Support patch directives in pod/container overrides

[amisevsk]

What does this PR do?

Adds support for Kubernetes strategic merge patch directives. This allows deleting/overwriting fields that are not settable otherwise.

For example, if the default pod securityContext is configured to be

config:
  workspace:
    podSecurityContext:
      fsGroup: 2000
      runAsGroup: 3000
      runAsUser: 1000

setting the pod-overrides attribute to be

      pod-overrides:
        spec:
          securityContext:
            runAsUser: 1001

will result in the pod using the securityContext

securityContext:
    fsGroup: 2000
    runAsGroup: 3000
    runAsUser: 1001

whereas setting it to be

      pod-overrides:
        spec:
          securityContext:
            runAsUser: 1001
            $patch: replace

will result in the securityContext

securityContext:
    runAsUser: 1001

To do this, we have to apply the raw yaml specified in the overrides field as the patch rather than deserializing it, since Go will drop unrecognized fields in the struct when deserializing.

What issues does this PR fix or reference?

Closes #966

Is it tested? How?

Test by using directives in pod/container overrides.

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

[codecov]

Codecov Report

Base: 50.18% // Head: 50.20% // Increases project coverage by +0.01% 🎉

Coverage data is based on head (85dc50c) compared to base (bc1e483).
Patch coverage: 73.91% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #967      +/-   ##
==========================================
+ Coverage   50.18%   50.20%   +0.01%     
==========================================
  Files          39       39              
  Lines        2467     2484      +17     
==========================================
+ Hits         1238     1247       +9     
- Misses       1103     1107       +4     
- Partials      126      130       +4     

Impacted Files	Coverage Δ
pkg/library/overrides/pods.go	69.81% <56.52%> (-12.42%)	⬇️
pkg/library/overrides/containers.go	75.67% <91.30%> (+7.81%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[AObuchow]

This test name as well as /container-overrides/overrides-can-use-delete-directive.yaml and /container-overrides/overrides-can-use-replace-directive.yaml starts with a lower-case letter rather than uppercase like the others.

Very unimportant and doesn't need to be fixed, but it's the only remark I could find about this PR :P

[AObuchow]

I still need to do some manual testing, but the code changes look good to me.

It might be worth linking https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md?rgh-link-date=2022-11-03T17%3A21%3A38Z#basic-patch-format in the additional documentation for pod/container overrides.

Maybe something as simple as:

...The value of the attribute is applied via Kubernetes strategic merge to patch the default configuration according to predefined merge rules.

[dkwon17]

LGTM, and I had some issues with manipulating the securityContext: using $patch: replace / $patch: delete on OpenShift (I think OpenShift might intervene and set the securityContext itself), but it worked well on Minikube.

[AObuchow]

Tested on OpenShift 4.11, everything works as expected 👍
Here was the DWOC I used:

config:
  routing:
    defaultRoutingClass: basic
  workspace:
    imagePullPolicy: Always
    podSecurityContext:
      fsGroup: 1000670000
      runAsUser: 1000670000

Setting the devworkspace's pod-overrides to the following:

    attributes:
      pod-overrides:
        spec:
          securityContext:
            runAsUser: 1000670001

Resulted in the following security context:

      securityContext:
        runAsUser: 1000670001
        fsGroup: 1000670000

Here I tested the replace patch directive:

    attributes:
      pod-overrides:
        spec:
          securityContext:
            runAsUser: 1000670001
            $patch: replace

Which resulted in the following security context (as expected):

    securityContext:
        runAsUser: 1000670001

And lastly, I tested the delete patch directive:

    attributes:
      pod-overrides:
        spec:
          securityContext:
            runAsUser: 1000670001
            $patch: delete

Which removed the security context entirely, as expected:

securityContext: {}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, AObuchow, dkwon17, ibuziuk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [amisevsk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment