MLE-24592: Fix security issues raised by Polaris (#110)

Co-authored-by: Peng Zhou <[email protected]>

Author: pengzhouml

config/default/manager_auth_proxy_patch.yaml

@@ -17,6 +17,7 @@ spec:
           capabilities:
             drop:
             - "ALL"
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
         args:

config/default/manager_config_patch.yaml

@@ -15,4 +15,5 @@ spec:
           capabilities:
             drop:
             - "ALL"
+          readOnlyRootFilesystem: true
           runAsNonRoot: true

config/manager/manager.yaml

@@ -79,6 +79,7 @@ spec:
           capabilities:
             drop:
             - "ALL"
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
         livenessProbe:
           httpGet:

pkg/k8sutil/haProxy.go

@@ -434,8 +434,8 @@ func calculateHash(data map[string]string) string {
 
 	// Iterate over the sorted keys and write key-value pairs to the hash
 	for _, k := range keys {
-		hash.Write([]byte(k))
-		hash.Write([]byte(data[k]))
+		_, _ = hash.Write([]byte(k))
+		_, _ = hash.Write([]byte(data[k]))
 	}
 
 	// Get the final hash and convert to hexadecimal string

pkg/k8sutil/marklogicServer.go

@@ -187,12 +187,13 @@ func (cc *ClusterContext) ReconsileMarklogicCluster() (reconcile.Result, error)
 				err = cc.Client.Create(ctx, markLogicGroupDef)
 				if err != nil {
 					logger.Error(err, "Failed to create markLogicCluster")
+					return result.Error(err).Output()
 				}
 
 				logger.Info("Created new MarkLogic Server resource")
-				_, _ = result.Done().Output()
 			} else {
 				logger.Error(err, "Failed to get MarkLogicGroup resource")
+				return result.Error(err).Output()
 			}
 		} else {
 			patchDiff, err := patch.DefaultPatchMaker.Calculate(currentMlg, markLogicGroupDef,

pkg/k8sutil/statefulset.go

@@ -543,7 +543,12 @@ func generatePVCTemplate(persistence *marklogicv1.Persistence) corev1.Persistent
 	pvcTemplate := corev1.PersistentVolumeClaim{}
 	pvcTemplate.CreationTimestamp = metav1.Time{}
 	pvcTemplate.ObjectMeta.Name = "datadir"
-	if persistence != nil && persistence.StorageClassName != "" {
+
+	if persistence == nil {
+		return pvcTemplate
+	}
+
+	if persistence.StorageClassName != "" {
 		pvcTemplate.Spec.StorageClassName = &persistence.StorageClassName
 	}
 	pvcTemplate.Spec.AccessModes = persistence.AccessModes
@@ -557,8 +562,12 @@ func generatePVCTemplate(persistence *marklogicv1.Persistence) corev1.Persistent
 func getEnvironmentVariables(containerParams containerParameters) []corev1.EnvVar {
 	envVars := []corev1.EnvVar{}
 	groupName := "Default"
-	if containerParams.GroupConfig != nil && containerParams.GroupConfig.Name != "" {
-		groupName = containerParams.GroupConfig.Name
+	enableXdqpSsl := false
+	if containerParams.GroupConfig != nil {
+		if containerParams.GroupConfig.Name != "" {
+			groupName = containerParams.GroupConfig.Name
+		}
+		enableXdqpSsl = containerParams.GroupConfig.EnableXdqpSsl
 	}
 	envVars = append(envVars, corev1.EnvVar{
 		Name:  "MARKLOGIC_ADMIN_USERNAME_FILE",
@@ -580,7 +589,7 @@ func getEnvironmentVariables(containerParams containerParameters) []corev1.EnvVa
 		Value: groupName,
 	}, corev1.EnvVar{
 		Name:  "XDQP_SSL_ENABLED",
-		Value: strconv.FormatBool(containerParams.GroupConfig.EnableXdqpSsl),
+		Value: strconv.FormatBool(enableXdqpSsl),
 	}, corev1.EnvVar{
 		Name:  "MARKLOGIC_CLUSTER_TYPE",
 		Value: "bootstrap",