modifications for ReadOnlyRootFilesystem

Author: Schmaetz

pkg/apis/cpo.opensource.cybertec.at/v1/operator_configuration_type.go

@@ -62,7 +62,7 @@ type KubernetesMetaConfiguration struct {
 	PodTerminateGracePeriod                Duration                     `json:"pod_terminate_grace_period,omitempty"`
 	SpiloPrivileged                        bool                         `json:"spilo_privileged,omitempty"`
 	SpiloAllowPrivilegeEscalation          *bool                        `json:"spilo_allow_privilege_escalation,omitempty"`
-	ReadOnlyRootFilesystem                 bool                         `json:"container_readonly_root_filesystem" default:"true"`
+	ReadOnlyRootFilesystem                 *bool                        `json:"container_readonly_root_filesystem" default:"true"`
 	SpiloRunAsUser                         *int64                       `json:"spilo_runasuser,omitempty"`
 	SpiloRunAsGroup                        *int64                       `json:"spilo_runasgroup,omitempty"`
 	SpiloFSGroup                           *int64                       `json:"spilo_fsgroup,omitempty"`

pkg/apis/cpo.opensource.cybertec.at/v1/zz_generated.deepcopy.go

@@ -878,7 +878,12 @@ func (c *Cluster) generatePodTemplate(
 		addEmptyDirVolume(&podSpec, "exporter-tmp", "postgres-exporter", "/tmp")
 	}
 
-	if sharePgSocketWithSidecars != nil && *sharePgSocketWithSidecars || c.OpConfig.ReadOnlyRootFilesystem {
+	var readOnly bool
+	if c.OpConfig.ReadOnlyRootFilesystem != nil {
+		readOnly = *c.OpConfig.ReadOnlyRootFilesystem
+	}
+
+	if sharePgSocketWithSidecars != nil && *sharePgSocketWithSidecars || readOnly {
 		addVarRunVolume(&podSpec)
 
 	}

pkg/cluster/k8sres.go

@@ -75,6 +75,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *cpov1.OperatorConfigura
 	result.PodTerminateGracePeriod = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod), "5m")
 	result.SpiloPrivileged = fromCRD.Kubernetes.SpiloPrivileged
 	result.SpiloAllowPrivilegeEscalation = util.CoalesceBool(fromCRD.Kubernetes.SpiloAllowPrivilegeEscalation, util.True())
+	result.ReadOnlyRootFilesystem = util.CoalesceBool(fromCRD.Kubernetes.ReadOnlyRootFilesystem, util.True())
 	result.SpiloRunAsUser = fromCRD.Kubernetes.SpiloRunAsUser
 	result.SpiloRunAsGroup = fromCRD.Kubernetes.SpiloRunAsGroup
 	result.SpiloFSGroup = fromCRD.Kubernetes.SpiloFSGroup

pkg/controller/operator_config.go

@@ -38,7 +38,7 @@ type Resources struct {
 	SpiloPrivileged               bool                `name:"spilo_privileged" default:"false"`
 	SpiloAllowPrivilegeEscalation *bool               `name:"spilo_allow_privilege_escalation" default:"true"`
 	AdditionalPodCapabilities     []string            `name:"additional_pod_capabilities" default:""`
-	ReadOnlyRootFilesystem        bool                `name:"container_readonly_root_filesystem" default:"true"`
+	ReadOnlyRootFilesystem        *bool               `name:"container_readonly_root_filesystem" default:"true"`
 	ClusterLabels                 map[string]string   `name:"cluster_labels" default:"application:cpo"`
 	InheritedLabels               []string            `name:"inherited_labels" default:""`
 	InheritedAnnotations          []string            `name:"inherited_annotations" default:""`