From cb6cda7265fb55940674573309580132c7617677 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Mon, 1 Aug 2022 19:04:00 -0700
Subject: [PATCH] fix: crash in operator console for missing fsGroup (#2211)

Bonus: Add support for "fsGroupChangePolicy"
Bonus: keep only github actions in workflow folder
---
 .github/workflows/jobs.yaml | 2 +-
 models/security_context.go | 19 +++---------
 operatorapi/embedded_spec.go | 12 +++++---
 operatorapi/tenants.go | 29 ++++++++++++++-----
 operatorapi/tenants_helper.go | 16 +++++-----
 swagger-operator.yml | 3 +-
 {.github/workflows => tests}/common.sh | 4 +--
 .../console-sa-secret.yaml | 0
 {.github/workflows => tests}/deploy-tenant.sh | 4 +--
 9 files changed, 48 insertions(+), 41 deletions(-)
 rename {.github/workflows => tests}/common.sh (97%)
 rename {.github/workflows => tests}/console-sa-secret.yaml (100%)
 rename {.github/workflows => tests}/deploy-tenant.sh (92%)

diff --git a/.github/workflows/jobs.yaml b/.github/workflows/jobs.yaml
index e5e275b2a..b0fa14f83 100644
--- a/.github/workflows/jobs.yaml
+++ b/.github/workflows/jobs.yaml
@@ -193,7 +193,7 @@ jobs:
           curl -sLO "https://dl.k8s.io/release/v1.23.1/bin/linux/amd64/kubectl" -o kubectl
           chmod +x kubectl
           mv kubectl /usr/local/bin
-          "${GITHUB_WORKSPACE}/.github/workflows/deploy-tenant.sh"
+          "${GITHUB_WORKSPACE}/tests/deploy-tenant.sh"
           echo "start ---> make test-operator-integration";
           make test-operator-integration;
diff --git a/models/security_context.go b/models/security_context.go
index e6afbf005..71fc7d78c 100644
--- a/models/security_context.go
+++ b/models/security_context.go
@@ -37,8 +37,10 @@ import (
 type SecurityContext struct {
 
 	// fs group
-	// Required: true
-	FsGroup *string `json:"fsGroup"`
+	FsGroup string `json:"fsGroup,omitempty"`
+
+	// fs group change policy
+	FsGroupChangePolicy string `json:"fsGroupChangePolicy,omitempty"`
 
 	// run as group
 	// Required: true
@@ -57,10 +59,6 @@ type SecurityContext struct {
 func (m *SecurityContext) Validate(formats strfmt.Registry) error {
 	var res []error
 
-	if err := m.validateFsGroup(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.validateRunAsGroup(formats); err != nil {
 		res = append(res, err)
 	}
@@ -79,15 +77,6 @@ func (m *SecurityContext) Validate(formats strfmt.Registry) error {
 	return nil
 }
 
-func (m *SecurityContext) validateFsGroup(formats strfmt.Registry) error {
-
-	if err := validate.Required("fsGroup", "body", m.FsGroup); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func (m *SecurityContext) validateRunAsGroup(formats strfmt.Registry) error {
 
 	if err := validate.Required("runAsGroup", "body", m.RunAsGroup); err != nil {
diff --git a/operatorapi/embedded_spec.go b/operatorapi/embedded_spec.go
index 933e2fa03..b20ee6bcd 100644
--- a/operatorapi/embedded_spec.go
+++ b/operatorapi/embedded_spec.go
@@ -4203,13 +4203,15 @@ func init() {
         "required": [
           "runAsUser",
           "runAsGroup",
-          "runAsNonRoot",
-          "fsGroup"
+          "runAsNonRoot"
         ],
         "properties": {
           "fsGroup": {
             "type": "string"
           },
+          "fsGroupChangePolicy": {
+            "type": "string"
+          },
           "runAsGroup": {
             "type": "string"
           },
@@ -9833,13 +9835,15 @@ func init() {
         "required": [
           "runAsUser",
           "runAsGroup",
-          "runAsNonRoot",
-          "fsGroup"
+          "runAsNonRoot"
         ],
         "properties": {
           "fsGroup": {
             "type": "string"
           },
+          "fsGroupChangePolicy": {
+            "type": "string"
+          },
           "runAsGroup": {
             "type": "string"
           },
diff --git a/operatorapi/tenants.go b/operatorapi/tenants.go
index 8c343a30b..56425d943 100644
--- a/operatorapi/tenants.go
+++ b/operatorapi/tenants.go
@@ -2762,15 +2762,28 @@ func parseTenantPool(pool *miniov2.Pool) *models.Pool {
 
 	var securityContext models.SecurityContext
 	if pool.SecurityContext != nil {
-		fsGroup := strconv.Itoa(int(*pool.SecurityContext.FSGroup))
-		runAsGroup := strconv.Itoa(int(*pool.SecurityContext.RunAsGroup))
-		runAsUser := strconv.Itoa(int(*pool.SecurityContext.RunAsUser))
-
+		var fsGroup string
+		var runAsGroup string
+		var runAsUser string
+		var fsGroupChangePolicy string
+		if pool.SecurityContext.FSGroup != nil {
+			fsGroup = strconv.Itoa(int(*pool.SecurityContext.FSGroup))
+		}
+		if pool.SecurityContext.RunAsGroup != nil {
+			runAsGroup = strconv.Itoa(int(*pool.SecurityContext.RunAsGroup))
+		}
+		if pool.SecurityContext.RunAsUser != nil {
+			runAsUser = strconv.Itoa(int(*pool.SecurityContext.RunAsUser))
+		}
+		if pool.SecurityContext.FSGroupChangePolicy != nil {
+			fsGroupChangePolicy = string(*pool.SecurityContext.FSGroupChangePolicy)
+		}
 		securityContext = models.SecurityContext{
-			FsGroup:      &fsGroup,
-			RunAsGroup:   &runAsGroup,
-			RunAsNonRoot: pool.SecurityContext.RunAsNonRoot,
-			RunAsUser:    &runAsUser,
+			FsGroup:             fsGroup,
+			RunAsGroup:          &runAsGroup,
+			RunAsNonRoot:        pool.SecurityContext.RunAsNonRoot,
+			RunAsUser:           &runAsUser,
+			FsGroupChangePolicy: fsGroupChangePolicy,
 		}
 	}
 
diff --git a/operatorapi/tenants_helper.go b/operatorapi/tenants_helper.go
index 77926fbe2..48c3fefff 100644
--- a/operatorapi/tenants_helper.go
+++ b/operatorapi/tenants_helper.go
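Review bot: `RunAsGroup: &runAsGroup` and `RunAsUser: &runAsUser` still take the address of the local even when the nil guards above left it as `""`, so a pool whose PodSecurityContext has no runAsUser or runAsGroup is now reported as `runAsUser: ""` instead of an absent field; the guard avoids the dereference crash but erases the difference between "unset" and "set to empty". The model marks both fields required, so this may be deliberate, but an empty string is not a parseable uid/gid if the same object is ever submitted back, whereas a nil pointer would fail the model's Required validation with a clear message; the change below keeps the pointers nil when the k8s field is nil. parseTenantPool begins outside the hunk.
```go
		var runAsGroup, runAsUser *string
		if pool.SecurityContext.RunAsGroup != nil {
			s := strconv.Itoa(int(*pool.SecurityContext.RunAsGroup))
			runAsGroup = &s
		}
		if pool.SecurityContext.RunAsUser != nil {
			s := strconv.Itoa(int(*pool.SecurityContext.RunAsUser))
			runAsUser = &s
		}
		// … unchanged: fsGroup / fsGroupChangePolicy guards …
		securityContext = models.SecurityContext{
			FsGroup:             fsGroup,
			RunAsGroup:          runAsGroup,
			RunAsNonRoot:        pool.SecurityContext.RunAsNonRoot,
			RunAsUser:           runAsUser,
			FsGroupChangePolicy: fsGroupChangePolicy,
		}
```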
@@ -50,32 +50,32 @@ func convertModelSCToK8sSC(sc *models.SecurityContext) (*corev1.PodSecurityConte
 	if err != nil {
 		return nil, err
 	}
-	RunAsGroup, err := strconv.ParseInt(*sc.RunAsGroup, 10, 64)
+	runAsGroup, err := strconv.ParseInt(*sc.RunAsGroup, 10, 64)
 	if err != nil {
 		return nil, err
 	}
-	FsGroup, err := strconv.ParseInt(*sc.FsGroup, 10, 64)
+	fsGroup, err := strconv.ParseInt(sc.FsGroup, 10, 64)
 	if err != nil {
 		return nil, err
 	}
 	return &corev1.PodSecurityContext{
 		RunAsUser:    &runAsUser,
-		RunAsGroup:   &RunAsGroup,
+		RunAsGroup:   &runAsGroup,
 		RunAsNonRoot: sc.RunAsNonRoot,
-		FSGroup:      &FsGroup,
+		FSGroup:      &fsGroup,
 	}, nil
 }
 
 // convertK8sSCToModelSC validates and converts from corev1.PodSecurityContext to models.SecurityContext
 func convertK8sSCToModelSC(sc *corev1.PodSecurityContext) *models.SecurityContext {
 	runAsUser := strconv.FormatInt(*sc.RunAsUser, 10)
-	RunAsGroup := strconv.FormatInt(*sc.RunAsGroup, 10)
-	FsGroup := strconv.FormatInt(*sc.FSGroup, 10)
+	runAsGroup := strconv.FormatInt(*sc.RunAsGroup, 10)
+	fsGroup := strconv.FormatInt(*sc.FSGroup, 10)
 	return &models.SecurityContext{
 		RunAsUser:    &runAsUser,
-		RunAsGroup:   &RunAsGroup,
+		RunAsGroup:   &runAsGroup,
 		RunAsNonRoot: sc.RunAsNonRoot,
-		FsGroup:      &FsGroup,
+		FsGroup:      fsGroup,
 	}
 }
 
diff --git a/swagger-operator.yml b/swagger-operator.yml
index 40f7dba4b..e48179a4e 100644
--- a/swagger-operator.yml
+++ b/swagger-operator.yml
@@ -3457,7 +3457,6 @@ definitions:
         - runAsUser
         - runAsGroup
         - runAsNonRoot
-        - fsGroup
       properties:
         runAsUser:
           type: string
@@ -3467,6 +3466,8 @@ definitions:
           type: boolean
         fsGroup:
           type: string
+        fsGroupChangePolicy:
+          type: string
     allocatableResourcesResponse:
       type: object
diff --git a/.github/workflows/common.sh b/tests/common.sh
similarity index 97%
rename from .github/workflows/common.sh
rename to tests/common.sh
index 045ebc21f..ff8f8bb48 100755
--- a/.github/workflows/common.sh
+++ b/tests/common.sh
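Review bot: `fsGroup, err := strconv.ParseInt(sc.FsGroup, 10, 64)` fails with `strconv.ParseInt: parsing "": invalid syntax` when the field is omitted, so every request that relies on fsGroup now being optional (the point of this commit) is rejected by convertModelSCToK8sSC instead of yielding a PodSecurityContext with FSGroup unset, and the new `FsGroupChangePolicy` is never copied into the k8s object, so the "Bonus" support is read-only. In convertK8sSCToModelSC, `*sc.RunAsUser`, `*sc.RunAsGroup` and `*sc.FSGroup` are still dereferenced unguarded, which is the same nil-pointer crash class the commit fixes in parseTenantPool for any PodSecurityContext that leaves one of them unset. The write path below keeps "omitted" and "0" distinguishable, which matters because fsGroup governs the group ownership applied to the pod's volumes; the read path needs the same nil guards parseTenantPool now has. convertModelSCToK8sSC begins before the hunk.
```go
	// … unchanged: runAsUser / runAsGroup parsing …
	var fsGroup *int64
	if sc.FsGroup != "" {
		v, err := strconv.ParseInt(sc.FsGroup, 10, 64)
		if err != nil {
			return nil, err
		}
		fsGroup = &v
	}
	var fsGroupChangePolicy *corev1.PodFSGroupChangePolicy
	if sc.FsGroupChangePolicy != "" {
		p := corev1.PodFSGroupChangePolicy(sc.FsGroupChangePolicy)
		fsGroupChangePolicy = &p
	}
	return &corev1.PodSecurityContext{
		RunAsUser:           &runAsUser,
		RunAsGroup:          &runAsGroup,
		RunAsNonRoot:        sc.RunAsNonRoot,
		FSGroup:             fsGroup,
		FSGroupChangePolicy: fsGroupChangePolicy,
	}, nil
```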
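Review bot: `fsGroupChangePolicy:` / `type: string` accepts any text, while Kubernetes only recognises `OnRootMismatch` and `Always` for this field, so a typo travels all the way to the API server before anything rejects it and the generated model performs no validation. Adding `enum: [OnRootMismatch, Always]` under the property would make go-swagger reject bad values at the request boundary and document the accepted set in the spec; both `embedded_spec.go` hunks pick this up on regeneration. A `description` stating that an empty value leaves the Kubernetes default in place would also help, since `fsGroup` lost its `required` entry in the first hunk without any text saying what omission means.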
@@ -41,7 +41,7 @@ function install_operator() {
     echo "Installing Current Operator"
     # TODO: Compile the current branch and create an overlay to use that image version
-    try kubectl apply -k "${SCRIPT_DIR}/../../portal-ui/tests/scripts/resources"
+    try kubectl apply -k "${SCRIPT_DIR}/../portal-ui/tests/scripts/resources"
     echo "Waiting for k8s api"
     sleep 10
@@ -91,4 +91,4 @@ function check_tenant_status() {
     kubectl run admin-mc -i --tty --image minio/mc --command -- bash -c "until (mc alias set minio/ https://minio.$1.svc.cluster.local $USER $PASSWORD); do echo \"...waiting... for 5secs\" && sleep 5; done; mc admin info minio/;"
     echo "Done."
-}
\ No newline at end of file
+}
diff --git a/.github/workflows/console-sa-secret.yaml b/tests/console-sa-secret.yaml
similarity index 100%
rename from .github/workflows/console-sa-secret.yaml
rename to tests/console-sa-secret.yaml
diff --git a/.github/workflows/deploy-tenant.sh b/tests/deploy-tenant.sh
similarity index 92%
rename from .github/workflows/deploy-tenant.sh
rename to tests/deploy-tenant.sh
index dbd7c2cab..ee232ed7d 100755
--- a/.github/workflows/deploy-tenant.sh
+++ b/tests/deploy-tenant.sh
@@ -24,8 +24,8 @@ function install_tenants() {
     echo "Installing tenants"
     # Install lite & kes tenants
-    try kubectl apply -k "${SCRIPT_DIR}/../../portal-ui/tests/scripts/tenant-lite"
-    try kubectl apply -k "${SCRIPT_DIR}/../../portal-ui/tests/scripts/tenant-kes-encryption"
+    try kubectl apply -k "${SCRIPT_DIR}/../portal-ui/tests/scripts/tenant-lite"
+    try kubectl apply -k "${SCRIPT_DIR}/../portal-ui/tests/scripts/tenant-kes-encryption"
     echo "Waiting for the tenant statefulset, this indicates the tenant is being fulfilled"
     waitdone=0