From 6fdb3a9690d7b87ec2e44e9d0434c2922a0b44ad Mon Sep 17 00:00:00 2001
From: Olivier Michallat
Date: Tue, 10 Sep 2024 10:38:38 -0700
Subject: [PATCH] Add support for readOnlyRootFilesystem (fixes #1402)

---
 CHANGELOG/CHANGELOG-1.20.md | 1 +
 .../v1alpha1/k8ssandracluster_types.go | 4 +++
 .../v1alpha1/zz_generated.deepcopy.go | 5 +++
 .../crds/k8ssandra-operator-crds.yaml | 10 ++++++
 .../bases/k8ssandra.io_k8ssandraclusters.yaml | 10 ++++++
 pkg/cassandra/datacenter.go | 35 ++++++++++---------
 6 files changed, 49 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG/CHANGELOG-1.20.md b/CHANGELOG/CHANGELOG-1.20.md
index 5b66a43cf..f7cf1ba98 100644
--- a/CHANGELOG/CHANGELOG-1.20.md
+++ b/CHANGELOG/CHANGELOG-1.20.md
@@ -16,3 +16,4 @@ When cutting a new release, update the `unreleased` heading to the tag being gen
 
 ## unreleased
 * [BUGFIX] [#1399](https://github.com/k8ssandra/k8ssandra-operator/issues/1399) Fixed SecretSyncController to handle multiple namespaces
+* [FEATURE] [#1402](https://github.com/k8ssandra/k8ssandra-operator/issues/1402) Add support for readOnlyRootFilesystem
\ No newline at end of file
diff --git a/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go b/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go
index f0a874420..b4d3203c3 100644
--- a/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go
+++ b/apis/k8ssandra/v1alpha1/k8ssandracluster_types.go
@@ -445,6 +445,10 @@ type DatacenterOptions struct {
 // Use cautiously.
 // +optional
 DatacenterName string `json:"datacenterName,omitempty"`
+
+ // ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+ // new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+ ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
 }
 
 // NetworkingConfig is a copy of cass-operator's NetworkingConfig struct. It is copied here to 
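Review bot: The new `ReadOnlyRootFilesystem` field in `DatacenterOptions` lacks the `// +optional` kubebuilder marker that its sibling `DatacenterName` carries a few lines above; `omitempty` makes it optional in practice, but the marker keeps the generated CRD schema consistent with the rest of the struct, so add `// +optional` on the line before `ReadOnlyRootFilesystem *bool ...`. The doc comment says the option is "only functional" with the new config builder but not what happens when it is set on an older server version — whether the hardening flag is silently ignored or the container fails because it cannot write its configuration is not visible in this diff, and a user enabling a security control needs to know which. If the operator performs no check, a sentence such as `// The operator does not validate this against the server version; on unsupported versions the setting is passed through to cass-operator unchanged.` would make that explicit. The DatacenterOptions struct continues outside the hunk.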
diff --git a/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go b/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go index 46432e01b..697e8fd93 100644 --- a/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go +++ b/apis/k8ssandra/v1alpha1/zz_generated.deepcopy.go @@ -289,6 +289,11 @@ func (in *DatacenterOptions) DeepCopyInto(out *DatacenterOptions) { *out = new(v1beta1.ManagementApiAuthConfig) (*in).DeepCopyInto(*out) } + if in.ReadOnlyRootFilesystem != nil { + in, out := &in.ReadOnlyRootFilesystem, &out.ReadOnlyRootFilesystem + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DatacenterOptions. diff --git a/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml b/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml index 6295111fe..244e42f65 100644 --- a/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml +++ b/charts/k8ssandra-operator/crds/k8ssandra-operator-crds.yaml @@ -10671,6 +10671,11 @@ spec: - name type: object type: array + readOnlyRootFilesystem: + description: |- + ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the + new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD) + type: boolean resources: description: Resources is the cpu and memory resources for the cassandra container. @@ -23112,6 +23117,11 @@ spec: - name type: object type: array + readOnlyRootFilesystem: + description: |- + ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the + new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD) + type: boolean resources: description: Resources is the cpu and memory resources for the cassandra container. diff --git a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml index 74c93c120..49a466754 100644 
--- a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml +++ b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml @@ -10609,6 +10609,11 @@ spec: - name type: object type: array + readOnlyRootFilesystem: + description: |- + ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the + new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD) + type: boolean resources: description: Resources is the cpu and memory resources for the cassandra container. @@ -23050,6 +23055,11 @@ spec: - name type: object type: array + readOnlyRootFilesystem: + description: |- + ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the + new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD) + type: boolean resources: description: Resources is the cpu and memory resources for the cassandra container. diff --git a/pkg/cassandra/datacenter.go b/pkg/cassandra/datacenter.go index 660b6e644..2014b57bb 100644 --- a/pkg/cassandra/datacenter.go +++ b/pkg/cassandra/datacenter.go @@ -114,6 +114,7 @@ type DatacenterConfig struct { ExternalSecrets bool McacEnabled bool DatacenterName string + ReadOnlyRootFilesystem *bool // InitialTokensByPodName is a list of initial tokens for the RF first pods in the cluster. It // is only populated when num_tokens < 16 in the whole cluster. Used for generating default 
@@ -165,22 +166,23 @@ func NewDatacenter(klusterKey types.NamespacedName, template *DatacenterConfig)
 }, labels.CleanedUpByLabels(klusterKey)),
 },
 Spec: cassdcapi.CassandraDatacenterSpec{
- Size: template.Size,
- Stopped: template.Stopped,
- ServerVersion: template.ServerVersion.String(),
- ServerImage: template.ServerImage,
- ServerType: string(template.ServerType),
- Config: rawConfig,
- Racks: template.Racks,
- StorageConfig: *template.StorageConfig,
- ClusterName: template.Cluster,
- SuperuserSecretName: superUserSecretName,
- Users: template.Users,
- Networking: template.Networking,
- PodTemplateSpec: &template.PodTemplateSpec,
- CDC: template.CDC,
- DseWorkloads: template.DseWorkloads,
- ServiceAccountName: template.ServiceAccount,
+ Size: template.Size,
+ Stopped: template.Stopped,
+ ServerVersion: template.ServerVersion.String(),
+ ServerImage: template.ServerImage,
+ ServerType: string(template.ServerType),
+ Config: rawConfig,
+ Racks: template.Racks,
+ StorageConfig: *template.StorageConfig,
+ ClusterName: template.Cluster,
+ SuperuserSecretName: superUserSecretName,
+ Users: template.Users,
+ Networking: template.Networking,
+ PodTemplateSpec: &template.PodTemplateSpec,
+ CDC: template.CDC,
+ DseWorkloads: template.DseWorkloads,
+ ServiceAccountName: template.ServiceAccount,
+ ReadOnlyRootFilesystem: template.ReadOnlyRootFilesystem,
 },
 }
 
@@ -365,6 +367,7 @@ func Coalesce(clusterName string, clusterTemplate *api.CassandraClusterTemplate,
 dcConfig.PodTemplateSpec.Spec.SecurityContext = mergedOptions.PodSecurityContext
 dcConfig.PerNodeInitContainerImage = mergedOptions.PerNodeConfigInitContainerImage
 dcConfig.ServiceAccount = mergedOptions.ServiceAccount
+ dcConfig.ReadOnlyRootFilesystem = mergedOptions.ReadOnlyRootFilesystem
 dcConfig.Meta.Tags = goalesceutils.MergeCRs(clusterTemplate.Meta.Tags, dcTemplate.Meta.Tags)
 dcConfig.Meta.CommonLabels = goalesceutils.MergeCRs(clusterTemplate.Meta.CommonLabels, dcTemplate.Meta.CommonLabels)
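Review bot: `ReadOnlyRootFilesystem: template.ReadOnlyRootFilesystem` forwards the value into the CassandraDatacenterSpec unconditionally, although the API doc added in the same patch says the option is only functional with the new config builder (Cassandra 4.1 and newer, HCD); nothing in this hunk consults `template.ServerType` or `template.ServerVersion` before forwarding, so enabling it on an older datacenter yields either a silently ineffective hardening setting or a pod that cannot write its configuration — which one depends on cass-operator and is not visible here. Consider rejecting the unsupported combination where the server version is already inspected, or at least documenting the pass-through on the new `DatacenterConfig.ReadOnlyRootFilesystem` field, e.g. `// ReadOnlyRootFilesystem is copied verbatim into the CassandraDatacenterSpec; no server-version check is performed here.` The diffstat lists no `_test.go` change, so the propagation through `Coalesce` (the second hunk, which is cut off at the end of this chunk) and `NewDatacenter` is not covered by a test. NewDatacenter's body starts before and ends after this hunk.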