CR

Author: masseelch

api/v1alpha1/reason.go

@@ -29,6 +29,8 @@ const (
 	ReasonCreatingAtlasClient = "CreatingAtlasClient"
 	// ReasonCreatingWorkingDir represents the reason for creating a working directory.
 	ReasonCreatingWorkingDir = "CreatingWorkingDir"
+	// ReasonLogin represents the reason for logging in to Atlas.
+	ReasonLogin = "Login"
 )
 
 // isFailedReason returns true if the given reason is a failed reason.

charts/atlas-operator/templates/deployment.yaml

@@ -31,6 +31,14 @@ spec:
         kubectl.kubernetes.io/default-container: manager
       {{- end }}
     spec:
+       securityContext:
+         {{- if .Values.persistence.fsGroup }}
+         fsGroup: {{ .Values.persistence.fsGroup }}
+         {{- else }}
+         {{- with .Values.podSecurityContext }}
+         {{- toYaml . | nindent 8 }}
+         {{- end }}
+         {{- end }}
       {{- if or .Values.persistence.enabled .Values.extraVolumes }}
       volumes:
       {{- if .Values.persistence.enabled }}

config/manager/manager.yaml

@@ -12,6 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: namespace
+    app.kubernetes.io/instance: system
+    app.kubernetes.io/component: manager
+    app.kubernetes.io/created-by: atlas-operator
+    app.kubernetes.io/part-of: atlas-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: system
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -32,19 +45,6 @@ spec:
     requests:
       storage: 1Gi
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    control-plane: controller-manager
-    app.kubernetes.io/name: namespace
-    app.kubernetes.io/instance: system
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: atlas-operator
-    app.kubernetes.io/part-of: atlas-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: system
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -92,6 +92,8 @@ spec:
       #               - linux
       securityContext:
         runAsNonRoot: true
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
         # TODO(user): For common cases that do not require escalating privileges
         # it is recommended to ensure that all your Pods/Containers are restrictive.
         # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

internal/controller/atlasmigration_controller.go

@@ -275,7 +275,7 @@ func (r *AtlasMigrationReconciler) reconcile(ctx context.Context, data *migratio
 	}
 	if data.Cloud != nil && data.Cloud.Token != "" {
 		if err := c.Login(ctx, &atlasexec.LoginParams{Token: data.Cloud.Token, GrantOnly: true}); err != nil {
-			return r.resultErr(res, err, dbv1alpha1.ReasonCreatingAtlasClient)
+			return r.resultErr(res, err, dbv1alpha1.ReasonLogin)
 		}
 	}
 	var whoami *atlasexec.WhoAmI

internal/controller/atlasschema_controller.go

@@ -176,7 +176,7 @@ func (r *AtlasSchemaReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 	if data.Cloud != nil && data.Cloud.Token != "" {
 		if err := cli.Login(ctx, &atlasexec.LoginParams{Token: data.Cloud.Token, GrantOnly: true}); err != nil {
-			return r.resultErr(res, err, dbv1alpha1.ReasonCreatingAtlasClient)
+			return r.resultErr(res, err, dbv1alpha1.ReasonLogin)
 		}
 	}
 	// Calculate the hash of the current schema.

internal/controller/common.go

@@ -76,8 +76,8 @@ type (
 		// SetStderr specifies a writer to stream stderr to for every command.
 		SetStderr(io.Writer)
 	}
-	// AtlasExecFn is a function that returns an AtlasExec
-	// with the working directory and HOME directory.
+	// AtlasExecFn is a function that returns an AtlasExec configured
+	// with the given working directory, cloud configuration, and HOME directory.
 	AtlasExecFn func(dir string, c *Cloud, home string) (AtlasExec, error)
 	// Cloud holds the cloud configuration.
 	Cloud struct {
@@ -109,6 +109,10 @@ func NewAtlasExec(dir string, c *Cloud, home string) (AtlasExec, error) {
 			return nil, fmt.Errorf("creating resource home directory: %w", err)
 		}
 		env["HOME"] = homeDir
+	} else if env["HOME"] == "" {
+		// Ensure HOME is set to a safe default when not provided by the environment
+		// and no DATA_DIR-based home directory is configured.
+		env["HOME"] = "/tmp"
 	}
 	if c != nil && c.Token != "" {
 		env["ATLAS_TOKEN"] = c.Token