Raise memory limits to 2Gi and other test fixes (#468)

* fix(tests): add security context to ldap pod * Raise memory limit to 2Gi * fix(tests): add service accounts to keycloak and python deployments * Update changelog * fix(tests): add the druid op as a test dependency
stackabletech · Mar 12, 2024 · 1a2fcee · 1a2fcee
1 parent d8ae0c0
commit 1a2fcee
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,19 +9,24 @@
 - Add support for OpenID Connect ([#423]).
 - Support versions `2.1.3`, `3.0.3`, `3.1.0` ([#457]).
 
+### Changed
+
+- Raise memory requests and limits for Superset pods to 2Gi ([#468]).
+
 ### Fixed
 
 - BREAKING: Fixed various issues in the CRD structure. `clusterConfig.credentialsSecret` is now mandatory ([#429]).
 
 ### Removed
 
-- Rmoved support for version `2.1.0` ([#457]).
+- Removed support for version `2.1.0` ([#457]).
 
 [#423]: https://github.com/stackabletech/superset-operator/pull/423
 [#429]: https://github.com/stackabletech/superset-operator/pull/429
 [#431]: https://github.com/stackabletech/superset-operator/pull/431
 [#448]: https://github.com/stackabletech/superset-operator/pull/448
 [#457]: https://github.com/stackabletech/superset-operator/pull/457
+[#468]: https://github.com/stackabletech/superset-operator/pull/468
 
 ## [23.11.0] - 2023-11-24
 

diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
@@ -361,7 +361,7 @@ impl SupersetConfig {
                     max: Some(Quantity("1200m".to_owned())),
                 },
                 memory: MemoryLimitsFragment {
-                    limit: Some(Quantity("1000Mi".to_owned())),
+                    limit: Some(Quantity("2Gi".to_owned())),
                     runtime_limits: NoRuntimeLimitsFragment {},
                 },
                 storage: SupersetStorageConfigFragment {},

diff --git a/tests/release.yaml b/tests/release.yaml
@@ -12,5 +12,7 @@ releases:
         operatorVersion: 0.0.0-dev
       listener:
         operatorVersion: 0.0.0-dev
+      druid:
+        operatorVersion: 0.0.0-dev
       superset:
         operatorVersion: 0.0.0-dev
diff --git a/tests/templates/kuttl/ldap/2-install-openldap.yaml.j2 b/tests/templates/kuttl/ldap/2-install-openldap.yaml.j2
@@ -38,6 +38,12 @@ commands:
               app.kubernetes.io/name: openldap
           spec:
             serviceAccountName: "druid-ldap-sa"
+            #
+            # The security context below is necessary to avoid the following error on OpenShift:
+            #    /opt/bitnami/scripts/openldap/setup.sh: line 102: /opt/bitnami/openldap/sbin/slappasswd: Operation not permitted
+            #
+            securityContext:
+              fsGroup: 1000
             containers:
               - name: openldap
                 image: docker.io/bitnami/openldap:2.5

diff --git a/...kuttl/oidc/50-install-test-container.yaml → ...tl/oidc/50-install-test-container.yaml.j2 b/...kuttl/oidc/50-install-test-container.yaml → ...tl/oidc/50-install-test-container.yaml.j2
@@ -1,4 +1,33 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: python
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: python
+{% if test_scenario['values']['openshift'] == 'true' %}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{% endif %}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: python
+subjects:
+  - kind: ServiceAccount
+    name: python
+roleRef:
+  kind: Role
+  name: python
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 metadata:
@@ -21,6 +50,7 @@ spec:
       labels:
         app: python
     spec:
+      serviceAccountName: python
       securityContext:
         fsGroup: 1000
       containers:

diff --git a/...emplates/kuttl/oidc/install-keycloak.yaml → ...lates/kuttl/oidc/install-keycloak.yaml.j2 b/...emplates/kuttl/oidc/install-keycloak.yaml → ...lates/kuttl/oidc/install-keycloak.yaml.j2
@@ -69,6 +69,7 @@ spec:
       labels:
         app: $INSTANCE_NAME
     spec:
+      serviceAccountName: keycloak
       containers:
         - name: keycloak
           image: quay.io/keycloak/keycloak:23.0.4
@@ -138,3 +139,32 @@ spec:
           server:
             caCert:
               secretClass: tls
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: keycloak
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak
+{% if test_scenario['values']['openshift'] == 'true' %}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{% endif %}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak
+subjects:
+  - kind: ServiceAccount
+    name: keycloak
+roleRef:
+  kind: Role
+  name: keycloak
+  apiGroup: rbac.authorization.k8s.io