diff --git a/charts/mongodb-kubernetes/crds/mongodbcommunity.mongodb.com_mongodbcommunity.yaml b/charts/mongodb-kubernetes/crds/mongodbcommunity.mongodb.com_mongodbcommunity.yaml index 36d5c892..c6228046 100644 --- a/charts/mongodb-kubernetes/crds/mongodbcommunity.mongodb.com_mongodbcommunity.yaml +++ b/charts/mongodb-kubernetes/crds/mongodbcommunity.mongodb.com_mongodbcommunity.yaml @@ -240,6 +240,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: object + clusterDomain: + format: hostname + type: string featureCompatibilityVersion: description: |- FeatureCompatibilityVersion configures the feature compatibility version that will diff --git a/charts/mongodb-kubernetes/templates/operator.yaml b/charts/mongodb-kubernetes/templates/operator.yaml index d6b9fee9..ebae9c87 100644 --- a/charts/mongodb-kubernetes/templates/operator.yaml +++ b/charts/mongodb-kubernetes/templates/operator.yaml @@ -32,11 +32,10 @@ spec: {{- end }} spec: serviceAccountName: {{ .Values.operator.name }} -{{- if not .Values.managedSecurityContext }} + {{- if and (not .Values.managedSecurityContext) .Values.operator.podSecurityContext }} securityContext: - runAsNonRoot: true - runAsUser: 2000 -{{- end }} + {{- toYaml .Values.operator.podSecurityContext | nindent 8 }} + {{- end }} {{- if .Values.registry.imagePullSecrets}} imagePullSecrets: - name: {{ .Values.registry.imagePullSecrets }} @@ -74,6 +73,10 @@ spec: requests: cpu: {{ .Values.operator.resources.requests.cpu }} memory: {{ .Values.operator.resources.requests.memory }} + {{- if and (not .Values.managedSecurityContext) .Values.operator.securityContext }} + securityContext: + {{- toYaml .Values.operator.securityContext | nindent 12 }} + {{- end }} env: - name: OPERATOR_ENV value: {{ .Values.operator.env }} 
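Review bot: In the operator.yaml hunk at @@ -32, the pod-level `runAsNonRoot: true` / `runAsUser: 2000` is no longer guaranteed by the template: the guard `{{- if and (not .Values.managedSecurityContext) .Values.operator.podSecurityContext }}` omits the whole `securityContext` block whenever `operator.podSecurityContext` is null or an empty map, so a values file that clears the key (as the new test "drop podSecurityContext and securityContext completely" does) renders a pod that runs as whatever user the image defaults to, whereas before this change only `managedSecurityContext` could remove the block. That is presumably intended for platforms that inject their own context, but it is a silent downgrade path and deserves a template comment such as `{{- /* a null or empty operator.podSecurityContext omits the pod securityContext entirely; the image's default user then applies */ }}` above the `if`. The same applies to the container-level block added in the @@ -74 hunk, which is governed by `operator.securityContext` in the same way. The enclosing Deployment `spec` begins and ends outside both hunks.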
@@ -169,21 +172,21 @@ spec: - name: {{ $initDatabaseImageRepositoryEnv }} value: {{ .Values.registry.initDatabase }}/{{ .Values.initDatabase.name }} - name: INIT_DATABASE_VERSION - value: {{ $initDatabaseVersion }} + value: {{ $initDatabaseVersion | quote }} - name: DATABASE_VERSION - value: {{ $databaseVersion }} + value: {{ $databaseVersion | quote }} # Ops Manager - name: {{ $opsManagerImageRepositoryEnv }} value: {{ .Values.registry.opsManager }}/{{ .Values.opsManager.name }} - name: {{ $initOpsManagerImageRepositoryEnv }} value: {{ .Values.registry.initOpsManager }}/{{ .Values.initOpsManager.name }} - name: INIT_OPS_MANAGER_VERSION - value: {{ $initOpsManagerVersion }} + value: {{ $initOpsManagerVersion | quote }} # AppDB - name: {{ $initAppDbImageRepositoryEnv }} value: {{ .Values.registry.initAppDb }}/{{ .Values.initAppDb.name }} - name: INIT_APPDB_VERSION - value: {{ $initAppDbVersion }} + value: {{ $initAppDbVersion | quote }} - name: OPS_MANAGER_IMAGE_PULL_POLICY value: {{ .Values.registry.pullPolicy }} - name: {{ $agentImageEnv }} @@ -257,7 +260,7 @@ spec: - name: RELATED_IMAGE_{{ $opsManagerImageRepositoryEnv }}_{{ $version | replace "." "_" | replace "-" "_" }} value: "{{ $.Values.registry.opsManager }}/{{ $.Values.opsManager.name }}:{{ $version }}" {{- end }} - # since the official server images end with a different suffix we can re-use the same $mongodbImageEnv + # since the official server images end with a different suffix we can re-use the same $mongodbImageEnv {{- range $version := .Values.relatedImages.mongodb }} - name: RELATED_IMAGE_{{ $mongodbImageEnv }}_{{ $version | replace "." "_" | replace "-" "_" }} value: "{{ $.Values.mongodb.repo }}/{{ $.Values.mongodb.name }}:{{ $version }}" 
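Review bot: `| quote` on the four `*_VERSION` values fixes the type of the rendered env value but not a value the values file has already coerced: a YAML 1.1-style loader reads an unquoted `initDatabase.version: 1.20` as the float 1.2, so the template would most likely render `"1.2"`, since Helm parses values files before the template ever sees them. The new suite in tests/operator_env_vars_type_test.yaml covers an integer (`1234`) and a three-part version but not this case; adding a case with `initDatabase.version: 1.20` to pin the observed output, and a comment in values.yaml saying that version fields should be written as quoted strings, would close the gap. The enclosing `env:` list starts before this hunk and continues past it.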
@@ -277,8 +280,8 @@ spec: {{- end }} {{- if .Values.customEnvVars }} {{- range split "&" .Values.customEnvVars }} - - name: {{ (split "=" .)._0 }} - value: '{{ (split "=" .)._1 }}' + - name: {{ (splitn "=" 2 .)._0 }} + value: '{{ (splitn "=" 2 .)._1 }}' {{- end }} {{- end }} {{- if .Values.multiCluster.clusters }} diff --git a/charts/mongodb-kubernetes/tests/operator_env_vars_type_test.yaml b/charts/mongodb-kubernetes/tests/operator_env_vars_type_test.yaml new file mode 100644 index 00000000..e8fcaa3e --- /dev/null +++ b/charts/mongodb-kubernetes/tests/operator_env_vars_type_test.yaml 
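Review bot: `value: '{{ (splitn "=" 2 .)._1 }}'` still produces invalid YAML when the value contains a single quote, and `name:` is rendered unquoted, so a `customEnvVars` entry is only safe when it contains no YAML-significant characters; since the commit already moved to `splitn` to keep `=` inside values, the quoting should follow: `- name: {{ (splitn "=" 2 .)._0 | quote }}` and `value: {{ (splitn "=" 2 .)._1 | default "" | quote }}`. The `default ""` matters because an entry without `=` leaves `._1` unset, and sprig's `quote` drops a nil argument rather than emitting `""`, which would turn `value:` into a null instead of the empty string the current single-quoted form yields. Values containing `&` still cannot be expressed at all because of the outer `split "&"`, which is worth a comment in values.yaml next to `customEnvVars`. The `range` and `if` both close inside the hunk; the enclosing `env:` list continues outside it.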
@@ -0,0 +1,58 @@ +suite: Environment Variable Quoting Check +templates: + - operator.yaml +tests: + - it: should correctly quote the value for the env vars for container images + set: + initDatabase.version: 1234 + database.version: 12d3f4 + initOpsManager.version: 1.2.3 + initAppDb.version: abc + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: INIT_DATABASE_VERSION + value: "1234" + - contains: + path: spec.template.spec.containers[0].env + content: + name: DATABASE_VERSION + value: "12d3f4" + - contains: + path: spec.template.spec.containers[0].env + content: + name: INIT_OPS_MANAGER_VERSION + value: "1.2.3" + - contains: + path: spec.template.spec.containers[0].env + content: + name: INIT_APPDB_VERSION + value: "abc" + - it: should correctly quote the value for the env vars for container images even when they are passed quoted + set: + initDatabase.version: "1234" + database.version: "12d3f4" + initOpsManager.version: "1.2.3" + initAppDb.version: "abc" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: INIT_DATABASE_VERSION + value: "1234" + - contains: + path: spec.template.spec.containers[0].env + content: + name: DATABASE_VERSION + value: "12d3f4" + - contains: + path: spec.template.spec.containers[0].env + content: + name: INIT_OPS_MANAGER_VERSION + value: "1.2.3" + - contains: + path: spec.template.spec.containers[0].env + content: + name: INIT_APPDB_VERSION + value: "abc" diff --git a/charts/mongodb-kubernetes/tests/operator_security_context_test.yaml b/charts/mongodb-kubernetes/tests/operator_security_context_test.yaml new file mode 100644 index 00000000..591d9727 --- /dev/null +++ b/charts/mongodb-kubernetes/tests/operator_security_context_test.yaml 
@@ -0,0 +1,142 @@ +suite: test operator security context settings for values.yaml +templates: + - operator.yaml +tests: + - it: default values are properly set + asserts: + - exists: + path: spec.template.spec.securityContext + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.runAsUser + # noinspection YAMLIncompatibleTypes + value: 2000 + - notExists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext + - it: drop podSecurityContext and securityContext completely + set: + operator.podSecurityContext: + operator.securityContext: + asserts: + - notExists: + path: spec.template.spec.securityContext + - notExists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext + - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true + set: + managedSecurityContext: true + asserts: + - notExists: + path: spec.template.spec.securityContext + - notExists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext + - it: custom values are properly set + set: + operator.podSecurityContext.runAsNonRoot: false + operator.podSecurityContext.seccompProfile.type: RuntimeDefault + operator.securityContext.allowPrivilegeEscalation: false + operator.securityContext.capabilities.drop: [ALL] + asserts: + - exists: + path: spec.template.spec.securityContext + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: false + - equal: + path: spec.template.spec.securityContext.seccompProfile.type + # noinspection YAMLIncompatibleTypes + value: RuntimeDefault + - equal: + path: spec.template.spec.securityContext.runAsUser + # noinspection YAMLIncompatibleTypes + value: 2000 + - exists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext + - equal: + path: 
spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.capabilities.drop + value: [ALL] + - it: default values are properly set when managedSecurityContext is true for openShift + values: + - ../values-openshift.yaml + asserts: + - notExists: + path: spec.template.spec.securityContext + - notExists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext + - exists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")] + - equal: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")].value + # noinspection YAMLIncompatibleTypes + value: "true" + - it: default values are properly set for multi-cluster deployment + values: + - ../values-multi-cluster.yaml + asserts: + - exists: + path: spec.template.spec.securityContext + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.runAsUser + # noinspection YAMLIncompatibleTypes + value: 2000 + - notExists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext + - it: drop podSecurityContext and securityContext completely for multi-cluster deployment + values: + - ../values-multi-cluster.yaml + set: + operator.podSecurityContext: + operator.securityContext: + asserts: + - notExists: + path: spec.template.spec.securityContext + - notExists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext + - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true for multi-cluster deployment + values: + - ../values-multi-cluster.yaml + set: + 
managedSecurityContext: true + asserts: + - notExists: + path: spec.template.spec.securityContext + - notExists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext + - it: custom values are properly set for multi-cluster deployment + values: + - ../values-multi-cluster.yaml + set: + operator.podSecurityContext.runAsNonRoot: false + operator.podSecurityContext.seccompProfile.type: RuntimeDefault + operator.securityContext.allowPrivilegeEscalation: false + operator.securityContext.capabilities.drop: [ ALL ] + asserts: + - exists: + path: spec.template.spec.securityContext + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: false + - equal: + path: spec.template.spec.securityContext.seccompProfile.type + # noinspection YAMLIncompatibleTypes + value: RuntimeDefault + - equal: + path: spec.template.spec.securityContext.runAsUser + # noinspection YAMLIncompatibleTypes + value: 2000 + - exists: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext + - equal: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.capabilities.drop + value: [ ALL ] diff --git a/charts/mongodb-kubernetes/tests/schemas/chart_schema.yaml b/charts/mongodb-kubernetes/tests/schemas/chart_schema.yaml new file mode 100644 index 00000000..e3cd46a8 --- /dev/null +++ b/charts/mongodb-kubernetes/tests/schemas/chart_schema.yaml 
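Review bot: The two multi-cluster cases write `capabilities.drop: [ ALL ]` while the single-cluster cases earlier in the suite use `[ALL]`; the lintconf.yaml added in this same commit sets `brackets: max-spaces-inside: 0`, so if that configuration is ever applied to the tests directory those two lines would fail it, and they should read `operator.securityContext.capabilities.drop: [ALL]` and `value: [ALL]` to match the rest of the file. The repeated `# noinspection YAMLIncompatibleTypes` lines are IDE directives rather than documentation; a single comment at the top of the suite explaining that the `equal` assertions compare against the rendered (typed) values would serve readers better. The suite is complete within this hunk.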
@@ -0,0 +1,37 @@ +name: str() +home: str(required=False) +version: str() +apiVersion: str() +appVersion: any(str(), num(), required=False) +description: str(required=False) +keywords: list(str(), required=False) +sources: list(str(), required=False) +maintainers: list(include('maintainer'), required=False) +dependencies: list(include('dependency'), required=False) +icon: str(required=False) +engine: str(required=False) +condition: str(required=False) +tags: str(required=False) +deprecated: bool(required=False) +kubeVersion: str(required=False) +annotations: map(str(), str(), required=False) +type: str(required=False) +--- +maintainer: + name: str() + email: str(required=False) + url: str(required=False) +--- +dependency: + name: str() + version: str() + repository: str(required=False) + condition: str(required=False) + tags: list(str(), required=False) + enabled: bool(required=False) + import-values: list(any(str(), include('import-value')), required=False) + alias: str(required=False) +--- +import-value: + child: str() + parent: str() diff --git a/charts/mongodb-kubernetes/tests/schemas/lintconf.yaml b/charts/mongodb-kubernetes/tests/schemas/lintconf.yaml new file mode 100644 index 00000000..90f48c88 --- /dev/null +++ b/charts/mongodb-kubernetes/tests/schemas/lintconf.yaml 
@@ -0,0 +1,42 @@ +--- +rules: + braces: + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: -1 + max-spaces-inside-empty: -1 + brackets: + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: -1 + max-spaces-inside-empty: -1 + colons: + max-spaces-before: 0 + max-spaces-after: 1 + commas: + max-spaces-before: 0 + min-spaces-after: 1 + max-spaces-after: 1 + comments: + require-starting-space: true + min-spaces-from-content: 2 + document-end: disable + document-start: disable # No --- to start a file + empty-lines: + max: 2 + max-start: 0 + max-end: 0 + hyphens: + max-spaces-after: 1 + indentation: + spaces: consistent + indent-sequences: whatever # - list indentation will handle both indentation and without + check-multi-line-strings: false + key-duplicates: enable + line-length: disable # Lines can be any length + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + level: warning diff --git a/charts/mongodb-kubernetes/values-openshift.yaml b/charts/mongodb-kubernetes/values-openshift.yaml index ffb34f01..ffee6a7a 100644 --- a/charts/mongodb-kubernetes/values-openshift.yaml +++ b/charts/mongodb-kubernetes/values-openshift.yaml @@ -51,6 +51,7 @@ relatedImages: - 8.0.12 - 8.0.13 - 8.0.14 + - 8.0.15 mongodb: - 4.4.0-ubi8 - 4.4.1-ubi8 @@ -111,6 +112,7 @@ relatedImages: - 108.0.11.8830-1 - 108.0.12.8846-1 - 108.0.13.8870-1 + - 108.0.15.8888-1 - 108.0.2.8729-1 - 108.0.3.8758-1 - 108.0.4.8770-1 diff --git a/charts/mongodb-kubernetes/values.yaml b/charts/mongodb-kubernetes/values.yaml index 6bd45756..02480a91 100644 --- a/charts/mongodb-kubernetes/values.yaml +++ b/charts/mongodb-kubernetes/values.yaml 
@@ -47,6 +47,12 @@ operator: cpu: 1100m memory: 1Gi + podSecurityContext: + runAsNonRoot: true + runAsUser: 2000 + + securityContext: {} + # Control how many reconciles can be performed in parallel. # It sets MaxConcurrentReconciles https://pkg.go.dev/github.com/kubernetes-sigs/controller-runtime/pkg/controller#Options). # Increasing the number of concurrent reconciles will decrease the time needed to reconcile all watched resources.
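Review bot: The new default `securityContext: {}` means the operator container is rendered with no container-level hardening at all, and the pod default carries no `seccompProfile`, so a default install does not satisfy the Pod Security Standards "restricted" profile even though the template now supports every field needed for it (the new security-context suite shows `allowPrivilegeEscalation`, `capabilities.drop` and `seccompProfile` all render correctly when set). A controller like this one should not need any Linux capabilities or privilege escalation, so the defaults below are the conservative choice; the "default values are properly set" tests assert `notExists` on the container securityContext and would need updating, and OpenShift installs are unaffected because `managedSecurityContext` suppresses both blocks. The values should also document that setting either key to null or `{}` omits the block entirely, since that is the behaviour the template now has.

```yaml
  # Pod-level security context. Set to null or {} to omit the block entirely
  # (for example when the platform injects its own); managedSecurityContext
  # also suppresses it.
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 2000
    seccompProfile:
      type: RuntimeDefault

  # Container-level security context for the operator container. The operator
  # needs no capabilities or privilege escalation; null or {} omits the block.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
```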