Set default resource to Pgpool (#1155)

Signed-off-by: MobarakHsn <mobarak@appscode.com>

apis/kubedb/v1alpha2/constants.go

@@ -503,9 +503,9 @@ const (
 	EnvPgpoolPasswordEncryptionMethod = "PGPOOL_PASSWORD_ENCRYPTION_METHOD"
 	EnvEnablePoolPasswd               = "PGPOOL_ENABLE_POOL_PASSWD"
 	EnvSkipPasswdEncryption           = "PGPOOL_SKIP_PASSWORD_ENCRYPTION"
-	ConfigSecretMountPath             = "/config"
-	ConfigVolumeName                  = "pgpool-config"
-	ContainerName                     = "pgpool"
+	PgpoolConfigSecretMountPath       = "/config"
+	PgpoolConfigVolumeName            = "pgpool-config"
+	PgpoolContainerName               = "pgpool"
 	PgpoolAuthUsername                = "pcp"
 	SyncPeriod                        = 10
 	// ========================================== ZooKeeper Constants =================================================//

apis/kubedb/v1alpha2/pgpool_helpers.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 
+	"kubedb.dev/apimachinery/apis"
 	catalog "kubedb.dev/apimachinery/apis/catalog/v1alpha1"
 	"kubedb.dev/apimachinery/apis/kubedb"
 	"kubedb.dev/apimachinery/crds"
@@ -32,7 +33,9 @@ import (
 	appslister "k8s.io/client-go/listers/apps/v1"
 	"k8s.io/klog/v2"
 	"kmodules.xyz/client-go/apiextensions"
+	core_util "kmodules.xyz/client-go/core/v1"
 	meta_util "kmodules.xyz/client-go/meta"
+	"kmodules.xyz/client-go/policy/secomp"
 	ofst "kmodules.xyz/offshoot-api/api/v2"
 )
 
@@ -153,26 +156,58 @@ func (p *Pgpool) GetNameSpacedName() string {
 	return p.Namespace + "/" + p.Name
 }
 
-func (p *Pgpool) SetSecurityContext(ppVersion *catalog.PgpoolVersion) {
-	if p.Spec.PodTemplate.Spec.SecurityContext == nil {
-		p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{
-			RunAsUser:    ppVersion.Spec.SecurityContext.RunAsUser,
-			RunAsGroup:   ppVersion.Spec.SecurityContext.RunAsUser,
-			RunAsNonRoot: pointer.BoolP(true),
-		}
-	} else {
-		if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
-			p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = ppVersion.Spec.SecurityContext.RunAsUser
+func (p *Pgpool) SetSecurityContext(ppVersion *catalog.PgpoolVersion, podTemplate *ofst.PodTemplateSpec) {
+	if podTemplate == nil {
+		return
+	}
+	if podTemplate.Spec.SecurityContext == nil {
+		podTemplate.Spec.SecurityContext = &core.PodSecurityContext{}
+	}
+	if podTemplate.Spec.SecurityContext.FSGroup == nil {
+		podTemplate.Spec.SecurityContext.FSGroup = ppVersion.Spec.SecurityContext.RunAsUser
+	}
+
+	container := core_util.GetContainerByName(podTemplate.Spec.Containers, PgpoolContainerName)
+	if container == nil {
+		container = &core.Container{
+			Name: PgpoolContainerName,
 		}
-		if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
-			p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser
+	}
+	if container.SecurityContext == nil {
+		container.SecurityContext = &core.SecurityContext{}
+	}
+	p.assignContainerSecurityContext(ppVersion, container.SecurityContext)
+	podTemplate.Spec.Containers = core_util.UpsertContainer(podTemplate.Spec.Containers, *container)
+}
+
+func (p *Pgpool) assignContainerSecurityContext(ppVersion *catalog.PgpoolVersion, sc *core.SecurityContext) {
+	if sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+	}
+	if sc.Capabilities == nil {
+		sc.Capabilities = &core.Capabilities{
+			Drop: []core.Capability{"ALL"},
 		}
 	}
+	if sc.RunAsNonRoot == nil {
+		sc.RunAsNonRoot = pointer.BoolP(true)
+	}
+	if sc.RunAsUser == nil {
+		sc.RunAsUser = ppVersion.Spec.SecurityContext.RunAsUser
+	}
+	if sc.RunAsGroup == nil {
+		sc.RunAsGroup = ppVersion.Spec.SecurityContext.RunAsUser
+	}
+	if sc.SeccompProfile == nil {
+		sc.SeccompProfile = secomp.DefaultSeccompProfile()
+	}
+}
 
-	// Need to set FSGroup equal to  p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup.
-	// So that /var/pv directory have the group permission for the RunAsGroup user GID.
-	// Otherwise, We will get write permission denied.
-	p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup
+func (p *Pgpool) setContainerResourceLimits(podTemplate *ofst.PodTemplateSpec) {
+	ppContainer := core_util.GetContainerByName(podTemplate.Spec.Containers, PgpoolContainerName)
+	if ppContainer != nil && (ppContainer.Resources.Requests == nil && ppContainer.Resources.Limits == nil) {
+		apis.SetDefaultResourceLimits(&ppContainer.Resources, DefaultResources)
+	}
 }
 
 func (p *Pgpool) SetDefaults() {
@@ -189,7 +224,6 @@ func (p *Pgpool) SetDefaults() {
 		p.Spec.PodTemplate = &ofst.PodTemplateSpec{}
 		p.Spec.PodTemplate.Spec.Containers = []core.Container{}
 	}
-	p.SetHealthCheckerDefaults()
 
 	ppVersion := catalog.PgpoolVersion{}
 	err := DefaultClient.Get(context.TODO(), types.NamespacedName{
@@ -199,9 +233,10 @@ func (p *Pgpool) SetDefaults() {
 		klog.Errorf("can't get the pgpool version object %s for %s \n", err.Error(), p.Spec.Version)
 		return
 	}
-	if p.Spec.PodTemplate != nil {
-		p.SetSecurityContext(&ppVersion)
-	}
+
+	p.SetHealthCheckerDefaults()
+	p.SetSecurityContext(&ppVersion, p.Spec.PodTemplate)
+	p.setContainerResourceLimits(p.Spec.PodTemplate)
 }
 
 func (p *Pgpool) GetPersistentSecrets() []string {

apis/kubedb/v1alpha2/pgpool_webhook.go

@@ -206,7 +206,7 @@ func PgpoolValidateVersion(p *Pgpool) error {
 }
 
 var PgpoolReservedVolumes = []string{
-	ConfigVolumeName,
+	PgpoolConfigVolumeName,
 }
 
 func PgpoolValidateVolumes(p *Pgpool) error {
@@ -231,7 +231,7 @@ var PgpoolForbiddenEnvVars = []string{
 
 func PgpoolGetMainContainerEnvs(p *Pgpool) []core.EnvVar {
 	for _, container := range p.Spec.PodTemplate.Spec.Containers {
-		if container.Name == ContainerName {
+		if container.Name == PgpoolContainerName {
 			return container.Env
 		}
 	}
@@ -277,5 +277,5 @@ func PgpoolValidateVolumesMountPaths(podTemplate *ofst.PodTemplateSpec) error {
 }
 
 var PgpoolReservedVolumesMountPaths = []string{
-	ConfigSecretMountPath,
+	PgpoolConfigSecretMountPath,
 }