
Commit f1f3854

committed
Add tests and documentation
1 parent 96e8dc4 commit f1f3854

File tree

20 files changed

+908
-10
lines changed


.github/workflows/docker_image.yaml

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,17 @@ jobs:
2020
uses: docker/metadata-action@v5
2121
with:
2222
images: crate/crate-operator
23-
tags: type=semver,pattern={{major}}.{{minor}}.{{patch}}
23+
tags: |
24+
type=semver,pattern={{major}}.{{minor}}.{{patch}}
25+
type=raw,value={{tag}}
26+
- name: Docker meta (sidecar)
27+
id: meta_sidecar
28+
uses: docker/metadata-action@v5
29+
with:
30+
images: crate/crate-control
31+
tags: |
32+
type=semver,pattern={{major}}.{{minor}}.{{patch}}
33+
type=raw,value={{tag}}
2434
- name: Set up Docker Buildx
2535
uses: docker/setup-buildx-action@v3
2636
- name: Login to DockerHub
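Review bot: `type=raw,value={{tag}}` in both metadata steps pushes the raw git tag next to the semver tag, so a tag such as `v2.57.1` yields both `2.57.1` and `v2.57.1` per image, while an unprefixed tag produces a duplicate of the semver tag. State which form is intended, or drop the raw rule if the semver tag is enough. The new `meta_sidecar` step also copies the operator's tag rules verbatim, so `crate/crate-control` is versioned in lockstep with the operator; a short comment saying the two images are released together would help, since the operator resolves the sidecar through `CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE` rather than from its own version.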
@@ -36,3 +46,11 @@ jobs:
3646
platforms: linux/amd64,linux/arm64
3747
push: true
3848
tags: ${{ steps.meta.outputs.tags }}
49+
- name: Build and publish sidecar
50+
uses: docker/build-push-action@v6
51+
with:
52+
context: ./sidecars/cratecontrol
53+
file: ./sidecars/cratecontrol/Dockerfile
54+
platforms: linux/amd64,linux/arm64
55+
push: true
56+
tags: ${{ steps.meta_sidecar.outputs.tags }}
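Review bot: the sidecar build step pins `docker/build-push-action@v6` by mutable major tag and pushes unconditionally with `push: true`, mirroring the operator step above it. Because crate-control is the component that executes SQL inside the cluster, consider pinning the action to a commit SHA and enabling the action's provenance/SBOM attestations on this step so consumers can verify the published `crate/crate-control` image; at minimum the same pinning policy should apply to both image builds.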

CHANGES.rst

Lines changed: 18 additions & 0 deletions
@@ -5,6 +5,24 @@ Changelog
55
Unreleased
66
----------
77

8+
* Added support for running CrateDB on Red Hat OpenShift Container Platform.
9+
When ``CLOUD_PROVIDER`` is set to ``openshift``, the operator will:
10+
11+
- Use a lightweight ``crate-control`` sidecar for SQL execution instead of
12+
``pod_exec`` to comply with OpenShift's restricted security policies.
13+
- Create OpenShift-specific SecurityContextConstraints (SCC) and ServiceAccounts
14+
to allow CrateDB to run with the required ``SYS_CHROOT`` capability.
15+
- Skip privileged init containers and adjust security contexts for compatibility
16+
with OpenShift's security model.
17+
- Disable ``blockOwnerDeletion`` on PVC owner references to work with OpenShift's
18+
restricted RBAC permissions.
19+
20+
* Refactored SQL execution logic to support both traditional ``pod_exec`` and
21+
sidecar-based approaches, with automatic fallback based on available resources.
22+
23+
* Updated RBAC permissions to include ``serviceaccounts`` and OpenShift
24+
``securitycontextconstraints`` resources.
25+
826
2.57.1 (2026-01-28)
927
-------------------
1028
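Review bot: "automatic fallback based on available resources" in the refactoring entry is too vague for a changelog: say what is detected (the `CLOUD_PROVIDER` setting, the presence of the crate-control sidecar) and which execution path is chosen in each case. The OpenShift entry should also state that the created SCC permits any UID including root in addition to `SYS_CHROOT`, as the `create_crate_scc` docstring in this commit does, since cluster administrators reading the changelog need the SCC's scope before upgrading. The 128Mi to 512Mi memory change in values.yaml is not mentioned here either.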

README.rst

Lines changed: 20 additions & 1 deletion
@@ -79,7 +79,7 @@ Previous versions might work, but the operator will not attempt to set a license
7979

8080

8181
🎉 Features
82-
==========
82+
===========
8383

8484
- "all equal nodes" cluster setup
8585
- "master + data nodes" cluster setup
@@ -90,6 +90,7 @@ Previous versions might work, but the operator will not attempt to set a license
9090
- custom cluster settings
9191
- custom storage classes
9292
- region/zone awareness for AWS and Azure
93+
- OpenShift support (Red Hat OpenShift Container Platform 4.x)
9394

9495
💽 Installation
9596
===============
@@ -110,6 +111,23 @@ dependency of the `Operator Helm Chart`_.
110111
To override the environment variables from values.yaml, please refer to
111112
the `configuration documentation`_.
112113

114+
Installation on OpenShift
115+
-------------------------
116+
117+
When installing on Red Hat OpenShift Container Platform, additional configuration
118+
is required, after adding the Helm repo:
119+
120+
.. code-block:: console
121+
122+
helm install crate-operator crate-operator/crate-operator \
123+
--set env.CRATEDB_OPERATOR_CLOUD_PROVIDER=openshift \
124+
--set env.CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE=your-registry/crate-control:latest \
125+
--namespace crate-operator \
126+
--create-namespace
127+
128+
Replace ``your-registry/crate-control:latest`` with the location of your built
129+
crate-control sidecar image. See the `OpenShift documentation`_ for details.
130+
113131
Installation with kubectl
114132
-------------------------
115133
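Review bot: the installation example sets `CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE` to `your-registry/crate-control:latest` and tells the reader to use "your built" image, but the workflow in this same commit publishes `crate/crate-control` tagged with the release version. Either point users at the published image with a version tag matching the operator, or explain why a self-built image is expected. In any case avoid recommending a `:latest` tag for the sidecar: it runs SQL against CrateDB, and a mutable tag lets a running cluster pick up a different image on pod restart without any change to the CrateDB resource.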

@@ -151,3 +169,4 @@ Please refer to the `Working on the operator`_ section of the documentation.
151169
.. _Working on the operator: ./docs/source/development.rst
152170
.. _CRD Helm Chart: ./deploy/charts/crate-operator-crds/README.md
153171
.. _Operator Helm Chart: ./deploy/charts/crate-operator/README.md
172+
.. _OpenShift documentation: ./docs/source/openshift.rst

crate/operator/bootstrap.py

Lines changed: 0 additions & 1 deletion
@@ -99,7 +99,6 @@ async def bootstrap_system_user(
9999

100100
exception_logger = logger.exception if config.TESTING else logger.error
101101

102-
# Conditional execution based on cloud provider
103102
if config.CLOUD_PROVIDER == CloudProvider.OPENSHIFT:
104103
logger.info("Using sidecar approach for OpenShift")
105104
await _bootstrap_user_via_sidecar(

crate/operator/create.py

Lines changed: 4 additions & 0 deletions
@@ -957,6 +957,10 @@ async def create_crate_scc(
957957
Create a SecurityContextConstraint for CrateDB on OpenShift.
958958
959959
This SCC allows running as any UID (including root) and the SYS_CHROOT capability.
960+
961+
Security Note: While this allows starting as root, the CrateDB entrypoint
962+
immediately uses chroot to drop privileges to UID 1000 (crate user). This
963+
maintains security while being compatible with OpenShift's restricted environment.
960964
"""
961965
scc_name = f"crate-anyuid-{namespace}-{name}"
962966
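Review bot: the added security note says the entrypoint "uses chroot to drop privileges to UID 1000", but `chroot(2)` only changes the root directory and does not change the process UID. If the entrypoint switches user after the chroot, name that step (the `su`/`setuid` call or equivalent) so the claim is checkable, and say what the process looks like before it, since the SCC allows the container to start as root. The docstring should also record that `crate-anyuid-<namespace>-<name>` is cluster-scoped and is created without an owner reference, so it is not garbage-collected with the CrateDB resource.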

crate/operator/handlers/handle_create_cratedb.py

Lines changed: 0 additions & 3 deletions
@@ -98,21 +98,18 @@ async def create_cratedb(
9898
)
9999

100100
if config.CLOUD_PROVIDER == CloudProvider.OPENSHIFT:
101-
# Create SCC first (cluster-scoped, no owner reference)
102101
kopf.register(
103102
fn=CreateCrateSCCSubHandler(namespace, name, hash, context)(),
104103
id="crate_scc",
105104
)
106105

107-
# Create ServiceAccount (namespaced, with owner reference)
108106
kopf.register(
109107
fn=CreateCrateServiceAccountSubHandler(namespace, name, hash, context)(
110108
cratedb_labels=cratedb_labels, owner_references=owner_references
111109
),
112110
id="crate_service_account",
113111
)
114112

115-
# Create crate-control resources
116113
kopf.register(
117114
fn=CreateCrateControlSubHandler(namespace, name, hash, context)(
118115
cratedb_labels=cratedb_labels, owner_references=owner_references
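Review bot: the three removed comments were the only place in this handler that recorded why the SCC is registered without an owner reference (it is cluster-scoped) while the ServiceAccount and crate-control resources carry one. That distinction matters for cleanup, because the SCC will not be garbage-collected when the CrateDB resource is deleted. Keep at least the first comment, or move the explanation into the `CreateCrateSCCSubHandler` docstring, rather than dropping it in a commit that otherwise adds documentation.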

crate/operator/sql.py

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ class SQLResult:
2424

2525
@property
2626
def ok(self) -> bool:
27-
return self.error_code is None
27+
return self.error_code is None and self.error_message is None
2828

2929

3030
def normalize_crate_control(resp: dict) -> SQLResult:
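Review bot: tightening `ok` to also require `error_message is None` is a behaviour change in a commit described as tests and documentation, and no test for the new condition is visible on this page. Check what `normalize_crate_control` puts in `error_message` for a successful response: if the sidecar can return `error_message: ""` on success, `ok` now flips to `False` for successful statements. `not self.error_message` would treat `None` and `""` alike if that is the intent; otherwise add a test that pins down the `None` versus `""` contract.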

deploy/charts/crate-operator/templates/deployment.yaml

Lines changed: 2 additions & 0 deletions
@@ -40,9 +40,11 @@ spec:
4040
key: {{ $value.key }}
4141
{{- end }}
4242
{{- range $name, $value := .Values.env }}
43+
{{- if $value }}
4344
- name: {{ $name }}
4445
value: "{{ $value }}"
4546
{{- end }}
47+
{{- end }}
4648
resources:
4749
{{- toYaml .Values.resources | nindent 12 }}
4850
{{- with .Values.nodeSelector }}
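Review bot: `{{- if $value }}` skips env entries whose value is falsy in Go templates, which covers the new `""` defaults as intended but also unquoted YAML `0` and `false`. A user setting an env key to `0` in values.yaml would silently get no env var at all. Either document that `env` values must be quoted strings, or test for an empty string explicitly, e.g. `{{- if ne (toString $value) "" }}`.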

deploy/charts/crate-operator/templates/rbac.yaml

Lines changed: 13 additions & 0 deletions
@@ -44,6 +44,7 @@ rules:
4444
- persistentvolumes
4545
- pods
4646
- secrets
47+
- serviceaccounts
4748
- services
4849
- statefulsets
4950
- poddisruptionbudgets
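Review bot: `serviceaccounts` joins the rule that already covers `secrets` and `pods`; the verb list for this rule is outside the hunk, so confirm it is the minimum `CreateCrateServiceAccountSubHandler` needs (create, get, delete) rather than the full set granted to the other resources, and note in the chart README that this grant exists even on non-OpenShift installs.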
@@ -71,6 +72,18 @@ rules:
7172
verbs:
7273
- list
7374
- watch
75+
- apiGroups:
76+
- security.openshift.io
77+
resources:
78+
- securitycontextconstraints
79+
verbs:
80+
- create
81+
- delete
82+
- get
83+
- list
84+
- patch
85+
- update
86+
- watch
7487

7588
---
7689
apiVersion: rbac.authorization.k8s.io/v1
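Review bot: this rule grants create/update/patch/delete on `securitycontextconstraints`, a cluster-scoped resource that governs what every pod on the cluster may do, and it is rendered unconditionally, so non-OpenShift installs carry a dangling grant and OpenShift installs give the operator's ServiceAccount the ability to write arbitrary SCCs. Gate it on the OpenShift setting, e.g. `{{- if eq .Values.env.CRATEDB_OPERATOR_CLOUD_PROVIDER "openshift" }}`, and drop `update`/`patch` if the operator only ever creates and deletes the SCC, as the `create_crate_scc` and `crate_scc` handler names suggest.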

deploy/charts/crate-operator/values.yaml

Lines changed: 4 additions & 2 deletions
@@ -32,6 +32,8 @@ env:
3232
CRATEDB_OPERATOR_LOG_LEVEL: "INFO"
3333
CRATEDB_OPERATOR_ROLLING_RESTART_TIMEOUT: "3600"
3434
CRATEDB_OPERATOR_SCALING_TIMEOUT: "3600"
35+
CRATEDB_OPERATOR_CLOUD_PROVIDER: ""
36+
CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE: ""
3537

3638
envFromSecret: {}
3739
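Review bot: the two new keys have no comment explaining their accepted values. values.yaml is the user-facing reference for the chart, so document that `CRATEDB_OPERATOR_CLOUD_PROVIDER` accepts `openshift` (and whatever other values the operator supports) and that `CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE` must be set whenever the provider is `openshift`; the README and CHANGES.rst hunks in this commit describe that relationship but values.yaml does not.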

@@ -53,10 +55,10 @@ podAnnotations: {}
5355
resources:
5456
limits:
5557
cpu: 250m
56-
memory: 128Mi
58+
memory: 512Mi
5759
requests:
5860
cpu: 250m
59-
memory: 128Mi
61+
memory: 512Mi
6062

6163
nodeSelector: {}
6264
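Review bot: raising both requests and limits from 128Mi to 512Mi is a fourfold change to the operator's scheduling footprint for every user who upgrades the chart with default values, and neither CHANGES.rst nor the commit message mentions it. Add a changelog entry with the reason (sidecar handling on OpenShift, observed OOM kills), or keep 128Mi as the default and document the higher value as an OpenShift recommendation.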
