Description
Adds the ability to render deployment templates with a reference global floatingUserId field. This field is used to globally unset the runAsUser field in container securityContexts (like the painter's floatingUserId) and suppresses the rendering of the pod's securityContext.
This feature is enabled by setting the GlobalFloatingUserIdPath in the Operator to the path of the global field, and defaults to an empty string (disabled).
Context
This has been added to facilitate OpenShift deployments by creating a single field that can apply the changes necessary to deploy with OpenShift. The template generation is used by Gloo Gateway EE to create its Portal deployments, and this change will allow the global setting to be applied.
Example usage: https://github.com/solo-io/solo-projects/compare/consistent-floating-user-id...consistent-floating-user-id-with-portal-operator
Manual validation
There is a solo-projects PR that has the non-skv2 related Helm changes to support the new global flag for OpenShift which has been validated by Field Engineering. Because the skv2 generated template has not been updated, gateway-portal-web-server.glooPortalServer.floatingUserId=true needs to be set.
The approach for this test is to generate the Helm from that branch with gateway-portal-web-server.glooPortalServer.floatingUserId=true and use it as the baseline against which to validate the skv2 changes.
We will then generate helm in that branch without gateway-portal-web-server.glooPortalServer.floatingUserId=true to see the changes from not including that flag - runAsUser is rendered for the portal, and we can ignore the generated security artifacts:
We then switch to a fork of that branch which has had the SKv2 changes pulled in and regenerate the Helm without gateway-portal-web-server.glooPortalServer.floatingUserId=true and validate that it matches the original helm (ignoring the generated security artifacts)
We are now rendering the OpenShift-compatible helm without the
Script to generate and diff helm. Expand to see results:
Results:
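A check for the behaviour stated under Description (no container runAsUser and no pod securityContext once the global flag is on), as an added example that is not part of this PR or of skv2. The helper FloatingUserIDViolations, the names portal and web, and both manifests are constructed for illustration, and the input is assumed to be a rendered Deployment already converted to JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type container struct {
	Name            string `json:"name"`
	SecurityContext *struct{ RunAsUser *int64 `json:"runAsUser"` } `json:"securityContext"`
}
type podSpec struct {
	SecurityContext map[string]interface{} `json:"securityContext"`
	InitContainers  []container            `json:"initContainers"`
	Containers      []container            `json:"containers"`
}
type deployment struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec struct{ Template struct{ Spec podSpec `json:"spec"` } `json:"template"` } `json:"spec"`
}

// FloatingUserIDViolations (hypothetical helper) lists fields that should be absent with the global flag on.
func FloatingUserIDViolations(manifest []byte) ([]string, error) {
	var d deployment
	if err := json.Unmarshal(manifest, &d); err != nil {
		return nil, err
	}
	var out []string
	pod := d.Spec.Template.Spec
	if pod.SecurityContext != nil { // the pod-level block should not be rendered at all
		out = append(out, d.Metadata.Name+": pod securityContext rendered")
	}
	for _, c := range append(pod.InitContainers, pod.Containers...) {
		if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
			out = append(out, fmt.Sprintf("%s/%s: runAsUser=%d", d.Metadata.Name, c.Name, *c.SecurityContext.RunAsUser))
		}
	}
	return out, nil
}

// Constructed samples: the same Deployment rendered with the global flag off, then on.
const flagOff = `{"metadata":{"name":"portal"},"spec":{"template":{"spec":{"securityContext":{"fsGroup":10101},"containers":[{"name":"web","securityContext":{"runAsUser":10101,"runAsNonRoot":true}}]}}}}`
const flagOn = `{"metadata":{"name":"portal"},"spec":{"template":{"spec":{"containers":[{"name":"web","securityContext":{"runAsNonRoot":true}}]}}}}`

func main() {
	for _, m := range []string{flagOff, flagOn} {
		fmt.Println(FloatingUserIDViolations([]byte(m)))
	}
}
```

Other container securityContext fields, such as runAsNonRoot in the sample, are not reported, because the description only says runAsUser is unset.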