Prepare for release v0.38.0-rc.1 (#738)

ProductLine: KubeDB

Release: v2023.12.1-rc.1

Release-tracker: kubedb/CHANGELOG#76

Signed-off-by: 1gtm <[email protected]>

go.mod

@@ -28,7 +28,7 @@ require (
 	kmodules.xyz/client-go v0.25.43
 	kmodules.xyz/custom-resources v0.25.2
 	kmodules.xyz/monitoring-agent-api v0.25.6
-	kubedb.dev/apimachinery v0.38.0-rc.0
+	kubedb.dev/apimachinery v0.38.0-rc.1
 	kubedb.dev/db-client-go v0.0.8-0.20230818101900-6ddd035705ef
 	sigs.k8s.io/controller-runtime v0.13.1
 	sigs.k8s.io/yaml v1.3.0
@@ -143,7 +143,7 @@ require (
 	kmodules.xyz/offshoot-api v0.25.5 // indirect
 	kmodules.xyz/prober v0.25.0 // indirect
 	kubeops.dev/sidekick v0.0.3 // indirect
-	kubestash.dev/apimachinery v0.2.0-rc.1 // indirect
+	kubestash.dev/apimachinery v0.2.0 // indirect
 	sigs.k8s.io/gateway-api v0.4.3 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.12.1 // indirect

go.sum

@@ -1413,14 +1413,14 @@ kmodules.xyz/offshoot-api v0.25.5 h1:erUtTDj9iljikd9CvrCz0E32P5mgEqq1NYxy06lxrNo
 kmodules.xyz/offshoot-api v0.25.5/go.mod h1:wotLtcXWHw6KrWX6Ry2EsHn2I2QTvyLX7gXAuwBjkFc=
 kmodules.xyz/prober v0.25.0 h1:R5uRLHJEvEtEoogj+vaTAob0Btph6+PX5IlS6hPh8PA=
 kmodules.xyz/prober v0.25.0/go.mod h1:z4RTnjaajNQa/vPltsiOnO3xI716I/ziD2ac2Exm+1M=
-kubedb.dev/apimachinery v0.38.0-rc.0 h1:6rUuZn15tcUmersxJdw4dLDLdmcVeceMd4JSgw1xYuk=
-kubedb.dev/apimachinery v0.38.0-rc.0/go.mod h1:lenDiWAjCEVTHUFu4PR1f024tNErhaS0y6za1iBCY6Y=
+kubedb.dev/apimachinery v0.38.0-rc.1 h1:EkqgCtr6JA9AIlhUSHBmxN04AnjEEYWcaxUtP3JjVL0=
+kubedb.dev/apimachinery v0.38.0-rc.1/go.mod h1:cIralklbh1plpXPLCMweCATKzQV/YwX6RRzroiMCKGE=
 kubedb.dev/db-client-go v0.0.8-0.20230818101900-6ddd035705ef h1:1efGdivo8V46zH0umhrmSbJ1eBwqZcqQ6kMcKHe5+d0=
 kubedb.dev/db-client-go v0.0.8-0.20230818101900-6ddd035705ef/go.mod h1:rjVBtbrycRJg1SAa/YMNmQerbhTt+4CXW737rNG6wAM=
 kubeops.dev/sidekick v0.0.3 h1:xkIcgnOgBAblhDbsIWIJOIhAGZLzWieqPpm1VhGHTlU=
 kubeops.dev/sidekick v0.0.3/go.mod h1:h/f0nIKdRX/jrE7CbN0drhBBbEpFcAYViyVNE8dbDYM=
-kubestash.dev/apimachinery v0.2.0-rc.1 h1:K4Gmtw6cSQngFQMcBjnwOuqgKaRGXk9z9zR4bVLanpU=
-kubestash.dev/apimachinery v0.2.0-rc.1/go.mod h1:vlT+qYeOTh5GjzdKw9qhJlXxS+PvvVZivm+l7y+OUIs=
+kubestash.dev/apimachinery v0.2.0 h1:xu6Um9Z0gFgMbKzUHIJAsvh+izJ6Nl4LJPyK4SUnntE=
+kubestash.dev/apimachinery v0.2.0/go.mod h1:ouqYby7/IIHRJgadPc++tzh3vxtjIgk1pDzU0YRCCw4=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/etcd_version_types.go

@@ -64,6 +64,9 @@ type EtcdVersionSpec struct {
 	Stash appcat.StashAddonSpec `json:"stash,omitempty"`
 	// +optional
 	GitSyncer GitSyncer `json:"gitSyncer,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // EtcdVersionDatabase is the Etcd Database image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/kafka_version_types.go

@@ -67,6 +67,9 @@ type KafkaVersionSpec struct {
 	Stash appcat.StashAddonSpec `json:"stash,omitempty"`
 	// update constraints
 	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // KafkaVersionDatabase is the Kafka Database image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/mariadb_version_types.go

@@ -73,6 +73,9 @@ type MariaDBVersionSpec struct {
 	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 	// +optional
 	GitSyncer GitSyncer `json:"gitSyncer,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // MariaDBVersionDatabase is the mariadb image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/memcached_version_types.go

@@ -58,6 +58,9 @@ type MemcachedVersionSpec struct {
 	Deprecated bool `json:"deprecated,omitempty"`
 	// PSP names
 	PodSecurityPolicies MemcachedVersionPodSecurityPolicy `json:"podSecurityPolicies"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // MemcachedVersionDatabase is the Memcached Database image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/mongodb_version_types.go

@@ -75,6 +75,9 @@ type MongoDBVersionSpec struct {
 	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 	// +optional
 	GitSyncer GitSyncer `json:"gitSyncer,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 	// Archiver defines the walg & stash-addon related specifications
 	Archiver ArchiverSpec `json:"archiver,omitempty"`
 }

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/mysql_version_types.go

@@ -84,6 +84,9 @@ type MySQLVersionSpec struct {
 	RouterInitContainer MySQLVersionRouterInitContainer `json:"routerInitContainer,omitempty"`
 	// +optional
 	GitSyncer GitSyncer `json:"gitSyncer,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // MySQLVersionDatabase is the MySQL Database image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/perconaxtradb_version_types.go

@@ -73,6 +73,9 @@ type PerconaXtraDBVersionSpec struct {
 	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 	// +optional
 	GitSyncer GitSyncer `json:"gitSyncer,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // PerconaXtraDBVersionDatabase is the perconaxtradb image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/proxysql_version_types.go

@@ -59,6 +59,9 @@ type ProxySQLVersionSpec struct {
 	PodSecurityPolicies ProxySQLVersionPodSecurityPolicy `json:"podSecurityPolicies"`
 	// update constraints
 	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // ProxySQLVersionProxysql is the proxysql image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/redis_version_types.go

@@ -72,6 +72,9 @@ type RedisVersionSpec struct {
 	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 	// +optional
 	GitSyncer GitSyncer `json:"gitSyncer,omitempty"`
+	// SecurityContext is for the additional config for the DB container
+	// +optional
+	SecurityContext SecurityContext `json:"securityContext"`
 }
 
 // RedisVersionInitContainer is the Redis init container image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/types.go

@@ -71,3 +71,8 @@ type ManifestRestore struct {
 type GitSyncer struct {
 	Image string `json:"image"`
 }
+
+// SecurityContext is for the additional config for the DB container
+type SecurityContext struct {
+	RunAsUser *int64 `json:"runAsUser,omitempty"`
+}

vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/elasticsearch_helpers.go

@@ -386,17 +386,23 @@ func (e Elasticsearch) StatsServiceLabels() map[string]string {
 	return e.ServiceLabels(StatsServiceAlias, map[string]string{LabelRole: RoleStats})
 }
 
-func (e Elasticsearch) setContainerSecurityContextDefaults(podTemplate *ofst.PodTemplateSpec) {
+func (e Elasticsearch) setContainerSecurityContextDefaults(esVersion *catalog.ElasticsearchVersion, podTemplate *ofst.PodTemplateSpec) {
 	if podTemplate == nil {
 		return
 	}
 	if podTemplate.Spec.ContainerSecurityContext == nil {
 		podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
 	}
-	e.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+	if podTemplate.Spec.SecurityContext == nil {
+		podTemplate.Spec.SecurityContext = &core.PodSecurityContext{}
+	}
+	if podTemplate.Spec.SecurityContext.FSGroup == nil {
+		podTemplate.Spec.SecurityContext.FSGroup = esVersion.Spec.SecurityContext.RunAsUser
+	}
+	e.assignDefaultContainerSecurityContext(esVersion, podTemplate.Spec.ContainerSecurityContext)
 }
 
-func (e Elasticsearch) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+func (e Elasticsearch) assignDefaultContainerSecurityContext(esVersion *catalog.ElasticsearchVersion, sc *core.SecurityContext) {
 	if sc.AllowPrivilegeEscalation == nil {
 		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
 	}
@@ -409,7 +415,10 @@ func (e Elasticsearch) assignDefaultContainerSecurityContext(sc *core.SecurityCo
 		sc.RunAsNonRoot = pointer.BoolP(true)
 	}
 	if sc.RunAsUser == nil {
-		sc.RunAsUser = pointer.Int64P(1000)
+		sc.RunAsUser = esVersion.Spec.SecurityContext.RunAsUser
+	}
+	if sc.RunAsGroup == nil {
+		sc.RunAsGroup = esVersion.Spec.SecurityContext.RunAsUser
 	}
 	if sc.SeccompProfile == nil {
 		sc.SeccompProfile = secomp.DefaultSeccompProfile()
@@ -621,16 +630,16 @@ func (e *Elasticsearch) SetDefaults(esVersion *catalog.ElasticsearchVersion, top
 	}
 
 	e.setDefaultAffinity(&e.Spec.PodTemplate, e.OffshootSelectors(), topology)
-	e.setContainerSecurityContextDefaults(&e.Spec.PodTemplate)
+	e.setContainerSecurityContextDefaults(esVersion, &e.Spec.PodTemplate)
 	e.setDefaultInternalUsersAndRoleMappings(esVersion)
-	e.SetMetricsExporterDefaults()
+	e.SetMetricsExporterDefaults(esVersion)
 	e.SetTLSDefaults(esVersion)
 }
 
-func (e *Elasticsearch) SetMetricsExporterDefaults() {
+func (e *Elasticsearch) SetMetricsExporterDefaults(esVersion *catalog.ElasticsearchVersion) {
 	e.Spec.Monitor.SetDefaults()
 	if e.Spec.Monitor != nil && e.Spec.Monitor.Prometheus != nil && e.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
-		e.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(1000)
+		e.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = esVersion.Spec.SecurityContext.RunAsUser
 	}
 }
 

vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/kafka_helpers.go

@@ -17,18 +17,22 @@ limitations under the License.
 package v1alpha2
 
 import (
+	"context"
 	"fmt"
 	"path/filepath"
 	"strings"
 
 	"kubedb.dev/apimachinery/apis"
+	catalog "kubedb.dev/apimachinery/apis/catalog/v1alpha1"
 	"kubedb.dev/apimachinery/apis/kubedb"
 	"kubedb.dev/apimachinery/crds"
 
 	promapi "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"gomodules.xyz/pointer"
 	core "k8s.io/api/core/v1"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
 	kmapi "kmodules.xyz/client-go/api/v1"
 	"kmodules.xyz/client-go/apiextensions"
 	meta_util "kmodules.xyz/client-go/meta"
@@ -316,14 +320,21 @@ func (k *Kafka) SetDefaults() {
 		}
 	}
 
-	k.setDefaultContainerSecurityContext(&k.Spec.PodTemplate)
+	var kfVersion catalog.KafkaVersion
+	err := DefaultClient.Get(context.TODO(), types.NamespacedName{Name: k.Spec.Version}, &kfVersion)
+	if err != nil {
+		klog.Errorf("can't get the kafka version object %s for %s \n", err.Error(), k.Spec.Version)
+		return
+	}
+
+	k.setDefaultContainerSecurityContext(&kfVersion, &k.Spec.PodTemplate)
 	if k.Spec.CruiseControl != nil {
-		k.setDefaultContainerSecurityContext(&k.Spec.CruiseControl.PodTemplate)
+		k.setDefaultContainerSecurityContext(&kfVersion, &k.Spec.CruiseControl.PodTemplate)
 	}
+
 	k.Spec.Monitor.SetDefaults()
-	// If prometheus enabled, & RunAsUser not set. set the default 1001
 	if k.Spec.Monitor != nil && k.Spec.Monitor.Prometheus != nil && k.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
-		k.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(1001)
+		k.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = kfVersion.Spec.SecurityContext.RunAsUser
 	}
 
 	if k.Spec.EnableSSL {
@@ -332,17 +343,23 @@ func (k *Kafka) SetDefaults() {
 	k.SetHealthCheckerDefaults()
 }
 
-func (k *Kafka) setDefaultContainerSecurityContext(podTemplate *ofst.PodTemplateSpec) {
+func (k *Kafka) setDefaultContainerSecurityContext(kfVersion *catalog.KafkaVersion, podTemplate *ofst.PodTemplateSpec) {
 	if podTemplate == nil {
 		return
 	}
 	if podTemplate.Spec.ContainerSecurityContext == nil {
 		podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
 	}
-	k.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+	if podTemplate.Spec.SecurityContext == nil {
+		podTemplate.Spec.SecurityContext = &core.PodSecurityContext{}
+	}
+	if podTemplate.Spec.SecurityContext.FSGroup == nil {
+		podTemplate.Spec.SecurityContext.FSGroup = kfVersion.Spec.SecurityContext.RunAsUser
+	}
+	k.assignDefaultContainerSecurityContext(kfVersion, podTemplate.Spec.ContainerSecurityContext)
 }
 
-func (k *Kafka) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+func (k *Kafka) assignDefaultContainerSecurityContext(kfVersion *catalog.KafkaVersion, sc *core.SecurityContext) {
 	if sc.AllowPrivilegeEscalation == nil {
 		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
 	}
@@ -355,7 +372,10 @@ func (k *Kafka) assignDefaultContainerSecurityContext(sc *core.SecurityContext)
 		sc.RunAsNonRoot = pointer.BoolP(true)
 	}
 	if sc.RunAsUser == nil {
-		sc.RunAsUser = pointer.Int64P(1001)
+		sc.RunAsUser = kfVersion.Spec.SecurityContext.RunAsUser
+	}
+	if sc.RunAsGroup == nil {
+		sc.RunAsGroup = kfVersion.Spec.SecurityContext.RunAsUser
 	}
 	if sc.SeccompProfile == nil {
 		sc.SeccompProfile = secomp.DefaultSeccompProfile()