Automatically mirror connections in user's sidecar conainters

polyaxon-ci · polyaxon-ci · commit 0a23a231b0e0 · 2025-12-06T12:28:34.000+01:00
diff --git a/cli/polyaxon/_auxiliaries/sidecar.py b/cli/polyaxon/_auxiliaries/sidecar.py
@@ -143,6 +143,15 @@ class V1PolyaxonSidecarContainer(BaseSchemaModel):
     >>> sidecar:
     >>>   monitorSpec: true
     ```
+
+    ### noConnections
+
+    Whether to prevent mounting connections and context volumes to sidecars, default `None` (false).
+
+    ```yaml
+    >>> sidecar:
+    >>>   noConnections: true
+    ```
     """
 
     _IDENTIFIER = "polyaxon_sidecar"
@@ -156,6 +165,7 @@ class V1PolyaxonSidecarContainer(BaseSchemaModel):
     sync_interval: Optional[IntOrRef] = Field(alias="syncInterval", default=None)
     monitor_logs: Optional[BoolOrRef] = Field(alias="monitorLogs", default=None)
     monitor_spec: Optional[BoolOrRef] = Field(alias="monitorSpec", default=None)
+    no_connections: Optional[BoolOrRef] = Field(alias="noConnections", default=None)
     resources: Optional[Union[Dict[str, Any], RefField]] = None
 
     def get_image(self):
diff --git a/cli/polyaxon/_docker/converter/base/base.py b/cli/polyaxon/_docker/converter/base/base.py
@@ -238,6 +238,11 @@ def get_replica_resource(
             plugins=plugins,
             artifacts_store=artifacts_store,
             sidecar_containers=sidecars,
+            connections=connections,
+            connection_by_names=connection_by_names,
+            secrets=secrets,
+            config_maps=config_maps,
+            kv_env_vars=kv_env_vars,
             log_level=plugins.log_level,
             volumes=volumes,
         )
diff --git a/cli/polyaxon/_flow/run/ray/autoscaler.py b/cli/polyaxon/_flow/run/ray/autoscaler.py
@@ -80,4 +80,4 @@ class V1RayAutoscalerOptions(BaseSchemaModel):
 
     upscaling_mode: Optional[str] = Field(alias="upscalingMode", default=None)
     image_pull_policy: Optional[str] = Field(alias="imagePullPolicy", default=None)
-    resources: Optional[Union[k8s_schemas.V1ResourceRequirements, RefField]] = None
+    resources: Optional[Union[k8s_schemas.V1ResourceRequirements, RefField]] = None
diff --git a/cli/polyaxon/_k8s/converter/base/base.py b/cli/polyaxon/_k8s/converter/base/base.py
@@ -185,6 +185,11 @@ def get_replica_resource(
             plugins=plugins,
             artifacts_store=artifacts_store,
             sidecar_containers=sidecars,
+            connections=connections,
+            connection_by_names=connection_by_names,
+            secrets=secrets,
+            config_maps=config_maps,
+            kv_env_vars=kv_env_vars,
             log_level=plugins.log_level,
         )
 
diff --git a/cli/polyaxon/_k8s/converter/base/sidecar.py b/cli/polyaxon/_k8s/converter/base/sidecar.py
@@ -1,9 +1,9 @@
-from typing import List, Optional
+from typing import Dict, Iterable, List, Optional
 
 from clipped.utils.lists import to_list
 
 from polyaxon._auxiliaries import V1PolyaxonSidecarContainer
-from polyaxon._connections import V1Connection
+from polyaxon._connections import V1Connection, V1ConnectionResource
 from polyaxon._containers.names import SIDECAR_CONTAINER
 from polyaxon._env_vars.keys import ENV_KEYS_ARTIFACTS_STORE_NAME, ENV_KEYS_CONTAINER_ID
 from polyaxon._flow import V1Plugins
@@ -165,3 +165,93 @@ def _get_sidecar_container(
         )
 
         return cls._patch_container(container)
+
+    def _get_user_sidecar_container(
+        self,
+        sidecar: k8s_schemas.V1Container,
+        plugins: V1Plugins,
+        artifacts_store: Optional[V1Connection],
+        connections: Optional[List[str]],
+        connection_by_names: Optional[Dict[str, V1Connection]],
+        secrets: Optional[Iterable[V1ConnectionResource]],
+        config_maps: Optional[Iterable[V1ConnectionResource]],
+        kv_env_vars: Optional[List[List]],
+    ) -> k8s_schemas.V1Container:
+        """Apply connections and context volumes to a user-defined sidecar container."""
+        if plugins and plugins.sidecar and plugins.sidecar.no_connections:
+            return sidecar
+
+        connections = connections or []
+        connection_by_names = connection_by_names or {}
+        secrets = secrets or []
+        config_maps = config_maps or []
+
+        if artifacts_store and (
+            not plugins.collect_artifacts or plugins.mount_artifacts_store
+        ):
+            if artifacts_store.name not in connection_by_names:
+                connection_by_names[artifacts_store.name] = artifacts_store
+            if artifacts_store.name not in connections:
+                connections.append(artifacts_store.name)
+
+        requested_connections = [connection_by_names[c] for c in connections]
+        requested_config_maps = V1Connection.get_requested_resources(
+            resources=config_maps,
+            connections=requested_connections,
+            resource_key="config_map",
+        )
+        requested_secrets = V1Connection.get_requested_resources(
+            resources=secrets, connections=requested_connections, resource_key="secret"
+        )
+
+        # Volume mounts
+        volume_mounts = (
+            self._get_mounts(
+                use_auth_context=plugins.auth,
+                use_artifacts_context=False,
+                use_docker_context=plugins.docker,
+                use_shm_context=plugins.shm,
+                run_path=self.run_path,
+            )
+            if plugins
+            else []
+        )
+        volume_mounts = volume_mounts + self._get_main_volume_mounts(
+            plugins=plugins,
+            init=[],
+            connections=requested_connections,
+            secrets=requested_secrets,
+            config_maps=requested_config_maps,
+            run_path=self.run_path,
+        )
+
+        # Env vars
+        env = self._get_main_env_vars(
+            plugins=plugins,
+            kv_env_vars=kv_env_vars,
+            artifacts_store_name=artifacts_store.name if artifacts_store else None,
+            connections=requested_connections,
+            secrets=requested_secrets,
+            config_maps=requested_config_maps,
+        )
+        env += self._get_resources_env_vars(sidecar.resources)
+        if sidecar.env:
+            sidecar.env = list(sidecar.env) + env
+        else:
+            sidecar.env = env
+
+        # Env from
+        env_from = self._get_env_from_k8s_resources(
+            secrets=requested_secrets, config_maps=requested_config_maps
+        )
+        if env_from:
+            if sidecar.env_from:
+                sidecar.env_from = list(sidecar.env_from) + env_from
+            else:
+                sidecar.env_from = env_from
+        if sidecar.volume_mounts:
+            sidecar.volume_mounts = list(sidecar.volume_mounts) + volume_mounts
+        else:
+            sidecar.volume_mounts = volume_mounts
+
+        return sidecar
diff --git a/cli/polyaxon/_local_process/converter/base/base.py b/cli/polyaxon/_local_process/converter/base/base.py
@@ -120,6 +120,11 @@ def get_replica_resource(
             plugins=plugins,
             artifacts_store=artifacts_store,
             sidecar_containers=sidecars,
+            connections=connections,
+            connection_by_names=connection_by_names,
+            secrets=secrets,
+            config_maps=config_maps,
+            kv_env_vars=kv_env_vars,
             log_level=plugins.log_level,
             volumes=volumes,
         )
diff --git a/cli/polyaxon/_runner/converter/converter.py b/cli/polyaxon/_runner/converter/converter.py
@@ -968,6 +968,11 @@ def get_sidecar_containers(
         plugins: V1Plugins,
         artifacts_store: V1Connection,
         sidecar_containers: List[Container],
+        connections: Optional[List[str]] = None,
+        connection_by_names: Optional[Dict[str, V1Connection]] = None,
+        secrets: Optional[Iterable[V1ConnectionResource]] = None,
+        config_maps: Optional[Iterable[V1ConnectionResource]] = None,
+        kv_env_vars: Optional[List[List]] = None,
         log_level: Optional[str] = None,
         volumes: Optional[List[k8s_schemas.V1Volume]] = None,
     ) -> List[Container]:
@@ -987,9 +992,37 @@ def get_sidecar_containers(
             run_path=self.run_path,
         )
         containers = to_list(polyaxon_sidecar_container, check_none=True)
-        containers += sidecar_containers
+
+        # Handle user sidecars with connections
+        for sidecar in sidecar_containers:
+            _sidecar = self._get_user_sidecar_container(
+                sidecar=sidecar,
+                plugins=plugins,
+                artifacts_store=artifacts_store,
+                connections=connections,
+                connection_by_names=connection_by_names,
+                secrets=secrets,
+                config_maps=config_maps,
+                kv_env_vars=kv_env_vars,
+            )
+            if _sidecar:
+                containers.append(sidecar)
+
         return [self._ensure_container(c, volumes) for c in containers]
 
+    def _get_user_sidecar_container(
+        self,
+        sidecar: Container,
+        plugins: V1Plugins,
+        artifacts_store: Optional[V1Connection],
+        connections: Optional[List[str]],
+        connection_by_names: Optional[Dict[str, V1Connection]],
+        secrets: Optional[Iterable[V1ConnectionResource]],
+        config_maps: Optional[Iterable[V1ConnectionResource]],
+        kv_env_vars: Optional[List[List]],
+    ) -> Optional[Container]:
+        return None
+
     def get_main_container(
         self,
         main_container: Container,
diff --git a/cli/tests/test_k8s/test_converters/test_converters/test_sidecar_connections.py b/cli/tests/test_k8s/test_converters/test_converters/test_sidecar_connections.py
@@ -0,0 +1,133 @@
+from polyaxon._auxiliaries import V1PolyaxonSidecarContainer
+from polyaxon._connections import (
+    V1ClaimConnection,
+    V1Connection,
+    V1ConnectionKind,
+)
+from polyaxon._flow import V1Plugins
+from polyaxon._k8s import k8s_schemas
+from tests.test_k8s.test_converters.base import BaseConverterTest
+
+
+class TestSidecarConnections(BaseConverterTest):
+    def test_get_sidecars_with_connections(self):
+        store = V1Connection(
+            name="test_claim",
+            kind=V1ConnectionKind.VOLUME_CLAIM,
+            schema_=V1ClaimConnection(
+                mount_path="/claim/path", volume_claim="claim", read_only=True
+            ),
+        )
+        plugins = V1Plugins.get_or_create(
+            V1Plugins(
+                collect_logs=False,
+                collect_artifacts=False,
+                auth=True,
+                sidecar=V1PolyaxonSidecarContainer(no_connections=False),
+            )
+        )
+        sidecar = k8s_schemas.V1Container(name="sidecar", image="foo")
+
+        containers = self.converter.get_sidecar_containers(
+            plugins=plugins,
+            artifacts_store=None,
+            sidecar_containers=[sidecar],
+            polyaxon_sidecar=V1PolyaxonSidecarContainer(image="sidecar/sidecar"),
+            connections=[store.name],
+            connection_by_names={store.name: store},
+        )
+
+        # Check that sidecar has volume mounts
+        # Since collect_artifacts=False and collect_logs=False, polyaxon sidecar is not created
+        # Only user sidecar is returned
+        assert len(containers) == 1
+        user_sidecar = containers[0]
+        assert "sidecar" in user_sidecar.name
+
+        # Check mounts
+        mount_paths = [m.mount_path for m in user_sidecar.volume_mounts]
+        assert "/claim/path" in mount_paths
+
+        # Check auth context (since plugins.auth=True)
+        # Auth context mount path is /plx-context/configs
+        from polyaxon._contexts import paths as ctx_paths
+
+        assert ctx_paths.CONTEXT_MOUNT_CONFIGS in mount_paths
+
+    def test_get_sidecars_with_multiple_connections(self):
+        """Test that sidecars get volume mounts for multiple connections."""
+        store1 = V1Connection(
+            name="test_claim",
+            kind=V1ConnectionKind.VOLUME_CLAIM,
+            schema_=V1ClaimConnection(
+                mount_path="/claim/path", volume_claim="claim", read_only=True
+            ),
+        )
+        store2 = V1Connection(
+            name="test_claim2",
+            kind=V1ConnectionKind.VOLUME_CLAIM,
+            schema_=V1ClaimConnection(
+                mount_path="/claim/path2", volume_claim="claim2", read_only=False
+            ),
+        )
+        plugins = V1Plugins.get_or_create(
+            V1Plugins(collect_logs=False, collect_artifacts=False, auth=False)
+        )
+        sidecar = k8s_schemas.V1Container(name="sidecar", image="foo")
+
+        containers = self.converter.get_sidecar_containers(
+            plugins=plugins,
+            artifacts_store=None,
+            sidecar_containers=[sidecar],
+            polyaxon_sidecar=V1PolyaxonSidecarContainer(image="sidecar/sidecar"),
+            connections=[store1.name, store2.name],
+            connection_by_names={store1.name: store1, store2.name: store2},
+        )
+
+        assert len(containers) == 1
+        user_sidecar = containers[0]
+
+        # Check both connections are mounted
+        mount_paths = [m.mount_path for m in user_sidecar.volume_mounts]
+        assert "/claim/path" in mount_paths
+        assert "/claim/path2" in mount_paths
+
+    def test_get_sidecars_without_mirroring(self):
+        """Test that sidecars do NOT get volume mounts when mirror_connections is False or default."""
+        store = V1Connection(
+            name="test_claim",
+            kind=V1ConnectionKind.VOLUME_CLAIM,
+            schema_=V1ClaimConnection(
+                mount_path="/claim/path", volume_claim="claim", read_only=True
+            ),
+        )
+        # plugins without sidecar config (defaults to mirror_connections=None/False)
+        plugins = V1Plugins.get_or_create(
+            V1Plugins(
+                collect_logs=False,
+                collect_artifacts=False,
+                auth=True,
+                sidecar=V1PolyaxonSidecarContainer(no_connections=True),
+            )
+        )
+        sidecar = k8s_schemas.V1Container(name="sidecar", image="foo")
+
+        containers = self.converter.get_sidecar_containers(
+            plugins=plugins,
+            artifacts_store=None,
+            sidecar_containers=[sidecar],
+            polyaxon_sidecar=V1PolyaxonSidecarContainer(image="sidecar/sidecar"),
+            connections=[store.name],
+            connection_by_names={store.name: store},
+        )
+
+        assert len(containers) == 1
+        user_sidecar = containers[0]
+
+        # Check NO connection mounts are present
+        mount_paths = (
+            [m.mount_path for m in user_sidecar.volume_mounts]
+            if user_sidecar.volume_mounts
+            else []
+        )
+        assert "/claim/path" not in mount_paths
