feat: Add SecurityContext to init-config when behind GenerateConfigInInitContainer feature flag

feat: Add SecurityContext to Redis init containers in tests and configurations when behind GenerateConfigInInitContainer feature flag

Signed-off-by: Jeffrey Böhm <[email protected]>

Author: jeboehm

README.md

@@ -23,13 +23,13 @@
   </a>
 </p>
 
-A Golang based redis operator that will make/oversee Redis standalone and cluster mode setup on top of the Kubernetes. It can create a redis cluster setup with best practices on Cloud as well as the Bare metal environment. Also, it provides an in-built monitoring capability using redis-exporter.
+A Golang-based Redis operator that will make/oversee Redis standalone and cluster mode setup on top of Kubernetes. It can create a Redis cluster setup with best practices on Cloud as well as the bare metal environment. Also, it provides an in-built monitoring capability using redis-exporter.
 
 For documentation, please refer to <https://redis-operator.opstree.dev/>
 
-Organizations that are using Redis Operator to manage their redis workload can be found [here](./USED_BY_ORGANIZATIONS.md). If your organization is also using Redis Operator, please free to add by creating a [pull request](https://github.com/OT-CONTAINER-KIT/redis-operator/pulls)
+Organizations that are using Redis Operator to manage their Redis workload can be found [here](./USED_BY_ORGANIZATIONS.md). If your organization is also using Redis Operator, please feel free to add by creating a [pull request](https://github.com/OT-CONTAINER-KIT/redis-operator/pulls)
 
-This operator only supports versions of redis `=>6`.
+This operator only supports versions of Redis `>=6`.
 
 ## Architecture
 
@@ -39,23 +39,23 @@ This operator only supports versions of redis `=>6`.
 
 ## Purpose
 
-There are multiple problems that people face while setting up redis setup on Kubernetes, specially cluster type setup. The purpose of creating this opperator is to provide an easy and production ready interface for redis setup that include best-practices, security controls, monitoring, and management.
+There are multiple problems that people face while setting up Redis setup on Kubernetes, especially cluster type setup. The purpose of creating this operator is to provide an easy and production-ready interface for Redis setup that includes best-practices, security controls, monitoring, and management.
 
 ## Supported Features
 
-Here the features which are supported by this operator:-
+Here are the features which are supported by this operator:
 
 - Redis cluster and standalone mode setup
 - Redis cluster failover and recovery
 - Inbuilt monitoring with redis exporter
-- Password and password-less setup of redis
+- Password and password-less setup of Redis
 - TLS support for additional security layer
-- Ipv4 and Ipv6 support for redis setup
-- Detailed monitoring grafana dashboard
+- IPv4 and IPv6 support for Redis setup
+- Detailed monitoring Grafana dashboard
 
 ## Prerequisites
 
-Redis operator requires a Kubernetes cluster of version `>=1.18.0`. If you have just started with Operators, it's highly recommended using the latest version of Kubernetes.
+Redis Operator requires a Kubernetes cluster of version `>=1.18.0`. If you have just started with Operators, it's highly recommended using the latest version of Kubernetes.
 
 ## Image Compatibility
 
@@ -74,59 +74,59 @@ The following table shows the compatibility between the Operator Version, Redis
 
 ## Quickstart
 
-The setup can be done by using helm. If you want to see more example, please go through the [example](./example) folder.
+The setup can be done by using Helm. If you want to see more examples, please go through the [example](./example) folder.
 
-But you can simply use the helm chart for installation.
+But you can simply use the Helm chart for installation.
 
 ```shell
-# Add the helm chart
+# Add the Helm chart
 $ helm repo add ot-helm https://ot-container-kit.github.io/helm-charts/
 ```
 
 ```shell
-# Deploy the redis-operator
+# Deploy the Redis operator
 $ helm upgrade redis-operator ot-helm/redis-operator \
   --install --create-namespace --namespace ot-operators
 ```
 
-After deployment, verify the installation of operator
+After deployment, verify the installation of the operator
 
 ```shell
 helm test redis-operator --namespace ot-operators
 ```
 
-Creating redis cluster, standalone, replication and sentinel setup.
+Creating Redis cluster, standalone, replication and sentinel setup.
 
 ```shell
-# Create redis cluster setup
+# Create Redis cluster setup
 $ helm upgrade redis-cluster ot-helm/redis-cluster \
   --set redisCluster.clusterSize=3 --install \
   --namespace ot-operators
 ```
 
 ```shell
-# Create redis standalone setup
+# Create Redis standalone setup
 $ helm upgrade redis ot-helm/redis \
   --install --namespace ot-operators
 ```
 
 ```shell
-# Create redis replication setup
+# Create Redis replication setup
 $ helm upgrade redis-replication ot-helm/replication \
   --install --namespace ot-operators
 ```
 
 ```shell
-# Create redis sentinel setup
+# Create Redis sentinel setup
 $ helm upgrade redis-sentinel ot-helm/sentinel \
   --install --namespace ot-operators
 ```
 
-If you want to customize the value file by yourself while initializing the helm command, the values files for reference are present [here](https://github.com/OT-CONTAINER-KIT/helm-charts/tree/main/charts/redis-setup).
+If you want to customize the values file by yourself while initializing the Helm command, the values files for reference are present [here](https://github.com/OT-CONTAINER-KIT/helm-charts/tree/main/charts/redis-setup).
 
 ## Monitoring with Prometheus
 
-To monitor redis performance we will be using prometheus. In any case, extra prometheus configuration will not be required because we will be using the Prometheus service discover pattern. For that we already have set these annotations:-
+To monitor Redis performance we will be using Prometheus. In any case, extra Prometheus configuration will not be required because we will be using the Prometheus service discovery pattern. For that we already have set these annotations:
 
 ```yaml
   annotations:

internal/k8sutils/redis-cluster_test.go

@@ -498,6 +498,16 @@ func Test_generateRedisClusterInitContainerParams(t *testing.T) {
 				Name:      "example-config",
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser:                ptr.To(int64(1000)),
+			RunAsGroup:               ptr.To(int64(1000)),
+			AllowPrivilegeEscalation: ptr.To(false),
+			ReadOnlyRootFilesystem:   ptr.To(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+				Add:  []corev1.Capability{"NET_BIND_SERVICE"},
+			},
+		},
 	}
 
 	data, err := os.ReadFile(path)

internal/k8sutils/redis-sentinel_test.go

@@ -281,6 +281,16 @@ func Test_generateRedisSentinelInitContainerParams(t *testing.T) {
 				SubPathExpr: "",
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser:                ptr.To(int64(1000)),
+			RunAsGroup:               ptr.To(int64(1000)),
+			AllowPrivilegeEscalation: ptr.To(false),
+			ReadOnlyRootFilesystem:   ptr.To(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+				Add:  []corev1.Capability{"NET_BIND_SERVICE"},
+			},
+		},
 	}
 
 	data, err := os.ReadFile(path)

internal/k8sutils/redis-standalone_test.go

@@ -291,6 +291,16 @@ func Test_generateRedisStandaloneInitContainerParams(t *testing.T) {
 				Name:      "example-config",
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser:                ptr.To(int64(1000)),
+			RunAsGroup:               ptr.To(int64(1000)),
+			AllowPrivilegeEscalation: ptr.To(false),
+			ReadOnlyRootFilesystem:   ptr.To(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+				Add:  []corev1.Capability{"NET_BIND_SERVICE"},
+			},
+		},
 	}
 
 	data, err := os.ReadFile(path)

internal/k8sutils/statefulset.go

@@ -596,6 +596,7 @@ func generateInitContainerDef(role, name string, initcontainerParams initContain
 			Image:           image,
 			ImagePullPolicy: corev1.PullIfNotPresent,
 			Command:         []string{"/operator", "agent"},
+			SecurityContext: initcontainerParams.SecurityContext,
 			Env: getEnvironmentVariables(
 				containerParams.Role,
 				containerParams.EnabledPassword,