From 8eb2833f29e94ea0d7bff91a9a9c7763d3e0d773 Mon Sep 17 00:00:00 2001
From: Francisco Borges Aurindo Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Wed, 10 Apr 2024 13:49:22 +0200
Subject: [PATCH] Blocking customizations from users using webdav

---
 controllers/drupalsite_controller.go | 13 +++++++++---
 controllers/drupalsite_resources.go | 31 ++++++++++++++++++++++++++++
 controllers/reconciler_common.go | 2 --
 3 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/controllers/drupalsite_controller.go b/controllers/drupalsite_controller.go
index bb6f529b..83e81745 100644
--- a/controllers/drupalsite_controller.go
+++ b/controllers/drupalsite_controller.go
@@ -50,8 +50,11 @@ const (
 	adminPauseAnnotation = "admin-pause-reconcile"
 	oidcSecretName = "oidc-client-secret"
-	ssoProxyLabel = "drupal.okd.cern.ch/full-sso"
-	sitePrimaryLabel = "drupal.webservices.cern.ch/isPrimary"
+	// Labels used by the Operator
+	ssoProxyLabel = "drupal.okd.cern.ch/full-sso"
+	sitePrimaryLabel = "drupal.webservices.cern.ch/isPrimary"
+	noCustomizationsLabel = "drupal.webservices.cern.ch/noCustomizations"
+	projectBlockedLabel = "okd.cern.ch/project-blocked"
 )
 var (
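Review bot: The new comment `// Labels used by the Operator` does not say what `noCustomizationsLabel` means or where it comes from, although the two other hunks in this commit rely on that contract. Suggest documenting it at the declaration, e.g. `// noCustomizationsLabel is read from the namespace, copied onto every DrupalSite in it, and makes the WebDAV container mount the modules and themes subtrees read-only.` It is also worth stating that the restriction only holds as long as the namespace label itself cannot be edited by the users it restricts, since the site label is re-derived from the namespace on every reconcile; that is presumably the model here but the hunk does not say so.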
@@ -248,10 +251,14 @@ func (r *DrupalSiteReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	if drupalSite.Labels == nil {
 		drupalSite.Labels = map[string]string{}
 	}
-	if (namespace.Labels[ssoProxyLabel] == "true" || drupalSite.Labels[sitePrimaryLabel] != "true" ) && drupalSite.Labels[ssoProxyLabel] != "true" {
+	if (namespace.Labels[ssoProxyLabel] == "true" || drupalSite.Labels[sitePrimaryLabel] != "true") && drupalSite.Labels[ssoProxyLabel] != "true" {
 		drupalSite.Labels[ssoProxyLabel] = "true"
 		return r.updateCRorFailReconcile(ctx, log, drupalSite)
 	}
+	if namespace.Labels[noCustomizationsLabel] == "true" && drupalSite.Labels[noCustomizationsLabel] != "true" {
+		drupalSite.Labels[noCustomizationsLabel] = "true"
+		return r.updateCRorFailReconcile(ctx, log, drupalSite)
+	}
 	// 2. Check all conditions and update them if needed
 	update := false
diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 3a66965a..77ad8597 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
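Review bot: The new block only ever sets `noCustomizationsLabel` to "true" on the DrupalSite and never clears it, so once a namespace has carried the label, removing it from the namespace leaves every site in it locked until the CRs are edited by hand. This mirrors the one-way handling of `ssoProxyLabel` just above, so it may be deliberate, but the asymmetry deserves either a comment (`// the label is never removed from the site automatically; clear it on the CR to re-enable customizations`) or a matching branch: `if namespace.Labels[noCustomizationsLabel] != "true" && drupalSite.Labels[noCustomizationsLabel] == "true" { delete(drupalSite.Labels, noCustomizationsLabel); return r.updateCRorFailReconcile(ctx, log, drupalSite) }`. Either way the reconciler still re-adds the label on the next pass if a user removes it from their own CR while the namespace label is present, which is the fail-closed behaviour the hunk already provides. Reconcile begins and ends outside this hunk.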
@@ -1172,6 +1172,37 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 			currentobject.Spec.Template.Spec.Containers[i].Image = WebDAVImage
 			currentobject.Spec.Template.Spec.Containers[i].Command = []string{"php-fpm"}
 			currentobject.Spec.Template.Spec.Containers[i].Resources = config.webDAVResources
+			currentobject.Spec.Template.Spec.Containers[i].VolumeMounts = []corev1.VolumeMount{
+				{
+					Name: "drupal-directory-" + d.Name,
+					MountPath: "/drupal-data",
+				},
+				{
+					Name: "webdav-volume",
+					MountPath: "/webdav/htdigest",
+					ReadOnly: true,
+				},
+				{
+					Name: "empty-dir",
+					MountPath: "/var/run/",
+				},
+			}
+			// Move this code section outside in case we apply to PHP-FPM container as well
+			readOnlyMountModule := corev1.VolumeMount{
+				Name: "drupal-directory-" + d.Name,
+				MountPath: "/drupal-data/modules",
+				SubPath: "modules",
+				ReadOnly: true,
+			}
+			readOnlyMountTheme := corev1.VolumeMount{
+				Name: "drupal-directory-" + d.Name,
+				MountPath: "/drupal-data/themes",
+				SubPath: "themes",
+				ReadOnly: true,
+			}
+			if d.Labels[noCustomizationsLabel] == "true" {
+				currentobject.Spec.Template.Spec.Containers[i].VolumeMounts = append(currentobject.Spec.Template.Spec.Containers[i].VolumeMounts, readOnlyMountModule, readOnlyMountTheme)
+			}
 		case "cron":
 			currentobject.Spec.Template.Spec.Containers[i].Command = []string{
 				"sh",
diff --git a/controllers/reconciler_common.go b/controllers/reconciler_common.go
index ab2a65e0..22324b47 100644
--- a/controllers/reconciler_common.go
+++ b/controllers/reconciler_common.go
@@ -60,8 +60,6 @@ type DeploymentConfig struct {
 	drupalLogsResources corev1.ResourceRequirements
 }
-const projectBlockedLabel = "okd.cern.ch/project-blocked"
-
 func setReady(drp *webservicesv1a1.DrupalSite) (update bool) {
 	return drp.Status.Conditions.SetCondition(status.Condition{
 		Type: "Ready",
-- 
GitLab
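Review bot: The read-only protection covers exactly two subtrees, `/drupal-data/modules` and `/drupal-data/themes`, layered on top of the still-writable `/drupal-data` mount, and nothing in the hunk records that everything else on that volume remains writable through WebDAV; that scope should be stated next to the check so nobody later assumes the label blocks all changes. The two extra mounts only work because they are appended after the parent `/drupal-data` entry, and that ordering requirement is worth a comment too. The `// Move this code section outside ...` remark is an instruction to a future maintainer and should be a tagged `// TODO:` so tools surface it. Both read-only mounts are also built on every call even when the label is absent, and the long `currentobject.Spec.Template.Spec.Containers[i]` selector is repeated four times; a pointer to the container and a small loop over the two subtrees make the intent clearer, as below. deploymentForDrupalSite starts and ends outside this hunk.

```go
			c := &currentobject.Spec.Template.Spec.Containers[i]
			// … unchanged: Image, Command and Resources assignments …
			c.VolumeMounts = []corev1.VolumeMount{
				// … unchanged: drupal-data, webdav-volume and empty-dir mounts …
			}
			// With the noCustomizations label set, the modules and themes subtrees are
			// remounted read-only on top of the writable /drupal-data mount, so WebDAV
			// users can read but not change them. Everything else under /drupal-data
			// stays writable. These entries must come after the parent /drupal-data
			// mount so the read-only view is layered on top of it.
			// TODO: apply the same read-only mounts to the PHP-FPM container as well.
			if d.Labels[noCustomizationsLabel] == "true" {
				for _, dir := range []string{"modules", "themes"} {
					c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
						Name:      "drupal-directory-" + d.Name,
						MountPath: "/drupal-data/" + dir,
						SubPath:   dir,
						ReadOnly:  true,
					})
				}
			}
```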