Add support for readOnlyRootFilesystem (fixes #1402) (#1403)

--------- Co-authored-by: Alexander Dejanovski <alex.dejanovski@datastax.com>
k8ssandra · Sep 12, 2024 · 69085ba · 69085ba
1 parent f9502fc
commit 69085ba
Show file tree

Hide file tree

Showing 11 changed files with 163 additions and 20 deletions.
diff --git a/CHANGELOG/CHANGELOG-1.20.md b/CHANGELOG/CHANGELOG-1.20.md
@@ -17,3 +17,4 @@ When cutting a new release, update the `unreleased` heading to the tag being gen
 
 * [BUGFIX] [#1399](https://github.com/k8ssandra/k8ssandra-operator/issues/1399) Fixed SecretSyncController to handle multiple namespaces
 * [FEATURE] [#1382](https://github.com/k8ssandra/k8ssandra-operator/issues/1382) Add service to expose DC nodes in the control plane
+* [FEATURE] [#1402](https://github.com/k8ssandra/k8ssandra-operator/issues/1402) Add support for readOnlyRootFilesystem
diff --git a/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go b/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go
@@ -445,6 +445,10 @@ type DatacenterOptions struct {
 	// Use cautiously.
 	// +optional
 	DatacenterName string `json:"datacenterName,omitempty"`
+
+	// ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+	// new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
 }
 
 // NetworkingConfig is a copy of cass-operator's NetworkingConfig struct. It is copied here to

diff --git a/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go b/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml b/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml
@@ -10671,6 +10671,11 @@ spec:
                             - name
                             type: object
                           type: array
+                        readOnlyRootFilesystem:
+                          description: |-
+                            ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                            new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                          type: boolean
                         resources:
                           description: Resources is the cpu and memory resources for
                             the cassandra container.
@@ -23112,6 +23117,11 @@ spec:
                       - name
                       type: object
                     type: array
+                  readOnlyRootFilesystem:
+                    description: |-
+                      ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                      new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                    type: boolean
                   resources:
                     description: Resources is the cpu and memory resources for the
                       cassandra container.

diff --git a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml
@@ -10609,6 +10609,11 @@ spec:
                             - name
                             type: object
                           type: array
+                        readOnlyRootFilesystem:
+                          description: |-
+                            ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                            new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                          type: boolean
                         resources:
                           description: Resources is the cpu and memory resources for
                             the cassandra container.
@@ -23050,6 +23055,11 @@ spec:
                       - name
                       type: object
                     type: array
+                  readOnlyRootFilesystem:
+                    description: |-
+                      ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                      new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                    type: boolean
                   resources:
                     description: Resources is the cpu and memory resources for the
                       cassandra container.

diff --git a/controllers/k8ssandra/k8ssandracluster_controller_test.go b/controllers/k8ssandra/k8ssandracluster_controller_test.go
@@ -158,6 +158,7 @@ func createSingleDcCluster(t *testing.T, ctx context.Context, f *framework.Frame
 							ManagementApiAuth: &cassdcapi.ManagementApiAuthConfig{
 								Insecure: &cassdcapi.ManagementApiAuthInsecureConfig{},
 							},
+							ReadOnlyRootFilesystem: ptr.To(true),
 						},
 					},
 				},
@@ -186,7 +187,7 @@ func createSingleDcCluster(t *testing.T, ctx context.Context, f *framework.Frame
 	require.NoError(err, "failed to get CassandraDatacenter")
 	require.True(dc.Spec.PodTemplateSpec.Spec.SecurityContext.RunAsUser != nil && *dc.Spec.PodTemplateSpec.Spec.SecurityContext.RunAsUser == 999, "pod security context was not properly set")
 	require.True(dc.Spec.ManagementApiAuth.Insecure != nil, "management api auth was not properly set")
-
+	require.True(*dc.Spec.ReadOnlyRootFilesystem, "read only root filesystem was not properly set")
 	lastTransitionTime := metav1.Now()
 
 	t.Log("update datacenter status to scaling up")