Add PodSecurityContext fields to .spec.securityContext

api/v1/openlibertyapplication_types.go

@@ -133,9 +133,14 @@ type OpenLibertyApplicationSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=28,type=spec,displayName="Affinity"
 	Affinity *OpenLibertyApplicationAffinity `json:"affinity,omitempty"`
 
-	// Security context for the application container.
+	// Security context for the application pod and container.
 	// +operator-sdk:csv:customresourcedefinitions:order=29,type=spec,displayName="Security Context"
-	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
+	SecurityContext *OpenLibertyApplicationSecurityContext `json:"securityContext,omitempty"`
+}
+
+// Define the security context object for the application pod and container
+type OpenLibertyApplicationSecurityContext struct {
+	common.AppSecurityContext `json:",omitempty"`
 }
 
 // Define health checks on application container to determine whether it is alive or ready to receive traffic
@@ -1074,8 +1079,22 @@ func (a *OpenLibertyApplicationAffinity) GetNodeAffinityLabels() map[string]stri
 	return a.NodeAffinityLabels
 }
 
+func (sc *OpenLibertyApplicationSecurityContext) GetContainerSecurityContext() *corev1.SecurityContext {
+	if sc == nil {
+		return nil
+	}
+	return common.GetSecurityContext(&sc.AppSecurityContext)
+}
+
+func (sc *OpenLibertyApplicationSecurityContext) GetPodSecurityContext() *corev1.PodSecurityContext {
+	if sc == nil {
+		return nil
+	}
+	return common.GetPodSecurityContext(&sc.AppSecurityContext)
+}
+
 // GetSecurityContext returns container security context
-func (cr *OpenLibertyApplication) GetSecurityContext() *corev1.SecurityContext {
+func (cr *OpenLibertyApplication) GetSecurityContext() common.BaseComponentSecurityContext {
 	return cr.Spec.SecurityContext
 }
 

api/v1/openlibertydump_types.go

@@ -41,6 +41,7 @@ type OpenLibertyDumpStatus struct {
 type DumpStatusVersions struct {
 	Reconciled string `json:"reconciled,omitempty"`
 }
+
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:storageversion

api/v1/openlibertytrace_types.go

@@ -36,6 +36,7 @@ type OpenLibertyTraceStatus struct {
 type TraceStatusVersions struct {
 	Reconciled string `json:"reconciled,omitempty"`
 }
+
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:storageversion

bundle/manifests/apps.openliberty.io_openlibertyapplications.yaml

@@ -3492,7 +3492,7 @@ spec:
                     type: string
                 type: object
               securityContext:
-                description: Security context for the application container.
+                description: Security context for the application pod and container.
                 properties:
                   allowPrivilegeEscalation:
                     description: 'AllowPrivilegeEscalation controls whether a process
@@ -3521,6 +3521,28 @@ spec:
                           type: string
                         type: array
                     type: object
+                  fsGroup:
+                    description: "A special supplemental group that applies to all
+                      containers in a pod. Some volume types allow the Kubelet to
+                      change the ownership of that volume to be owned by the pod:
+                      \n 1. The owning GID will be the FSGroup 2. The setgid bit is
+                      set (new files created in the volume will be owned by FSGroup)
+                      3. The permission bits are OR'd with rw-rw---- \n If unset,
+                      the Kubelet will not modify the ownership and permissions of
+                      any volume. Note that this field cannot be set when spec.os.name
+                      is windows."
+                    format: int64
+                    type: integer
+                  fsGroupChangePolicy:
+                    description: 'fsGroupChangePolicy defines behavior of changing
+                      ownership and permission of the volume before being exposed
+                      inside Pod. This field will only apply to volume types which
+                      support fsGroup based ownership(and permissions). It will have
+                      no effect on ephemeral volume types such as: secret, configmaps
+                      and emptydir. Valid values are "OnRootMismatch" and "Always".
+                      If not specified, "Always" is used. Note that this field cannot
+                      be set when spec.os.name is windows.'
+                    type: string
                   privileged:
                     description: Run container in privileged mode. Processes in privileged
                       containers are essentially equivalent to root on the host. Defaults
@@ -3613,6 +3635,34 @@ spec:
                     required:
                     - type
                     type: object
+                  supplementalGroups:
+                    description: A list of groups applied to the first process run
+                      in each container, in addition to the container's primary GID.  If
+                      unspecified, no groups will be added to any container. Note
+                      that this field cannot be set when spec.os.name is windows.
+                    items:
+                      format: int64
+                      type: integer
+                    type: array
+                  sysctls:
+                    description: Sysctls hold a list of namespaced sysctls used for
+                      the pod. Pods with unsupported sysctls (by the container runtime)
+                      might fail to launch. Note that this field cannot be set when
+                      spec.os.name is windows.
+                    items:
+                      description: Sysctl defines a kernel parameter to be set
+                      properties:
+                        name:
+                          description: Name of a property to set
+                          type: string
+                        value:
+                          description: Value of a property to set
+                          type: string
+                      required:
+                      - name
+                      - value
+                      type: object
+                    type: array
                   windowsOptions:
                     description: The Windows specific settings applied to all containers.
                       If unspecified, the options from the PodSecurityContext will

bundle/manifests/open-liberty.clusterserviceversion.yaml

@@ -91,7 +91,7 @@ metadata:
     categories: Application Runtime
     certified: "true"
     containerImage: icr.io/appcafe/open-liberty-operator:daily
-    createdAt: "2023-08-22T16:39:10Z"
+    createdAt: "2023-10-04T09:50:21Z"
     description: Deploy and manage containerized Liberty applications
     olm.skipRange: '>=0.8.0 <1.2.2'
     operators.openshift.io/infrastructure-features: '["disconnected"]'
@@ -408,7 +408,7 @@ spec:
         path: statefulSet.storage.volumeClaimTemplate
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:PersistentVolumeClaim
-      - description: Security context for the application container.
+      - description: Security context for the application pod and container.
         displayName: Security Context
         path: securityContext
       - description: Labels to set on ServiceMonitor.

config/crd/bases/apps.openliberty.io_openlibertyapplications.yaml

@@ -3489,7 +3489,7 @@ spec:
                     type: string
                 type: object
               securityContext:
-                description: Security context for the application container.
+                description: Security context for the application pod and container.
                 properties:
                   allowPrivilegeEscalation:
                     description: 'AllowPrivilegeEscalation controls whether a process
@@ -3518,6 +3518,28 @@ spec:
                           type: string
                         type: array
                     type: object
+                  fsGroup:
+                    description: "A special supplemental group that applies to all
+                      containers in a pod. Some volume types allow the Kubelet to
+                      change the ownership of that volume to be owned by the pod:
+                      \n 1. The owning GID will be the FSGroup 2. The setgid bit is
+                      set (new files created in the volume will be owned by FSGroup)
+                      3. The permission bits are OR'd with rw-rw---- \n If unset,
+                      the Kubelet will not modify the ownership and permissions of
+                      any volume. Note that this field cannot be set when spec.os.name
+                      is windows."
+                    format: int64
+                    type: integer
+                  fsGroupChangePolicy:
+                    description: 'fsGroupChangePolicy defines behavior of changing
+                      ownership and permission of the volume before being exposed
+                      inside Pod. This field will only apply to volume types which
+                      support fsGroup based ownership(and permissions). It will have
+                      no effect on ephemeral volume types such as: secret, configmaps
+                      and emptydir. Valid values are "OnRootMismatch" and "Always".
+                      If not specified, "Always" is used. Note that this field cannot
+                      be set when spec.os.name is windows.'
+                    type: string
                   privileged:
                     description: Run container in privileged mode. Processes in privileged
                       containers are essentially equivalent to root on the host. Defaults
@@ -3610,6 +3632,34 @@ spec:
                     required:
                     - type
                     type: object
+                  supplementalGroups:
+                    description: A list of groups applied to the first process run
+                      in each container, in addition to the container's primary GID.  If
+                      unspecified, no groups will be added to any container. Note
+                      that this field cannot be set when spec.os.name is windows.
+                    items:
+                      format: int64
+                      type: integer
+                    type: array
+                  sysctls:
+                    description: Sysctls hold a list of namespaced sysctls used for
+                      the pod. Pods with unsupported sysctls (by the container runtime)
+                      might fail to launch. Note that this field cannot be set when
+                      spec.os.name is windows.
+                    items:
+                      description: Sysctl defines a kernel parameter to be set
+                      properties:
+                        name:
+                          description: Name of a property to set
+                          type: string
+                        value:
+                          description: Value of a property to set
+                          type: string
+                      required:
+                      - name
+                      - value
+                      type: object
+                    type: array
                   windowsOptions:
                     description: The Windows specific settings applied to all containers.
                       If unspecified, the options from the PodSecurityContext will

config/manifests/bases/open-liberty.clusterserviceversion.yaml

@@ -321,7 +321,7 @@ spec:
         path: statefulSet.storage.volumeClaimTemplate
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:PersistentVolumeClaim
-      - description: Security context for the application container.
+      - description: Security context for the application pod and container.
         displayName: Security Context
         path: securityContext
       - description: Labels to set on ServiceMonitor.

controllers/openlibertytrace_controller.go

@@ -193,7 +193,7 @@ func (r *ReconcileOpenLibertyTrace) UpdateStatus(issue error, conditionType open
 	s.SetCondition(statusCondition)
 
 	instance.Status.Versions.Reconciled = lutils.OperandVersion
-	
+
 	err := r.Client.Status().Update(context.Background(), &instance)
 	if err != nil {
 		r.Log.Error(err, "Unable to update status")

controllers/semeru_compiler.go

@@ -366,6 +366,7 @@ func (r *ReconcileOpenLiberty) reconcileSemeruDeployment(ola *openlibertyv1.Open
 
 	// Copy the securityContext from the OpenLibertyApplcation CR
 	deploy.Spec.Template.Spec.Containers[0].SecurityContext = utils.GetSecurityContext(ola)
+	deploy.Spec.Template.Spec.SecurityContext = utils.GetPodSecurityContext(ola)
 
 	lutils.AddSecretResourceVersionAsEnvVar(&deploy.Spec.Template, ola, r.GetClient(), ola.Status.SemeruCompiler.TLSSecretName, "TLS")
 }

go.mod

@@ -3,7 +3,7 @@ module github.com/OpenLiberty/open-liberty-operator
 go 1.19
 
 require (
-	github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20230907143425-055a7d066125
+	github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20231003175027-10600e7dfe19
 	github.com/go-logr/logr v1.2.2
 	github.com/openshift/api v0.0.0-20220414050251-a83e6f8f1d50
 	github.com/openshift/library-go v0.0.0-20220630204433-c71d40c7de49

go.sum

@@ -71,6 +71,8 @@ github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.
 github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20230613090743-bf7f8422094b/go.mod h1:JsX0ioxZzA0yM1Sxg/1QKLg9dGqDXYvGZ+WwiQrMoxQ=
 github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20230907143425-055a7d066125 h1:+QH7HGxWvbKYAwWY6/HQ0GgHZQzz+mNGf9Jafs0+Q9g=
 github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20230907143425-055a7d066125/go.mod h1:JsX0ioxZzA0yM1Sxg/1QKLg9dGqDXYvGZ+WwiQrMoxQ=
+github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20231003175027-10600e7dfe19 h1:sW3Wn4yTLJ6rglZxJjzf/WFGxy2JWJpfqmGE2cHPsww=
+github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20231003175027-10600e7dfe19/go.mod h1:JsX0ioxZzA0yM1Sxg/1QKLg9dGqDXYvGZ+WwiQrMoxQ=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
@@ -108,7 +110,9 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
@@ -153,6 +157,7 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
+github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -248,6 +253,7 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=