mongodb · mongodb-kubernetes-gh-app · Oct 17, 2025
@@ -240,6 +240,9 @@ spec:
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
                 type: object
+              clusterDomain:
+                format: hostname
+                type: string
               featureCompatibilityVersion:
                 description: |-
                   FeatureCompatibilityVersion configures the feature compatibility version that will

@@ -32,11 +32,10 @@ spec:
 {{- end }}
     spec:
       serviceAccountName: {{ .Values.operator.name }}
-{{- if not .Values.managedSecurityContext }}
+      {{- if and (not .Values.managedSecurityContext) .Values.operator.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
-{{- end }}
+        {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
+      {{- end }}
 {{- if .Values.registry.imagePullSecrets}}
       imagePullSecrets:
         - name: {{ .Values.registry.imagePullSecrets }}
@@ -74,6 +73,10 @@ spec:
             requests:
               cpu: {{ .Values.operator.resources.requests.cpu }}
               memory: {{ .Values.operator.resources.requests.memory }}
+          {{- if and (not .Values.managedSecurityContext) .Values.operator.securityContext }}
+          securityContext:
+            {{- toYaml .Values.operator.securityContext | nindent 12 }}
+          {{- end }}
           env:
             - name: OPERATOR_ENV
               value: {{ .Values.operator.env }}
@@ -277,8 +280,8 @@ spec:
     {{- end }}
     {{- if .Values.customEnvVars }}
       {{- range split "&" .Values.customEnvVars }}
-            - name: {{ (split "=" .)._0 }}
-              value: '{{ (split "=" .)._1 }}'
+            - name: {{ (splitn "=" 2 .)._0 }}
+              value: '{{ (splitn "=" 2 .)._1 }}'
       {{- end }}
     {{- end }}
 {{- if .Values.multiCluster.clusters }}

@@ -0,0 +1,142 @@
+suite: test operator security context settings for values.yaml
+templates:
+  - operator.yaml
+tests:
+  - it: default values are properly set
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: drop podSecurityContext and securityContext completely
+    set:
+      operator.podSecurityContext:
+      operator.securityContext:
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true
+    set:
+      managedSecurityContext: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: custom values are properly set
+    set:
+      operator.podSecurityContext.runAsNonRoot: false
+      operator.podSecurityContext.seccompProfile.type: RuntimeDefault
+      operator.securityContext.allowPrivilegeEscalation: false
+      operator.securityContext.capabilities.drop: [ALL]
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: false
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          # noinspection YAMLIncompatibleTypes
+          value: RuntimeDefault
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.capabilities.drop
+          value: [ALL]
+  - it: default values are properly set when managedSecurityContext is true for openShift
+    values:
+      - ../values-openshift.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")]
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")].value
+          # noinspection YAMLIncompatibleTypes
+          value: "true"
+  - it: default values are properly set for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: drop podSecurityContext and securityContext completely for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      operator.podSecurityContext:
+      operator.securityContext:
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      managedSecurityContext: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: custom values are properly set for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      operator.podSecurityContext.runAsNonRoot: false
+      operator.podSecurityContext.seccompProfile.type: RuntimeDefault
+      operator.securityContext.allowPrivilegeEscalation: false
+      operator.securityContext.capabilities.drop: [ ALL ]
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: false
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          # noinspection YAMLIncompatibleTypes
+          value: RuntimeDefault
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.capabilities.drop
+          value: [ ALL ]
@@ -0,0 +1,37 @@
+name: str()
+home: str(required=False)
+version: str()
+apiVersion: str()
+appVersion: any(str(), num(), required=False)
+description: str(required=False)
+keywords: list(str(), required=False)
+sources: list(str(), required=False)
+maintainers: list(include('maintainer'), required=False)
+dependencies: list(include('dependency'), required=False)
+icon: str(required=False)
+engine: str(required=False)
+condition: str(required=False)
+tags: str(required=False)
+deprecated: bool(required=False)
+kubeVersion: str(required=False)
+annotations: map(str(), str(), required=False)
+type: str(required=False)
+---
+maintainer:
+  name: str()
+  email: str(required=False)
+  url: str(required=False)
+---
+dependency:
+  name: str()
+  version: str()
+  repository: str(required=False)
+  condition: str(required=False)
+  tags: list(str(), required=False)
+  enabled: bool(required=False)
+  import-values: list(any(str(), include('import-value')), required=False)
+  alias: str(required=False)
+---
+import-value:
+  child: str()
+  parent: str()
@@ -0,0 +1,42 @@
+---
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments:
+    require-starting-space: true
+    min-spaces-from-content: 2
+  document-end: disable
+  document-start: disable           # No --- to start a file
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    spaces: consistent
+    indent-sequences: whatever      # - list indentation will handle both indentation and without
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable              # Lines can be any length
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    level: warning
@@ -47,6 +47,12 @@ operator:
       cpu: 1100m
       memory: 1Gi
 
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 2000
+
+  securityContext: {}
+
   # Control how many reconciles can be performed in parallel.
   # It sets MaxConcurrentReconciles https://pkg.go.dev/github.com/kubernetes-sigs/controller-runtime/pkg/controller#Options).
   # Increasing the number of concurrent reconciles will decrease the time needed to reconcile all watched resources.