Merge pull request #765 from openshift-cherrypick-robot/cherry-pick-7…

…63-to-release-4.10 [release-4.10] Bug 2074050: Deployment annotations, runtimeClassName override and fs policy change
openshift · Apr 13, 2022 · 87e605a · 87e605a
2 parents 0924977 + 6fe8e7b
commit 87e605a
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 1 deletion.
diff --git a/pkg/resource/configoverrides.go b/pkg/resource/configoverrides.go
@@ -0,0 +1,13 @@
+package resource
+
+// ConfigOverrides holds data users can set to override default object configurations created
+// by this operator. This is stored in the registry Config.Spec.UnsupportedConfigOverrides.
+type ConfigOverrides struct {
+	Deployment *DeploymentOverrides `json:"deployment,omitempty"`
+}
+
+// DeploymentOverrides holds items that can be overwriten in the image registry deployment.
+type DeploymentOverrides struct {
+	Annotations      map[string]string `json:"annotations,omitempty"`
+	RuntimeClassName *string           `json:"runtimeClassName,omitempty"`
+}
diff --git a/pkg/resource/deployment.go b/pkg/resource/deployment.go
@@ -2,6 +2,7 @@ package resource
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 
@@ -155,6 +156,23 @@ func (gd *generatorDeployment) expected() (runtime.Object, error) {
 		},
 	}
 
+	rawoverrides := gd.cr.Spec.UnsupportedConfigOverrides.Raw
+	if len(rawoverrides) > 0 {
+		var overrides ConfigOverrides
+		if err := json.Unmarshal(rawoverrides, &overrides); err != nil {
+			return nil, fmt.Errorf("invalid unsupportedConfigOverrides: %w", err)
+		}
+
+		depoverrides := overrides.Deployment
+		if depoverrides != nil {
+			deploy.Spec.Template.Spec.RuntimeClassName = depoverrides.RuntimeClassName
+			for key, val := range depoverrides.Annotations {
+				deploy.Annotations[key] = val
+				deploy.Spec.Template.Annotations[key] = val
+			}
+		}
+	}
+
 	dgst, err := strategy.Checksum(deploy)
 	if err != nil {
 		return nil, err

diff --git a/pkg/resource/podtemplatespec.go b/pkg/resource/podtemplatespec.go
@@ -87,8 +87,10 @@ func generateSecurityContext(coreClient coreset.CoreV1Interface, namespace strin
 		return nil, fmt.Errorf("unable to parse annotation %s in namespace %q: %s", defaults.SupplementalGroupsAnnotation, namespace, err)
 	}
 
+	fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch
 	return &corev1.PodSecurityContext{
-		FSGroup: &gid,
+		FSGroup:             &gid,
+		FSGroupChangePolicy: &fsGroupChangePolicy,
 	}, nil
 }
 

diff --git a/pkg/resource/podtemplatespec_test.go b/pkg/resource/podtemplatespec_test.go
@@ -173,6 +173,10 @@ func TestMakePodTemplateSpec(t *testing.T) {
 		}
 	}
 
+	fsGroupChangePolicy := pod.Spec.SecurityContext.FSGroupChangePolicy
+	if fsGroupChangePolicy == nil || *fsGroupChangePolicy != corev1.FSGroupChangeOnRootMismatch {
+		t.Errorf("expected FSGroupChangePolicy to be set to OnRootMismatch")
+	}
 }
 
 func verifyVolume(volume corev1.Volume, expected *volumeMount, t *testing.T) {