Merge branch 'openkruise:master' into feat/ImagePullJob-support-Toler…

…ations

.github/workflows/ci.yaml

@@ -73,7 +73,7 @@ jobs:
           output: 'trivy-results.sarif'
           severity: 'CRITICAL'
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           sarif_file: 'trivy-results.sarif'
 

.github/workflows/codeql.yml

@@ -52,7 +52,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+      uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+      uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -79,6 +79,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+      uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/license.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Ruby
-        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
+        uses: ruby/setup-ruby@f321cf5a4d1533575411f8752cf25b86478b0442 # v1.193.0
         with:
           ruby-version: 2.6
       - name: Install dependencies

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v2.25.0
+        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v2.25.0
         with:
           sarif_file: results.sarif

pkg/webhook/workloadspread/validating/workloadspread_validation.go

@@ -285,23 +285,24 @@ func validateWorkloadSpreadSubsets(ws *appsv1alpha1.WorkloadSpread, subsets []ap
 			allErrs = append(allErrs, corevalidation.ValidateTolerations(coreTolerations, fldPath.Index(i).Child("tolerations"))...)
 		}
 
-		//TODO validate patch
 		if subset.Patch.Raw != nil {
 			// In the case the WorkloadSpread is created before the workload,so no workloadTemplate is obtained, skip the remaining checks.
 			if workloadTemplate != nil {
 				// get the PodTemplateSpec from the workload
 				var podSpec v1.PodTemplateSpec
 				switch workloadTemplate.GetObjectKind().GroupVersionKind() {
 				case controllerKruiseKindCS:
-					podSpec = workloadTemplate.(*appsv1alpha1.CloneSet).Spec.Template
+					cs := workloadTemplate.(*appsv1alpha1.CloneSet)
+					podSpec = withVolumeClaimTemplates(cs.Spec.Template, cs.Spec.VolumeClaimTemplates)
 				case controllerKindDep:
 					podSpec = workloadTemplate.(*appsv1.Deployment).Spec.Template
 				case controllerKindRS:
 					podSpec = workloadTemplate.(*appsv1.ReplicaSet).Spec.Template
 				case controllerKindJob:
 					podSpec = workloadTemplate.(*batchv1.Job).Spec.Template
 				case controllerKindSts:
-					podSpec = workloadTemplate.(*appsv1.StatefulSet).Spec.Template
+					sts := workloadTemplate.(*appsv1.StatefulSet)
+					podSpec = withVolumeClaimTemplates(sts.Spec.Template, sts.Spec.VolumeClaimTemplates)
 				}
 				podBytes, _ := json.Marshal(podSpec)
 				modified, err := strategicpatch.StrategicMergePatch(podBytes, subset.Patch.Raw, &v1.Pod{})
@@ -358,6 +359,20 @@ func validateWorkloadSpreadSubsets(ws *appsv1alpha1.WorkloadSpread, subsets []ap
 	return allErrs
 }
 
+func withVolumeClaimTemplates(pod v1.PodTemplateSpec, claims []v1.PersistentVolumeClaim) v1.PodTemplateSpec {
+	for _, pvc := range claims {
+		pod.Spec.Volumes = append(pod.Spec.Volumes, v1.Volume{
+			Name: pvc.Name,
+			VolumeSource: v1.VolumeSource{
+				PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
+					ClaimName: pvc.Name,
+				},
+			},
+		})
+	}
+	return pod
+}
+
 func validateWorkloadSpreadConflict(ws *appsv1alpha1.WorkloadSpread, others []appsv1alpha1.WorkloadSpread, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for _, other := range others {

pkg/webhook/workloadspread/validating/workloadspread_validation_test.go

@@ -19,14 +19,17 @@ import (
 	"strconv"
 	"testing"
 
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/json"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
@@ -943,3 +946,171 @@ func TestValidateWorkloadSpreadConflict(t *testing.T) {
 		})
 	}
 }
+
+func Test_validateWorkloadSpreadSubsets(t *testing.T) {
+	cloneset := &appsv1alpha1.CloneSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "CloneSet",
+			APIVersion: "apps.kruise.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-cs",
+		},
+		Spec: appsv1alpha1.CloneSetSpec{
+			Replicas: ptr.To(int32(6)),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": "test",
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": "test",
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  "main",
+							Image: "img:latest",
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      "vol-1--0",
+									MountPath: "/logs",
+									SubPath:   "logs",
+								},
+							},
+						},
+					},
+				},
+			},
+			VolumeClaimTemplates: []corev1.PersistentVolumeClaim{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "vol-1--0",
+					},
+				},
+			},
+		},
+	}
+
+	sts := &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-sts",
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To(int32(6)),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": "nginx",
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": "nginx",
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  "main",
+							Image: "img:latest",
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      "vol-1--0",
+									MountPath: "/logs",
+									SubPath:   "logs",
+								},
+							},
+						},
+					},
+				},
+			},
+			VolumeClaimTemplates: []corev1.PersistentVolumeClaim{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "vol-1--0",
+					},
+				},
+			},
+		},
+	}
+	patchData := map[string]any{
+		"metadata": map[string]any{
+			"annotations": map[string]any{
+				"some-key": "some-value",
+			},
+		},
+	}
+	patch, _ := json.Marshal(patchData)
+	ws := &appsv1alpha1.WorkloadSpread{
+		Spec: appsv1alpha1.WorkloadSpreadSpec{
+			Subsets: []appsv1alpha1.WorkloadSpreadSubset{
+				{
+					Name: "test",
+					Patch: runtime.RawExtension{
+						Raw: patch,
+					},
+				},
+			},
+		},
+	}
+
+	badCloneSet := cloneset.DeepCopy()
+	badCloneSet.Spec.VolumeClaimTemplates[0].Name = "bad-boy"
+	badSts := sts.DeepCopy()
+	badSts.Spec.VolumeClaimTemplates[0].Name = "bad-boy"
+
+	testCases := []struct {
+		name     string
+		workload client.Object
+		testFunc func(errList field.ErrorList)
+	}{
+		{
+			name:     "good cloneset",
+			workload: cloneset,
+			testFunc: func(errList field.ErrorList) {
+				if len(errList) != 0 {
+					t.Fatalf("expected 0 error, got %d, errList = %+v", len(errList), errList)
+				}
+			},
+		}, {
+			name:     "bad cloneset",
+			workload: badCloneSet,
+			testFunc: func(errList field.ErrorList) {
+				if len(errList) != 1 {
+					t.Fatalf("expected 1 error, got %d, errList = %+v", len(errList), errList)
+				}
+			},
+		}, {
+			name:     "good sts",
+			workload: sts,
+			testFunc: func(errList field.ErrorList) {
+				if len(errList) != 0 {
+					t.Fatalf("expected 0 error, got %d, errList = %+v", len(errList), errList)
+				}
+			},
+		}, {
+			name:     "bad sts",
+			workload: badSts,
+			testFunc: func(errList field.ErrorList) {
+				if len(errList) != 1 {
+					t.Fatalf("expected 1 error, got %d, errList = %+v", len(errList), errList)
+				}
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tc.testFunc(
+				validateWorkloadSpreadSubsets(ws, ws.Spec.Subsets, tc.workload, field.NewPath("spec").Child("subsets")),
+			)
+		})
+	}
+}