From c37cc18e9ba95d3784f5f9061f4e3f5aaed95119 Mon Sep 17 00:00:00 2001 From: Christopher Tate Date: Fri, 24 May 2024 20:34:53 -0600 Subject: [PATCH] Adding support for OpenShift securityContext Adding an openshift boolean field to the operator to remove the default Solr fsGroup in Kubernetes. Fixes #466 --- api/v1beta1/common_types.go | 5 +++++ .../crd/bases/solr.apache.org_solrclouds.yaml | 4 ++++ ...lr.apache.org_solrprometheusexporters.yaml | 4 ++++ controllers/util/solr_util.go | 19 ++++++++++--------- helm/solr-operator/crds/crds.yaml | 8 ++++++++ 5 files changed, 31 insertions(+), 9 deletions(-) diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index b440b900..3601f82e 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go @@ -122,6 +122,11 @@ type PodOptions struct { // +optional InitContainers []corev1.Container `json:"initContainers,omitempty"` + // Removes the fsGroup securityContext from + // the StatefulSet for compatibility with OpenShift. + // +optional + Openshift bool `json:"openshift,omitempty"` + // ImagePullSecrets to apply to the pod. // These are for init/sidecarContainers in addition to the imagePullSecret defined for the // solr image. diff --git a/config/crd/bases/solr.apache.org_solrclouds.yaml b/config/crd/bases/solr.apache.org_solrclouds.yaml index 90c7313e..998041de 100644 --- a/config/crd/bases/solr.apache.org_solrclouds.yaml +++ b/config/crd/bases/solr.apache.org_solrclouds.yaml @@ -4943,6 +4943,10 @@ spec: type: string description: Node Selector to be added for the StatefulSet. type: object + openshift: + description: Removes the fsGroup securityContext from the + StatefulSet for compatibility with OpenShift. + type: boolean podSecurityContext: description: PodSecurityContext is the security context for the pod. diff --git a/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml b/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml index 478381b6..ed670945 100644 
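Review bot: The doc comment on the new `Openshift` field in `PodOptions` says what is removed but not what the pod is left with, which matters for volume permissions. Judging by the controller changes in this patch, `openshift: true` only suppresses the operator's default fsGroup: an fsGroup set explicitly in `podSecurityContext` is still applied, and on a cluster where nothing else assigns one (presumably the OpenShift SCC is expected to) the pod runs with no fsGroup at all. I would say so in the comment and start it with the field name, e.g. `// Openshift, when true, stops the operator from adding its default fsGroup to the pod securityContext; an fsGroup set in PodSecurityContext is still used.` The field also lands in the SolrPrometheusExporter CRD, but the only controller code changed here is `GenerateStatefulSet`, so confirm it has an effect for the exporter or document that it applies to SolrCloud only.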
--- a/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml +++ b/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml @@ -2955,6 +2955,10 @@ spec: type: string description: Node Selector to be added for the StatefulSet. type: object + openshift: + description: Removes the fsGroup securityContext from the + StatefulSet for compatibility with OpenShift. + type: boolean podSecurityContext: description: PodSecurityContext is the security context for the pod. diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go index de44d7c1..56a64ed0 100644 --- a/controllers/util/solr_util.go +++ b/controllers/util/solr_util.go @@ -543,19 +543,20 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCl Spec: corev1.PodSpec{ TerminationGracePeriodSeconds: &terminationGracePeriod, - SecurityContext: &corev1.PodSecurityContext{ - FSGroup: &defaultFSGroup, - }, - Volumes: solrVolumes, - InitContainers: initContainers, - HostAliases: hostAliases, - Containers: containers, - ReadinessGates: podReadinessGates, + SecurityContext: &corev1.PodSecurityContext{}, + Volumes: solrVolumes, + InitContainers: initContainers, + HostAliases: hostAliases, + Containers: containers, + ReadinessGates: podReadinessGates, }, }, VolumeClaimTemplates: pvcs, }, } + if customPodOptions.Openshift != true { + stateful.Spec.Template.Spec.SecurityContext.FSGroup = &defaultFSGroup + } if solrCloud.UsesHeadlessService() { stateful.Spec.Template.Spec.Subdomain = solrCloud.HeadlessServiceName() } 
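Review bot: The new `if customPodOptions.Openshift != true` placed after the `stateful` literal in `GenerateStatefulSet` reads the field with no nil check visible in the hunk. If `customPodOptions` is a pointer that is nil when a SolrCloud omits `podOptions` (its declaration is outside the hunk, so this needs confirming), reconciling such a resource would panic, where the old code set the default fsGroup unconditionally. A guard keeps the default for that case: `if customPodOptions == nil || !customPodOptions.Openshift {`. Comparing a bool with `!= true` is also unidiomatic Go; the same applies to the condition in the `@@ -592,7 +593,7 @@` hunk, which reads better as `FSGroup == nil && !customPodOptions.Openshift`. The function body starts and ends outside this hunk.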
@@ -592,7 +593,7 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCl if customPodOptions.PodSecurityContext != nil { stateful.Spec.Template.Spec.SecurityContext = customPodOptions.PodSecurityContext - if stateful.Spec.Template.Spec.SecurityContext.FSGroup == nil { + if stateful.Spec.Template.Spec.SecurityContext.FSGroup == nil && customPodOptions.Openshift != true { stateful.Spec.Template.Spec.SecurityContext.FSGroup = &defaultFSGroup } } diff --git a/helm/solr-operator/crds/crds.yaml b/helm/solr-operator/crds/crds.yaml index e94093ef..b06586d1 100644 --- a/helm/solr-operator/crds/crds.yaml +++ b/helm/solr-operator/crds/crds.yaml @@ -5192,6 +5192,10 @@ spec: type: string description: Node Selector to be added for the StatefulSet. type: object + openshift: + description: Removes the fsGroup securityContext from the + StatefulSet for compatibility with OpenShift. + type: boolean podSecurityContext: description: PodSecurityContext is the security context for the pod. @@ -20022,6 +20026,10 @@ spec: type: string description: Node Selector to be added for the StatefulSet. type: object + openshift: + description: Removes the fsGroup securityContext from the + StatefulSet for compatibility with OpenShift. + type: boolean podSecurityContext: description: PodSecurityContext is the security context for the pod.