Add httpdSecurityContext for keystone deployment

fmount · fmount · commit cad784fa13d8 · 2025-03-28T13:17:11.000+01:00
This patch updates the current deployment to pass an httpd
securityContext through the common httpdSyncSecurityContext.

Signed-off-by: Francesco Pantano &lt;fpantano@redhat.com&gt;
diff --git a/pkg/keystone/deployment.go b/pkg/keystone/deployment.go
@@ -43,7 +43,6 @@ func Deployment(
 	annotations map[string]string,
 	topology *topologyv1.Topology,
 ) (*appsv1.Deployment, error) {
-	runAsUser := int64(KeystoneUID)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -134,16 +133,14 @@ func Deployment(
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts:   volumeMounts,
-							Resources:      instance.Spec.Resources,
-							ReadinessProbe: readinessProbe,
-							LivenessProbe:  livenessProbe,
+							Args:            args,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: httpdSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
+							Resources:       instance.Spec.Resources,
+							ReadinessProbe:  readinessProbe,
+							LivenessProbe:   livenessProbe,
 						},
 					},
 				},
diff --git a/pkg/keystone/funcs.go b/pkg/keystone/funcs.go
@@ -34,3 +34,16 @@ func dbSyncSecurityContext() *corev1.SecurityContext {
 		},
 	}
 }
+
+// httpdSecurityContext -
+func httpdSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"MKNOD",
+			},
+		},
+		RunAsUser:  ptr.To(KeystoneUID),
+		RunAsGroup: ptr.To(KeystoneUID),
+	}
+}
diff --git a/pkg/keystone/volumes.go b/pkg/keystone/volumes.go
@@ -25,7 +25,7 @@ import (
 func getVolumes(instance *keystonev1.KeystoneAPI) []corev1.Volume {
 	name := instance.Name
 	var scriptsVolumeDefaultMode int32 = 0755
-	var config0640AccessMode int32 = 0640
+	var config0640AccessMode int32 = 0644
 
 	fernetKeys := []corev1.KeyToPath{}
 	numberKeys := int(*instance.Spec.FernetMaxActiveKeys)
diff --git a/tests/kuttl/tests/keystone_tls/01-assert.yaml b/tests/kuttl/tests/keystone_tls/01-assert.yaml
@@ -78,7 +78,7 @@ spec:
           secretName: keystone-scripts
       - name: config-data
         secret:
-          defaultMode: 416
+          defaultMode: 420
           secretName: keystone-config-data
       - name: fernet-keys
         secret:
