feat: add optional SSSD support to controller

This enables user validation for operations like Slurm reservation creation with users
without exposing SSH access to the controller pod.

Author: faganihajizada

api/v1beta1/controller_keys.go

@@ -98,3 +98,20 @@ func (o *Controller) ConfigKey() types.NamespacedName {
 		Namespace: o.Namespace,
 	}
 }
+
+func (o *Controller) SssdSecretKey() types.NamespacedName {
+	return types.NamespacedName{
+		Name:      o.Spec.SssdConfRef.Name,
+		Namespace: o.Namespace,
+	}
+}
+
+func (o *Controller) SssdSecretRef() *corev1.SecretKeySelector {
+	key := o.SssdSecretKey()
+	return &corev1.SecretKeySelector{
+		LocalObjectReference: corev1.LocalObjectReference{
+			Name: key.Name,
+		},
+		Key: o.Spec.SssdConfRef.Key,
+	}
+}

api/v1beta1/controller_types.go

@@ -115,6 +115,10 @@ type ControllerSpec struct {
 	// Metrics defines the metric collection configuration.
 	// +optional
 	Metrics Metrics `json:"metrics,omitzero"`
+
+	// SssdConfRef is a reference to a secret containing the `sssd.conf`.
+	// +optional
+	SssdConfRef corev1.SecretKeySelector `json:"sssdConfRef,omitzero"`
 }
 
 type ControllerPersistence struct {

api/v1beta1/zz_generated.deepcopy.go

@@ -100,4 +100,9 @@ spec:
   metrics:
     {{- toYaml . | nindent 4 }}
   {{- end }}{{- /* with .Values.controller.metrics */}}
+  {{- if or .Values.sssd.conf .Values.sssd.secretRef }}
+  sssdConfRef:
+    name: {{ include "slurm.sssdConf.name" . }}
+    key: {{ include "slurm.sssdConf.key" . }}
+  {{- end }}{{- /* if or .Values.sssd.conf .Values.sssd.secretRef */}}
 {{- end }}{{- /* if .Values.controller.external */}}

config/crd/bases/slinky.slurm.net_controllers.yaml

@@ -4,20 +4,24 @@
 package builder
 
 import (
+	"context"
 	_ "embed"
 	"fmt"
 	"path"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	slinkyv1beta1 "github.com/SlinkyProject/slurm-operator/api/v1beta1"
 	"github.com/SlinkyProject/slurm-operator/internal/builder/labels"
 	"github.com/SlinkyProject/slurm-operator/internal/builder/metadata"
+	"github.com/SlinkyProject/slurm-operator/internal/utils/crypto"
 )
 
 const (
@@ -106,6 +110,7 @@ func (b *Builder) BuildController(controller *slinkyv1beta1.Controller) (*appsv1
 }
 
 func (b *Builder) controllerPodTemplate(controller *slinkyv1beta1.Controller) (corev1.PodTemplateSpec, error) {
+	ctx := context.TODO()
 	key := controller.Key()
 
 	size := len(controller.Spec.ConfigFileRefs) + len(controller.Spec.PrologScriptRefs) + len(controller.Spec.EpilogScriptRefs) + len(controller.Spec.PrologSlurmctldScriptRefs) + len(controller.Spec.EpilogSlurmctldScriptRefs)
@@ -126,14 +131,29 @@ func (b *Builder) controllerPodTemplate(controller *slinkyv1beta1.Controller) (c
 		extraConfigMapNames = append(extraConfigMapNames, ref.Name)
 	}
 
+	// Build annotations with SSSD hash if configured
+	annotations := map[string]string{
+		annotationDefaultContainer: labels.ControllerApp,
+	}
+	if controller.Spec.SssdConfRef.Name != "" {
+		sssdSecret := &corev1.Secret{}
+		sssdSecretKey := controller.SssdSecretKey()
+		if err := b.client.Get(ctx, sssdSecretKey, sssdSecret); err != nil {
+			if !apierrors.IsNotFound(err) {
+				return corev1.PodTemplateSpec{}, fmt.Errorf("failed to get object (%s): %w", klog.KObj(sssdSecret), err)
+			}
+		}
+		sssdConfRefKey := controller.SssdSecretRef().Key
+		sssdConfHash := crypto.CheckSum([]byte(sssdSecret.StringData[sssdConfRefKey]))
+		annotations[annotationSssdConfHash] = sssdConfHash
+	}
+
 	objectMeta := metadata.NewBuilder(key).
 		WithAnnotations(controller.Annotations).
 		WithLabels(controller.Labels).
 		WithMetadata(controller.Spec.Template.Metadata).
 		WithLabels(labels.NewBuilder().WithControllerLabels(controller).Build()).
-		WithAnnotations(map[string]string{
-			annotationDefaultContainer: labels.ControllerApp,
-		}).
+		WithAnnotations(annotations).
 		Build()
 
 	spec := controller.Spec
@@ -147,19 +167,16 @@ func (b *Builder) controllerPodTemplate(controller *slinkyv1beta1.Controller) (c
 		},
 		base: corev1.PodSpec{
 			AutomountServiceAccountToken: ptr.To(false),
+			SecurityContext: &corev1.PodSecurityContext{
+				FSGroup: ptr.To[int64](401),
+			},
 			Containers: []corev1.Container{
-				b.slurmctldContainer(spec.Slurmctld.Container, controller.ClusterName()),
+				b.slurmctldContainer(spec.Slurmctld.Container, controller),
 			},
 			InitContainers: []corev1.Container{
 				b.reconfigureContainer(spec.Reconfigure),
 				b.logfileContainer(spec.LogFile, slurmctldLogFilePath),
 			},
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsNonRoot: ptr.To(true),
-				RunAsUser:    ptr.To(slurmUserUid),
-				RunAsGroup:   ptr.To(slurmUserGid),
-				FSGroup:      ptr.To(slurmUserGid),
-			},
 			Volumes: controllerVolumes(controller, extraConfigMapNames),
 		},
 		merge: template.PodSpec,
@@ -174,7 +191,7 @@ func controllerVolumes(controller *slinkyv1beta1.Controller, extra []string) []c
 			Name: slurmEtcVolume,
 			VolumeSource: corev1.VolumeSource{
 				Projected: &corev1.ProjectedVolumeSource{
-					DefaultMode: ptr.To[int32](0o610),
+					DefaultMode: ptr.To[int32](0o640),
 					Sources: []corev1.VolumeProjection{
 						{
 							ConfigMap: &corev1.ConfigMapProjection{
@@ -189,7 +206,7 @@ func controllerVolumes(controller *slinkyv1beta1.Controller, extra []string) []c
 									Name: controller.AuthSlurmRef().Name,
 								},
 								Items: []corev1.KeyToPath{
-									{Key: controller.AuthSlurmRef().Key, Path: slurmKeyFile},
+									{Key: controller.AuthSlurmRef().Key, Path: slurmKeyFile, Mode: ptr.To[int32](0o600)},
 								},
 							},
 						},
@@ -199,7 +216,7 @@ func controllerVolumes(controller *slinkyv1beta1.Controller, extra []string) []c
 									Name: controller.AuthJwtHs256Ref().Name,
 								},
 								Items: []corev1.KeyToPath{
-									{Key: controller.AuthJwtHs256Ref().Key, Path: JwtHs256KeyFile},
+									{Key: controller.AuthJwtHs256Ref().Key, Path: JwtHs256KeyFile, Mode: ptr.To[int32](0o600)},
 								},
 							},
 						},
@@ -226,14 +243,57 @@ func controllerVolumes(controller *slinkyv1beta1.Controller, extra []string) []c
 		}
 		out[0].Projected.Sources = append(out[0].Projected.Sources, volumeProjection)
 	}
+	// Add SSSD volume if configured (optional)
+	if controller.Spec.SssdConfRef.Name != "" {
+		sssdVolume := corev1.Volume{
+			Name: sssdConfVolume,
+			VolumeSource: corev1.VolumeSource{
+				Projected: &corev1.ProjectedVolumeSource{
+					DefaultMode: ptr.To[int32](0o600),
+					Sources: []corev1.VolumeProjection{
+						{
+							Secret: &corev1.SecretProjection{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: controller.SssdSecretRef().Name,
+								},
+								Items: []corev1.KeyToPath{
+									{Key: controller.SssdSecretRef().Key, Path: sssdConfFile, Mode: ptr.To[int32](0o600)},
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+		out = append(out, sssdVolume)
+	}
 	return out
 }
 
 func clusterSpoolDir(clustername string) string {
 	return path.Join(slurmctldSpoolDir, clustername)
 }
 
-func (b *Builder) slurmctldContainer(merge corev1.Container, clusterName string) corev1.Container {
+func (b *Builder) slurmctldContainer(merge corev1.Container, controller *slinkyv1beta1.Controller) corev1.Container {
+	clusterName := controller.ClusterName()
+	volumeMounts := []corev1.VolumeMount{
+		{Name: slurmEtcVolume, MountPath: slurmEtcDir, ReadOnly: true},
+		{Name: slurmPidFileVolume, MountPath: slurmPidFileDir},
+		{Name: slurmctldStateSaveVolume, MountPath: clusterSpoolDir(clusterName)},
+		{Name: slurmAuthSocketVolume, MountPath: slurmctldAuthSocketDir},
+		{Name: slurmLogFileVolume, MountPath: slurmLogFileDir},
+	}
+	// Add SSSD mount if configured (optional)
+	// Mount to staging dir (not /etc/sssd/) so entrypoint can copy with correct permissions
+	if controller.Spec.SssdConfRef.Name != "" {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      sssdConfVolume,
+			MountPath: "/run/sssd-mounted/sssd.conf",
+			SubPath:   sssdConfFile,
+			ReadOnly:  true,
+		})
+	}
+
 	opts := ContainerOpts{
 		base: corev1.Container{
 			Name: labels.ControllerApp,
@@ -272,18 +332,7 @@ func (b *Builder) slurmctldContainer(merge corev1.Container, clusterName string)
 				FailureThreshold: 6,
 				PeriodSeconds:    10,
 			},
-			SecurityContext: &corev1.SecurityContext{
-				RunAsNonRoot: ptr.To(true),
-				RunAsUser:    ptr.To(slurmUserUid),
-				RunAsGroup:   ptr.To(slurmUserGid),
-			},
-			VolumeMounts: []corev1.VolumeMount{
-				{Name: slurmEtcVolume, MountPath: slurmEtcDir, ReadOnly: true},
-				{Name: slurmPidFileVolume, MountPath: slurmPidFileDir},
-				{Name: slurmctldStateSaveVolume, MountPath: clusterSpoolDir(clusterName)},
-				{Name: slurmAuthSocketVolume, MountPath: slurmctldAuthSocketDir},
-				{Name: slurmLogFileVolume, MountPath: slurmLogFileDir},
-			},
+			VolumeMounts: volumeMounts,
 		},
 		merge: merge,
 	}

helm/slurm-operator-crds/templates/slinky.slurm.net_controllers.yaml

@@ -96,17 +96,13 @@ func TestBuilder_BuildController(t *testing.T) {
 				t.Errorf("Template.Labels = %v , Selector.MatchLabels = %v",
 					got.Spec.Template.Labels, got.Spec.Selector.MatchLabels)
 
-			case ptr.Deref(got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot, false) != true:
-				t.Errorf("got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot = %v , want = %v",
-					got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot, true)
+			case got.Spec.Template.Spec.Containers[0].SecurityContext != nil:
+				t.Errorf("got.Spec.Template.Spec.Containers[0].SecurityContext = %v , want = nil",
+					got.Spec.Template.Spec.Containers[0].SecurityContext)
 
-			case ptr.Deref(got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser, 0) != slurmUserUid:
-				t.Errorf("got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser = %v , want = %v",
-					got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser, slurmUserUid)
-
-			case ptr.Deref(got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsGroup, 0) != slurmUserGid:
-				t.Errorf("got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsGroup = %v , want = %v",
-					got.Spec.Template.Spec.Containers[0].SecurityContext.RunAsGroup, slurmUserGid)
+			case ptr.Deref(got.Spec.Template.Spec.SecurityContext.FSGroup, 0) != slurmUserGid:
+				t.Errorf("got.Spec.Template.Spec.SecurityContext.FSGroup = %v , want = %v",
+					got.Spec.Template.Spec.SecurityContext.FSGroup, slurmUserGid)
 
 			case got.Spec.Template.Spec.Containers[0].Name != labels.ControllerApp:
 				t.Errorf("Template.Spec.Containers[0].Name = %v , want = %v",