Added MANAGED_SECURITY_CONTEXT check and refactored env vars (#401)

Nikolas De Giorgis · web-flow · commit 213788391a89 · 2021-03-30T10:21:48.000+01:00
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -6,6 +6,7 @@ import (
 
 	mdbv1 "github.com/mongodb/mongodb-kubernetes-operator/api/v1"
 	"github.com/mongodb/mongodb-kubernetes-operator/controllers"
+	"github.com/mongodb/mongodb-kubernetes-operator/controllers/construct"
 	"go.uber.org/zap"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -21,6 +22,10 @@ var (
 	setupLog = ctrl.Log.WithName("setup")
 )
 
+const (
+	WatchNamespaceEnv = "WATCH_NAMESPACE"
+)
+
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
@@ -52,12 +57,12 @@ func main() {
 		os.Exit(1)
 	}
 
-	if !hasRequiredVariables(log, "AGENT_IMAGE", "VERSION_UPGRADE_HOOK_IMAGE", "READINESS_PROBE_IMAGE") {
+	if !hasRequiredVariables(log, construct.AgentImageEnv, construct.VersionUpgradeHookImageEnv, construct.ReadinessProbeImageEnv) {
 		os.Exit(1)
 	}
 
 	// Get watch namespace from environment variable.
-	namespace, nsSpecified := os.LookupEnv("WATCH_NAMESPACE")
+	namespace, nsSpecified := os.LookupEnv(WatchNamespaceEnv)
 	if !nsSpecified {
 		os.Exit(1)
 	}
diff --git a/config/samples/mongodb.com_v1_mongodbcommunity_openshift_cr.yaml b/config/samples/mongodb.com_v1_mongodbcommunity_openshift_cr.yaml
@@ -25,17 +25,6 @@ spec:
     spec:
       serviceName: example-openshift-mongodb-svc
       selector: {}
-      template:
-        spec:
-          containers:
-            - name: "mongodb-agent"
-              env:
-                - name: MANAGED_SECURITY_CONTEXT
-                  value: "true"
-            - name: "mongod"
-              env:
-                - name: MANAGED_SECURITY_CONTEXT
-                  value: "true"
 
 # the user credentials will be generated from this secret
 # once the credentials are generated, this secret is no longer required
diff --git a/controllers/construct/build_statefulset_test.go b/controllers/construct/build_statefulset_test.go
@@ -17,7 +17,7 @@ import (
 )
 
 func init() {
-	os.Setenv(versionUpgradeHookImageEnv, "version-upgrade-hook-image")
+	os.Setenv(VersionUpgradeHookImageEnv, "version-upgrade-hook-image")
 }
 
 func newTestReplicaSet() mdbv1.MongoDBCommunity {
diff --git a/controllers/construct/mongodbstatefulset.go b/controllers/construct/mongodbstatefulset.go
@@ -12,6 +12,7 @@ import (
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/probes"
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/resourcerequirements"
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/statefulset"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/envvar"
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/scale"
 	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -23,7 +24,6 @@ const (
 	AgentName   = "mongodb-agent"
 	MongodbName = "mongod"
 
-	AgentImageEnv                  = "AGENT_IMAGE"
 	versionUpgradeHookName         = "mongod-posthook"
 	readinessProbeContainerName    = "mongodb-agent-readinessprobe"
 	dataVolumeName                 = "data-volume"
@@ -34,18 +34,20 @@ const (
 	operatorServiceAccountName     = "mongodb-kubernetes-operator"
 	agentHealthStatusFilePathValue = "/var/log/mongodb-mms-automation/healthstatus/agent-health-status.json"
 
-	readinessProbeImageEnv = "READINESS_PROBE_IMAGE"
+	MongodbRepoUrl = "MONGODB_REPO_URL"
 
-	MongodbImageEnv = "MONGODB_IMAGE"
-	MongodbRepoUrl  = "MONGODB_REPO_URL"
-
-	versionUpgradeHookImageEnv = "VERSION_UPGRADE_HOOK_IMAGE"
-	headlessAgentEnv           = "HEADLESS_AGENT"
-	podNamespaceEnv            = "POD_NAMESPACE"
-	automationConfigEnv        = "AUTOMATION_CONFIG_MAP"
+	headlessAgentEnv    = "HEADLESS_AGENT"
+	podNamespaceEnv     = "POD_NAMESPACE"
+	automationConfigEnv = "AUTOMATION_CONFIG_MAP"
 
 	automationconfFilePath = "/data/automation-mongod.conf"
 	keyfileFilePath        = "/var/lib/mongodb-mms-automation/authentication/keyfile"
+
+	AgentImageEnv              = "AGENT_IMAGE"
+	MongodbImageEnv            = "MONGODB_IMAGE"
+	VersionUpgradeHookImageEnv = "VERSION_UPGRADE_HOOK_IMAGE"
+	ReadinessProbeImageEnv     = "READINESS_PROBE_IMAGE"
+	ManagedSecurityContextEnv  = "MANAGED_SECURITY_CONTEXT"
 )
 
 // MongoDBStatefulSetOwner is an interface which any resource which generates a MongoDB StatefulSet should implement.
@@ -124,6 +126,13 @@ func BuildMongoDBReplicaSetStatefulSetModificationFunction(mdb MongoDBStatefulSe
 			singleModeVolumeClaim = statefulset.WithVolumeClaim(dataVolumeName, dataPvc())
 		}
 	}
+
+	podSecurityContext := podtemplatespec.NOOP()
+	managedSecurityContext := envvar.ReadBool(ManagedSecurityContextEnv)
+	if !managedSecurityContext {
+		podSecurityContext = podtemplatespec.WithSecurityContext(podtemplatespec.DefaultPodSecurityContext())
+	}
+
 	return statefulset.Apply(
 		statefulset.WithName(mdb.GetName()),
 		statefulset.WithNamespace(mdb.GetNamespace()),
@@ -137,7 +146,7 @@ func BuildMongoDBReplicaSetStatefulSetModificationFunction(mdb MongoDBStatefulSe
 		singleModeVolumeClaim,
 		statefulset.WithPodSpecTemplate(
 			podtemplatespec.Apply(
-				podtemplatespec.WithSecurityContext(podtemplatespec.DefaultPodSecurityContext()),
+				podSecurityContext,
 				podtemplatespec.WithPodLabels(labels),
 				podtemplatespec.WithVolume(healthStatusVolume),
 				podtemplatespec.WithVolume(hooksVolume),
@@ -162,14 +171,20 @@ func mongodbAgentContainer(automationConfigSecretName string, volumeMounts []cor
 		"-healthCheckFilePath=" + agentHealthStatusFilePathValue,
 		"-serveStatusPort=5000",
 		"-useLocalMongoDbTools"}, " ")
+
+	securityContext := container.NOOP()
+	managedSecurityContext := envvar.ReadBool(ManagedSecurityContextEnv)
+	if !managedSecurityContext {
+		securityContext = container.WithSecurityContext(container.DefaultSecurityContext())
+	}
 	return container.Apply(
 		container.WithName(AgentName),
 		container.WithImage(os.Getenv(AgentImageEnv)),
 		container.WithImagePullPolicy(corev1.PullAlways),
 		container.WithReadinessProbe(DefaultReadiness()),
 		container.WithResourceRequirements(resourcerequirements.Defaults()),
 		container.WithVolumeMounts(volumeMounts),
-		container.WithSecurityContext(container.DefaultSecurityContext()),
+		securityContext,
 		container.WithCommand([]string{"/bin/bash", "-c", `current_uid=$(id -u)
 echo $current_uid
 declare -r current_uid
@@ -212,7 +227,7 @@ func versionUpgradeHookInit(volumeMount []corev1.VolumeMount) container.Modifica
 	return container.Apply(
 		container.WithName(versionUpgradeHookName),
 		container.WithCommand([]string{"cp", "version-upgrade-hook", "/hooks/version-upgrade"}),
-		container.WithImage(os.Getenv(versionUpgradeHookImageEnv)),
+		container.WithImage(os.Getenv(VersionUpgradeHookImageEnv)),
 		container.WithImagePullPolicy(corev1.PullAlways),
 		container.WithVolumeMounts(volumeMount),
 	)
@@ -248,7 +263,7 @@ func readinessProbeInit(volumeMount []corev1.VolumeMount) container.Modification
 	return container.Apply(
 		container.WithName(readinessProbeContainerName),
 		container.WithCommand([]string{"cp", "/probes/readinessprobe", "/opt/scripts/readinessprobe"}),
-		container.WithImage(os.Getenv(readinessProbeImageEnv)),
+		container.WithImage(os.Getenv(ReadinessProbeImageEnv)),
 		container.WithImagePullPolicy(corev1.PullAlways),
 		container.WithVolumeMounts(volumeMount),
 	)
@@ -282,6 +297,12 @@ exec mongod -f %s;
 		mongoDbCommand,
 	}
 
+	securityContext := container.NOOP()
+	managedSecurityContext := envvar.ReadBool(ManagedSecurityContextEnv)
+	if !managedSecurityContext {
+		securityContext = container.WithSecurityContext(container.DefaultSecurityContext())
+	}
+
 	return container.Apply(
 		container.WithName(MongodbName),
 		container.WithImage(getMongoDBImage(version)),
@@ -295,6 +316,6 @@ exec mongod -f %s;
 		),
 		container.WithVolumeMounts(volumeMounts),
 
-		container.WithSecurityContext(container.DefaultSecurityContext()),
+		securityContext,
 	)
 }
diff --git a/controllers/replicaset_controller_test.go b/controllers/replicaset_controller_test.go
@@ -40,7 +40,7 @@ import (
 )
 
 func init() {
-	os.Setenv("AGENT_IMAGE", "agent-image")
+	os.Setenv(construct.AgentImageEnv, "agent-image")
 }
 
 func newTestReplicaSet() mdbv1.MongoDBCommunity {
@@ -561,12 +561,6 @@ func TestReplicaSet_IsScaledUpToDesiredMembers_WhenFirstCreated(t *testing.T) {
 	assert.Equal(t, 3, mdb.Status.CurrentMongoDBMembers)
 }
 
-func TestOpenshift_Configuration(t *testing.T) {
-	sts := performReconciliationAndGetStatefulSet(t, "openshift_mdb.yaml")
-	assert.Equal(t, "MANAGED_SECURITY_CONTEXT", sts.Spec.Template.Spec.Containers[1].Env[3].Name)
-	assert.Equal(t, "MANAGED_SECURITY_CONTEXT", sts.Spec.Template.Spec.Containers[0].Env[1].Name)
-}
-
 func TestVolumeClaimTemplates_Configuration(t *testing.T) {
 	sts := performReconciliationAndGetStatefulSet(t, "volume_claim_templates_mdb.yaml")
 
diff --git a/controllers/testdata/openshift_mdb.yaml b/controllers/testdata/openshift_mdb.yaml
@@ -19,16 +19,3 @@ spec:
           db: admin
         - name: userAdminAnyDatabase
           db: admin
-  statefulSet:
-    spec:
-      template:
-        spec:
-          containers:
-            - name: "mongodb-agent"
-              env:
-                - name: MANAGED_SECURITY_CONTEXT
-                  value: "true"
-            - name: "mongod"
-              env:
-                - name: MANAGED_SECURITY_CONTEXT
-                  value: "true"
diff --git a/docs/deploy-configure.md b/docs/deploy-configure.md
@@ -128,7 +128,7 @@ To upgrade this resource from `4.0.6` to `4.2.7`:
 
 ## Deploy Replica Sets on OpenShift
 
-To deploy the operator on OpenShift you will have to provide the environment variable `MANAGED_SECURITY_CONTEXT` set to `true` for both the `mongodb` and `mongodb-agent` containers, as well as the operator deployment.
+To deploy the operator on OpenShift you will have to provide the environment variable `MANAGED_SECURITY_CONTEXT` set to `true` for the operator deployment.
 
 See [here](/config/samples/mongodb.com_v1_mongodbcommunity_openshift_cr.yaml) for
 an example of how to provide the required configuration for a MongoDB
diff --git a/test/e2e/setup/setup.go b/test/e2e/setup/setup.go
@@ -9,6 +9,7 @@ import (
 	"path"
 	"testing"
 
+	"github.com/mongodb/mongodb-kubernetes-operator/controllers/construct"
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/generate"
 	"github.com/pkg/errors"
 	appsv1 "k8s.io/api/apps/v1"
@@ -145,7 +146,7 @@ func deployOperator() error {
 		withOperatorImage(testConfig.operatorImage),
 		withVersionUpgradeHookImage(testConfig.versionUpgradeHookImage),
 		withEnvVar("WATCH_NAMESPACE", watchNamespace),
-		withEnvVar("AGENT_IMAGE", testConfig.agentImage),
+		withEnvVar(construct.AgentImageEnv, testConfig.agentImage),
 	); err != nil {
 		return errors.Errorf("error building operator deployment: %s", err)
 	}
@@ -240,7 +241,7 @@ func withVersionUpgradeHookImage(image string) func(runtime.Object) {
 	return func(obj runtime.Object) {
 		if dep, ok := obj.(*appsv1.Deployment); ok {
 			versionUpgradeHookEnv := corev1.EnvVar{
-				Name:  "VERSION_UPGRADE_HOOK_IMAGE",
+				Name:  construct.VersionUpgradeHookImageEnv,
 				Value: image,
 			}
 			found := false
diff --git a/test/e2e/setup/test_config.go b/test/e2e/setup/test_config.go
@@ -1,16 +1,15 @@
 package setup
 
 import (
+	"github.com/mongodb/mongodb-kubernetes-operator/controllers/construct"
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/envvar"
 )
 
 const (
-	testNamespaceEnvName      = "TEST_NAMESPACE"
-	operatorImageEnvName      = "OPERATOR_IMAGE"
-	agentImage                = "AGENT_IMAGE"
-	clusterWideEnvName        = "CLUSTER_WIDE"
-	versionUpgradeHookEnvName = "VERSION_UPGRADE_HOOK_IMAGE"
-	performCleanupEnvName     = "PERFORM_CLEANUP"
+	testNamespaceEnvName  = "TEST_NAMESPACE"
+	operatorImageEnvName  = "OPERATOR_IMAGE"
+	clusterWideEnvName    = "CLUSTER_WIDE"
+	performCleanupEnvName = "PERFORM_CLEANUP"
 )
 
 type testConfig struct {
@@ -26,8 +25,8 @@ func loadTestConfigFromEnv() testConfig {
 	return testConfig{
 		namespace:               envvar.GetEnvOrDefault(testNamespaceEnvName, "default"),
 		operatorImage:           envvar.GetEnvOrDefault(operatorImageEnvName, "quay.io/mongodb/community-operator-dev:latest"),
-		versionUpgradeHookImage: envvar.GetEnvOrDefault(versionUpgradeHookEnvName, "quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.2"),
-		agentImage:              envvar.GetEnvOrDefault(agentImage, "quay.io/mongodb/mongodb-agent:10.27.0.6772-1"), // TODO: better way to decide default agent image.
+		versionUpgradeHookImage: envvar.GetEnvOrDefault(construct.VersionUpgradeHookImageEnv, "quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.2"),
+		agentImage:              envvar.GetEnvOrDefault(construct.AgentImageEnv, "quay.io/mongodb/mongodb-agent:10.27.0.6772-1"), // TODO: better way to decide default agent image.
 		clusterWide:             envvar.ReadBool(clusterWideEnvName),
 		performCleanup:          envvar.ReadBool(performCleanupEnvName),
 	}

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import (`
`17`	`17`	`)`
`18`	`18`
`19`	`19`	`func init() {`
`20`		`- os.Setenv(versionUpgradeHookImageEnv, "version-upgrade-hook-image")`
	`20`	`+ os.Setenv(VersionUpgradeHookImageEnv, "version-upgrade-hook-image")`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`func newTestReplicaSet() mdbv1.MongoDBCommunity {`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ import (`
`40`	`40`	`)`
`41`	`41`
`42`	`42`	`func init() {`
`43`		`- os.Setenv("AGENT_IMAGE", "agent-image")`
	`43`	`+ os.Setenv(construct.AgentImageEnv, "agent-image")`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`func newTestReplicaSet() mdbv1.MongoDBCommunity {`
`@@ -561,12 +561,6 @@ func TestReplicaSet_IsScaledUpToDesiredMembers_WhenFirstCreated(t *testing.T) {`
`561`	`561`	`assert.Equal(t, 3, mdb.Status.CurrentMongoDBMembers)`
`562`	`562`	`}`
`563`	`563`
`564`		`-func TestOpenshift_Configuration(t *testing.T) {`
`565`		`- sts := performReconciliationAndGetStatefulSet(t, "openshift_mdb.yaml")`
`566`		`- assert.Equal(t, "MANAGED_SECURITY_CONTEXT", sts.Spec.Template.Spec.Containers[1].Env[3].Name)`
`567`		`- assert.Equal(t, "MANAGED_SECURITY_CONTEXT", sts.Spec.Template.Spec.Containers[0].Env[1].Name)`
`568`		`-}`
`569`		`-`
`570`	`564`	`func TestVolumeClaimTemplates_Configuration(t *testing.T) {`
`571`	`565`	`sts := performReconciliationAndGetStatefulSet(t, "volume_claim_templates_mdb.yaml")`
`572`	`566`