marklogic · barkhachoithani · Aug 23, 2024 · Aug 12, 2024 · Aug 12, 2024 · Aug 13, 2024
diff --git a/api/v1alpha1/marklogicgroup_types.go b/api/v1alpha1/marklogicgroup_types.go
@@ -47,10 +47,12 @@ type MarklogicGroupSpec struct {
 	TerminationGracePeriodSeconds *int64                       `json:"terminationGracePeriodSeconds,omitempty"`
 	// +kubebuilder:validation:Enum=OnDelete;RollingUpdate
 	// +kubebuilder:default:="OnDelete"
-	UpdateStrategy           appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
-	NetworkPolicy            *networkingv1.NetworkPolicy          `json:"networkPolicy,omitempty"`
-	PodSecurityContext       *corev1.PodSecurityContext           `json:"securityContext,omitempty"`
-	ContainerSecurityContext *corev1.SecurityContext              `json:"containerSecurityContext,omitempty"`
+	UpdateStrategy appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
+	NetworkPolicy  *networkingv1.NetworkPolicy          `json:"networkPolicy,omitempty"`
+	// +kubebuilder:default:={fsGroup: 2, fsGroupChangePolicy: "OnRootMismatch"}
+	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
+	// +kubebuilder:default:={runAsUser: 1000, runAsNonRoot: true, allowPrivilegeEscalation: false}
+	ContainerSecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 
 	Affinity                  *corev1.Affinity                  `json:"affinity,omitempty"`
 	NodeSelector              map[string]string                 `json:"nodeSelector,omitempty"`

diff --git a/bundle/manifests/database.marklogic.com_marklogicclusters.yaml b/bundle/manifests/database.marklogic.com_marklogicclusters.yaml
@@ -1176,7 +1176,7 @@ spec:
                               type: string
                           type: object
                         image:
-                          default: marklogicdb/marklogic-db:11.2.0-ubi
+                          default: progressofficial/marklogic-db:11.3.0-ubi-rootless
                           type: string
                         imagePullPolicy:
                           default: IfNotPresent

diff --git a/bundle/manifests/database.marklogic.com_marklogicgroups.yaml b/bundle/manifests/database.marklogic.com_marklogicgroups.yaml
@@ -1051,7 +1051,7 @@ spec:
                     type: string
                 type: object
               image:
-                default: marklogicdb/marklogic-db:11.2.0-ubi
+                default: progressofficial/marklogic-db:11.3.0-ubi-rootless
                 type: string
               imagePullPolicy:
                 default: IfNotPresent

diff --git a/charts/marklogic-operator/templates/marklogiccluster-crd.yaml b/charts/marklogic-operator/templates/marklogiccluster-crd.yaml
diff --git a/charts/marklogic-operator/templates/marklogicgroup-crd.yaml b/charts/marklogic-operator/templates/marklogicgroup-crd.yaml
diff --git a/config/crd/bases/database.marklogic.com_marklogicclusters.yaml b/config/crd/bases/database.marklogic.com_marklogicclusters.yaml
diff --git a/config/crd/bases/database.marklogic.com_marklogicgroups.yaml b/config/crd/bases/database.marklogic.com_marklogicgroups.yaml
diff --git a/config/samples/marklogicgroup.yaml b/config/samples/marklogicgroup.yaml
@@ -21,6 +21,16 @@ spec:
   updateStrategy: OnDelete
   groupConfig:
     name: "node"
+## Uncomment the following lines to specify the podSecurityContext and containerSecurityContext
+## Note: Below values are set to default, please update them as per your requirements
+  # podSecurityContext:
+  #   fsGroup: 2
+  #   fsGroupChangePolicy: OnRootMismatch
+  # securityContext:
+  #   runAsUser: 1000
+  #   runAsNonRoot: true
+  #   allowPrivilegeEscalation: false
+
   logCollection:
     enabled: true
     image: fluent/fluent-bit:3.1.1

diff --git a/internal/controller/marklogicgroup_controller_test.go b/internal/controller/marklogicgroup_controller_test.go
@@ -26,7 +26,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
@@ -39,19 +39,24 @@ const (
 	timeout  = time.Second * 60
 	duration = time.Second * 30
 	interval = time.Millisecond * 250
+
+	imageName = "progressofficial/marklogic-db:11.3.0-ubi-rootless"
 )
 
 var replicas = int32(2)
+var fsGroup = int64(2)
+var fsGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
+var runAsUser = int64(1000)
+var runAsNonRoot bool = true
+var allowPrivilegeEscalation bool = false
+var typeNamespaceName = types.NamespacedName{Name: Name, Namespace: Namespace}
 
 const resourceCpuValue = int64(1)
 const resourceMemoryValue = int64(268435456)
 
 // 100Mi
 const resourceHugepageValue = int64(104857600)
 
-var typeNamespaceName = types.NamespacedName{Name: Name, Namespace: Namespace}
-
-const imageName = "progressofficial/marklogic-db:11.3.0-ubi-rootless"
 const fluentBitImage = "fluent/fluent-bit:3.1.1"
 
 var groupConfig = databasev1alpha1.GroupConfig{
@@ -70,17 +75,17 @@ var _ = Describe("MarkLogicGroup controller", func() {
 		It("Should create a MarklogicGroup CR, StatefulSet and Service", func() {
 			// Create the namespace
 			ns := corev1.Namespace{
-				ObjectMeta: v1.ObjectMeta{Name: Namespace},
+				ObjectMeta: metav1.ObjectMeta{Name: Namespace},
 			}
 			Expect(k8sClient.Create(ctx, &ns)).Should(Succeed())
 
 			// Declaring the Marklogic Group object and create CR
 			mlGroup := &databasev1alpha1.MarklogicGroup{
-				TypeMeta: v1.TypeMeta{
+				TypeMeta: metav1.TypeMeta{
 					Kind:       "MarklogicGroup",
 					APIVersion: "database.marklogic.com/v1alpha1",
 				},
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Name:      Name,
 					Namespace: Namespace,
 				},
@@ -97,7 +102,16 @@ var _ = Describe("MarkLogicGroup controller", func() {
 					ClusterDomain:             "cluster.local",
 					TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{MaxSkew: 2, TopologyKey: "kubernetes.io/hostname", WhenUnsatisfiable: corev1.ScheduleAnyway}},
 					Affinity:                  &corev1.Affinity{PodAffinity: &corev1.PodAffinity{PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{PodAffinityTerm: corev1.PodAffinityTerm{TopologyKey: "kubernetes.io/hostname"}, Weight: 100}}}},
-					LogCollection:             &databasev1alpha1.LogCollection{Enabled: true, Image: "fluent/fluent-bit:3.1.1", Files: databasev1alpha1.LogFilesConfig{ErrorLogs: true, AccessLogs: true, RequestLogs: true, CrashLogs: true, AuditLogs: true}, Outputs: "stdout"},
+					PodSecurityContext: &corev1.PodSecurityContext{
+						FSGroup:             &fsGroup,
+						FSGroupChangePolicy: &fsGroupChangePolicy,
+					},
+					ContainerSecurityContext: &corev1.SecurityContext{
+						RunAsUser:                &runAsUser,
+						RunAsNonRoot:             &runAsNonRoot,
+						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+					},
+					LogCollection: &databasev1alpha1.LogCollection{Enabled: true, Image: "fluent/fluent-bit:3.1.1", Files: databasev1alpha1.LogFilesConfig{ErrorLogs: true, AccessLogs: true, RequestLogs: true, CrashLogs: true, AuditLogs: true}, Outputs: "stdout"},
 				},
 			}
 			Expect(k8sClient.Create(ctx, mlGroup)).Should(Succeed())
@@ -130,6 +144,11 @@ var _ = Describe("MarkLogicGroup controller", func() {
 			Expect(createdCR.Spec.TopologySpreadConstraints[0].TopologyKey).Should(Equal("kubernetes.io/hostname"))
 			Expect(createdCR.Spec.TopologySpreadConstraints[0].WhenUnsatisfiable).Should(Equal(corev1.ScheduleAnyway))
 			Expect(createdCR.Spec.Affinity.PodAffinity.PreferredDuringSchedulingIgnoredDuringExecution[0].Weight).Should(Equal(int32(100)))
+			Expect(createdCR.Spec.PodSecurityContext.FSGroup).Should(Equal(&fsGroup))
+			Expect(*createdCR.Spec.PodSecurityContext.FSGroupChangePolicy).Should(Equal(corev1.FSGroupChangeOnRootMismatch))
+			Expect(*createdCR.Spec.ContainerSecurityContext.RunAsUser).Should(Equal(int64(1000)))
+			Expect(createdCR.Spec.ContainerSecurityContext.RunAsNonRoot).Should(Equal(&runAsNonRoot))
+			Expect(createdCR.Spec.ContainerSecurityContext.AllowPrivilegeEscalation).Should(Equal(&allowPrivilegeEscalation))
 			Expect(createdCR.Spec.LogCollection.Enabled).Should(Equal(true))
 			Expect(createdCR.Spec.LogCollection.Image).Should(Equal(fluentBitImage))
 

diff --git a/pkg/k8sutil/marklogicServer.go b/pkg/k8sutil/marklogicServer.go
@@ -12,6 +12,7 @@ type markLogicServerParameters struct {
 	Replicas *int32
 	Name     string
 	Image    string
+	License  *databasev1alpha1.License
 	// PersistentVolumeClaim         corev1.PersistentVolumeClaim
 	TerminationGracePeriodSeconds *int64
 	Resources                     *corev1.ResourceRequirements
@@ -22,6 +23,8 @@ type markLogicServerParameters struct {
 	Affinity                      *corev1.Affinity
 	NodeSelector                  map[string]string
 	TopologySpreadConstraints     []corev1.TopologySpreadConstraint
+	PodSecurityContext            *corev1.PodSecurityContext
+	ContainerSecurityContext      *corev1.SecurityContext
 }
 
 func MarkLogicServerLogger(namespace string, name string) logr.Logger {
@@ -46,8 +49,19 @@ func ReconcileMarkLogicCluster(cr *databasev1alpha1.MarklogicCluster, index int)
 			Replicas:                      params.Replicas,
 			Name:                          params.Name,
 			Image:                         params.Image,
+			License:                       params.License,
 			TerminationGracePeriodSeconds: params.TerminationGracePeriodSeconds,
 			BootstrapHost:                 generateBootstrapHost(cr.Spec.MarkLogicGroups[index].IsBootstrap),
+			Resources:                     params.Resources,
+			EnableConverters:              params.EnableConverters,
+			PriorityClassName:             params.PriorityClassName,
+			ClusterDomain:                 params.ClusterDomain,
+			UpdateStrategy:                params.UpdateStrategy,
+			Affinity:                      params.Affinity,
+			NodeSelector:                  params.NodeSelector,
+			TopologySpreadConstraints:     params.TopologySpreadConstraints,
+			PodSecurityContext:            params.PodSecurityContext,
+			ContainerSecurityContext:      params.ContainerSecurityContext,
 		},
 	}
 	AddOwnerRefToObject(MarkLogicServerDef, ownerDef)
@@ -67,6 +81,7 @@ func generateMarkLogicServerParams(cr *databasev1alpha1.MarklogicCluster, index
 		Replicas:                      cr.Spec.MarkLogicGroups[index].Replicas,
 		Name:                          cr.Spec.MarkLogicGroups[index].Name,
 		Image:                         cr.Spec.MarkLogicGroups[index].Image,
+		License:                       cr.Spec.MarkLogicGroups[index].License,
 		TerminationGracePeriodSeconds: cr.Spec.MarkLogicGroups[index].TerminationGracePeriodSeconds,
 		Resources:                     cr.Spec.MarkLogicGroups[index].Resources,
 		EnableConverters:              cr.Spec.MarkLogicGroups[index].EnableConverters,
@@ -76,6 +91,8 @@ func generateMarkLogicServerParams(cr *databasev1alpha1.MarklogicCluster, index
 		Affinity:                      cr.Spec.MarkLogicGroups[index].Affinity,
 		NodeSelector:                  cr.Spec.MarkLogicGroups[index].NodeSelector,
 		TopologySpreadConstraints:     cr.Spec.MarkLogicGroups[index].TopologySpreadConstraints,
+		PodSecurityContext:            cr.Spec.MarkLogicGroups[index].PodSecurityContext,
+		ContainerSecurityContext:      cr.Spec.MarkLogicGroups[index].ContainerSecurityContext,
 	}
 	// if cr.Spec.Storage != nil {
 	// 	params.PersistentVolumeClaim = generatePVCTemplate(cr.Spec.Storage.Size)

diff --git a/pkg/k8sutil/statefulset.go b/pkg/k8sutil/statefulset.go
@@ -47,6 +47,8 @@ type containerParameters struct {
 	ReadinessProbe     databasev1alpha1.ContainerProbe
 	LogCollection      *databasev1alpha1.LogCollection
 	GroupConfig        databasev1alpha1.GroupConfig
+	PodSecurityContext *corev1.PodSecurityContext
+	SecurityContext    *corev1.SecurityContext
 	EnableConverters   bool
 	HugePages          *databasev1alpha1.HugePages
 }
@@ -194,6 +196,7 @@ func generateStatefulSetsDef(stsMeta metav1.ObjectMeta, params statefulSetParame
 				Spec: corev1.PodSpec{
 					Containers:                    generateContainerDef(stsMeta.GetName(), containerParams),
 					TerminationGracePeriodSeconds: params.TerminationGracePeriodSeconds,
+					SecurityContext:               containerParams.PodSecurityContext,
 					Volumes:                       generateVolumes(stsMeta.Name, containerParams),
 					NodeSelector:                  params.NodeSelector,
 					Affinity:                      params.Affinity,
@@ -237,6 +240,7 @@ func generateContainerDef(name string, containerParams containerParameters) []co
 			ImagePullPolicy: containerParams.ImagePullPolicy,
 			Env:             getEnvironmentVariables(containerParams),
 			Lifecycle:       getLifeCycle(),
+			SecurityContext: containerParams.SecurityContext,
 			VolumeMounts:    getVolumeMount(containerParams),
 		},
 	}
@@ -289,17 +293,19 @@ func generateStatefulSetsParams(cr *databasev1alpha1.MarklogicGroup) statefulSet
 func generateContainerParams(cr *databasev1alpha1.MarklogicGroup) containerParameters {
 	trueProperty := true
 	containerParams := containerParameters{
-		Image:            cr.Spec.Image,
-		Resources:        cr.Spec.Resources,
-		Name:             cr.Spec.Name,
-		Namespace:        cr.Namespace,
-		ClusterDomain:    cr.Spec.ClusterDomain,
-		BootstrapHost:    cr.Spec.BootstrapHost,
-		LivenessProbe:    cr.Spec.LivenessProbe,
-		ReadinessProbe:   cr.Spec.ReadinessProbe,
-		LogCollection:    cr.Spec.LogCollection,
-		GroupConfig:      cr.Spec.GroupConfig,
-		EnableConverters: cr.Spec.EnableConverters,
+		Image:              cr.Spec.Image,
+		Resources:          cr.Spec.Resources,
+		Name:               cr.Spec.Name,
+		Namespace:          cr.Namespace,
+		ClusterDomain:      cr.Spec.ClusterDomain,
+		BootstrapHost:      cr.Spec.BootstrapHost,
+		LivenessProbe:      cr.Spec.LivenessProbe,
+		ReadinessProbe:     cr.Spec.ReadinessProbe,
+		GroupConfig:        cr.Spec.GroupConfig,
+		EnableConverters:   cr.Spec.EnableConverters,
+		PodSecurityContext: cr.Spec.PodSecurityContext,
+		SecurityContext:    cr.Spec.ContainerSecurityContext,
+		LogCollection:      cr.Spec.LogCollection,
 	}
 
 	if cr.Spec.Storage != nil {