Add function to clear the runAsGroup and runAsUser values in the defa…

…ult cm for triggers to handle restricted securityContext Context: As part of addressing https://issues.redhat.com/browse/OCPSTRAT-487, there's a plan to enable restricted security context by default starting from Openshift 4.16. Once this becomes the default setting, existing Triggers functionality may break. This is because we currently set security context to false, and the pipelines-scc security context constraint (SCC) doesn't have seccompProfiles: runtime/default, which is required when restricted security context is enabled by default.
tektoncd · Jul 9, 2024 · 3d3dd91 · 3d3dd91
1 parent db58e94
commit 3d3dd91
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/pkg/reconciler/openshift/tektontrigger/extension.go b/pkg/reconciler/openshift/tektontrigger/extension.go
@@ -22,21 +22,39 @@ import (
 	mf "github.com/manifestival/manifestival"
 	"github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
 	"github.com/tektoncd/operator/pkg/reconciler/common"
+	"github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektontrigger"
 	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
+	"knative.dev/pkg/ptr"
 )
 
+// triggersProperties holds fields for configuring runAsUser and runAsGroup.
+type triggersProperties struct {
+	DefaultRunAsUser  *string `json:"default-run-as-user,omitempty"`
+	DefaultRunAsGroup *string `json:"default-run-as-group,omitempty"`
+}
+
+const emptyValue = ""
+
 func OpenShiftExtension(ctx context.Context) common.Extension {
 	return openshiftExtension{}
 }
 
 type openshiftExtension struct{}
 
 func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
+	// Updating the default values of runAsUser and runAsGroup to an empty string
+	// to ensure compatibility with OpenShift's requirements for managing these settings
+	// in Triggers Eventlistener containers SCC.
+	triggersData := triggersProperties{
+		DefaultRunAsUser:  ptr.String(emptyValue),
+		DefaultRunAsGroup: ptr.String(emptyValue),
+	}
+
 	return []mf.Transformer{
 		occommon.RemoveRunAsUser(),
 		occommon.RemoveRunAsGroup(),
 		occommon.ApplyCABundles,
-		replaceDeploymentArgs("-el-security-context", "false"),
+		common.AddConfigMapValues(tektontrigger.ConfigDefaults, triggersData),
 		replaceDeploymentArgs("-el-events", "enable"),
 	}
 }

diff --git a/pkg/reconciler/openshift/tektontrigger/transformers_test.go b/pkg/reconciler/openshift/tektontrigger/transformers_test.go
@@ -56,13 +56,12 @@ func TestReplaceImages(t *testing.T) {
 		}
 
 		newManifest, err := manifest.Transform(
-			replaceDeploymentArgs("-el-security-context", "false"),
 			replaceDeploymentArgs("-el-events", "enable"),
 		)
 		if err != nil {
 			t.Errorf("assertion failed; expected no error %v", err)
 		}
-		assertDeployContainerArgsValue(t, newManifest.Resources(), "-el-security-context", "false")
+		assertDeployContainerArgsValue(t, newManifest.Resources(), "-el-security-context", "true")
 		assertDeployContainerArgsValue(t, newManifest.Resources(), "-el-events", "enable")
 	})
 }