Skip to content

Extend options for setting security context #1647

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 5, 2025
Merged

Extend options for setting security context #1647

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .chloggen/add-container-security-context-option-cluster-receiver.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement
# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
component: clusterReceiver
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Add an option to set the security context for the container.
# One or more tracking issues related to the change
issues: [1647]
8 changes: 8 additions & 0 deletions .chloggen/add-container-security-context-option-gateway.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement
# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
component: gateway
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Add an option to set the security context for the container.
# One or more tracking issues related to the change
issues: [1647]
8 changes: 8 additions & 0 deletions .chloggen/deprecate-security-context-option-cluster-receiver.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: deprecation
# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
component: clusterReceiver
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Deprecate the `securityContext` field in favor of the `podSecurityContext`.
# One or more tracking issues related to the change
issues: [1647]
8 changes: 8 additions & 0 deletions .chloggen/deprecate-security-context-option-gateway.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: deprecation
# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
component: gateway
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Deprecate the `securityContext` field in favor of the `podSecurityContext`.
# One or more tracking issues related to the change
issues: [1647]
6 changes: 6 additions & 0 deletions helm-charts/splunk-otel-collector/templates/NOTES.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,3 +81,9 @@ Splunk OpenTelemetry Collector is installed and configured to send data to Splun
- Status: Instrumentation language maturity varies. See `operator.instrumentation.spec` and documentation for utilized instrumentation details.
- Splunk Support: We offer full support for Splunk distributions and best-effort support for native OpenTelemetry distributions of auto-instrumentation libraries.
{{- end }}
{{- if not (eq (toString .Values.gateway.securityContext) "<nil>") }}
[WARNING] "gateway.securityContext" parameter is deprecated. Please use "gateway.podSecurityContext" instead.
{{ end }}
{{- if not (eq (toString .Values.clusterReceiver.securityContext) "<nil>") }}
[WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead.
{{ end }}
Copy link
Contributor

@jvoravong jvoravong Feb 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Can we throw a failure or print a warning if one of the following cases happens? I just want to avoid confusion about which of the two available values (securityContext vs podSecurityContext) will be used. Maybe just update the message to say podSecurityContext takes priority.

  • Both clusterReceiver.securityContext and clusterReceiver.podSecurityContext are both used
  • Both gateway.securityContext and gateway.podSecurityContext are both used

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I understand your suggestion. Please submit a suggesting diff

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Working on this. Need to state this PR relates to #1342

Comment on lines +87 to +89
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{{- if not (eq (toString .Values.clusterReceiver.securityContext) "<nil>") }}
[WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead.
{{ end }}
{{- if not (eq (toString .Values. clusterReceiver.securityContext) "<nil>") }}
{{- if .Values. clusterReceiver.podSecurityContext }}
[WARNING] "clusterReceiver.securityContext" parameter is deprecated. Helm release will use values set in "clusterReceiver.podSecurityContext" instead.
{{- else }}
[WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead.
{{- end }}
{{ end }}

@jvoravong is this what you are suggesting? How does the PR you referenced relate to this one? Tmk this is a different ask

9 changes: 7 additions & 2 deletions helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,9 +81,10 @@ spec:
` }}
{{- $clusterReceiver.affinity | mustMergeOverwrite (fromYaml $clusterReceiverPodAntiAffinity) | toYaml | nindent 8 }}
{{- end }}
{{- if $clusterReceiver.securityContext }}
{{- $podSecurityContext := $clusterReceiver.podSecurityContext | default $clusterReceiver.securityContext }}
{{- if $podSecurityContext }}
securityContext:
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 8 }}
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }}
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "clusterReceiver.securityContext" $podSecurityContext) | nindent 8 }}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why?

{{- end }}
{{- if eq (include "splunk-otel-collector.distribution" .) "eks/fargate" }}
initContainers:
Expand Down Expand Up @@ -127,6 +128,10 @@ spec:
{{- if .Values.clusterReceiver.featureGates }}
- --feature-gates={{ .Values.clusterReceiver.featureGates }}
{{- end }}
{{- with .Values.clusterReceiver.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
image: {{ template "splunk-otel-collector.image.otelcol" . }}
imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
env:
Expand Down
9 changes: 7 additions & 2 deletions helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,9 +61,10 @@ spec:
affinity:
{{- toYaml $gateway.affinity | nindent 8 }}
{{- end }}
{{- if $gateway.securityContext }}
{{- $podSecurityContext := $gateway.podSecurityContext | default $gateway.securityContext }}
{{- if $podSecurityContext }}
securityContext:
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.securityContext) | nindent 8 }}
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }}
{{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.podSecurityContext) | nindent 8 }}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why?

{{- end }}
containers:
- name: otel-collector
Expand All @@ -80,6 +81,10 @@ spec:
{{- if .Values.gateway.featureGates }}
- --feature-gates={{ .Values.gateway.featureGates }}
{{- end }}
{{- with .Values.gateway.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
image: {{ template "splunk-otel-collector.image.otelcol" . }}
imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
env:
Expand Down
14 changes: 14 additions & 0 deletions helm-charts/splunk-otel-collector/values.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -731,6 +731,13 @@
"type": "object"
},
"securityContext": {
"description": "[DEPRECATED] Use podSecurityContext instead.",
"type": "object"
},
"podSecurityContext": {
"type": "object"
},
"containerSecurityContext": {
"type": "object"
},
"terminationGracePeriodSeconds": {
Expand Down Expand Up @@ -1348,6 +1355,13 @@
"type": "object"
},
"securityContext": {
"description": "[DEPRECATED] Use podSecurityContext instead.",
"type": "object"
},
"podSecurityContext": {
"type": "object"
},
"containerSecurityContext": {
"type": "object"
},
"terminationGracePeriodSeconds": {
Expand Down
10 changes: 8 additions & 2 deletions helm-charts/splunk-otel-collector/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -475,10 +475,13 @@ clusterReceiver:
affinity: {}

# Pod configurations
securityContext: {}
podSecurityContext: {}
terminationGracePeriodSeconds: 600
priorityClassName: ""

# Security context applied to the otel-collector container in the cluster receiver deployment.
containerSecurityContext: {}

# k8s cluster receiver collector annotations
annotations: {}
podAnnotations: {}
Expand Down Expand Up @@ -1138,10 +1141,13 @@ gateway:
affinity: {}

# Pod configurations
securityContext: {}
podSecurityContext: {}
terminationGracePeriodSeconds: 600
priorityClassName: ""

# Security context applied to the otel-collector container in the gateway deployment.
containerSecurityContext: {}

# OTel collector annotations
annotations: {}
podAnnotations: {}
Expand Down
Loading