Don't run init container as root and avoid chmod and chowning (#524)

Author: sbernauer

CHANGELOG.md

@@ -8,9 +8,11 @@ All notable changes to this project will be documented in this file.
 
 - Updated stackable image versions ([#513]).
 - operator-rs: 0.26.0 -> 0.27.1 ([#519]).
+- Don't run init container as root and avoid chmod and chowning ([#524]).
 
 [#513]: https://github.com/stackabletech/kafka-operator/pull/513
 [#519]: https://github.com/stackabletech/kafka-operator/pull/519
+[#524]: https://github.com/stackabletech/kafka-operator/pull/524
 
 ## [0.8.0] - 2022-11-07
 

docs/modules/getting_started/examples/code/zookeeper.yaml

@@ -4,7 +4,9 @@ kind: ZookeeperCluster
 metadata:
   name: simple-zk
 spec:
-  version: 3.8.0-stackable0.8.0
+  image:
+    productVersion: 3.8.0
+    stackableVersion: 0.8.0
   servers:
     roleGroups:
       default:

examples/logging/simple-kafka-cluster-opa-log4j.yaml

@@ -4,7 +4,9 @@ kind: ZookeeperCluster
 metadata:
   name: simple-zk
 spec:
-  version: 3.8.0-stackable0.8.0
+  image:
+    productVersion: 3.8.0
+    stackableVersion: 0.8.0
   servers:
     roleGroups:
       default:

examples/opa/simple-kafka-cluster-opa-allow-all.yaml

@@ -4,7 +4,9 @@ kind: ZookeeperCluster
 metadata:
   name: simple-zk
 spec:
-  version: 3.8.0-stackable0.8.0
+  image:
+    productVersion: 3.8.0
+    stackableVersion: 0.8.0
   servers:
     roleGroups:
       default:

examples/tls/simple-kafka-cluster-tls.yaml

@@ -4,7 +4,9 @@ kind: ZookeeperCluster
 metadata:
   name: simple-zk
 spec:
-  version: 3.8.0-stackable0.8.0
+  image:
+    productVersion: 3.8.0
+    stackableVersion: 0.8.0
   servers:
     roleGroups:
       default:

rust/operator/src/command.rs

@@ -1,5 +1,5 @@
 use stackable_kafka_crd::{
-    KafkaCluster, CLIENT_PORT, SECURE_CLIENT_PORT, SSL_STORE_PASSWORD, STACKABLE_DATA_DIR,
+    KafkaCluster, CLIENT_PORT, SECURE_CLIENT_PORT, SSL_STORE_PASSWORD,
     STACKABLE_TLS_CLIENT_AUTH_DIR, STACKABLE_TLS_CLIENT_DIR, STACKABLE_TLS_INTERNAL_DIR,
     STACKABLE_TMP_DIR, SYSTEM_TRUST_STORE_DIR,
 };
@@ -12,28 +12,22 @@ pub fn prepare_container_cmd_args(kafka: &KafkaCluster) -> String {
             STACKABLE_TLS_CLIENT_AUTH_DIR,
             "stackable-tls-client-auth-ca-cert",
         ));
-        args.extend(chown_and_chmod(STACKABLE_TLS_CLIENT_AUTH_DIR));
     } else if kafka.client_tls_secret_class().is_some() {
         // Copy system truststore to stackable truststore
         args.push(format!("keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE_DIR} -srcstoretype jks -srcstorepass {SSL_STORE_PASSWORD} -destkeystore {STACKABLE_TLS_CLIENT_DIR}/truststore.p12 -deststoretype pkcs12 -deststorepass {SSL_STORE_PASSWORD} -noprompt"));
         args.extend(create_key_and_trust_store(
             STACKABLE_TLS_CLIENT_DIR,
             "stackable-tls-client-ca-cert",
         ));
-        args.extend(chown_and_chmod(STACKABLE_TLS_CLIENT_DIR));
     }
 
     if kafka.internal_tls_secret_class().is_some() {
         args.extend(create_key_and_trust_store(
             STACKABLE_TLS_INTERNAL_DIR,
             "stackable-tls-internal-ca-cert",
         ));
-        args.extend(chown_and_chmod(STACKABLE_TLS_INTERNAL_DIR));
     }
 
-    args.extend(chown_and_chmod(STACKABLE_DATA_DIR));
-    args.extend(chown_and_chmod(STACKABLE_TMP_DIR));
-
     args.join(" && ")
 }
 
@@ -98,15 +92,6 @@ fn create_key_and_trust_store(directory: &str, alias_name: &str) -> Vec<String>
     ]
 }
 
-/// Generates a shell script to chown and chmod the provided directory.
-fn chown_and_chmod(directory: &str) -> Vec<String> {
-    vec![
-        format!("echo chown and chmod {dir}", dir = directory),
-        format!("chown -R stackable:stackable {dir}", dir = directory),
-        format!("chmod -R a=,u=rwX {dir}", dir = directory),
-    ]
-}
-
 /// Extract the nodeport from the nodeport service
 fn get_node_port(directory: &str, port_name: &str) -> String {
     format!("kubectl get service \"$POD_NAME\" -o jsonpath='{{.spec.ports[?(@.name==\"{name}\")].nodePort}}' | tee {dir}/{name}_nodeport", dir = directory, name = port_name)

rust/operator/src/kafka_controller.rs

@@ -12,7 +12,7 @@ use stackable_kafka_crd::{
 use stackable_operator::{
     builder::{
         ConfigMapBuilder, ContainerBuilder, ObjectMetaBuilder, PodBuilder,
-        SecretOperatorVolumeSourceBuilder, SecurityContextBuilder, VolumeBuilder,
+        SecretOperatorVolumeSourceBuilder, VolumeBuilder,
     },
     cluster_resources::ClusterResources,
     commons::{
@@ -27,8 +27,8 @@ use stackable_operator::{
             core::v1::{
                 ConfigMap, ConfigMapKeySelector, ConfigMapVolumeSource, ContainerPort,
                 EmptyDirVolumeSource, EnvVar, EnvVarSource, ExecAction, ObjectFieldSelector,
-                PodSpec, Probe, ResourceRequirements, Service, ServiceAccount, ServicePort,
-                ServiceSpec, Volume,
+                PodSecurityContext, PodSpec, Probe, ResourceRequirements, Service, ServiceAccount,
+                ServicePort, ServiceSpec, Volume,
             },
             rbac::v1::{RoleBinding, RoleRef, Subject},
         },
@@ -694,8 +694,7 @@ fn build_broker_rolegroup_statefulset(
         ])
         .args(vec![command::prepare_container_cmd_args(kafka)])
         .add_volume_mount(LOG_DIRS_VOLUME_NAME, STACKABLE_DATA_DIR)
-        .add_volume_mount("tmp", STACKABLE_TMP_DIR)
-        .security_context(SecurityContextBuilder::run_as_root());
+        .add_volume_mount("tmp", STACKABLE_TMP_DIR);
 
     let resources = rolegroup_typed_config.resources.clone();
     let pvcs = resources.storage.build_pvcs();
@@ -858,6 +857,12 @@ fn build_broker_rolegroup_statefulset(
             empty_dir: Some(EmptyDirVolumeSource::default()),
             ..Volume::default()
         })
+        .security_context(PodSecurityContext {
+            run_as_user: Some(1000),
+            run_as_group: Some(1000),
+            fs_group: Some(1000),
+            ..PodSecurityContext::default()
+        })
         .build_template();
     let pod_template_spec = pod_template.spec.get_or_insert_with(PodSpec::default);
     // Don't run kcat pod as PID 1, to ensure that default signal handlers apply

tests/templates/kuttl/configuration/00-install-zk.yaml.j2

@@ -10,11 +10,12 @@ kind: ZookeeperCluster
 metadata:
   name: kafka-zk
 spec:
+  image:
+    productVersion: "{{ test_scenario['values']['zookeeper-latest'].split('-stackable')[0] }}"
+    stackableVersion: "{{ test_scenario['values']['zookeeper-latest'].split('-stackable')[1] }}"
   servers:
     roleGroups:
       default:
         replicas: 1
         config:
           myidOffset: 10
-  version: {{ test_scenario['values']['zookeeper-latest'] }}
-  stopped: false

tests/templates/kuttl/delete-rolegroup/00-install-zk.yaml.j2

@@ -10,8 +10,10 @@ kind: ZookeeperCluster
 metadata:
   name: kafka-zk
 spec:
+  image:
+    productVersion: "{{ test_scenario['values']['zookeeper-latest'].split('-stackable')[0] }}"
+    stackableVersion: "{{ test_scenario['values']['zookeeper-latest'].split('-stackable')[1] }}"
   servers:
     roleGroups:
       default:
         replicas: 1
-  version: {{ test_scenario['values']['zookeeper-latest'] }}

tests/templates/kuttl/smoke/00-install-zk.yaml.j2

@@ -10,11 +10,12 @@ kind: ZookeeperCluster
 metadata:
   name: kafka-zk
 spec:
+  image:
+    productVersion: "{{ test_scenario['values']['zookeeper'].split('-stackable')[0] }}"
+    stackableVersion: "{{ test_scenario['values']['zookeeper'].split('-stackable')[1] }}"
   servers:
     roleGroups:
       default:
         replicas: 1
         config:
           myidOffset: 10
-  version: {{ test_scenario['values']['zookeeper'] }}
-  stopped: false