From 92c478d29c3b75bd36093e4f52587a5a1e76a328 Mon Sep 17 00:00:00 2001 From: Evan Lezar Date: Wed, 1 Jul 2026 12:27:23 +0200 Subject: [PATCH] refactor(api): remove SandboxTemplate.volume_claim_templates The field was added during the Kubernetes driver extraction refactor (#817) as a pass-through mechanism, but was never wired up to a CLI flag, Python SDK helper, or any documentation. The only reachable user path was raw gRPC construction. The Kubernetes driver now always injects the default workspace PVC, removing the branching logic that checked for a user-supplied VCT. Field number 9 is reserved in the proto to prevent reuse. Signed-off-by: Evan Lezar --- .../openshell-driver-kubernetes/src/driver.rs | 32 ++++--------------- crates/openshell-server/src/compute/mod.rs | 14 ++------ .../openshell-server/src/grpc/validation.rs | 8 ----- proto/openshell.proto | 4 +-- 4 files changed, 10 insertions(+), 48 deletions(-) diff --git a/crates/openshell-driver-kubernetes/src/driver.rs b/crates/openshell-driver-kubernetes/src/driver.rs index 909568302..bdab5d120 100644 --- a/crates/openshell-driver-kubernetes/src/driver.rs +++ b/crates/openshell-driver-kubernetes/src/driver.rs @@ -1298,17 +1298,6 @@ fn sandbox_to_k8s_spec( ) -> serde_json::Value { let mut root = serde_json::Map::new(); - // Determine early whether the user provided custom volumeClaimTemplates. - // When they haven't, we inject a default workspace VCT and corresponding - // init container + volume mount so sandbox data persists. We need this - // flag before building the podTemplate because the workspace persistence - // transforms are applied inside sandbox_template_to_k8s. - let user_has_vct = spec - .and_then(|s| s.template.as_ref()) - .and_then(|t| platform_config_struct(t, "volume_claim_templates")) - .is_some(); - let inject_workspace = !user_has_vct; - if let Some(spec) = spec { let pod_env = spec_pod_env(Some(spec)); if let Some(template) = spec.template.as_ref() { @@ -1318,7 +1307,7 @@ fn sandbox_to_k8s_spec( template, driver_gpu_requirements(spec.resource_requirements.as_ref()), &pod_env, - inject_workspace, + true, params, ), ); @@ -1328,22 +1317,13 @@ fn sandbox_to_k8s_spec( serde_json::json!(template.agent_socket_path), ); } - if let Some(volume_templates) = - platform_config_struct(template, "volume_claim_templates") - { - root.insert("volumeClaimTemplates".to_string(), volume_templates); - } } } - // Inject the default workspace volumeClaimTemplate when the user didn't - // provide their own. - if inject_workspace { - root.insert( - "volumeClaimTemplates".to_string(), - default_workspace_volume_claim_templates(params.workspace_default_storage_size), - ); - } + root.insert( + "volumeClaimTemplates".to_string(), + default_workspace_volume_claim_templates(params.workspace_default_storage_size), + ); // podTemplate is required by the Kubernetes CRD - ensure it's always present if !root.contains_key("podTemplate") { @@ -1354,7 +1334,7 @@ fn sandbox_to_k8s_spec( &SandboxTemplate::default(), driver_gpu_requirements(spec.and_then(|s| s.resource_requirements.as_ref())), &pod_env, - inject_workspace, + true, params, ), ); diff --git a/crates/openshell-server/src/compute/mod.rs b/crates/openshell-server/src/compute/mod.rs index fec29f0c4..3a92cd209 100644 --- a/crates/openshell-server/src/compute/mod.rs +++ b/crates/openshell-server/src/compute/mod.rs @@ -1666,8 +1666,8 @@ fn extract_typed_resources( } /// Build the opaque `platform_config` Struct from platform-specific public -/// template fields (`runtime_class_name`, annotations, `volume_claim_templates`) -/// plus any resource fields beyond CPU/memory. +/// template fields (`runtime_class_name`, annotations) plus any resource fields +/// beyond CPU/memory. fn build_platform_config(template: &SandboxTemplate) -> Option { use prost_types::{Struct, Value, value::Kind}; @@ -1705,16 +1705,6 @@ fn build_platform_config(template: &SandboxTemplate) -> Option Result<(), Status> { ))); } } - if let Some(ref s) = tmpl.volume_claim_templates { - let size = s.encoded_len(); - if size > MAX_TEMPLATE_STRUCT_SIZE { - return Err(Status::invalid_argument(format!( - "template.volume_claim_templates serialized size exceeds maximum ({size} > {MAX_TEMPLATE_STRUCT_SIZE})" - ))); - } - } if let Some(ref s) = tmpl.driver_config { let size = s.encoded_len(); if size > MAX_TEMPLATE_STRUCT_SIZE { diff --git a/proto/openshell.proto b/proto/openshell.proto index bf803e864..d2d884f2e 100644 --- a/proto/openshell.proto +++ b/proto/openshell.proto @@ -362,8 +362,8 @@ message SandboxTemplate { map environment = 6; // Platform-specific compute resource requirements and limits. google.protobuf.Struct resources = 7; - // Optional platform-specific volume claim templates. - google.protobuf.Struct volume_claim_templates = 9; + reserved 9; + reserved "volume_claim_templates"; // Enable Kubernetes user namespace isolation (hostUsers: false). // When true, container UID 0 maps to a non-root host UID and capabilities // become namespaced. Requires Kubernetes 1.33+ with user namespace support