Deployment annotations, runtimeClassName override and fs policy change

We are using config.spec.unsupportedConfigOverrides to allow users to
override image registry runtimeClass and annotations.

This commit also uses OnRootMismatch for fsGroupChangePolicy in the
registry deployment.

Author: ricardomaraschini

pkg/resource/configoverrides.go

@@ -0,0 +1,13 @@
+package resource
+
+// ConfigOverrides holds data users can set to override default object configurations created
+// by this operator. This is stored in the registry Config.Spec.UnsupportedConfigOverrides.
+type ConfigOverrides struct {
+	Deployment *DeploymentOverrides `json:"deployment,omitempty"`
+}
+
+// DeploymentOverrides holds items that can be overwriten in the image registry deployment.
+type DeploymentOverrides struct {
+	Annotations      map[string]string `json:"annotations,omitempty"`
+	RuntimeClassName *string           `json:"runtimeClassName,omitempty"`
+}

pkg/resource/deployment.go

@@ -2,6 +2,7 @@ package resource
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 
@@ -155,6 +156,23 @@ func (gd *generatorDeployment) expected() (runtime.Object, error) {
 		},
 	}
 
+	rawoverrides := gd.cr.Spec.UnsupportedConfigOverrides.Raw
+	if len(rawoverrides) > 0 {
+		var overrides ConfigOverrides
+		if err := json.Unmarshal(rawoverrides, &overrides); err != nil {
+			return nil, fmt.Errorf("invalid unsupportedConfigOverrides: %w", err)
+		}
+
+		depoverrides := overrides.Deployment
+		if depoverrides != nil {
+			deploy.Spec.Template.Spec.RuntimeClassName = depoverrides.RuntimeClassName
+			for key, val := range depoverrides.Annotations {
+				deploy.Annotations[key] = val
+				deploy.Spec.Template.Annotations[key] = val
+			}
+		}
+	}
+
 	dgst, err := strategy.Checksum(deploy)
 	if err != nil {
 		return nil, err

pkg/resource/podtemplatespec.go

@@ -95,8 +95,10 @@ func generateSecurityContext(coreClient coreset.CoreV1Interface, namespace strin
 		return nil, fmt.Errorf("unable to parse annotation %s in namespace %q: %s", defaults.SupplementalGroupsAnnotation, namespace, err)
 	}
 
+	fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch
 	return &corev1.PodSecurityContext{
-		FSGroup: &gid,
+		FSGroup:             &gid,
+		FSGroupChangePolicy: &fsGroupChangePolicy,
 	}, nil
 }
 

pkg/resource/podtemplatespec_test.go

@@ -173,6 +173,10 @@ func TestMakePodTemplateSpec(t *testing.T) {
 		}
 	}
 
+	fsGroupChangePolicy := pod.Spec.SecurityContext.FSGroupChangePolicy
+	if fsGroupChangePolicy == nil || *fsGroupChangePolicy != corev1.FSGroupChangeOnRootMismatch {
+		t.Errorf("expected FSGroupChangePolicy to be set to OnRootMismatch")
+	}
 }
 
 func verifyVolume(volume corev1.Volume, expected *volumeMount, t *testing.T) {