neondatabase · conradludgate · Mar 11, 2025 · Mar 12, 2025
diff --git a/neonvm-runner/cmd/disks.go b/neonvm-runner/cmd/disks.go
@@ -74,7 +74,7 @@ func setupVMDisks(
 				discard = ",discard=unmap"
 			}
 			qemuCmd = append(qemuCmd, "-drive", fmt.Sprintf("id=%s,file=%s,if=virtio,media=disk,%s%s", disk.Name, dPath, diskCacheSettings, discard))
-		case disk.ConfigMap != nil || disk.Secret != nil:
+		case disk.ConfigMap != nil || disk.Secret != nil || disk.Projected != nil:
 			dPath := fmt.Sprintf("%s/%s.iso", mountedDiskPath, disk.Name)
 			mnt := fmt.Sprintf("/vm/mounts%s", disk.MountPath)
 			logger.Info("creating iso9660 image", zap.String("diskPath", dPath), zap.String("diskName", disk.Name), zap.String("mountPath", mnt))
@@ -206,7 +206,7 @@ func createISO9660runtime(
 				mounts = append(mounts, fmt.Sprintf(`/neonvm/bin/mount %s $(/neonvm/bin/blkid -L %s) %s`, opts, disk.Name, disk.MountPath))
 				// Note: chmod must be after mount, otherwise it gets overwritten by mount.
 				mounts = append(mounts, fmt.Sprintf(`/neonvm/bin/chmod 0777 %s`, disk.MountPath))
-			case disk.ConfigMap != nil || disk.Secret != nil:
+			case disk.ConfigMap != nil || disk.Secret != nil || disk.Projected != nil:
 				mounts = append(mounts, fmt.Sprintf(`/neonvm/bin/mount -t iso9660 -o ro,mode=0644 $(/neonvm/bin/blkid -L %s) %s`, disk.Name, disk.MountPath))
 			case disk.Tmpfs != nil:
 				mounts = append(mounts, fmt.Sprintf(`/neonvm/bin/chmod 0777 %s`, disk.MountPath))

diff --git a/neonvm-runner/cmd/main.go b/neonvm-runner/cmd/main.go
@@ -239,7 +239,9 @@ func run(logger *zap.Logger) error {
 					EmptyDisk: nil,
 					ConfigMap: nil,
 					Secret:    nil,
+					Projected: nil,
 					Tmpfs:     nil,
+					Implicit:  nil,
 				},
 			})
 		}
@@ -699,7 +701,14 @@ func monitorFiles(ctx context.Context, logger *zap.Logger, wg *sync.WaitGroup, v
 		if disk.Watch != nil && *disk.Watch {
 			// secrets/configmaps are mounted using the atomicwriter utility,
 			// which loads the directory into `..data`.
-			dataDir := fmt.Sprintf("/vm/mounts%s/..data", disk.MountPath)
+			dataDir := fmt.Sprintf("%s/..data", disk.MountPath)
+
+			// when we mount the disk ourselves, it goes into /vm/mounts.
+			// when the volumemount is implicit, it exists where it exists.
+			if disk.DiskSource.Implicit == nil {
+				dataDir = fmt.Sprintf("/vm/mounts%s", dataDir)
+			}
+
 			secrets[dataDir] = disk.MountPath
 			secretsOrd = append(secretsOrd, dataDir)
 		}

diff --git a/neonvm/apis/neonvm/v1/virtualmachine_types.go b/neonvm/apis/neonvm/v1/virtualmachine_types.go
@@ -559,11 +559,20 @@ type DiskSource struct {
 	// Secret represents a secret that should populate this disk.
 	// +optional
 	Secret *corev1.SecretVolumeSource `json:"secret,omitempty"`
+	// Projected represents a projected volume that should populate this disk.
+	// +optional
+	Projected *corev1.ProjectedVolumeSource `json:"projected,omitempty"`
 	// TmpfsDisk represents a tmpfs.
 	// +optional
 	Tmpfs *TmpfsDiskSource `json:"tmpfs,omitempty"`
+	// Implicit represents an implicit volume that will be automatically mounted.
+	// Suitable for `aws-iam-token` or `azure-identity-token`, among other things.
+	// +optional
+	Implicit *ImplicitDiskSource `json:"implicit,omitempty"`
 }
 
+type ImplicitDiskSource struct{}
+
 type EmptyDiskSource struct {
 	Size resource.Quantity `json:"size"`
 	// Discard enables the "discard" mount option for the filesystem

diff --git a/neonvm/apis/neonvm/v1/zz_generated.deepcopy.go b/neonvm/apis/neonvm/v1/zz_generated.deepcopy.go
diff --git a/neonvm/config/crd/bases/vm.neon.tech_virtualmachines.yaml b/neonvm/config/crd/bases/vm.neon.tech_virtualmachines.yaml
diff --git a/pkg/neonvm/controllers/vm_controller.go b/pkg/neonvm/controllers/vm_controller.go
@@ -1663,6 +1663,14 @@ func podSpec(
 					},
 				},
 			})
+		case disk.Projected != nil:
+			pod.Spec.Containers[0].VolumeMounts = append(pod.Spec.Containers[0].VolumeMounts, mnt)
+			pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{
+				Name: disk.Name,
+				VolumeSource: corev1.VolumeSource{
+					Projected: disk.Projected,
+				},
+			})
 		case disk.EmptyDisk != nil:
 			pod.Spec.Containers[0].VolumeMounts = append(pod.Spec.Containers[0].VolumeMounts, mnt)
 			pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{

diff --git a/tests/e2e/vm-projected/00-assert.yaml b/tests/e2e/vm-projected/00-assert.yaml
@@ -0,0 +1,21 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 70
+commands:
+  - script: |
+      set -eux
+      pod="$(kubectl get neonvm -n "$NAMESPACE" example -o jsonpath='{.status.podName}')"
+      kubectl exec -n "$NAMESPACE" $pod -- scp guest-vm:/var/run/secrets/tokens/token token
+---
+apiVersion: vm.neon.tech/v1
+kind: VirtualMachine
+metadata:
+  name: example
+status:
+  phase: Running
+  restartCount: 0
+  conditions:
+    - type: Available
+      status: "True"
+  cpus: 250m
+  memorySize: 1Gi
diff --git a/tests/e2e/vm-projected/00-create-vm.yaml b/tests/e2e/vm-projected/00-create-vm.yaml
@@ -0,0 +1,39 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+unitTest: false
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-account
+---
+apiVersion: vm.neon.tech/v1
+kind: VirtualMachine
+metadata:
+  name: example
+spec:
+  schedulerName: autoscale-scheduler
+  enableSSH: true
+  guest:
+    cpus:
+      min: 0.25
+      use: 0.25
+      max: 0.25
+    memorySlotSize: 1Gi
+    memorySlots:
+      min: 1
+      use: 1
+      max: 1
+    rootDisk:
+      image: vm-postgres:15-bullseye
+      size: 1Gi
+  serviceAccountName: "test-account"
+  disks:
+  - projected:
+      sources:
+      - serviceAccountToken:
+          expirationSeconds: 3600
+          path: token
+    mountPath: /var/run/secrets/tokens
+    name: token
+    watch: true