
Commit 8c82124

authored
Prometheus Security Context (#973)
* Prometheus Security Context Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com> * Missing files Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
1 parent 0ae0338 commit 8c82124


5 files changed

+288
-3
lines changed


models/prometheus_configuration.go

Lines changed: 54 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

models/security_context.go

Lines changed: 139 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

operatorapi/embedded_spec.go

Lines changed: 60 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

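--- a/operatorapi/operator_tenants.go
+++ b/operatorapi/operator_tenants.go
@@ -395,11 +395,11 @@ func getTenantCreds(ctx context.Context, client K8sClientI, tenant *miniov2.Tena
 }
 
 func getTenant(ctx context.Context, operatorClient OperatorClientI, namespace, tenantName string) (*miniov2.Tenant, error) {
-minInst, err := operatorClient.TenantGet(ctx, namespace, tenantName, metav1.GetOptions{})
+tenant, err := operatorClient.TenantGet(ctx, namespace, tenantName, metav1.GetOptions{})
 if err != nil {
 return nil, err
 }
-return minInst, nil
+return tenant, nil
 }
 
 func isPrometheusEnabled(annotations map[string]string) bool {
@@ -1309,6 +1309,16 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 if prometheusImage != "" {
 minInst.Spec.Prometheus.Image = prometheusImage
 }
+// if security context for prometheus is present, configure it.
+if tenantReq.PrometheusConfiguration != nil && tenantReq.PrometheusConfiguration.SecurityContext != nil {
+sc := tenantReq.PrometheusConfiguration.SecurityContext
+minInst.Spec.Prometheus.SecurityContext = &corev1.PodSecurityContext{
+RunAsUser: sc.RunAsUser,
+RunAsGroup: sc.RunAsGroup,
+RunAsNonRoot: sc.RunAsNonRoot,
+FSGroup: sc.FsGroup,
+}
+}
 
 // expose services
 minInst.Spec.ExposeServices = &miniov2.ExposeServices{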
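Review bot: The added block in getTenantCreatedResponse copies `RunAsUser`, `RunAsGroup`, `RunAsNonRoot` and `FsGroup` from the request into the `PodSecurityContext` without checking that the values agree with each other. A request carrying `runAsNonRoot: true` together with `runAsUser: 0` is accepted here and would, as far as I can tell, only surface later as a Prometheus container that the kubelet refuses to start. A guard such as `if sc.RunAsNonRoot != nil && *sc.RunAsNonRoot && sc.RunAsUser != nil && *sc.RunAsUser == 0 { /* reject with a 400 */ }` before building the struct would catch this at request time. Since `runAsUser: 0` with `runAsNonRoot: false` makes the pod run as root, a short comment stating that this is intentionally left to the caller would also help; the function begins and ends outside the hunk, so the exact error return is not visible here.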

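--- a/swagger-operator.yml
+++ b/swagger-operator.yml
@@ -1317,6 +1317,9 @@ definitions:
 default: 5
 image:
 type: string
+securityContext:
+type: object
+$ref: '#/definitions/securityContext'
 idpConfiguration:
 type: object
 properties:
@@ -2263,3 +2266,23 @@ definitions:
 type: string
 force:
 type: boolean
+securityContext:
+type: object
+required:
+- runAsUser
+- runAsGroup
+- runAsNonRoot
+- fsGroup
+properties:
+runAsUser:
+type: integer
+format: int64
+runAsGroup:
+type: integer
+format: int64
+runAsNonRoot:
+type: boolean
+fsGroup:
+type: integer
+format: int64
+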
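Review bot: The integer properties in the new `securityContext` definition (`runAsUser`, `runAsGroup`, `fsGroup`) carry no lower bound, so a negative ID passes schema validation and is presumably rejected only when the tenant object reaches the Kubernetes API. Adding `minimum: 0` under each of the three would make the generated model reject it with a field-level error. In the first hunk, `type: object` sits next to `$ref: '#/definitions/securityContext'`; if this is a Swagger 2.0 document, siblings of `$ref` are ignored, so the `type` line can be dropped. A `description:` on the definition saying that `runAsUser: 0` runs Prometheus as root would document the security-relevant choice for API consumers.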
