Add tests and documentation

Author: tomach

.github/workflows/docker_image.yaml

@@ -20,7 +20,17 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: crate/crate-operator
-          tags: type=semver,pattern={{major}}.{{minor}}.{{patch}}
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=raw,value={{tag}}
+      - name: Docker meta (sidecar)
+        id: meta_sidecar
+        uses: docker/metadata-action@v5
+        with:
+          images: crate/crate-control
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=raw,value={{tag}}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
@@ -36,3 +46,11 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
+      - name: Build and publish sidecar
+        uses: docker/build-push-action@v6
+        with:
+          context: ./sidecars/cratecontrol
+          file: ./sidecars/cratecontrol/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta_sidecar.outputs.tags }}

CHANGES.rst

@@ -5,6 +5,24 @@ Changelog
 Unreleased
 ----------
 
+* Added support for running CrateDB on Red Hat OpenShift Container Platform.
+  When ``CLOUD_PROVIDER`` is set to ``openshift``, the operator will:
+
+  - Use a lightweight ``crate-control`` sidecar for SQL execution instead of
+    ``pod_exec`` to comply with OpenShift's restricted security policies.
+  - Create OpenShift-specific SecurityContextConstraints (SCC) and ServiceAccounts
+    to allow CrateDB to run with the required ``SYS_CHROOT`` capability.
+  - Skip privileged init containers and adjust security contexts for compatibility
+    with OpenShift's security model.
+  - Disable ``blockOwnerDeletion`` on PVC owner references to work with OpenShift's
+    restricted RBAC permissions.
+
+* Refactored SQL execution logic to support both traditional ``pod_exec`` and
+  sidecar-based approaches, with automatic fallback based on available resources.
+
+* Updated RBAC permissions to include ``serviceaccounts`` and OpenShift
+  ``securitycontextconstraints`` resources.
+
 2.57.1 (2026-01-28)
 -------------------
 

README.rst

@@ -79,7 +79,7 @@ Previous versions might work, but the operator will not attempt to set a license
 
 
 🎉 Features
-==========
+===========
 
 - "all equal nodes" cluster setup
 - "master + data nodes" cluster setup
@@ -90,6 +90,7 @@ Previous versions might work, but the operator will not attempt to set a license
 - custom cluster settings
 - custom storage classes
 - region/zone awareness for AWS and Azure
+- OpenShift support (Red Hat OpenShift Container Platform 4.x)
 
 💽 Installation
 ===============
@@ -110,6 +111,23 @@ dependency of the `Operator Helm Chart`_.
 To override the environment variables from values.yaml, please refer to
 the `configuration documentation`_.
 
+Installation on OpenShift
+-------------------------
+
+When installing on Red Hat OpenShift Container Platform, additional configuration
+is required, after adding the Helm repo:
+
+.. code-block:: console
+
+   helm install crate-operator crate-operator/crate-operator \
+      --set env.CRATEDB_OPERATOR_CLOUD_PROVIDER=openshift \
+      --set env.CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE=your-registry/crate-control:latest \
+      --namespace crate-operator \
+      --create-namespace
+
+Replace ``your-registry/crate-control:latest`` with the location of your built
+crate-control sidecar image. See the `OpenShift documentation`_ for details.
+
 Installation with kubectl
 -------------------------
 
@@ -151,3 +169,4 @@ Please refer to the `Working on the operator`_ section of the documentation.
 .. _Working on the operator: ./docs/source/development.rst
 .. _CRD Helm Chart: ./deploy/charts/crate-operator-crds/README.md
 .. _Operator Helm Chart: ./deploy/charts/crate-operator/README.md
+.. _OpenShift documentation: ./docs/source/openshift.rst

crate/operator/bootstrap.py

@@ -99,7 +99,6 @@ async def bootstrap_system_user(
 
     exception_logger = logger.exception if config.TESTING else logger.error
 
-    # Conditional execution based on cloud provider
     if config.CLOUD_PROVIDER == CloudProvider.OPENSHIFT:
         logger.info("Using sidecar approach for OpenShift")
         await _bootstrap_user_via_sidecar(

crate/operator/create.py

@@ -957,6 +957,10 @@ async def create_crate_scc(
     Create a SecurityContextConstraint for CrateDB on OpenShift.
 
     This SCC allows running as any UID (including root) and the SYS_CHROOT capability.
+
+    Security Note: While this allows starting as root, the CrateDB entrypoint
+    immediately uses chroot to drop privileges to UID 1000 (crate user). This
+    maintains security while being compatible with OpenShift's restricted environment.
     """
     scc_name = f"crate-anyuid-{namespace}-{name}"
 

crate/operator/handlers/handle_create_cratedb.py

@@ -98,21 +98,18 @@ async def create_cratedb(
     )
 
     if config.CLOUD_PROVIDER == CloudProvider.OPENSHIFT:
-        # Create SCC first (cluster-scoped, no owner reference)
         kopf.register(
             fn=CreateCrateSCCSubHandler(namespace, name, hash, context)(),
             id="crate_scc",
         )
 
-        # Create ServiceAccount (namespaced, with owner reference)
         kopf.register(
             fn=CreateCrateServiceAccountSubHandler(namespace, name, hash, context)(
                 cratedb_labels=cratedb_labels, owner_references=owner_references
             ),
             id="crate_service_account",
         )
 
-        # Create crate-control resources
         kopf.register(
             fn=CreateCrateControlSubHandler(namespace, name, hash, context)(
                 cratedb_labels=cratedb_labels, owner_references=owner_references

crate/operator/sql.py

@@ -24,7 +24,7 @@ class SQLResult:
 
     @property
     def ok(self) -> bool:
-        return self.error_code is None
+        return self.error_code is None and self.error_message is None
 
 
 def normalize_crate_control(resp: dict) -> SQLResult:

deploy/charts/crate-operator/templates/deployment.yaml

@@ -40,9 +40,11 @@ spec:
                   key: {{ $value.key }}
             {{- end }}
             {{- range $name, $value := .Values.env }}
+            {{- if $value }}
             - name: {{ $name }}
               value: "{{ $value }}"
             {{- end }}
+            {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

deploy/charts/crate-operator/templates/rbac.yaml

@@ -44,6 +44,7 @@ rules:
   - persistentvolumes
   - pods
   - secrets
+  - serviceaccounts
   - services
   - statefulsets
   - poddisruptionbudgets
@@ -71,6 +72,18 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

deploy/charts/crate-operator/values.yaml

@@ -32,6 +32,8 @@ env:
   CRATEDB_OPERATOR_LOG_LEVEL: "INFO"
   CRATEDB_OPERATOR_ROLLING_RESTART_TIMEOUT: "3600"
   CRATEDB_OPERATOR_SCALING_TIMEOUT: "3600"
+  CRATEDB_OPERATOR_CLOUD_PROVIDER: ""
+  CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE: ""
 
 envFromSecret: {}
 
@@ -53,10 +55,10 @@ podAnnotations: {}
 resources:
   limits:
     cpu: 250m
-    memory: 128Mi
+    memory: 512Mi
   requests:
     cpu: 250m
-    memory: 128Mi
+    memory: 512Mi
 
 nodeSelector: {}