Try fix for test

rwinieski · rwinieski · commit 83437ececb60 · 2025-10-28T09:48:22.000+01:00
diff --git a/pkg/k8sutil/statefulset.go b/pkg/k8sutil/statefulset.go
@@ -18,52 +18,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
-type statefulSetParameters struct {
-	Replicas                       *int32
-	Name                           string
-	PersistentVolumeClaim          corev1.PersistentVolumeClaim
-	ServiceName                    string
-	TerminationGracePeriodSeconds  *int64
-	UpdateStrategy                 appsv1.StatefulSetUpdateStrategyType
-	NodeSelector                   map[string]string
-	Affinity                       *corev1.Affinity
-	TopologySpreadConstraints      []corev1.TopologySpreadConstraint
-	PriorityClassName              string
-	ImagePullSecrets               []corev1.LocalObjectReference
-	AdditionalVolumeClaimTemplates *[]corev1.PersistentVolumeClaim
-	ServiceAccountName             string
-	AutomountServiceAccountToken   *bool
-}
-
-type containerParameters struct {
-	Name                   string
-	Namespace              string
-	ClusterDomain          string
-	Image                  string
-	ImagePullPolicy        corev1.PullPolicy
-	Resources              *corev1.ResourceRequirements
-	Persistence            *marklogicv1.Persistence
-	Volumes                []corev1.Volume
-	MountPaths             []corev1.VolumeMount
-	LicenseKey             string
-	Licensee               string
-	BootstrapHost          string
-	LivenessProbe          marklogicv1.ContainerProbe
-	ReadinessProbe         marklogicv1.ContainerProbe
-	LogCollection          *marklogicv1.LogCollection
-	GroupConfig            *marklogicv1.GroupConfig
-	PodSecurityContext     *corev1.PodSecurityContext
-	SecurityContext        *corev1.SecurityContext
-	EnableConverters       bool
-	HugePages              *marklogicv1.HugePages
-	PathBasedRouting       bool
-	Tls                    *marklogicv1.Tls
-	AdditionalVolumes      *[]corev1.Volume
-	AdditionalVolumeMounts *[]corev1.VolumeMount
-	SecretName             string
-}
-
 // getDefaultPodSecurityContext returns the default pod-level security context for MarkLogic StatefulSets
+// MarkLogic runs as user 1000 and group 2 (mlusers) - Must not be changed
 func getDefaultPodSecurityContext() *corev1.PodSecurityContext {
 	fsGroup := int64(2)
 	fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch
@@ -74,8 +30,8 @@ func getDefaultPodSecurityContext() *corev1.PodSecurityContext {
 }
 
 // getDefaultContainerSecurityContext returns the default container-level security context for MarkLogic containers
-// This enforces:
-// - runAsUser: 1000 (non-root user)
+// This enforces strict security requirements:
+// - runAsUser: 1000 - MarkLogic runs as user 1000 and group 2 (mlusers) - Must not be changed
 // - runAsNonRoot: true (prevents running as root)
 // - allowPrivilegeEscalation: false (prevents privilege escalation)
 // - readOnlyRootFilesystem: true (makes root filesystem read-only)
@@ -97,7 +53,7 @@ func getDefaultContainerSecurityContext() *corev1.SecurityContext {
 }
 
 // mergeSecurityContext merges user-provided SecurityContext with defaults
-// User-provided values take precedence over defaults
+// User-provided values take precedence over defaults for flexibility
 func mergeSecurityContext(userContext, defaultContext *corev1.SecurityContext) *corev1.SecurityContext {
 	if userContext == nil {
 		return defaultContext
@@ -134,7 +90,7 @@ func mergeSecurityContext(userContext, defaultContext *corev1.SecurityContext) *
 }
 
 // mergePodSecurityContext merges user-provided PodSecurityContext with defaults
-// User-provided values take precedence over defaults
+// User-provided values take precedence over defaults for flexibility
 func mergePodSecurityContext(userContext, defaultContext *corev1.PodSecurityContext) *corev1.PodSecurityContext {
 	if userContext == nil {
 		return defaultContext
@@ -170,6 +126,51 @@ func mergePodSecurityContext(userContext, defaultContext *corev1.PodSecurityCont
 	return merged
 }
 
+type statefulSetParameters struct {
+	Replicas                       *int32
+	Name                           string
+	PersistentVolumeClaim          corev1.PersistentVolumeClaim
+	ServiceName                    string
+	TerminationGracePeriodSeconds  *int64
+	UpdateStrategy                 appsv1.StatefulSetUpdateStrategyType
+	NodeSelector                   map[string]string
+	Affinity                       *corev1.Affinity
+	TopologySpreadConstraints      []corev1.TopologySpreadConstraint
+	PriorityClassName              string
+	ImagePullSecrets               []corev1.LocalObjectReference
+	AdditionalVolumeClaimTemplates *[]corev1.PersistentVolumeClaim
+	ServiceAccountName             string
+	AutomountServiceAccountToken   *bool
+}
+
+type containerParameters struct {
+	Name                   string
+	Namespace              string
+	ClusterDomain          string
+	Image                  string
+	ImagePullPolicy        corev1.PullPolicy
+	Resources              *corev1.ResourceRequirements
+	Persistence            *marklogicv1.Persistence
+	Volumes                []corev1.Volume
+	MountPaths             []corev1.VolumeMount
+	LicenseKey             string
+	Licensee               string
+	BootstrapHost          string
+	LivenessProbe          marklogicv1.ContainerProbe
+	ReadinessProbe         marklogicv1.ContainerProbe
+	LogCollection          *marklogicv1.LogCollection
+	GroupConfig            *marklogicv1.GroupConfig
+	PodSecurityContext     *corev1.PodSecurityContext
+	SecurityContext        *corev1.SecurityContext
+	EnableConverters       bool
+	HugePages              *marklogicv1.HugePages
+	PathBasedRouting       bool
+	Tls                    *marklogicv1.Tls
+	AdditionalVolumes      *[]corev1.Volume
+	AdditionalVolumeMounts *[]corev1.VolumeMount
+	SecretName             string
+}
+
 func (oc *OperatorContext) ReconcileStatefulset() (reconcile.Result, error) {
 	cr := oc.GetMarkLogicServer()
 	logger := oc.ReqLogger
@@ -195,15 +196,44 @@ func (oc *OperatorContext) ReconcileStatefulset() (reconcile.Result, error) {
 			oc.Recorder.Event(oc.MarklogicGroup, "Normal", "StatefulSetCreated", "MarkLogic statefulSet created successfully")
 			return result.Done().Output()
 		}
-		_, outputErr := result.Error(err).Output()
-		if outputErr != nil {
-			logger.Error(outputErr, "Failed to process result error")
-		}
+		logger.Error(err, "Cannot get statefulSet for MarkLogic")
+		return result.Error(err).Output()
 	}
+
+	patchDiff, err := patch.DefaultPatchMaker.Calculate(currentSts, statefulSetDef,
+		patch.IgnoreStatusFields(),
+		patch.IgnoreVolumeClaimTemplateTypeMetaAndStatus(),
+		patch.IgnoreField("kind"))
+	logger.Info("Patch Diff:", "Diff", patchDiff.String())
+	logger.Info("statefulSetDef Spec:", "Spec", statefulSetDef.Spec.Replicas)
 	if err != nil {
-		logger.Error(err, "Cannot create standalone statefulSet for MarkLogic")
+		logger.Error(err, "Error calculating patch")
 		return result.Error(err).Output()
 	}
+
+	if !patchDiff.IsEmpty() {
+		logger.Info("MarkLogic statefulSet spec is different from the MarkLogicGroup spec, updating the statefulSet")
+		currentSts.Spec = statefulSetDef.Spec
+		currentSts.ObjectMeta.Annotations = statefulSetDef.ObjectMeta.Annotations
+		currentSts.ObjectMeta.Labels = statefulSetDef.ObjectMeta.Labels
+		err := oc.Client.Update(oc.Ctx, currentSts)
+		if err != nil {
+			logger.Error(err, "Error updating statefulSet")
+			return result.Error(err).Output()
+		}
+	} else {
+		logger.Info("MarkLogic statefulSet spec is the same as the current spec, no update needed")
+	}
+	logger.Info("Operator Status:", "Stage", cr.Status.Stage)
+	if cr.Status.Stage == "STS_CREATED" {
+		logger.Info("MarkLogic statefulSet created successfully, waiting for pods to be ready")
+		pods, err := GetPodsForStatefulSet(oc.Ctx, cr.Namespace, cr.Spec.Name)
+		if err != nil {
+			logger.Error(err, "Error getting pods for statefulset")
+		}
+		logger.Info("Pods in statefulSet: ", "Pods", pods)
+	}
+
 	patchClient := client.MergeFrom(oc.MarklogicGroup.DeepCopy())
 	updated := false
 	if currentSts.Status.ReadyReplicas == 0 || currentSts.Status.ReadyReplicas != currentSts.Status.Replicas {
@@ -239,37 +269,6 @@ func (oc *OperatorContext) ReconcileStatefulset() (reconcile.Result, error) {
 		}
 	}
 
-	patchDiff, err := patch.DefaultPatchMaker.Calculate(currentSts, statefulSetDef,
-		patch.IgnoreStatusFields(),
-		patch.IgnoreVolumeClaimTemplateTypeMetaAndStatus(),
-		patch.IgnoreField("kind"))
-	if err != nil {
-		logger.Error(err, "Error calculating patch")
-		return result.Error(err).Output()
-	}
-	if !patchDiff.IsEmpty() {
-		logger.Info("MarkLogic statefulSet spec is different from the MarkLogicGroup spec, updating the statefulSet")
-		currentSts.Spec = statefulSetDef.Spec
-		currentSts.ObjectMeta.Annotations = statefulSetDef.ObjectMeta.Annotations
-		currentSts.ObjectMeta.Labels = statefulSetDef.ObjectMeta.Labels
-		err := oc.Client.Update(oc.Ctx, currentSts)
-		if err != nil {
-			logger.Error(err, "Error updating statefulSet")
-			return result.Error(err).Output()
-		}
-	} else {
-		logger.Info("MarkLogic statefulSet spec is the same as the current spec, no update needed")
-	}
-	logger.Info("Operator Status:", "Stage", cr.Status.Stage)
-	if cr.Status.Stage == "STS_CREATED" {
-		logger.Info("MarkLogic statefulSet created successfully, waiting for pods to be ready")
-		pods, err := GetPodsForStatefulSet(cr.Namespace, cr.Spec.Name)
-		if err != nil {
-			logger.Error(err, "Error getting pods for statefulset")
-		}
-		logger.Info("Pods in statefulSet: ", "Pods", pods)
-	}
-
 	return result.Done().Output()
 }
 
@@ -287,7 +286,7 @@ func (oc *OperatorContext) setCondition(condition *metav1.Condition) bool {
 func (oc *OperatorContext) GetStatefulSet(namespace string, stateful string) (*appsv1.StatefulSet, error) {
 	logger := oc.ReqLogger
 	statefulInfo := &appsv1.StatefulSet{}
-	err := oc.Client.Get(context.TODO(), client.ObjectKey{Namespace: namespace, Name: stateful}, statefulInfo)
+	err := oc.Client.Get(oc.Ctx, client.ObjectKey{Namespace: namespace, Name: stateful}, statefulInfo)
 	if err != nil {
 		logger.Info("MarkLogic statefulSet get action failed")
 		return nil, err
@@ -298,7 +297,7 @@ func (oc *OperatorContext) GetStatefulSet(namespace string, stateful string) (*a
 
 func (oc *OperatorContext) createStatefulSet(statefulset *appsv1.StatefulSet, cr *marklogicv1.MarklogicGroup) error {
 	logger := oc.ReqLogger
-	err := oc.Client.Create(context.TODO(), statefulset)
+	err := oc.Client.Create(oc.Ctx, statefulset)
 	if err != nil {
 		logger.Error(err, "MarkLogic stateful creation failed")
 		return err
@@ -309,8 +308,8 @@ func (oc *OperatorContext) createStatefulSet(statefulset *appsv1.StatefulSet, cr
 }
 
 func generateStatefulSetsDef(stsMeta metav1.ObjectMeta, params statefulSetParameters, ownerDef metav1.OwnerReference, containerParams containerParameters) *appsv1.StatefulSet {
-	// Enforce default security contexts, merging with user-provided values
-	// User values take precedence, but defaults ensure minimum security standards
+	// Enforce default pod security context, merging with user-provided values
+	// This ensures all MarkLogic pods run with secure defaults
 	podSecurityContext := mergePodSecurityContext(containerParams.PodSecurityContext, getDefaultPodSecurityContext())
 
 	statefulSet := &appsv1.StatefulSet{
@@ -417,11 +416,11 @@ func generateStatefulSetsDef(stsMeta metav1.ObjectMeta, params statefulSetParame
 	return statefulSet
 }
 
-func GetPodsForStatefulSet(namespace, name string) ([]corev1.Pod, error) {
+func GetPodsForStatefulSet(ctx context.Context, namespace, name string) ([]corev1.Pod, error) {
 	selector := fmt.Sprintf("app.kubernetes.io/name=marklogic,app.kubernetes.io/instance=%s", name)
 	// List Pods with the label selector
 	listOptions := metav1.ListOptions{LabelSelector: selector}
-	pods, err := GenerateK8sClient().CoreV1().Pods(namespace).List(context.TODO(), listOptions)
+	pods, err := GenerateK8sClient().CoreV1().Pods(namespace).List(ctx, listOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -431,7 +430,7 @@ func GetPodsForStatefulSet(namespace, name string) ([]corev1.Pod, error) {
 
 func generateContainerDef(name string, containerParams containerParameters) []corev1.Container {
 	// Enforce default container security context, merging with user-provided values
-	// This ensures minimum security standards are always applied
+	// This ensures all MarkLogic containers run with strict security settings
 	securityContext := mergeSecurityContext(containerParams.SecurityContext, getDefaultContainerSecurityContext())
 
 	containerDef := []corev1.Container{
