fix (storage) : use operator podSecurityContext for PVC cleanup job on OpenShift

[rohanKanojia]

What does this PR do?

Apply workspace.Config.Workspace.PodSecurityContext to the cleanup Job pod spec, matching the workspace deployment behavior.

What issues does this PR fix or reference?

https://redhat.atlassian.net/browse/CRW-10864

Is it tested? How?

Deploy DevWorkspaceOperator and follow these steps:

• Enable cleanup cronjob in DWOC and set podSecurityContext:

kubectl apply -f - <<EOF
apiVersion: controller.devfile.io/v1alpha1
kind: DevWorkspaceOperatorConfig
metadata:
  name: devworkspace-operator-config
  namespace: openshift-operators
config:
  workspace:
    cleanupCronJob:
      enable: true
      retainTime: 2592000
      schedule: "0 0 1 * *"
    podSecurityContext:
      fsGroupChangePolicy: OnRootMismatch
EOF

• Create test namespace

oc new-project test-cleanup-podsecuritycontext

• Create two DevWorkspaces

kubectl apply -f - <<EOF
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: test-cleanup-ws-a
  namespace: test-cleanup-podsecuritycontext
  labels:
    controller.devfile.io/creator: "test-user"
spec:
  started: true
  routingClass: basic
  template:
    attributes:
      controller.devfile.io/storage-type: common
    projects:
      - name: web-nodejs-sample
        git:
          remotes:
            origin: "https://github.com/che-samples/web-nodejs-sample.git"
    components:
      - name: dev
        container:
          image: quay.io/devfile/universal-developer-image:latest
          memoryLimit: 512Mi
          command: ["tail", "-f", "/dev/null"]
---
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: test-cleanup-ws-b
  namespace: test-cleanup-podsecuritycontext
  labels:
    controller.devfile.io/creator: "test-user"
spec:
  started: true
  routingClass: basic
  template:
    attributes:
      controller.devfile.io/storage-type: common
    projects:
      - name: web-nodejs-sample
        git:
          remotes:
            origin: "https://github.com/che-samples/web-nodejs-sample.git"
    components:
      - name: dev
        container:
          image: quay.io/devfile/universal-developer-image:latest
          memoryLimit: 512Mi
          command: ["tail", "-f", "/dev/null"]
EOF

• Wait until both workspaces are running
• Delete workspace A only (triggers PVC cleanup Job while B still uses the PVC) . You need to keep monitoring for cleanup job in a separate tab, as it disappears quickly

kubectl delete devworkspace test-cleanup-ws-a -n test-cleanup-podsecuritycontext

• Check the Cleanup CronJob contains podSecurityContext:

Expected:

oc get jobs -o yaml
...
        securityContext:
          fsGroupChangePolicy: OnRootMismatch

Behavior on main:

oc get jobs -o yaml

        securityContext: {}

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

• Tests

  • Added a unit test verifying the cleanup job pod uses the workspace-configured pod security context exactly as provided.

• Refactor

  • Simplified cleanup job security context logic to always use the workspace configuration, removing environment-specific branching for more consistent behavior.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bf0268fd-f481-46ae-89c5-42e61cf77e6e

📥 Commits

Reviewing files that changed from the base of the PR and between 0199538 and 2dd5da1.

📒 Files selected for processing (2)

• pkg/provision/storage/cleanup.go
• pkg/provision/storage/cleanup_test.go

---

📝 Walkthrough

Walkthrough

This PR removes OpenShift-specific conditional logic from the cleanup job pod security context setup and sets the Job pod spec SecurityContext directly from the workspace configuration. A new unit test verifies the cleanup job uses the configured PodSecurityContext.

Changes

Pod Security Context Simplification

Layer / File(s)	Summary
Cleanup job security context simplification and test pkg/provision/storage/cleanup.go, pkg/provision/storage/cleanup_test.go	Removes the infrastructure import and the infrastructure.IsOpenShift() conditional that computed a securityContext. The cleanup Job pod spec now assigns Spec.Template.Spec.SecurityContext directly from workspace.Config.Workspace.PodSecurityContext. Adds TestGetSpecCommonPVCCleanupJobUsesConfigPodSecurityContext to assert this behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Backup CronJob should apply DevWorkspaceOperatorConfig podSecurityContext #1636 — Both changes ensure Job pod specs use the resolved DevWorkspaceOperatorConfig podSecurityContext.

Suggested labels

lgtm, approved

Suggested reviewers

• ibuziuk
• akurinnoy
• btjd
• dkwon17

Poem

I hop through code with nimble feet,
Removing branches, making paths neat,
Security set from config true,
A test nods yes — the job will do. 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: applying operator podSecurityContext to the PVC cleanup job on OpenShift, which directly matches the core objective of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/provision/storage/cleanup_test.go`:
- Line 2: Update the copyright header string in this Go source to reflect the
current year: change the header text that reads "// Copyright (c) 2019-2025 Red
Hat, Inc." to "// Copyright (c) 2019-2026 Red Hat, Inc." so it matches the
required pattern for Go files (the header followed by the Apache License 2.0
text); ensure the exact header line in the file is replaced accordingly.
- Around line 18-33: Reorder the import block in cleanup_test.go into three
groups separated by single blank lines: first put standard library imports
(context, testing), then third-party + Kubernetes imports
(github.com/stretchr/testify/assert, sigs.k8s.io/controller-runtime/pkg/log/zap,
sigs.k8s.io/controller-runtime/pkg/client/fake, k8s.io/api/core/v1,
k8s.io/apimachinery/pkg/apis/meta/v1, and any other non-local packages), and
finally project-local imports (github.com/devfile/api/v2/...,
github.com/devfile/devworkspace-operator/...,
github.com/devfile/devworkspace-operator/pkg/..., etc.); run make fmt or
goimports to enforce formatting. Ensure the import names shown in the diff
(context, testing, dw, assert, corev1, metav1, fake, zap and project packages
like common, constants, infrastructure, sync, v1alpha1) are placed into the
correct groups.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f316ac07-7b25-41eb-9d5b-7755d159173f

📥 Commits

Reviewing files that changed from the base of the PR and between 113b402 and 0199538.

📒 Files selected for processing (2)

• pkg/provision/storage/cleanup.go
• pkg/provision/storage/cleanup_test.go

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.79%. Comparing base (3aa293d) to head (2dd5da1).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1638      +/-   ##
==========================================
+ Coverage   36.92%   37.79%   +0.87%     
==========================================
  Files         168      168              
  Lines       14744    14755      +11     
==========================================
+ Hits         5444     5577     +133     
+ Misses       8949     8814     -135     
- Partials      351      364      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tolusha]

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

• /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
• /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
• /che-ai-assistant help — Show this help message

[tolusha]

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

[tolusha]

Comprehensive PR Review Summary

I've completed a thorough multi-phase review of this PR (standard code review, deep design analysis, and system-level impact assessment). Overall verdict: Ready to merge ✅

Key Strengths

✅ Design quality: Eliminates platform-specific branching that violated the operator's configuration model
✅ Test coverage: Good regression test for the primary bug scenario with realistic OpenShift fields
✅ Consistency: Cleanup jobs now follow the same contract as workspace deployments
✅ Security: No privilege escalation - applies exactly what the cluster admin configured
✅ Impact: Minimal system-level impact, fixes a bug where config was silently ignored

Optional Suggestions for Future Enhancement

1. Consider adding nil-config test case

The current test validates that a custom PodSecurityContext is correctly applied. Consider adding a second test case where PodSecurityContext is nil to verify the default-config path:

Suggested test case

```go
func TestGetSpecCommonPVCCleanupJobWithNilPodSecurityContext(t *testing.T) {
infrastructure.InitializeForTesting(infrastructure.Kubernetes)

namespace := "test-ns"
pvcName := "claim-devworkspace"
fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(
	&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}},
).Build()

workspace := &common.DevWorkspaceWithConfig{
	DevWorkspace: &dw.DevWorkspace{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "test-workspace",
			Namespace: namespace,
			Labels: map[string]string{
				constants.DevWorkspaceCreatorLabel: "test-creator",
			},
		},
		Status: dw.DevWorkspaceStatus{
			DevWorkspaceId: "test-workspace-id",
		},
	},
	Config: &v1alpha1.OperatorConfiguration{
		Workspace: &v1alpha1.WorkspaceConfig{
			PVCName:            pvcName,
			PodSecurityContext: nil, // No custom security context
		},
	},
}

clusterAPI := sync.ClusterAPI{
	Client: fakeClient,
	Scheme: scheme,
	Logger: zap.New(zap.UseDevMode(true)),
	Ctx:    context.Background(),
}

job, err := getSpecCommonPVCCleanupJob(workspace, clusterAPI)
assert.NoError(t, err)
assert.Nil(t, job.Spec.Template.Spec.SecurityContext)

}
```

This would:

• Complete the test coverage matrix (nil vs. non-nil security context)
• Guard against future regressions where someone might re-introduce platform-specific logic
• Validate backward compatibility for deployments without custom security settings

2. Optional: Document the design decision

Consider adding a brief comment in cleanup.go at the SecurityContext assignment explaining why there's no platform-specific branching, since the old code clearly thought it was needed. This helps future developers understand the design decision.

Review Details

Verdicts across all review phases:

• Standard review: ✅ Approve - Clean, minimal fix with good test coverage
• Deep review: ✅ Design is Sound - Aligns with operator's configuration model
• Impact review: ✅ No concerns - Minimal system-level impact

The suggestions above are optional improvements. The PR is production-ready as-is.

---

Review conducted by Claude Code PR Review (standard + deep + impact analysis)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia, tolusha
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment