Skip to content

Commit

Permalink
Add update logic to handle addition of PSS to deployments (#1533)
Browse files Browse the repository at this point in the history
Signed-off-by: Siddhesh Ghadi <[email protected]>
  • Loading branch information
svghadi authored Sep 4, 2024
1 parent 0c1f08e commit db22b50
Show file tree
Hide file tree
Showing 6 changed files with 94 additions and 25 deletions.
4 changes: 3 additions & 1 deletion controllers/argocd/applicationset.go
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,8 @@ func (r *ReconcileArgoCD) reconcileApplicationSetDeployment(cr *argoproj.ArgoCD,
!reflect.DeepEqual(existing.Spec.Template.Labels, deploy.Spec.Template.Labels) ||
!reflect.DeepEqual(existing.Spec.Selector, deploy.Spec.Selector) ||
!reflect.DeepEqual(existing.Spec.Template.Spec.NodeSelector, deploy.Spec.Template.Spec.NodeSelector) ||
!reflect.DeepEqual(existing.Spec.Template.Spec.Tolerations, deploy.Spec.Template.Spec.Tolerations)
!reflect.DeepEqual(existing.Spec.Template.Spec.Tolerations, deploy.Spec.Template.Spec.Tolerations) ||
!reflect.DeepEqual(existing.Spec.Template.Spec.Containers[0].SecurityContext, deploy.Spec.Template.Spec.Containers[0].SecurityContext)

// If the Deployment already exists, make sure the values we care about are up-to-date
if deploymentsDifferent {
Expand All @@ -274,6 +275,7 @@ func (r *ReconcileArgoCD) reconcileApplicationSetDeployment(cr *argoproj.ArgoCD,
existing.Spec.Selector = deploy.Spec.Selector
existing.Spec.Template.Spec.NodeSelector = deploy.Spec.Template.Spec.NodeSelector
existing.Spec.Template.Spec.Tolerations = deploy.Spec.Template.Spec.Tolerations
existing.Spec.Template.Spec.Containers[0].SecurityContext = deploy.Spec.Template.Spec.Containers[0].SecurityContext
return r.Client.Update(context.TODO(), existing)
}
return nil // Deployment found with nothing to do, move along...
Expand Down
24 changes: 24 additions & 0 deletions controllers/argocd/deployment.go
Original file line number Diff line number Diff line change
Expand Up @@ -563,6 +563,11 @@ func (r *ReconcileArgoCD) reconcileRedisDeployment(cr *argoproj.ArgoCD, useTLS b
changed = true
}

if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[0].SecurityContext, existing.Spec.Template.Spec.Containers[0].SecurityContext) {
existing.Spec.Template.Spec.Containers[0].SecurityContext = deploy.Spec.Template.Spec.Containers[0].SecurityContext
changed = true
}

if changed {
return r.Client.Update(context.TODO(), existing)
}
Expand Down Expand Up @@ -808,11 +813,21 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyDeployment(cr *argoproj.ArgoCD) e
changed = true
}

if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[0].SecurityContext, existing.Spec.Template.Spec.Containers[0].SecurityContext) {
existing.Spec.Template.Spec.Containers[0].SecurityContext = deploy.Spec.Template.Spec.Containers[0].SecurityContext
changed = true
}

if !reflect.DeepEqual(deploy.Spec.Template.Spec.InitContainers[0].Resources, existing.Spec.Template.Spec.InitContainers[0].Resources) {
existing.Spec.Template.Spec.InitContainers[0].Resources = deploy.Spec.Template.Spec.InitContainers[0].Resources
changed = true
}

if !reflect.DeepEqual(deploy.Spec.Template.Spec.InitContainers[0].SecurityContext, existing.Spec.Template.Spec.InitContainers[0].SecurityContext) {
existing.Spec.Template.Spec.InitContainers[0].SecurityContext = deploy.Spec.Template.Spec.InitContainers[0].SecurityContext
changed = true
}

if changed {
return r.Client.Update(context.TODO(), existing)
}
Expand Down Expand Up @@ -1135,6 +1150,10 @@ func (r *ReconcileArgoCD) reconcileRepoDeployment(cr *argoproj.ArgoCD, useTLSFor
existing.Spec.Template.Spec.Containers[0].Command = deploy.Spec.Template.Spec.Containers[0].Command
changed = true
}
if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[0].SecurityContext, existing.Spec.Template.Spec.Containers[0].SecurityContext) {
existing.Spec.Template.Spec.Containers[0].SecurityContext = deploy.Spec.Template.Spec.Containers[0].SecurityContext
changed = true
}
if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[1:],
existing.Spec.Template.Spec.Containers[1:]) {
existing.Spec.Template.Spec.Containers = append(existing.Spec.Template.Spec.Containers[0:1],
Expand Down Expand Up @@ -1371,6 +1390,11 @@ func (r *ReconcileArgoCD) reconcileServerDeployment(cr *argoproj.ArgoCD, useTLSF
existing.Spec.Template.Spec.Containers[0].Resources = deploy.Spec.Template.Spec.Containers[0].Resources
changed = true
}
if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[0].SecurityContext,
existing.Spec.Template.Spec.Containers[0].SecurityContext) {
existing.Spec.Template.Spec.Containers[0].SecurityContext = deploy.Spec.Template.Spec.Containers[0].SecurityContext
changed = true
}
if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[1:],
existing.Spec.Template.Spec.Containers[1:]) {
existing.Spec.Template.Spec.Containers = append(existing.Spec.Template.Spec.Containers[0:1],
Expand Down
10 changes: 10 additions & 0 deletions controllers/argocd/dex.go
Original file line number Diff line number Diff line change
Expand Up @@ -356,12 +356,22 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
existing.Spec.Template.Spec.InitContainers[0].Env = deploy.Spec.Template.Spec.InitContainers[0].Env
changed = true
}
if !reflect.DeepEqual(existing.Spec.Template.Spec.InitContainers[0].SecurityContext,
deploy.Spec.Template.Spec.InitContainers[0].SecurityContext) {
existing.Spec.Template.Spec.InitContainers[0].SecurityContext = deploy.Spec.Template.Spec.InitContainers[0].SecurityContext
changed = true
}

if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[0].Resources, existing.Spec.Template.Spec.Containers[0].Resources) {
existing.Spec.Template.Spec.Containers[0].Resources = deploy.Spec.Template.Spec.Containers[0].Resources
changed = true
}

if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[0].SecurityContext, existing.Spec.Template.Spec.Containers[0].SecurityContext) {
existing.Spec.Template.Spec.Containers[0].SecurityContext = deploy.Spec.Template.Spec.Containers[0].SecurityContext
changed = true
}

if changed {
return r.Client.Update(context.TODO(), existing)
}
Expand Down
62 changes: 38 additions & 24 deletions controllers/argocd/keycloak.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
json "encoding/json"
"fmt"
"os"
"reflect"

argoproj "github.com/argoproj-labs/argocd-operator/api/v1beta1"
"github.com/argoproj-labs/argocd-operator/common"
Expand Down Expand Up @@ -236,18 +237,7 @@ func getKeycloakContainer(cr *argoproj.ArgoCD) corev1.Container {
{ContainerPort: 8443, Name: "https", Protocol: "TCP"},
{ContainerPort: 8888, Name: "ping", Protocol: "TCP"},
},
SecurityContext: &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"ALL",
},
},
AllowPrivilegeEscalation: boolPtr(false),
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
SecurityContext: restrictedContainerSecurityContext(),
ReadinessProbe: &corev1.Probe{
TimeoutSeconds: 240,
InitialDelaySeconds: 120,
Expand Down Expand Up @@ -639,18 +629,7 @@ func newKeycloakDeployment(cr *argoproj.ArgoCD) *k8sappsv1.Deployment {
{Name: "http", ContainerPort: httpPort},
{Name: "https", ContainerPort: portTLS},
},
SecurityContext: &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"ALL",
},
},
AllowPrivilegeEscalation: boolPtr(false),
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
SecurityContext: restrictedContainerSecurityContext(),
ReadinessProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
HTTPGet: &corev1.HTTPGetAction{
Expand Down Expand Up @@ -1352,11 +1331,21 @@ func (r *ReconcileArgoCD) reconcileKeycloakForOpenShift(cr *argoproj.ArgoCD) err
log.Error(err, fmt.Sprintf("Keycloak Deployment not found or being created for ArgoCD %s in namespace %s",
cr.Name, cr.Namespace))
} else {
changed := false
// Handle Image upgrades
desiredImage := getKeycloakContainerImage(cr)
if existingDC.Spec.Template.Spec.Containers[0].Image != desiredImage {
existingDC.Spec.Template.Spec.Containers[0].Image = desiredImage
changed = true
}

desiredSecurityContext := restrictedContainerSecurityContext()
if !reflect.DeepEqual(existingDC.Spec.Template.Spec.Containers[0].SecurityContext, desiredSecurityContext) {
existingDC.Spec.Template.Spec.Containers[0].SecurityContext = desiredSecurityContext
changed = true
}

if changed {
err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
return r.Client.Update(context.TODO(), existingDC)
})
Expand Down Expand Up @@ -1455,11 +1444,21 @@ func (r *ReconcileArgoCD) reconcileKeycloak(cr *argoproj.ArgoCD) error {
log.Error(err, fmt.Sprintf("Keycloak Deployment not found or being created for ArgoCD %s in namespace %s",
cr.Name, cr.Namespace))
} else {
changed := false
// Handle Image upgrades
desiredImage := getKeycloakContainerImage(cr)
if existingDeployment.Spec.Template.Spec.Containers[0].Image != desiredImage {
existingDeployment.Spec.Template.Spec.Containers[0].Image = desiredImage
changed = true
}

desiredSecurityContext := restrictedContainerSecurityContext()
if !reflect.DeepEqual(existingDeployment.Spec.Template.Spec.Containers[0].SecurityContext, desiredSecurityContext) {
existingDeployment.Spec.Template.Spec.Containers[0].SecurityContext = desiredSecurityContext
changed = true
}

if changed {
err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
return r.Client.Update(context.TODO(), existingDeployment)
})
Expand Down Expand Up @@ -1515,3 +1514,18 @@ func (r *ReconcileArgoCD) reconcileKeycloak(cr *argoproj.ArgoCD) error {

return nil
}

func restrictedContainerSecurityContext() *corev1.SecurityContext {
return &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"ALL",
},
},
AllowPrivilegeEscalation: boolPtr(false),
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
}
}
5 changes: 5 additions & 0 deletions controllers/argocd/notifications.go
Original file line number Diff line number Diff line change
Expand Up @@ -478,6 +478,11 @@ func (r *ReconcileArgoCD) reconcileNotificationsDeployment(cr *argoproj.ArgoCD,
deploymentChanged = true
}

if !reflect.DeepEqual(existingDeployment.Spec.Template.Spec.Containers[0].SecurityContext, desiredDeployment.Spec.Template.Spec.Containers[0].SecurityContext) {
existingDeployment.Spec.Template.Spec.Containers[0].SecurityContext = desiredDeployment.Spec.Template.Spec.Containers[0].SecurityContext
deploymentChanged = true
}

if !reflect.DeepEqual(existingDeployment.Spec.Template.Spec.ServiceAccountName, desiredDeployment.Spec.Template.Spec.ServiceAccountName) {
existingDeployment.Spec.Template.Spec.ServiceAccountName = desiredDeployment.Spec.Template.Spec.ServiceAccountName
deploymentChanged = true
Expand Down
14 changes: 14 additions & 0 deletions controllers/argocd/statefulset.go
Original file line number Diff line number Diff line change
Expand Up @@ -444,13 +444,23 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
existing.Spec.Template.Spec.Containers[i].Resources = ss.Spec.Template.Spec.Containers[i].Resources
changed = true
}

if !reflect.DeepEqual(ss.Spec.Template.Spec.Containers[i].SecurityContext, existing.Spec.Template.Spec.Containers[i].SecurityContext) {
existing.Spec.Template.Spec.Containers[i].SecurityContext = ss.Spec.Template.Spec.Containers[i].SecurityContext
changed = true
}
}

if !reflect.DeepEqual(ss.Spec.Template.Spec.InitContainers[0].Resources, existing.Spec.Template.Spec.InitContainers[0].Resources) {
existing.Spec.Template.Spec.InitContainers[0].Resources = ss.Spec.Template.Spec.InitContainers[0].Resources
changed = true
}

if !reflect.DeepEqual(ss.Spec.Template.Spec.InitContainers[0].SecurityContext, existing.Spec.Template.Spec.InitContainers[0].SecurityContext) {
existing.Spec.Template.Spec.InitContainers[0].SecurityContext = ss.Spec.Template.Spec.InitContainers[0].SecurityContext
changed = true
}

if changed {
return r.Client.Update(context.TODO(), existing)
}
Expand Down Expand Up @@ -778,6 +788,10 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
existing.Spec.Template.Spec.Containers[0].Resources = ss.Spec.Template.Spec.Containers[0].Resources
changed = true
}
if !reflect.DeepEqual(ss.Spec.Template.Spec.Containers[0].SecurityContext, existing.Spec.Template.Spec.Containers[0].SecurityContext) {
existing.Spec.Template.Spec.Containers[0].SecurityContext = ss.Spec.Template.Spec.Containers[0].SecurityContext
changed = true
}
if !reflect.DeepEqual(ss.Spec.Replicas, existing.Spec.Replicas) {
existing.Spec.Replicas = ss.Spec.Replicas
changed = true
Expand Down

0 comments on commit db22b50

Please sign in to comment.