
    steps:
    - - name: generate-parameter
        template: whalesay
    - - name: consume-parameter
        template: print-message
        arguments:
          parameters:
          - name: message
            value: "{{steps.generate-parameter.outputs.parameters.hello-param}}"

  - name: whalesay
    container:
      image: curlimages/curl:latest
      command: [sh, -c]
      args: ["sleep 1; echo -n hello world > /tmp/hello_world.txt"]
    outputs:
      parameters:
      - name: hello-param
        valueFrom:
          default: "Foobar"   # Default value to use if retrieving valueFrom fails. If not provided workflow will fail instead
          path: /tmp/hello_world.txt

  - name: print-message
    inputs:
      parameters:
      - name: message
    container:
      image: curlimages/curl:latest
      command: [sh, -c]
      args: ["echo {{inputs.parameters.message}}"]

non root hello world workflow:

#### one step test workflow for non-root ####
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: nonroot-helloworld-
spec:
  serviceAccountName: pipeline-runner
  entrypoint: hw
  templates:
  - name: hw
    container:
      image: curlimages/curl:latest
      command: [sh, -c, "echo hello"]

nonroot artifact passing workflow:

#### artifact passing test workflow for non-root ####
# This example demonstrates the ability to pass artifacts
# from one step to the next.

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: nonroot-artifact-
spec:
  serviceAccountName: pipeline-runner
  entrypoint: artifact-example
  templates:
  - name: artifact-example
    steps:
    - - name: generate-artifact
        template: whalesay
    - - name: consume-artifact
        template: print-message
        arguments:
          artifacts:
          - name: message
            from: "{{steps.generate-artifact.outputs.artifacts.hello-art}}"

  - name: whalesay
    container:
      image: curlimages/curl:latest
      command: [sh, -c]
      args: ["sleep 1; echo hello world | tee /tmp/hello_world.txt"]
    outputs:
      artifacts:
      - name: hello-art
        path: /tmp/hello_world.txt

  - name: print-message
    inputs:
      artifacts:
      - name: message
        path: /tmp/message
    container:
      image: curlimages/curl:latest
      command: [sh, -c]
      args: ["cat /tmp/message"]

[alexec]

great stuff! you're correct about Umask - this needs to go into os_specific

[alexec]

syscall.Umask(0) is not available on Windows. So you'll need to move this command into os_specific. The Windows implementation can be a no-op.

[Bobgy]

@alexec thanks for the review! Updated to os specific

[Bobgy]

Any guidance for this?

Hi @alexec, I wonder whether you have any docs or examples for how to add workflows as tests?
I think it'll be a lot more confident checking in workflows to verify the fix and make sure we don't break it in the future.

[alexec]

minor - you ignore the return value and you only ever pass in zero - so how about:

func UmaskZero() {
// ...
}

What might be even better is name it after you intent.

[alexec]

GrantWriteAccessToNonRootUsers

??

[Bobgy]

What do you think about AllowGrantingAccessToEveryone?

[Bobgy]

OK, updated

[alexec]

@sarabala1979 this needs to be back-ported to v3.1. Do you think we should do another patch release this week?