🐛 Set fsGroup on hub pod to prevent read/write errors on PVC mounts #549

Merged: dymurray merged 1 commit into konveyor:main from jmontleon:set-fsGroup on Mar 6, 2026

jmontleon (Member) commented Mar 6, 2026

Summary by CodeRabbit

  • New Features
    • Enhanced OpenShift environment support with improved security context configuration for initialization containers, enabling optimized permission handling for mounted volumes during container initialization.

jmontleon requested review from dymurray and jortel, March 6, 2026 18:51

coderabbitai Bot commented Mar 6, 2026

Warning

Rate limit exceeded

@jmontleon has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 26 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 40f92bb and 480c2db.

📒 Files selected for processing (1)
  • roles/tackle/templates/deployment-hub.yml.j2

Walkthrough

Adds a conditional OpenShift-specific securityContext configuration to an init container in the deployment template. When running on OpenShift clusters, the init container now receives an fsGroup setting based on the hub_uid variable to manage mounted volume permissions appropriately.

Changes

| Cohort / File(s) | Summary |
|---|---|
| OpenShift Init Container Security Configuration (roles/tackle/templates/deployment-hub.yml.j2) | Introduces conditional fsGroup securityContext for init container in OpenShift deployments, ensuring proper volume permission handling. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A container once worried about rights,
On OpenShift's secure, guarded heights,
With fsGroup set true,
Permissions shone through,
The hub dances free—what a sight! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly describes the main change: adding fsGroup configuration to the hub pod to fix PVC mount read/write errors, which aligns with the OpenShift securityContext modification in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@roles/tackle/templates/deployment-hub.yml.j2`:
- Around line 262-265: The securityContext fsGroup block is currently nested
under the enable_chown_init_container guard so OpenShift pods only get fsGroup
when that init container is enabled; move the {% if openshift_cluster %} ...
securityContext: fsGroup: {{ hub_uid }} {% endif %} block out of the
enable_chown_init_container conditional and place it at the
pod/spec/template/spec level (i.e. the main pod securityContext) so it is
applied whenever openshift_cluster is true regardless of
enable_chown_init_container; update indentation and surrounding conditionals
accordingly and keep the existing variable names securityContext, fsGroup,
openshift_cluster and enable_chown_init_container to locate the code.

📥 Commits

Reviewing files that changed from the base of the PR and between fe31a8c and 40f92bb.

📒 Files selected for processing (1)
  • roles/tackle/templates/deployment-hub.yml.j2

Comment thread roles/tackle/templates/deployment-hub.yml.j2 Outdated
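
The placement issue raised in the review comment above, as a check over rendered manifests. This is an added example, not code from the PR or the konveyor project: it reports a Deployment that mounts a PVC without a pod-level fsGroup, and an fsGroup placed on a container securityContext. The manifests, the container and claim names, and the GID 1001 are constructed for illustration.

```python
# Added example: manifests, names and GID 1001 below are constructed, not from the PR.
import copy

def check_fsgroup(deployment, expected_gid=None):
    """Return findings about fsGroup placement in one rendered Deployment (dict)."""
    findings = []
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    uses_pvc = any("persistentVolumeClaim" in v for v in pod.get("volumes", []))
    fs_group = (pod.get("securityContext") or {}).get("fsGroup")
    if uses_pvc and fs_group is None:
        findings.append("pod mounts a PVC but pod-level securityContext.fsGroup is unset")
    elif expected_gid is not None and fs_group not in (None, expected_gid):
        findings.append(f"pod-level fsGroup is {fs_group}, expected {expected_gid}")
    # fsGroup belongs to the pod securityContext; it is not a container-level field.
    for kind in ("initContainers", "containers"):
        for ctr in pod.get(kind, []):
            if "fsGroup" in (ctr.get("securityContext") or {}):
                findings.append(f"{kind}/{ctr.get('name')}: fsGroup on a container securityContext")
    return findings

# Constructed render with fsGroup at pod level, independent of any init container.
POD_LEVEL = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"fsGroup": 1001},
    "containers": [{"name": "hub"}],
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "hub-data"}}],
}}}}

# Constructed render where the fsGroup block was skipped together with its enclosing guard.
GUARD_OFF = copy.deepcopy(POD_LEVEL)
del GUARD_OFF["spec"]["template"]["spec"]["securityContext"]

# Constructed render where fsGroup landed on the init container instead of the pod.
MISPLACED = copy.deepcopy(GUARD_OFF)
MISPLACED["spec"]["template"]["spec"]["initContainers"] = [
    {"name": "chown", "securityContext": {"fsGroup": 1001}}]

if __name__ == "__main__":
    for label, manifest in [("pod-level", POD_LEVEL), ("guard off", GUARD_OFF),
                            ("misplaced", MISPLACED)]:
        print(label, check_fsgroup(manifest, expected_gid=1001) or "ok")
```

Running it over the output of the template rendered with each combination of `openshift_cluster` and `enable_chown_init_container` shows whether fsGroup depends on the init-container guard.
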
Signed-off-by: Jason Montleon <jmontleo@redhat.com>
jmontleon added the cherry-pick/release-0.9 label (This PR should be cherry-picked to release-0.9 branch) Mar 6, 2026
dymurray merged commit 50df9e0 into konveyor:main Mar 6, 2026
13 checks passed
github-actions Bot pushed a commit that referenced this pull request Mar 6, 2026
…549)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Enhanced OpenShift environment support with improved security context
configuration for initialization containers, enabling optimized
permission handling for mounted volumes during container initialization.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Jason Montleon <jmontleo@redhat.com>
Signed-off-by: Cherry Picker <noreply@github.com>
@konveyor-ci-bot

PR cherry-picked to branch release-0.9. Backport PR: #551

dymurray pushed a commit that referenced this pull request Mar 6, 2026
…549) (#551)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Enhanced OpenShift environment support with improved security context
configuration for initialization containers, enabling optimized
permission handling for mounted volumes during container initialization.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Jason Montleon <jmontleo@redhat.com>
Signed-off-by: Cherry Picker <noreply@github.com>

Signed-off-by: Jason Montleon <jmontleo@redhat.com>
Signed-off-by: Cherry Picker <noreply@github.com>
Co-authored-by: Jason Montleon <jmontleo@redhat.com>