Merge pull request #763 from ricardomaraschini/overrides

openshift-merge-robot · web-flow · commit 5287de0e5d9d · 2022-04-01T09:03:27.000-04:00
Bug 2067995: Deployment annotations, runtimeClassName override and fs policy change
diff --git a/pkg/resource/configoverrides.go b/pkg/resource/configoverrides.go
@@ -0,0 +1,13 @@
+package resource
+
+// ConfigOverrides holds data users can set to override default object configurations created
+// by this operator. This is stored in the registry Config.Spec.UnsupportedConfigOverrides.
+type ConfigOverrides struct {
+	Deployment *DeploymentOverrides `json:"deployment,omitempty"`
+}
+
+// DeploymentOverrides holds items that can be overwriten in the image registry deployment.
+type DeploymentOverrides struct {
+	Annotations      map[string]string `json:"annotations,omitempty"`
+	RuntimeClassName *string           `json:"runtimeClassName,omitempty"`
+}
diff --git a/pkg/resource/deployment.go b/pkg/resource/deployment.go
@@ -2,6 +2,7 @@ package resource
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 
@@ -155,6 +156,23 @@ func (gd *generatorDeployment) expected() (runtime.Object, error) {
 		},
 	}
 
+	rawoverrides := gd.cr.Spec.UnsupportedConfigOverrides.Raw
+	if len(rawoverrides) > 0 {
+		var overrides ConfigOverrides
+		if err := json.Unmarshal(rawoverrides, &overrides); err != nil {
+			return nil, fmt.Errorf("invalid unsupportedConfigOverrides: %w", err)
+		}
+
+		depoverrides := overrides.Deployment
+		if depoverrides != nil {
+			deploy.Spec.Template.Spec.RuntimeClassName = depoverrides.RuntimeClassName
+			for key, val := range depoverrides.Annotations {
+				deploy.Annotations[key] = val
+				deploy.Spec.Template.Annotations[key] = val
+			}
+		}
+	}
+
 	dgst, err := strategy.Checksum(deploy)
 	if err != nil {
 		return nil, err
diff --git a/pkg/resource/podtemplatespec.go b/pkg/resource/podtemplatespec.go
@@ -95,8 +95,10 @@ func generateSecurityContext(coreClient coreset.CoreV1Interface, namespace strin
 		return nil, fmt.Errorf("unable to parse annotation %s in namespace %q: %s", defaults.SupplementalGroupsAnnotation, namespace, err)
 	}
 
+	fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch
 	return &corev1.PodSecurityContext{
-		FSGroup: &gid,
+		FSGroup:             &gid,
+		FSGroupChangePolicy: &fsGroupChangePolicy,
 	}, nil
 }
 
diff --git a/pkg/resource/podtemplatespec_test.go b/pkg/resource/podtemplatespec_test.go
@@ -173,6 +173,10 @@ func TestMakePodTemplateSpec(t *testing.T) {
 		}
 	}
 
+	fsGroupChangePolicy := pod.Spec.SecurityContext.FSGroupChangePolicy
+	if fsGroupChangePolicy == nil || *fsGroupChangePolicy != corev1.FSGroupChangeOnRootMismatch {
+		t.Errorf("expected FSGroupChangePolicy to be set to OnRootMismatch")
+	}
 }
 
 func verifyVolume(volume corev1.Volume, expected *volumeMount, t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -95,8 +95,10 @@ func generateSecurityContext(coreClient coreset.CoreV1Interface, namespace strin`
`95`	`95`	`return nil, fmt.Errorf("unable to parse annotation %s in namespace %q: %s", defaults.SupplementalGroupsAnnotation, namespace, err)`
`96`	`96`	`}`
`97`	`97`
	`98`	`+ fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch`
`98`	`99`	`return &corev1.PodSecurityContext{`
`99`		`- FSGroup: &gid,`
	`100`	`+ FSGroup: &gid,`
	`101`	`+ FSGroupChangePolicy: &fsGroupChangePolicy,`
`100`	`102`	`}, nil`
`101`	`103`	`}`
`102`	`104`
Original file line number	Diff line number	Diff line change
`@@ -173,6 +173,10 @@ func TestMakePodTemplateSpec(t *testing.T) {`
`173`	`173`	`}`
`174`	`174`	`}`
`175`	`175`
	`176`	`+ fsGroupChangePolicy := pod.Spec.SecurityContext.FSGroupChangePolicy`
	`177`	`+ if fsGroupChangePolicy == nil \|\| *fsGroupChangePolicy != corev1.FSGroupChangeOnRootMismatch {`
	`178`	`+ t.Errorf("expected FSGroupChangePolicy to be set to OnRootMismatch")`
	`179`	`+ }`
`176`	`180`	`}`
`177`	`181`
`178`	`182`	`func verifyVolume(volume corev1.Volume, expected volumeMount, t testing.T) {`