Release MCK 1.6.0-rc

charts/mongodb-kubernetes/crds/mongodbcommunity.mongodb.com_mongodbcommunity.yaml

@@ -240,6 +240,9 @@ spec:
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
                 type: object
+              clusterDomain:
+                format: hostname
+                type: string
               featureCompatibilityVersion:
                 description: |-
                   FeatureCompatibilityVersion configures the feature compatibility version that will

charts/mongodb-kubernetes/templates/operator.yaml

@@ -32,11 +32,10 @@ spec:
 {{- end }}
     spec:
       serviceAccountName: {{ .Values.operator.name }}
-{{- if not .Values.managedSecurityContext }}
+      {{- if and (not .Values.managedSecurityContext) .Values.operator.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
-{{- end }}
+        {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
+      {{- end }}
 {{- if .Values.registry.imagePullSecrets}}
       imagePullSecrets:
         - name: {{ .Values.registry.imagePullSecrets }}
@@ -74,6 +73,10 @@ spec:
             requests:
               cpu: {{ .Values.operator.resources.requests.cpu }}
               memory: {{ .Values.operator.resources.requests.memory }}
+          {{- if and (not .Values.managedSecurityContext) .Values.operator.securityContext }}
+          securityContext:
+            {{- toYaml .Values.operator.securityContext | nindent 12 }}
+          {{- end }}
           env:
             - name: OPERATOR_ENV
               value: {{ .Values.operator.env }}
@@ -169,21 +172,21 @@ spec:
             - name: {{ $initDatabaseImageRepositoryEnv }}
               value: {{ .Values.registry.initDatabase }}/{{ .Values.initDatabase.name }}
             - name: INIT_DATABASE_VERSION
-              value: {{ $initDatabaseVersion }}
+              value: {{ $initDatabaseVersion | quote }}
             - name: DATABASE_VERSION
-              value: {{ $databaseVersion }}
+              value: {{ $databaseVersion | quote }}
             # Ops Manager
             - name: {{ $opsManagerImageRepositoryEnv }}
               value: {{ .Values.registry.opsManager }}/{{ .Values.opsManager.name }}
             - name: {{ $initOpsManagerImageRepositoryEnv }}
               value: {{ .Values.registry.initOpsManager }}/{{ .Values.initOpsManager.name }}
             - name: INIT_OPS_MANAGER_VERSION
-              value: {{ $initOpsManagerVersion }}
+              value: {{ $initOpsManagerVersion | quote }}
             # AppDB
             - name: {{ $initAppDbImageRepositoryEnv }}
               value: {{ .Values.registry.initAppDb }}/{{ .Values.initAppDb.name }}
             - name: INIT_APPDB_VERSION
-              value: {{ $initAppDbVersion }}
+              value: {{ $initAppDbVersion | quote }}
             - name: OPS_MANAGER_IMAGE_PULL_POLICY
               value: {{ .Values.registry.pullPolicy }}
             - name: {{ $agentImageEnv }}
@@ -257,7 +260,7 @@ spec:
             - name: RELATED_IMAGE_{{ $opsManagerImageRepositoryEnv }}_{{ $version | replace "." "_" | replace "-" "_" }}
               value: "{{ $.Values.registry.opsManager }}/{{ $.Values.opsManager.name }}:{{ $version }}"
       {{- end }}
-      # since the official server images end with a different suffix we can re-use the same $mongodbImageEnv
+            # since the official server images end with a different suffix we can re-use the same $mongodbImageEnv
       {{- range $version := .Values.relatedImages.mongodb }}
             - name: RELATED_IMAGE_{{ $mongodbImageEnv }}_{{ $version | replace "." "_" | replace "-" "_" }}
               value: "{{ $.Values.mongodb.repo }}/{{ $.Values.mongodb.name }}:{{ $version }}"
@@ -277,8 +280,8 @@ spec:
     {{- end }}
     {{- if .Values.customEnvVars }}
       {{- range split "&" .Values.customEnvVars }}
-            - name: {{ (split "=" .)._0 }}
-              value: '{{ (split "=" .)._1 }}'
+            - name: {{ (splitn "=" 2 .)._0 }}
+              value: '{{ (splitn "=" 2 .)._1 }}'
       {{- end }}
     {{- end }}
 {{- if .Values.multiCluster.clusters }}

charts/mongodb-kubernetes/tests/operator_env_vars_type_test.yaml

@@ -0,0 +1,58 @@
+suite: Environment Variable Quoting Check
+templates:
+  - operator.yaml
+tests:
+  - it: should correctly quote the value for the env vars for container images
+    set:
+      initDatabase.version: 1234
+      database.version: 12d3f4
+      initOpsManager.version: 1.2.3
+      initAppDb.version: abc
+    asserts:      
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: INIT_DATABASE_VERSION
+            value: "1234"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: DATABASE_VERSION
+            value: "12d3f4"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: INIT_OPS_MANAGER_VERSION
+            value: "1.2.3"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: INIT_APPDB_VERSION
+            value: "abc"
+  - it: should correctly quote the value for the env vars for container images even when they are passed quoted
+    set:
+      initDatabase.version: "1234"
+      database.version: "12d3f4"
+      initOpsManager.version: "1.2.3"
+      initAppDb.version: "abc"
+    asserts:      
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: INIT_DATABASE_VERSION
+            value: "1234"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: DATABASE_VERSION
+            value: "12d3f4"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: INIT_OPS_MANAGER_VERSION
+            value: "1.2.3"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: INIT_APPDB_VERSION
+            value: "abc"

charts/mongodb-kubernetes/tests/operator_security_context_test.yaml

@@ -0,0 +1,142 @@
+suite: test operator security context settings for values.yaml
+templates:
+  - operator.yaml
+tests:
+  - it: default values are properly set
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: drop podSecurityContext and securityContext completely
+    set:
+      operator.podSecurityContext:
+      operator.securityContext:
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true
+    set:
+      managedSecurityContext: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: custom values are properly set
+    set:
+      operator.podSecurityContext.runAsNonRoot: false
+      operator.podSecurityContext.seccompProfile.type: RuntimeDefault
+      operator.securityContext.allowPrivilegeEscalation: false
+      operator.securityContext.capabilities.drop: [ALL]
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: false
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          # noinspection YAMLIncompatibleTypes
+          value: RuntimeDefault
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.capabilities.drop
+          value: [ALL]
+  - it: default values are properly set when managedSecurityContext is true for openShift
+    values:
+      - ../values-openshift.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")]
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")].value
+          # noinspection YAMLIncompatibleTypes
+          value: "true"
+  - it: default values are properly set for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: drop podSecurityContext and securityContext completely for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      operator.podSecurityContext:
+      operator.securityContext:
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      managedSecurityContext: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: custom values are properly set for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      operator.podSecurityContext.runAsNonRoot: false
+      operator.podSecurityContext.seccompProfile.type: RuntimeDefault
+      operator.securityContext.allowPrivilegeEscalation: false
+      operator.securityContext.capabilities.drop: [ ALL ]
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: false
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          # noinspection YAMLIncompatibleTypes
+          value: RuntimeDefault
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.capabilities.drop
+          value: [ ALL ]

charts/mongodb-kubernetes/tests/schemas/chart_schema.yaml

@@ -0,0 +1,37 @@
+name: str()
+home: str(required=False)
+version: str()
+apiVersion: str()
+appVersion: any(str(), num(), required=False)
+description: str(required=False)
+keywords: list(str(), required=False)
+sources: list(str(), required=False)
+maintainers: list(include('maintainer'), required=False)
+dependencies: list(include('dependency'), required=False)
+icon: str(required=False)
+engine: str(required=False)
+condition: str(required=False)
+tags: str(required=False)
+deprecated: bool(required=False)
+kubeVersion: str(required=False)
+annotations: map(str(), str(), required=False)
+type: str(required=False)
+---
+maintainer:
+  name: str()
+  email: str(required=False)
+  url: str(required=False)
+---
+dependency:
+  name: str()
+  version: str()
+  repository: str(required=False)
+  condition: str(required=False)
+  tags: list(str(), required=False)
+  enabled: bool(required=False)
+  import-values: list(any(str(), include('import-value')), required=False)
+  alias: str(required=False)
+---
+import-value:
+  child: str()
+  parent: str()

charts/mongodb-kubernetes/tests/schemas/lintconf.yaml

@@ -0,0 +1,42 @@
+---
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments:
+    require-starting-space: true
+    min-spaces-from-content: 2
+  document-end: disable
+  document-start: disable           # No --- to start a file
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    spaces: consistent
+    indent-sequences: whatever      # - list indentation will handle both indentation and without
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable              # Lines can be any length
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    level: warning

charts/mongodb-kubernetes/values-openshift.yaml

@@ -51,6 +51,7 @@ relatedImages:
   - 8.0.12
   - 8.0.13
   - 8.0.14
+  - 8.0.15
   mongodb:
   - 4.4.0-ubi8
   - 4.4.1-ubi8
@@ -111,6 +112,7 @@ relatedImages:
   - 108.0.11.8830-1
   - 108.0.12.8846-1
   - 108.0.13.8870-1
+  - 108.0.15.8888-1
   - 108.0.2.8729-1
   - 108.0.3.8758-1
   - 108.0.4.8770-1

charts/mongodb-kubernetes/values.yaml

@@ -47,6 +47,12 @@ operator:
       cpu: 1100m
       memory: 1Gi
 
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 2000
+
+  securityContext: {}
+
   # Control how many reconciles can be performed in parallel.
   # It sets MaxConcurrentReconciles https://pkg.go.dev/github.com/kubernetes-sigs/controller-runtime/pkg/controller#Options).
   # Increasing the number of concurrent reconciles will decrease the time needed to reconcile all watched resources.