Unset runAsUser and fsGroup for openshift spokes (#47)

Signed-off-by: Tamal Saha <tamal@appscode.com>

Author: tamalsaha

go.mod

@@ -25,7 +25,7 @@ require (
 	k8s.io/kube-aggregator v0.32.3
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
-	kmodules.xyz/client-go v0.32.2
+	kmodules.xyz/client-go v0.32.4
 	open-cluster-management.io/addon-framework v0.11.0
 	open-cluster-management.io/api v0.15.0
 	sigs.k8s.io/controller-runtime v0.20.4

go.sum

@@ -871,8 +871,8 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-kmodules.xyz/client-go v0.32.2 h1:Y0B/26wa8HVL7Vn0HrlALwuuUSqZuj99qkjXWINdous=
-kmodules.xyz/client-go v0.32.2/go.mod h1:ZwLnc7UqEXUNSe43n/SnER6+7YAQCu38L2te6YefoHU=
+kmodules.xyz/client-go v0.32.4 h1:eB5I18rLptkx0vsDcqIr62I23sX16K3BBs29RoOxrFk=
+kmodules.xyz/client-go v0.32.4/go.mod h1:ZwLnc7UqEXUNSe43n/SnER6+7YAQCu38L2te6YefoHU=
 moul.io/http2curl/v2 v2.3.1-0.20221024080105-10c404f653f7 h1:NykkTlRB+X40z86cLHdEmuoTxhNKhQebLT379b1EumA=
 moul.io/http2curl/v2 v2.3.1-0.20221024080105-10c404f653f7/go.mod h1:RW4hyBjTWSYDOxapodpNEtX0g5Eb16sxklBqmd2RHcE=
 open-cluster-management.io/api v0.15.0 h1:lRee1KOlGHZb2scTA7ff9E9Fxt2hJc7jpkHnaCbvkOU=

pkg/manager/agent-manifests/license-proxyserver/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 description: Kubernetes license-proxyserver by AppsCode
 name: license-proxyserver
-version: v2025.4.30
-appVersion: v0.0.22
+version: v2025.5.16
+appVersion: v0.0.23
 home: https://github.com/appscode-cloud/license-proxyserver
 icon: https://cdn.appscode.com/images/products/searchlight/icons/android-icon-192x192.png
 sources:

pkg/manager/agent-manifests/license-proxyserver/README.md

@@ -7,8 +7,8 @@
 ```bash
 $ helm repo add appscode https://charts.appscode.com/stable/
 $ helm repo update
-$ helm search repo appscode/license-proxyserver --version=v2025.4.30
-$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.4.30
+$ helm search repo appscode/license-proxyserver --version=v2025.5.16
+$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.5.16
 ```
 
 ## Introduction
@@ -24,7 +24,7 @@ This chart deploys a Kubernetes license proxyserver on a [Kubernetes](http://kub
 To install/upgrade the chart with the release name `license-proxyserver`:
 
 ```bash
-$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.4.30
+$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.5.16
 ```
 
 The command deploys a Kubernetes license proxyserver on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
@@ -95,12 +95,12 @@ The following table lists the configurable parameters of the `license-proxyserve
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
 
 ```bash
-$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.4.30 --set replicaCount=1
+$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.5.16 --set replicaCount=1
 ```
 
 Alternatively, a YAML file that specifies the values for the parameters can be provided while
 installing the chart. For example:
 
 ```bash
-$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.4.30 --values values.yaml
+$ helm upgrade -i license-proxyserver appscode/license-proxyserver -n kubeops --create-namespace --version=v2025.5.16 --values values.yaml
 ```

pkg/manager/agent-manifests/license-proxyserver/crds/monitoring.coreos.com_servicemonitors.yaml

@@ -21,6 +21,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"os"
+	"slices"
 
 	"go.bytebuilders.dev/license-proxyserver/pkg/common"
 
@@ -34,6 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+	kmapi "kmodules.xyz/client-go/api/v1"
 	"open-cluster-management.io/addon-framework/pkg/addonfactory"
 	agentapi "open-cluster-management.io/addon-framework/pkg/agent"
 	"open-cluster-management.io/api/addon/v1alpha1"
@@ -156,6 +158,20 @@ func GetConfigValues(kc client.Client, opts *ManagerOptions, cs *certstore.CertS
 			}
 		}
 
+		for _, cc := range cluster.Status.ClusterClaims {
+			if cc.Name == kmapi.ClusterClaimKeyInfo {
+				var info kmapi.ClusterInfo
+				if err := yaml.Unmarshal([]byte(cc.Value), &info); err != nil {
+					return nil, err
+				}
+				if slices.Contains(info.ClusterManagers, kmapi.ClusterManagerOpenShift.Name()) {
+					unstructured.RemoveNestedField(values, "image", "securityContext", "runAsUser")
+					unstructured.RemoveNestedField(values, "podSecurityContext", "fsGroup")
+				}
+				break
+			}
+		}
+
 		return vals, nil
 	}
 }

pkg/manager/config.go

@@ -21,6 +21,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"math/bits"
 	"strings"
 )
 
@@ -59,27 +60,29 @@ const (
 	ClusterProviderNameKey string = "cluster.appscode.com/provider"
 	ClusterProfileLabel    string = "cluster.appscode.com/profile"
 
-	AceOrgIDKey            string = "ace.appscode.com/org-id"
-	ClientOrgKey           string = "ace.appscode.com/client-org"
-	ClientOrgMonitoringKey string = "ace.appscode.com/client-org-monitoring"
-	ClientKeyPrefix        string = "client.ace.appscode.com/"
+	AceOrgIDKey               string = "ace.appscode.com/org-id"
+	AceEnableResourceTrialKey string = "ace.appscode.com/enable-resource-trial"
+	ClientOrgKey              string = "ace.appscode.com/client-org"
+	ClientOrgMonitoringKey    string = "ace.appscode.com/client-org-monitoring"
+	ClientKeyPrefix           string = "client.ace.appscode.com/"
 
 	ClusterClaimKeyID       string = "id.k8s.io"
 	ClusterClaimKeyInfo     string = "cluster.ace.info"
 	ClusterClaimKeyFeatures string = "features.ace.info"
 )
 
 type ClusterMetadata struct {
-	UID          string          `json:"uid" protobuf:"bytes,1,opt,name=uid"`
-	Name         string          `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"`
-	DisplayName  string          `json:"displayName,omitempty" protobuf:"bytes,3,opt,name=displayName"`
-	Provider     HostingProvider `json:"provider,omitempty" protobuf:"bytes,4,opt,name=provider,casttype=HostingProvider"`
-	OwnerID      string          `json:"ownerID,omitempty" protobuf:"bytes,5,opt,name=ownerID"`
-	OwnerType    string          `json:"ownerType,omitempty" protobuf:"bytes,6,opt,name=ownerType"`
-	APIEndpoint  string          `json:"apiEndpoint,omitempty" protobuf:"bytes,7,opt,name=apiEndpoint"`
-	CABundle     string          `json:"caBundle,omitempty" protobuf:"bytes,8,opt,name=caBundle"`
-	ManagerID    string          `json:"managerID,omitempty" protobuf:"bytes,9,opt,name=managerID"`
-	HubClusterID string          `json:"hubClusterID,omitempty" protobuf:"bytes,10,opt,name=hubClusterID"`
+	UID                  string          `json:"uid" protobuf:"bytes,1,opt,name=uid"`
+	Name                 string          `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"`
+	DisplayName          string          `json:"displayName,omitempty" protobuf:"bytes,3,opt,name=displayName"`
+	Provider             HostingProvider `json:"provider,omitempty" protobuf:"bytes,4,opt,name=provider,casttype=HostingProvider"`
+	OwnerID              string          `json:"ownerID,omitempty" protobuf:"bytes,5,opt,name=ownerID"`
+	OwnerType            string          `json:"ownerType,omitempty" protobuf:"bytes,6,opt,name=ownerType"`
+	APIEndpoint          string          `json:"apiEndpoint,omitempty" protobuf:"bytes,7,opt,name=apiEndpoint"`
+	CABundle             string          `json:"caBundle,omitempty" protobuf:"bytes,8,opt,name=caBundle"`
+	ManagerID            string          `json:"managerID,omitempty" protobuf:"bytes,9,opt,name=managerID"`
+	HubClusterID         string          `json:"hubClusterID,omitempty" protobuf:"bytes,10,opt,name=hubClusterID"`
+	CloudServiceAuthMode string          `json:"cloudServiceAuthMode,omitempty" protobuf:"bytes,11,opt,name=cloudServiceAuthMode"`
 }
 
 func (md ClusterMetadata) Manager() string {
@@ -175,6 +178,18 @@ func (cm ClusterManager) Strings() []string {
 	return out
 }
 
+func isPowerOfTwo(n int) bool {
+	return n > 0 && (n&(n-1)) == 0
+}
+
+func (cm ClusterManager) Name() string {
+	if !isPowerOfTwo(int(cm)) {
+		return cm.String()
+	}
+	idx := bits.TrailingZeros(uint(cm))
+	return _ClusterManagerNames[idx]
+}
+
 func (cm ClusterManager) String() string {
 	return strings.Join(cm.Strings(), ",")
 }

vendor/kmodules.xyz/client-go/api/v1/cluster.go

@@ -90,14 +90,15 @@ func ClusterMetadataFromConfigMap(cm *core.ConfigMap, clusterUIDVerifier string)
 	}
 
 	md := &kmapi.ClusterMetadata{
-		UID:         cm.Data["uid"],
-		Name:        cm.Data["name"],
-		DisplayName: cm.Data["displayName"],
-		Provider:    kmapi.HostingProvider(cm.Data["provider"]),
-		OwnerID:     cm.Data["ownerID"],
-		OwnerType:   cm.Data["ownerType"],
-		APIEndpoint: cm.Data["apiEndpoint"],
-		CABundle:    cm.Data["ca.crt"],
+		UID:                  cm.Data["uid"],
+		Name:                 cm.Data["name"],
+		DisplayName:          cm.Data["displayName"],
+		Provider:             kmapi.HostingProvider(cm.Data["provider"]),
+		OwnerID:              cm.Data["ownerID"],
+		OwnerType:            cm.Data["ownerType"],
+		APIEndpoint:          cm.Data["apiEndpoint"],
+		CABundle:             cm.Data["ca.crt"],
+		CloudServiceAuthMode: cm.Data["cloudServiceAuthMode"],
 	}
 
 	data, err := json.Marshal(md)
@@ -148,6 +149,7 @@ func UpsertClusterMetadata(kc client.Client, md *kmapi.ClusterMetadata) error {
 		cm.Data["ownerType"] = md.OwnerType
 		cm.Data["apiEndpoint"] = md.APIEndpoint
 		cm.Data["ca.crt"] = md.CABundle
+		cm.Data["cloudServiceAuthMode"] = md.CloudServiceAuthMode
 
 		cm.BinaryData = map[string][]byte{
 			"mac": messageMAC,

vendor/kmodules.xyz/client-go/cluster/lib.go

@@ -1675,7 +1675,7 @@ k8s.io/utils/path
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# kmodules.xyz/client-go v0.32.2
+# kmodules.xyz/client-go v0.32.4
 ## explicit; go 1.23.0
 kmodules.xyz/client-go
 kmodules.xyz/client-go/api/v1