Adding support for OpenShift securityContext

Adding autodetection of solr-operator running on an OpenShift cluster to
remove the default Solr fsGroup, and have an empty securityContext on
OpenShift.

Fixes #466

with '#' will be ignored, and an empty message aborts the commit.  # #
Date:      Fri May 24 20:34:53 2024 -0600 # # On branch openshift # Your
branch is up to date with 'origin/openshift'.  # # Changes to be
committed: #	new file:   controllers/autodetect.go #	modified:
controllers/solrcloud_controller.go #	modified:
controllers/suite_test.go #	modified:
controllers/util/solr_util.go #	modified:   main.go #

Author: computate

controllers/autodetect.go

@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Copied from grafana-operator
+// With the Apache License: https://github.com/grafana/grafana-operator/blob/master/LICENSE
+// See: https://github.com/grafana/grafana-operator/blob/master/controllers/autodetect/main.go
+// Package autodetect is for auto-detecting traits from the environment (platform, APIs, ...).
+package controllers
+
+import (
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+)
+
+var _ AutoDetect = (*autoDetect)(nil)
+
+// AutoDetect provides an assortment of routines that auto-detect traits based on the runtime.
+type AutoDetect interface {
+	IsOpenshift() (bool, error)
+}
+
+type autoDetect struct {
+	dcl discovery.DiscoveryInterface
+}
+
+// New creates a new auto-detection worker, using the given client when talking to the current cluster.
+func NewAutodetect(restConfig *rest.Config) (AutoDetect, error) {
+	dcl, err := discovery.NewDiscoveryClientForConfig(restConfig)
+	if err != nil {
+		// it's pretty much impossible to get into this problem, as most of the
+		// code branches from the previous call just won't fail at all,
+		// but let's handle this error anyway...
+		return nil, err
+	}
+
+	return &autoDetect{
+		dcl: dcl,
+	}, nil
+}
+
+// Platform returns the detected platform this operator is running on. Possible values: Kubernetes, OpenShift.
+func (a *autoDetect) IsOpenshift() (bool, error) {
+	apiList, err := a.dcl.ServerGroups()
+	if err != nil {
+		return false, err
+	}
+
+	apiGroups := apiList.Groups
+	for i := range apiGroups {
+		if apiGroups[i].Name == "route.openshift.io" {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

controllers/solrcloud_controller.go

@@ -21,13 +21,14 @@ import (
 	"context"
 	"crypto/md5"
 	"fmt"
-	policyv1 "k8s.io/api/policy/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 	"reflect"
 	"sort"
 	"strings"
 	"time"
 
+	policyv1 "k8s.io/api/policy/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+
 	solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
 	"github.com/apache/solr-operator/controllers/util"
 	"github.com/go-logr/logr"
@@ -53,7 +54,8 @@ import (
 // SolrCloudReconciler reconciles a SolrCloud object
 type SolrCloudReconciler struct {
 	client.Client
-	Scheme *runtime.Scheme
+	Scheme      *runtime.Scheme
+	IsOpenShift bool
 }
 
 var useZkCRD bool
@@ -328,7 +330,7 @@ func (r *SolrCloudReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	var statefulSet *appsv1.StatefulSet
 	if !blockReconciliationOfStatefulSet {
 		// Generate StatefulSet that should exist
-		expectedStatefulSet := util.GenerateStatefulSet(instance, &newStatus, hostNameIpMap, reconcileConfigInfo, tls, security)
+		expectedStatefulSet := util.GenerateStatefulSet(instance, &newStatus, hostNameIpMap, reconcileConfigInfo, tls, security, r.IsOpenShift)
 
 		// Check if the StatefulSet already exists
 		statefulSetLogger := logger.WithValues("statefulSet", expectedStatefulSet.Name)

controllers/suite_test.go

@@ -19,13 +19,14 @@ package controllers
 
 import (
 	"context"
-	"github.com/go-logr/logr"
-	zkApi "github.com/pravega/zookeeper-operator/api/v1beta1"
 	"path/filepath"
-	ctrl "sigs.k8s.io/controller-runtime"
 	"testing"
 	"time"
 
+	"github.com/go-logr/logr"
+	zkApi "github.com/pravega/zookeeper-operator/api/v1beta1"
+	ctrl "sigs.k8s.io/controller-runtime"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -106,8 +107,9 @@ var _ = BeforeSuite(func(ctx context.Context) {
 	// Start up Reconcilers
 	By("starting the reconcilers")
 	Expect((&SolrCloudReconciler{
-		Client: k8sManager.GetClient(),
-		Scheme: k8sManager.GetScheme(),
+		Client:      k8sManager.GetClient(),
+		Scheme:      k8sManager.GetScheme(),
+		IsOpenShift: false,
 	}).SetupWithManager(k8sManager)).To(Succeed())
 
 	Expect((&SolrPrometheusExporterReconciler{

controllers/util/solr_util.go

@@ -19,6 +19,10 @@ package util
 
 import (
 	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+
 	solr "github.com/apache/solr-operator/api/v1beta1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -28,9 +32,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/utils/pointer"
 	"k8s.io/utils/ptr"
-	"sort"
-	"strconv"
-	"strings"
 )
 
 const (
@@ -84,7 +85,7 @@ var (
 // replicas: the number of replicas for the SolrCloud instance
 // storage: the size of the storage for the SolrCloud instance (e.g. 100Gi)
 // zkConnectionString: the connectionString of the ZK instance to connect to
-func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCloudStatus, hostNameIPs map[string]string, reconcileConfigInfo map[string]string, tls *TLSCerts, security *SecurityConfig) *appsv1.StatefulSet {
+func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCloudStatus, hostNameIPs map[string]string, reconcileConfigInfo map[string]string, tls *TLSCerts, security *SecurityConfig, isOpenShift bool) *appsv1.StatefulSet {
 	terminationGracePeriod := int64(60)
 	shareProcessNamespace := false
 	solrPodPort := solrCloud.Spec.SolrAddressability.PodPort
@@ -549,19 +550,20 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCl
 				Spec: corev1.PodSpec{
 					TerminationGracePeriodSeconds: &terminationGracePeriod,
 					ShareProcessNamespace:         &shareProcessNamespace,
-					SecurityContext: &corev1.PodSecurityContext{
-						FSGroup: &defaultFSGroup,
-					},
-					Volumes:        solrVolumes,
-					InitContainers: initContainers,
-					HostAliases:    hostAliases,
-					Containers:     containers,
-					ReadinessGates: podReadinessGates,
+					SecurityContext:               &corev1.PodSecurityContext{},
+					Volumes:                       solrVolumes,
+					InitContainers:                initContainers,
+					HostAliases:                   hostAliases,
+					Containers:                    containers,
+					ReadinessGates:                podReadinessGates,
 				},
 			},
 			VolumeClaimTemplates: pvcs,
 		},
 	}
+	if !isOpenShift {
+		stateful.Spec.Template.Spec.SecurityContext.FSGroup = &defaultFSGroup
+	}
 	if solrCloud.UsesHeadlessService() {
 		stateful.Spec.Template.Spec.Subdomain = solrCloud.HeadlessServiceName()
 	}
@@ -598,7 +600,7 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCl
 
 		if customPodOptions.PodSecurityContext != nil {
 			stateful.Spec.Template.Spec.SecurityContext = customPodOptions.PodSecurityContext
-			if stateful.Spec.Template.Spec.SecurityContext.FSGroup == nil {
+			if stateful.Spec.Template.Spec.SecurityContext.FSGroup == nil && !isOpenShift {
 				stateful.Spec.Template.Spec.SecurityContext.FSGroup = &defaultFSGroup
 			}
 		}

main.go

@@ -22,18 +22,19 @@ import (
 	"crypto/x509"
 	"flag"
 	"fmt"
-	"github.com/apache/solr-operator/controllers/util/solr_api"
-	"github.com/apache/solr-operator/version"
-	"github.com/fsnotify/fsnotify"
-	zkApi "github.com/pravega/zookeeper-operator/api/v1beta1"
 	"io/ioutil"
 	"net/http"
 	"os"
 	"path/filepath"
 	"runtime"
+	"strings"
+
+	"github.com/apache/solr-operator/controllers/util/solr_api"
+	"github.com/apache/solr-operator/version"
+	"github.com/fsnotify/fsnotify"
+	zkApi "github.com/pravega/zookeeper-operator/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
-	"strings"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -198,9 +199,26 @@ func main() {
 		}
 	}
 
+	// Fetch k8s api credentials and detect platform
+	restConfig := ctrl.GetConfigOrDie()
+
+	autodetect, err := controllers.NewAutodetect(restConfig)
+	if err != nil {
+		setupLog.Error(err, "failed to setup auto-detect routine")
+		os.Exit(1)
+	}
+
+	isOpenShift, err := autodetect.IsOpenshift()
+	setupLog.Info("autodetect", "isOpenShift", isOpenShift)
+	if err != nil {
+		setupLog.Error(err, "unable to detect the platform")
+		os.Exit(1)
+	}
+
 	if err = (&controllers.SolrCloudReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
+		Client:      mgr.GetClient(),
+		Scheme:      mgr.GetScheme(),
+		IsOpenShift: isOpenShift,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "SolrCloud")
 		os.Exit(1)