registry: add --fs-group and --supplementary-groups to oc adm registry

openshift · Feb 14, 2017 · 7ea4f72 · 7ea4f72
1 parent bd3e362
commit 7ea4f72
Show file tree

Hide file tree

Showing 11 changed files with 108 additions and 0 deletions.
diff --git a/contrib/completions/bash/oadm b/contrib/completions/bash/oadm
@@ -4504,6 +4504,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4525,6 +4527,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc
@@ -4513,6 +4513,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4534,6 +4536,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

diff --git a/contrib/completions/bash/openshift b/contrib/completions/bash/openshift
@@ -4504,6 +4504,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4525,6 +4527,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")
@@ -9422,6 +9426,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -9443,6 +9449,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

diff --git a/contrib/completions/zsh/oadm b/contrib/completions/zsh/oadm
@@ -4652,6 +4652,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4673,6 +4675,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc
@@ -4661,6 +4661,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4682,6 +4684,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

diff --git a/contrib/completions/zsh/openshift b/contrib/completions/zsh/openshift
@@ -4652,6 +4652,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4673,6 +4675,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")
@@ -9570,6 +9574,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -9591,6 +9597,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

diff --git a/docs/man/man1/oadm-registry.1 b/docs/man/man1/oadm-registry.1
@@ -45,6 +45,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-enforce\-quota\fP=false
     If true, the registry will refuse to write blobs if they exceed quota limits
 
+.PP
+\fB\-\-fs\-group\fP=""
+    Specify fsGroup which is an ID's that grants group access to registry block storage
+
 .PP
 \fB\-\-images\fP="openshift/origin\-${component}:${version}"
     The image to base this registry on \- ${component} will be replaced with \-\-type
@@ -85,6 +89,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-service\-account\fP="registry"
     Name of the service account to use to run the registry pod.
 
+.PP
+\fB\-\-supplemental\-groups\fP=[]
+    Specify supplemental groups which is an array of ID's that grants group access to registry shared storage
+
 .PP
 \fB\-\-tls\-certificate\fP=""
     An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS

diff --git a/docs/man/man1/oc-adm-registry.1 b/docs/man/man1/oc-adm-registry.1
@@ -45,6 +45,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-enforce\-quota\fP=false
     If true, the registry will refuse to write blobs if they exceed quota limits
 
+.PP
+\fB\-\-fs\-group\fP=""
+    Specify fsGroup which is an ID's that grants group access to registry block storage
+
 .PP
 \fB\-\-images\fP="openshift/origin\-${component}:${version}"
     The image to base this registry on \- ${component} will be replaced with \-\-type
@@ -85,6 +89,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-service\-account\fP="registry"
     Name of the service account to use to run the registry pod.
 
+.PP
+\fB\-\-supplemental\-groups\fP=[]
+    Specify supplemental groups which is an array of ID's that grants group access to registry shared storage
+
 .PP
 \fB\-\-tls\-certificate\fP=""
     An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS

diff --git a/docs/man/man1/openshift-admin-registry.1 b/docs/man/man1/openshift-admin-registry.1
@@ -45,6 +45,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-enforce\-quota\fP=false
     If true, the registry will refuse to write blobs if they exceed quota limits
 
+.PP
+\fB\-\-fs\-group\fP=""
+    Specify fsGroup which is an ID's that grants group access to registry block storage
+
 .PP
 \fB\-\-images\fP="openshift/origin\-${component}:${version}"
     The image to base this registry on \- ${component} will be replaced with \-\-type
@@ -85,6 +89,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-service\-account\fP="registry"
     Name of the service account to use to run the registry pod.
 
+.PP
+\fB\-\-supplemental\-groups\fP=[]
+    Specify supplemental groups which is an array of ID's that grants group access to registry shared storage
+
 .PP
 \fB\-\-tls\-certificate\fP=""
     An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS

diff --git a/docs/man/man1/openshift-cli-adm-registry.1 b/docs/man/man1/openshift-cli-adm-registry.1
@@ -45,6 +45,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-enforce\-quota\fP=false
     If true, the registry will refuse to write blobs if they exceed quota limits
 
+.PP
+\fB\-\-fs\-group\fP=""
+    Specify fsGroup which is an ID's that grants group access to registry block storage
+
 .PP
 \fB\-\-images\fP="openshift/origin\-${component}:${version}"
     The image to base this registry on \- ${component} will be replaced with \-\-type
@@ -85,6 +89,10 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-service\-account\fP="registry"
     Name of the service account to use to run the registry pod.
 
+.PP
+\fB\-\-supplemental\-groups\fP=[]
+    Specify supplemental groups which is an array of ID's that grants group access to registry shared storage
+
 .PP
 \fB\-\-tls\-certificate\fP=""
     An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS

diff --git a/pkg/cmd/admin/registry/registry.go b/pkg/cmd/admin/registry/registry.go
@@ -108,6 +108,11 @@ type RegistryConfig struct {
 	DaemonSet      bool
 	EnforceQuota   bool
 
+	// SupplementalGroups is list of int64, however cobra does not have appropriate func
+	// for that type list.
+	SupplementalGroups []string
+	FSGroup            string
+
 	ServingCertPath string
 	ServingKeyPath  string
 
@@ -181,6 +186,8 @@ func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out, errout i
 	cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.")
 	cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS")
 	cmd.Flags().StringVar(&cfg.ServingKeyPath, "tls-key", cfg.ServingKeyPath, "An optional path to a PEM encoded private key for serving over TLS")
+	cmd.Flags().StringSliceVar(&cfg.SupplementalGroups, "supplemental-groups", cfg.SupplementalGroups, "Specify supplemental groups which is an array of ID's that grants group access to registry shared storage")
+	cmd.Flags().StringVar(&cfg.FSGroup, "fs-group", "", "Specify fsGroup which is an ID that grants group access to registry block storage")
 	cmd.Flags().BoolVar(&cfg.DaemonSet, "daemonset", cfg.DaemonSet, "If true, use a daemonset instead of a deployment config.")
 	cmd.Flags().BoolVar(&cfg.EnforceQuota, "enforce-quota", cfg.EnforceQuota, "If true, the registry will refuse to write blobs if they exceed quota limits")
 
@@ -224,6 +231,23 @@ func (opts *RegistryOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command,
 		opts.nodeSelector = valid
 	}
 
+	if len(opts.Config.FSGroup) > 0 {
+		if _, err := strconv.ParseInt(opts.Config.FSGroup, 10, 64); err != nil {
+			return kcmdutil.UsageError(cmd, "invalid group ID %q specified for fsGroup (%v)", opts.Config.FSGroup, err)
+		}
+	}
+
+	if len(opts.Config.SupplementalGroups) > 0 {
+		for _, v := range opts.Config.SupplementalGroups {
+			if val, err := strconv.ParseInt(v, 10, 64); err != nil || val == 0 {
+				return kcmdutil.UsageError(cmd, "invalid group ID %q specified for supplemental group (%v)", v, err)
+			}
+		}
+	}
+	if len(opts.Config.SupplementalGroups) > 0 && len(opts.Config.FSGroup) > 0 {
+		return kcmdutil.UsageError(cmd, "fsGroup and supplemental groups cannot be specified both at the same time")
+	}
+
 	var portsErr error
 	if opts.ports, portsErr = app.ContainerPortsFromString(opts.Config.Ports); portsErr != nil {
 		return portsErr
@@ -356,6 +380,7 @@ func (opts *RegistryOptions) RunCmdRegistry() error {
 				VolumeSource: kapi.VolumeSource{},
 			}),
 			ServiceAccountName: opts.Config.ServiceAccount,
+			SecurityContext:    generateSecurityContext(opts.Config),
 		},
 	}
 	if mountHost {
@@ -543,3 +568,22 @@ func generateSecretsConfig(
 
 	return secrets, volumes, mounts, extraEnv, len(defaultCrt) > 0, nil
 }
+
+func generateSecurityContext(conf *RegistryConfig) *kapi.PodSecurityContext {
+	result := &kapi.PodSecurityContext{}
+	if len(conf.SupplementalGroups) > 0 {
+		result.SupplementalGroups = []int64{}
+		for _, val := range conf.SupplementalGroups {
+			// The errors are handled by Complete()
+			if groupID, err := strconv.ParseInt(val, 10, 64); err == nil {
+				result.SupplementalGroups = append(result.SupplementalGroups, groupID)
+			}
+		}
+	}
+	if len(conf.FSGroup) > 0 {
+		if groupID, err := strconv.ParseInt(conf.FSGroup, 10, 64); err == nil {
+			result.FSGroup = &groupID
+		}
+	}
+	return result
+}