Add support for readOnlyRootFilesystem (fixes #1402)

k8ssandra · Sep 10, 2024 · 6fdb3a9 · 6fdb3a9
1 parent 08585c3
commit 6fdb3a9
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 16 deletions.
diff --git a/CHANGELOG/CHANGELOG-1.20.md b/CHANGELOG/CHANGELOG-1.20.md
@@ -16,3 +16,4 @@ When cutting a new release, update the `unreleased` heading to the tag being gen
 ## unreleased
 
 * [BUGFIX] [#1399](https://github.com/k8ssandra/k8ssandra-operator/issues/1399) Fixed SecretSyncController to handle multiple namespaces
+* [FEATURE] [#1402](https://github.com/k8ssandra/k8ssandra-operator/issues/1402) Add support for readOnlyRootFilesystem
diff --git a/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go b/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go
@@ -445,6 +445,10 @@ type DatacenterOptions struct {
 	// Use cautiously.
 	// +optional
 	DatacenterName string `json:"datacenterName,omitempty"`
+
+	// ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+	// new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
 }
 
 // NetworkingConfig is a copy of cass-operator's NetworkingConfig struct. It is copied here to

diff --git a/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go b/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml b/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml
@@ -10671,6 +10671,11 @@ spec:
                             - name
                             type: object
                           type: array
+                        readOnlyRootFilesystem:
+                          description: |-
+                            ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                            new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                          type: boolean
                         resources:
                           description: Resources is the cpu and memory resources for
                             the cassandra container.
@@ -23112,6 +23117,11 @@ spec:
                       - name
                       type: object
                     type: array
+                  readOnlyRootFilesystem:
+                    description: |-
+                      ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                      new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                    type: boolean
                   resources:
                     description: Resources is the cpu and memory resources for the
                       cassandra container.

diff --git a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml
@@ -10609,6 +10609,11 @@ spec:
                             - name
                             type: object
                           type: array
+                        readOnlyRootFilesystem:
+                          description: |-
+                            ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                            new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                          type: boolean
                         resources:
                           description: Resources is the cpu and memory resources for
                             the cassandra container.
@@ -23050,6 +23055,11 @@ spec:
                       - name
                       type: object
                     type: array
+                  readOnlyRootFilesystem:
+                    description: |-
+                      ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                      new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                    type: boolean
                   resources:
                     description: Resources is the cpu and memory resources for the
                       cassandra container.

diff --git a/pkg/cassandra/datacenter.go b/pkg/cassandra/datacenter.go
@@ -114,6 +114,7 @@ type DatacenterConfig struct {
 	ExternalSecrets           bool
 	McacEnabled               bool
 	DatacenterName            string
+	ReadOnlyRootFilesystem    *bool
 
 	// InitialTokensByPodName is a list of initial tokens for the RF first pods in the cluster. It
 	// is only populated when num_tokens < 16 in the whole cluster. Used for generating default
@@ -165,22 +166,23 @@ func NewDatacenter(klusterKey types.NamespacedName, template *DatacenterConfig)
 			}, labels.CleanedUpByLabels(klusterKey)),
 		},
 		Spec: cassdcapi.CassandraDatacenterSpec{
-			Size:                template.Size,
-			Stopped:             template.Stopped,
-			ServerVersion:       template.ServerVersion.String(),
-			ServerImage:         template.ServerImage,
-			ServerType:          string(template.ServerType),
-			Config:              rawConfig,
-			Racks:               template.Racks,
-			StorageConfig:       *template.StorageConfig,
-			ClusterName:         template.Cluster,
-			SuperuserSecretName: superUserSecretName,
-			Users:               template.Users,
-			Networking:          template.Networking,
-			PodTemplateSpec:     &template.PodTemplateSpec,
-			CDC:                 template.CDC,
-			DseWorkloads:        template.DseWorkloads,
-			ServiceAccountName:  template.ServiceAccount,
+			Size:                   template.Size,
+			Stopped:                template.Stopped,
+			ServerVersion:          template.ServerVersion.String(),
+			ServerImage:            template.ServerImage,
+			ServerType:             string(template.ServerType),
+			Config:                 rawConfig,
+			Racks:                  template.Racks,
+			StorageConfig:          *template.StorageConfig,
+			ClusterName:            template.Cluster,
+			SuperuserSecretName:    superUserSecretName,
+			Users:                  template.Users,
+			Networking:             template.Networking,
+			PodTemplateSpec:        &template.PodTemplateSpec,
+			CDC:                    template.CDC,
+			DseWorkloads:           template.DseWorkloads,
+			ServiceAccountName:     template.ServiceAccount,
+			ReadOnlyRootFilesystem: template.ReadOnlyRootFilesystem,
 		},
 	}
 
@@ -365,6 +367,7 @@ func Coalesce(clusterName string, clusterTemplate *api.CassandraClusterTemplate,
 	dcConfig.PodTemplateSpec.Spec.SecurityContext = mergedOptions.PodSecurityContext
 	dcConfig.PerNodeInitContainerImage = mergedOptions.PerNodeConfigInitContainerImage
 	dcConfig.ServiceAccount = mergedOptions.ServiceAccount
+	dcConfig.ReadOnlyRootFilesystem = mergedOptions.ReadOnlyRootFilesystem
 
 	dcConfig.Meta.Tags = goalesceutils.MergeCRs(clusterTemplate.Meta.Tags, dcTemplate.Meta.Tags)
 	dcConfig.Meta.CommonLabels = goalesceutils.MergeCRs(clusterTemplate.Meta.CommonLabels, dcTemplate.Meta.CommonLabels)