Add support for defining securityContext in cluster spec (#218)

KashifSaadat · prydie · commit 8f46c9358477 · 2018-09-17T14:04:57.000+01:00
Signed-off-by: Kashif Saadat &lt;kashifsaadat@gmail.com&gt;
diff --git a/pkg/apis/mysql/v1alpha1/types.go b/pkg/apis/mysql/v1alpha1/types.go
@@ -64,6 +64,8 @@ type ClusterSpec struct {
 	// and server key for group replication SSL.
 	// +optional
 	SSLSecret *corev1.LocalObjectReference `json:"sslSecret,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // ClusterConditionType represents a valid condition of a Cluster.
diff --git a/pkg/resources/statefulsets/statefulset.go b/pkg/resources/statefulsets/statefulset.go
@@ -391,5 +391,8 @@ func NewForCluster(cluster *v1alpha1.Cluster, images operatoropts.Images, servic
 	if cluster.Spec.BackupVolumeClaimTemplate != nil {
 		ss.Spec.VolumeClaimTemplates = append(ss.Spec.VolumeClaimTemplates, *cluster.Spec.BackupVolumeClaimTemplate)
 	}
+	if cluster.Spec.SecurityContext != nil {
+		ss.Spec.Template.Spec.SecurityContext = cluster.Spec.SecurityContext
+	}
 	return ss
 }
diff --git a/pkg/resources/statefulsets/statefulset_test.go b/pkg/resources/statefulsets/statefulset_test.go
@@ -165,3 +165,24 @@ func TestClusterCustomSSLSetup(t *testing.T) {
 
 	assert.True(t, hasExpectedVolumeMount, "Cluster is missing expected volume mount for custom SSL certs")
 }
+
+func TestClusterCustomSecurityContext(t *testing.T) {
+	userID := int64(27)
+	cluster := &v1alpha1.Cluster{
+		Spec: v1alpha1.ClusterSpec{
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsUser: &userID,
+				FSGroup:   &userID,
+			},
+		},
+	}
+
+	statefulSet := NewForCluster(cluster, mockOperatorConfig().Images, "mycluster")
+
+	if statefulSet.Spec.Template.Spec.SecurityContext != nil {
+		assert.EqualValues(t, userID, *statefulSet.Spec.Template.Spec.SecurityContext.RunAsUser, "SecurityContext Spec runAsUser does not have expected value")
+		assert.Equal(t, userID, *statefulSet.Spec.Template.Spec.SecurityContext.FSGroup, "SecurityContext Spec fsGroup does not have expected value")
+	} else {
+		t.Errorf("StatefulSet Spec is missing SecurityContext definition")
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,8 @@ type ClusterSpec struct {`
`64`	`64`	`// and server key for group replication SSL.`
`65`	`65`	`// +optional`
`66`	`66`	SSLSecret *corev1.LocalObjectReference `json:"sslSecret,omitempty"`
	`67`	`+ // SecurityContext holds pod-level security attributes and common container settings.`
	`68`	+ SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
`67`	`69`	`}`
`68`	`70`
`69`	`71`	`// ClusterConditionType represents a valid condition of a Cluster.`
Original file line number	Diff line number	Diff line change
`@@ -391,5 +391,8 @@ func NewForCluster(cluster *v1alpha1.Cluster, images operatoropts.Images, servic`
`391`	`391`	`if cluster.Spec.BackupVolumeClaimTemplate != nil {`
`392`	`392`	`ss.Spec.VolumeClaimTemplates = append(ss.Spec.VolumeClaimTemplates, *cluster.Spec.BackupVolumeClaimTemplate)`
`393`	`393`	`}`
	`394`	`+ if cluster.Spec.SecurityContext != nil {`
	`395`	`+ ss.Spec.Template.Spec.SecurityContext = cluster.Spec.SecurityContext`
	`396`	`+ }`
`394`	`397`	`return ss`
`395`	`398`	`}`