diff --git a/.changelog/3119.added.txt b/.changelog/3119.added.txt
new file mode 100644
index 0000000000..d1cddb2ace
--- /dev/null
+++ b/.changelog/3119.added.txt
@@ -0,0 +1 @@
+feat(metrics): set securityContext for metrics collector
\ No newline at end of file
diff --git a/deploy/helm/sumologic/README.md b/deploy/helm/sumologic/README.md
index ae5573d951..d35be4b8f9 100644
--- a/deploy/helm/sumologic/README.md
+++ b/deploy/helm/sumologic/README.md
@@ -126,7 +126,7 @@ The following table lists the configurable parameters of the Sumo Logic chart an
 | `sumologic.metrics.collector.otelcol.podAnnotations` | Additional annotations for the experimental otelcol metrics pods. | `{}` |
 | `sumologic.metrics.collector.otelcol.podLabels` | Additional labels for the experimental otelcol metrics pods. | `{}` |
 | `sumologic.metrics.collector.otelcol.priorityClassName` | Priority class name for the experimental otelcol metrics. | `null` |
-| `sumologic.metrics.collector.otelcol.securityContext` | The securityContext configuration for the experimental otelcol metrics. | `{}` |
+| `sumologic.metrics.collector.otelcol.securityContext` | The securityContext configuration for the experimental otelcol metrics. | `{"fsGroup": 999}` |
 | `sumologic.metrics.collector.otelcol.tolerations` | Tolerations for the experimental otelcol metrics. | `[]` |
 | `sumologic.traces.enabled` | Set the enabled flag to true to enable tracing ingestion. _Tracing must be enabled for the account first. Please contact your Sumo representative for activation details_ | `true` |
 | `sumologic.traces.spans_per_request` | Maximum number of spans sent in single batch | `100` |
diff --git a/deploy/helm/sumologic/templates/metrics/collector/otelcol/opentelemetrycollector.yaml b/deploy/helm/sumologic/templates/metrics/collector/otelcol/opentelemetrycollector.yaml
index b2ecade1e0..bc7d6e2f5b 100644
--- a/deploy/helm/sumologic/templates/metrics/collector/otelcol/opentelemetrycollector.yaml
+++ b/deploy/helm/sumologic/templates/metrics/collector/otelcol/opentelemetrycollector.yaml @@ -44,10 +44,6 @@ spec: tolerations: {{ toYaml .Values.sumologic.metrics.collector.otelcol.tolerations | indent 4 }} {{- end }} -{{- if .Values.sumologic.metrics.collector.otelcol.securityContext }} - securityContext: - {{- toYaml .Values.sumologic.metrics.collector.otelcol.securityContext | nindent 4 }} -{{- end }} {{- if .Values.sumologic.metrics.collector.otelcol.priorityClassName }} priorityClassName: {{ .Values.sumologic.metrics.collector.otelcol.priorityClassName | quote }} {{- end }} @@ -67,6 +63,8 @@ spec: {{- if .Values.metadata.metrics.statefulset.extraEnvVars }} {{ toYaml .Values.metadata.metrics.statefulset.extraEnvVars | nindent 4 }} {{- end }} + podSecurityContext: + {{ .Values.sumologic.metrics.collector.otelcol.securityContext | toYaml | nindent 4 }} ports: - name: pprof port: 1777 diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml index dd1b2ea752..db42f0adb0 100644 --- a/deploy/helm/sumologic/values.yaml +++ b/deploy/helm/sumologic/values.yaml @@ -480,7 +480,10 @@ sumologic: ## Selector for PodMonitors used for target discovery. ## See https://github.com/open-telemetry/opentelemetry-operator/blob/main/docs/api.md#opentelemetrycollectorspectargetallocatorprometheuscr podMonitorSelector: {} - securityContext: {} + securityContext: + ## The group ID of all processes in the statefulset containers. This can be anything, but it does need to be set. + ## The default is 0 (root), and containers don't have write permissions for volumes in that case. + fsGroup: 999 tolerations: [] otelcol: 
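Review bot: The value of `sumologic.metrics.collector.otelcol.securityContext` is now rendered under `podSecurityContext`, and the first hunk of this template removes the only place it was rendered as `securityContext`, so container-level fields an existing user set under that key (for example `allowPrivilegeEscalation`, `readOnlyRootFilesystem` or `capabilities`) would end up in a pod-level block where they are not valid fields. Assuming the operator treats `spec.securityContext` as the container context, those hardening settings may be rejected or silently dropped on upgrade, and the chart no longer exposes a key for the metrics collector's container-level context; the changelog entry should say that the key's meaning changed, and a separate container-level key would restore the option. The new block is also emitted unconditionally where the removed one was guarded, and wrapping it in `{{- with .Values.sumologic.metrics.collector.otelcol.securityContext }}` and `{{- end }}` would keep an empty or null value from rendering an empty `podSecurityContext:`. The enclosing `spec:` mapping starts and ends outside both hunks.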
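Review bot: The comment added above `fsGroup: 999` calls it the group ID of all processes and says the default is 0, which does not match how Kubernetes documents the field: `fsGroup` is a supplemental group that is also applied to the ownership of supported volumes, and when it is unset volume ownership is left as it is rather than defaulting to group 0. I would reword the two lines to `## Supplemental group applied to the pod's volumes so a collector running as a non-root user can write to them.` and `## If unset, volume ownership is left unchanged and writes to the volume may fail.` The same two comment lines are added in the `metadata:` and `otelevents:` hunks later in values.yaml and would take the same wording. The `sumologic:` mapping continues outside this hunk.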
@@ -3871,8 +3874,8 @@ metadata: pullPolicy: IfNotPresent securityContext: - ## ToDo: Verify following comment - ## The group ID of all processes in the statefulset containers. By default this needs to be otelcol(999). + ## The group ID of all processes in the statefulset containers. This can be anything, but it does need to be set. + ## The default is 0 (root), and containers don't have write permissions for volumes in that case. fsGroup: 999 ## Add custom labels to all otelcol sts pods(logs and metrics) @@ -4279,8 +4282,8 @@ otelevents: podAnnotations: {} securityContext: - ## ToDo: Verify following comment - ## The group ID of all processes in the statefulset containers. By default this needs to be otelcol(999). + ## The group ID of all processes in the statefulset containers. This can be anything, but it does need to be set. + ## The default is 0 (root), and containers don't have write permissions for volumes in that case. fsGroup: 999 ## Set securityContext for containers running in pods in events statefulset. diff --git a/tests/helm/testdata/goldenfile/metrics_collector_otc/basic.output.yaml b/tests/helm/testdata/goldenfile/metrics_collector_otc/basic.output.yaml index 04c45f295b..f6bf25a593 100644 --- a/tests/helm/testdata/goldenfile/metrics_collector_otc/basic.output.yaml +++ b/tests/helm/testdata/goldenfile/metrics_collector_otc/basic.output.yaml @@ -67,6 +67,8 @@ spec: - name: NO_PROXY value: kubernetes.default.svc + podSecurityContext: + fsGroup: 999 ports: - name: pprof port: 1777 diff --git a/tests/helm/testdata/goldenfile/metrics_collector_otc/custom.output.yaml b/tests/helm/testdata/goldenfile/metrics_collector_otc/custom.output.yaml index bb493bbf99..26ebffb935 100644 --- a/tests/helm/testdata/goldenfile/metrics_collector_otc/custom.output.yaml +++ b/tests/helm/testdata/goldenfile/metrics_collector_otc/custom.output.yaml 
@@ -39,8 +39,6 @@ spec: - effect: NoSchedule key: null operator: Exists - securityContext: - fsGroup: 999 priorityClassName: "customPriority" autoscaler: maxReplicas: 30 @@ -97,6 +95,8 @@ spec: secretKeyRef: key: secret_key name: secret_name + podSecurityContext: + fsGroup: 999 ports: - name: pprof port: 1777