feat(security): security contexts are now configurable (cryostatio#457)

* feat(security): security contexts are now configurable

* test(security): update tests

* docs(security): document custom security contexts

* doc(security): fix headers

* docs(security): update docs

* fix(test-resource): rename funcs

api/v1beta1/cryostat_types.go

@@ -94,6 +94,10 @@ type CryostatSpec struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Properties",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
 	AuthProperties *AuthorizationProperties `json:"authProperties,omitempty"`
+	// Options to configure the Security Contexts for the Cryostat application.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	SecurityOptions *SecurityOptions `json:"securityOptions,omitempty"`
 }
 
 type ResourceConfigList struct {
@@ -185,6 +189,10 @@ type ReportConfiguration struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:number"}
 	SubProcessMaxHeapSize int32 `json:"subProcessMaxHeapSize,omitempty"`
+	// Options to configure the Security Contexts for the Cryostat report generator.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	SecurityOptions *ReportsSecurityOptions `json:"securityOptions,omitempty"`
 }
 
 // ServiceConfig provides customization for a service created
@@ -421,3 +429,37 @@ type AuthorizationProperties struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	Filename string `json:"filename"`
 }
+
+// SecurityOptions contains Security Context customizations for the
+// main Cryostat application at both the pod and container level.
+type SecurityOptions struct {
+	// Security Context to apply to the Cryostat pod.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
+	// Security Context to apply to the Cryostat application container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	CoreSecurityContext *corev1.SecurityContext `json:"coreSecurityContext,omitempty"`
+	// Security Context to apply to the JFR Data Source container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	DataSourceSecurityContext *corev1.SecurityContext `json:"dataSourceSecurityContext,omitempty"`
+	// Security Context to apply to the Grafana container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	GrafanaSecurityContext *corev1.SecurityContext `json:"grafanaSecurityContext,omitempty"`
+}
+
+// ReportsSecurityOptions contains Security Context customizations for the
+// Cryostat report generator at both the pod and container level.
+type ReportsSecurityOptions struct {
+	// Security Context to apply to the Cryostat report generator pod.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
+	// Security Context to apply to the Cryostat report generator container.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	ReportsSecurityContext *corev1.SecurityContext `json:"reportsSecurityContext,omitempty"`
+}

bundle/manifests/cryostat-operator.clusterserviceversion.yaml

@@ -222,6 +222,18 @@ spec:
         path: reportOptions.resources
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - description: Options to configure the Security Contexts for the Cryostat report
+          generator.
+        displayName: Security Options
+        path: reportOptions.securityOptions
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Security Context to apply to the Cryostat report generator pod.
+        displayName: Pod Security Context
+        path: reportOptions.securityOptions.podSecurityContext
+      - description: Security Context to apply to the Cryostat report generator container.
+        displayName: Reports Security Context
+        path: reportOptions.securityOptions.reportsSecurityContext
       - description: When zero report sidecar replicas are requested, SubProcessMaxHeapSize
           configures the maximum heap size of the basic subprocess report generator
           in MiB. The default heap size is `200` (MiB).
@@ -248,6 +260,23 @@ spec:
         path: resources.grafanaResources
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - description: Options to configure the Security Contexts for the Cryostat application.
+        displayName: Security Options
+        path: securityOptions
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Security Context to apply to the Cryostat application container.
+        displayName: Core Security Context
+        path: securityOptions.coreSecurityContext
+      - description: Security Context to apply to the JFR Data Source container.
+        displayName: Data Source Security Context
+        path: securityOptions.dataSourceSecurityContext
+      - description: Security Context to apply to the Grafana container.
+        displayName: Grafana Security Context
+        path: securityOptions.grafanaSecurityContext
+      - description: Security Context to apply to the Cryostat pod.
+        displayName: Pod Security Context
+        path: securityOptions.podSecurityContext
       - description: Options to customize the services created for the Cryostat application
           and Grafana dashboard.
         displayName: Service Options