telepresenceio
diff --git a/‎CHANGELOG.yml
+8 b/‎CHANGELOG.yml
+8
diff --git a/‎DEPENDENCIES.md
+2-2 b/‎DEPENDENCIES.md
+2-2
diff --git a/‎charts/telepresence-oss/README.md
+1 b/‎charts/telepresence-oss/README.md
+1
diff --git a/‎charts/telepresence-oss/templates/deployment.yaml
+4 b/‎charts/telepresence-oss/templates/deployment.yaml
+4
diff --git a/‎charts/telepresence-oss/values.schema.yaml
+11 b/‎charts/telepresence-oss/values.schema.yaml
+11
diff --git a/‎charts/telepresence-oss/values.yaml
+2 b/‎charts/telepresence-oss/values.yaml
+2
diff --git a/‎cmd/traffic/cmd/agent/agent.go
+25-5 b/‎cmd/traffic/cmd/agent/agent.go
+25-5
diff --git a/‎cmd/traffic/cmd/agent/agent_test.go
+15-3 b/‎cmd/traffic/cmd/agent/agent_test.go
+15-3
@@ -91,6 +91,14 @@ items:
                values: <namespaces>`.
           ```
         docs: install/manager#static-versus-dynamic-namespace-selection
+      - type: feature
+        title: Improved control over how remote volumes are mounted using mount policies
+        body: |-
+          Mount policies, that affects how the telepresence traffic-agent shares the pod's volumes, and also how the
+          client will mount them, can now be provided using the Helm chart value `agent.mountPolicies` or as JSON
+          object in the workload annotation `telepresence.io/mount-policies`. A mount policy is applied to a volume
+          or to all paths matching a path-prefix (distinguished by checking if first character is a '/'), and can
+          be one of `Ignore`, `Local`, `Remote`, or `RemoteReadOnly`.
       - type: feature
         title: List output includes workload kind.
         body: >-
 
@@ -129,8 +129,8 @@ following Free and Open Source software:
     github.com/spf13/cobra                                         v1.8.1                                Apache License 2.0
     github.com/spf13/pflag                                         v1.0.6                                3-clause BSD license
     github.com/stretchr/testify                                    v1.10.0                               MIT license
-    github.com/telepresenceio/go-fuseftp                           v0.6.1                                Apache License 2.0
-    github.com/telepresenceio/go-fuseftp/rpc                       v0.6.1                                Apache License 2.0
+    github.com/telepresenceio/go-fuseftp                           v0.6.2                                Apache License 2.0
+    github.com/telepresenceio/go-fuseftp/rpc                       v0.6.2                                Apache License 2.0
     github.com/telepresenceio/telepresence/rpc/v2                  (modified)                            Apache License 2.0
     github.com/vishvananda/netlink                                 v1.3.0                                Apache License 2.0
     github.com/vishvananda/netns                                   v0.0.5                                Apache License 2.0
 
@@ -30,6 +30,7 @@ The following tables lists the configurable parameters of the Telepresence chart
 | agent.image.registry                                 | The registry for the injected agent image                                                                                                                           | `ghcr.io/telepresenceio`                                                    |
 | agent.initResources                                  | The resources for the injected init container                                                                                                                       |                                                                             |
 | agent.logLevel                                       | The logging level for the traffic-agent                                                                                                                             | defaults to logLevel                                                        |
+| agent.mountPolicies                                  | The policies for the agents. Key is either volume name or path prefix starting with '/'                                                                             | `/tmp`: Local                                                               |
 | agent.resources                                      | The resources for the injected agent container                                                                                                                      |                                                                             |
 | agent.securityContext                                | The security context to use for the injected agent container                                                                                                        | defaults to the securityContext of the first container of the app           |
 | agent.initSecurityContext                            | The security context to use for the injected init container                                                                                                         | `{}`                                                                        |
 
@@ -135,6 +135,10 @@ spec:
           - name: AGENT_INIT_RESOURCES
             value: '{{ toJson .initResources }}'
           {{- end }}
+          {{- if .mountPolicies }}
+          - name: AGENT_MOUNT_POLICIES
+            value: '{{ toJson .mountPolicies }}'
+          {{- end }}
           {{- with .image }}
           {{- if .name }}
           - name: AGENT_IMAGE_NAME
 
@@ -22,6 +22,17 @@ properties:
           - portName
           - http
           - http2
+      mountPolicies:
+        description: 'List of volume mount policies. Defaults to {"/tmp" : "Ignore"}'
+        type: object
+        additionalProperties:
+          description: The name or path prefix match of the volume that the policy applies to
+          type: string
+          enum:
+            - Remote
+            - RemoteReadOnly
+            - Local
+            - Ignore
       image:
         type: object
         additionalProperties: false
 
@@ -127,6 +127,8 @@ agentInjector:
 agent:
   appProtocolStrategy: http2Probe
   port: 9900
+  mountPolicies:
+    "/tmp": Local
   image:
     pullPolicy: IfNotPresent
 
 
@@ -11,6 +11,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime/debug"
+	"sort"
 	"strings"
 	"time"
 
@@ -40,7 +41,7 @@ var DisplayName = "OSS Traffic Agent" //nolint:gochecknoglobals // extension poi
 // AppEnvironment returns the environment visible to this agent together with environment variables
 // explicitly declared for the app container and minus the environment variables provided by this
 // config.
-func AppEnvironment(ctx context.Context, ag *agentconfig.Container) (map[string]string, error) {
+func AppEnvironment(ctx context.Context, mounts agentconfig.MountPolicies, ag *agentconfig.Container) (map[string]string, error) {
 	osEnv := dos.Environ(ctx)
 	prefix := agentconfig.EnvPrefixApp + ag.EnvPrefix
 	fullEnv := make(map[string]string, len(osEnv))
@@ -76,8 +77,25 @@ func AppEnvironment(ctx context.Context, ag *agentconfig.Container) (map[string]
 		}
 	}
 	fullEnv[agentconfig.EnvInterceptContainer] = ag.Name
-	if len(ag.Mounts) > 0 {
-		fullEnv[agentconfig.EnvInterceptMounts] = strings.Join(ag.Mounts, ":")
+	if len(mounts) > 0 {
+		var localMounts, remoteMounts []string
+		for path, policy := range mounts {
+			switch policy {
+			case agentconfig.MountPolicyIgnore:
+			case agentconfig.MountPolicyRemote, agentconfig.MountPolicyRemoteReadOnly:
+				remoteMounts = append(remoteMounts, path)
+			case agentconfig.MountPolicyLocal:
+				localMounts = append(localMounts, path)
+			}
+		}
+		if len(localMounts) > 0 {
+			sort.Strings(localMounts)
+			fullEnv[agentconfig.EnvLocalMounts] = strings.Join(localMounts, ":")
+		}
+		if len(remoteMounts) > 0 {
+			sort.Strings(remoteMounts)
+			fullEnv[agentconfig.EnvInterceptMounts] = strings.Join(remoteMounts, ":")
+		}
 	}
 	return fullEnv, nil
 }
@@ -278,7 +296,7 @@ func StartServices(ctx context.Context, g *dgroup.Group, config Config, srv Stat
 
 	sftpPortCh := make(chan uint16)
 	ftpPortCh := make(chan uint16)
-	if config.HasMounts(ctx) {
+	if config.HasRemoteMounts() {
 		g.Go("sftp-server", func(ctx context.Context) error {
 			return sftpServer(ctx, sftpPortCh)
 		})
@@ -316,13 +334,15 @@ func StartServices(ctx context.Context, g *dgroup.Group, config Config, srv Stat
 
 	containers := make(map[string]*rpc.AgentInfo_ContainerInfo, len(ac.Containers))
 	for _, cn := range ac.Containers {
-		env, err := AppEnvironment(ctx, cn)
+		appMounts := cn.Mounts
+		env, err := AppEnvironment(ctx, appMounts, cn)
 		if err != nil {
 			return nil, err
 		}
 		containers[cn.Name] = &rpc.AgentInfo_ContainerInfo{
 			Environment: env,
 			MountPoint:  filepath.Join(agentconfig.ExportsMountPoint, filepath.Base(cn.MountPoint)),
+			Mounts:      appMounts.ToRPC(),
 		}
 	}
 
 
@@ -2,6 +2,7 @@ package agent_test
 
 import (
 	"context"
+	"path/filepath"
 	"runtime"
 	"testing"
 
@@ -39,7 +40,12 @@ var testConfig = agentconfig.Sidecar{
 		Name:       "test-echo",
 		EnvPrefix:  "A_",
 		MountPoint: "/tel_app_mounts/test-echo",
-		Mounts:     []string{"/home/bob"},
+		MountPaths: []string{"/home/bob"},
+		Mounts: map[string]agentconfig.MountPolicy{
+			"/tmp":          agentconfig.MountPolicyLocal,
+			"/home/bob":     agentconfig.MountPolicyRemote,
+			"/home/brianna": agentconfig.MountPolicyRemoteReadOnly,
+		},
 		Intercepts: []*agentconfig.Intercept{
 			{
 				ContainerPortName: "http",
@@ -60,8 +66,13 @@ func testContext(t *testing.T, env dos.MapEnv) context.Context {
 	if env == nil {
 		env = make(dos.MapEnv)
 	}
+
 	require.NoError(t, fs.MkdirAll(agentconfig.ExportsMountPoint, 0o700))
 
+	home := filepath.Join("/tel_app_mounts/test-echo", "home")
+	require.NoError(t, fs.MkdirAll(filepath.Join(home, "bob"), 0o700))
+	require.NoError(t, fs.MkdirAll(filepath.Join(home, "brianna"), 0o700))
+
 	cfgJSON, err := agentconfig.MarshalTight(&testConfig)
 	require.NoError(t, err)
 
@@ -101,12 +112,13 @@ func Test_AppEnvironment(t *testing.T) {
 	require.NoError(t, err)
 
 	cn := config.AgentConfig().Containers[0]
-	env, err := agent.AppEnvironment(ctx, cn)
+	env, err := agent.AppEnvironment(ctx, cn.Mounts, cn)
 	require.NoError(t, err)
 	require.Equal(t, map[string]string{
 		"ALPHA":                           "alpha",
 		"ZULU":                            "zulu",
 		agentconfig.EnvInterceptContainer: "test-echo",
-		agentconfig.EnvInterceptMounts:    "/home/bob",
+		agentconfig.EnvInterceptMounts:    "/home/bob:/home/brianna",
+		agentconfig.EnvLocalMounts:        "/tmp",
 	}, env)
 }