fix (storage) : use operator podSecurityContext for PVC cleanup job on OpenShift

[rohanKanojia]

What does this PR do?

Apply workspace.Config.Workspace.PodSecurityContext to the cleanup Job pod spec, matching the workspace deployment behavior.

What issues does this PR fix or reference?

https://redhat.atlassian.net/browse/CRW-10864

Is it tested? How?

Deploy DevWorkspaceOperator and follow these steps:

• Enable cleanup cronjob in DWOC and set podSecurityContext:

kubectl apply -f - <<EOF
apiVersion: controller.devfile.io/v1alpha1
kind: DevWorkspaceOperatorConfig
metadata:
  name: devworkspace-operator-config
  namespace: openshift-operators
config:
  workspace:
    cleanupCronJob:
      enable: true
      retainTime: 2592000
      schedule: "0 0 1 * *"
    podSecurityContext:
      fsGroupChangePolicy: OnRootMismatch
EOF

• Create test namespace

oc new-project test-cleanup-podsecuritycontext

• Create two DevWorkspaces

kubectl apply -f - <<EOF
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: test-cleanup-ws-a
  namespace: test-cleanup-podsecuritycontext
  labels:
    controller.devfile.io/creator: "test-user"
spec:
  started: true
  routingClass: basic
  template:
    attributes:
      controller.devfile.io/storage-type: common
    projects:
      - name: web-nodejs-sample
        git:
          remotes:
            origin: "https://github.com/che-samples/web-nodejs-sample.git"
    components:
      - name: dev
        container:
          image: quay.io/devfile/universal-developer-image:latest
          memoryLimit: 512Mi
          command: ["tail", "-f", "/dev/null"]
---
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: test-cleanup-ws-b
  namespace: test-cleanup-podsecuritycontext
  labels:
    controller.devfile.io/creator: "test-user"
spec:
  started: true
  routingClass: basic
  template:
    attributes:
      controller.devfile.io/storage-type: common
    projects:
      - name: web-nodejs-sample
        git:
          remotes:
            origin: "https://github.com/che-samples/web-nodejs-sample.git"
    components:
      - name: dev
        container:
          image: quay.io/devfile/universal-developer-image:latest
          memoryLimit: 512Mi
          command: ["tail", "-f", "/dev/null"]
EOF

• Wait until both workspaces are running
• Delete workspace A only (triggers PVC cleanup Job while B still uses the PVC) . You need to keep monitoring for cleanup job in a separate tab, as it disappears quickly

kubectl delete devworkspace test-cleanup-ws-a -n test-cleanup-podsecuritycontext

• Check the Cleanup CronJob contains podSecurityContext:

Expected:

oc get jobs -o yaml
...
        securityContext:
          fsGroupChangePolicy: OnRootMismatch

Behavior on main:

oc get jobs -o yaml

        securityContext: {}

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

• Tests

  • Added test coverage to ensure pod security context configuration is correctly applied in cleanup job operations.

• Refactor

  • Simplified security context handling in cleanup operations by using a unified configuration approach for more consistent behavior.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR removes OpenShift-specific conditional logic from the cleanup job pod security context setup. The cleanup Job now always uses the workspace configuration's pod security context directly, eliminating the prior dependency on the infrastructure package. A new test validates this behavior.

Changes

Pod Security Context Simplification

Layer / File(s)	Summary
Cleanup job security context simplification and test pkg/provision/storage/cleanup.go, pkg/provision/storage/cleanup_test.go	Removes infrastructure.IsOpenShift() conditional check and computed securityContext variable from cleanup Job pod spec setup. Pod spec now directly uses workspace.Config.Workspace.PodSecurityContext. New test TestGetSpecCommonPVCCleanupJobUsesConfigPodSecurityContext verifies the cleanup job correctly applies the configured security context.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

lgtm, approved

Suggested reviewers

• ibuziuk
• akurinnoy
• btjd

Poem

A cleanup job springs forth without the OpenShift chains,
Security context flows direct from config's veins,
No more branching paths—simplicity reigns supreme,
The test stands guard, a faithful dream. 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: applying operator podSecurityContext to the PVC cleanup job on OpenShift, which matches the core modification removing OpenShift-specific logic and always using the configured PodSecurityContext.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/provision/storage/cleanup_test.go`:
- Line 2: Update the copyright header string in this Go source to reflect the
current year: change the header text that reads "// Copyright (c) 2019-2025 Red
Hat, Inc." to "// Copyright (c) 2019-2026 Red Hat, Inc." so it matches the
required pattern for Go files (the header followed by the Apache License 2.0
text); ensure the exact header line in the file is replaced accordingly.
- Around line 18-33: Reorder the import block in cleanup_test.go into three
groups separated by single blank lines: first put standard library imports
(context, testing), then third-party + Kubernetes imports
(github.com/stretchr/testify/assert, sigs.k8s.io/controller-runtime/pkg/log/zap,
sigs.k8s.io/controller-runtime/pkg/client/fake, k8s.io/api/core/v1,
k8s.io/apimachinery/pkg/apis/meta/v1, and any other non-local packages), and
finally project-local imports (github.com/devfile/api/v2/...,
github.com/devfile/devworkspace-operator/...,
github.com/devfile/devworkspace-operator/pkg/..., etc.); run make fmt or
goimports to enforce formatting. Ensure the import names shown in the diff
(context, testing, dw, assert, corev1, metav1, fake, zap and project packages
like common, constants, infrastructure, sync, v1alpha1) are placed into the
correct groups.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f316ac07-7b25-41eb-9d5b-7755d159173f

📥 Commits

Reviewing files that changed from the base of the PR and between 113b402 and 0199538.

📒 Files selected for processing (2)

• pkg/provision/storage/cleanup.go
• pkg/provision/storage/cleanup_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update the copyright year in the file header.

Line 2 still uses 2019-2025; this should be 2019-2026 for current-year compliance.

As per coding guidelines: **/*.go: All Go source files MUST start with the copyright header: '// Copyright (c) 2019-{CURRENT_YEAR} Red Hat, Inc.' followed by Apache License 2.0 license text.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/provision/storage/cleanup_test.go` at line 2, Update the copyright header
string in this Go source to reflect the current year: change the header text
that reads "// Copyright (c) 2019-2025 Red Hat, Inc." to "// Copyright (c)
2019-2026 Red Hat, Inc." so it matches the required pattern for Go files (the
header followed by the Apache License 2.0 text); ensure the exact header line in
the file is replaced accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Reorder imports into the required three groups.

Lines 18-33 currently mix third-party/Kubernetes and project-local imports in one block; split into: standard library, third-party+Kubernetes, then project-local (or run make fmt).

As per coding guidelines: **/*.go: Organize imports into three groups separated by blank lines: (1) standard library, (2) third-party + Kubernetes, (3) project-local. Run 'make fmt' to enforce automatically.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/provision/storage/cleanup_test.go` around lines 18 - 33, Reorder the
import block in cleanup_test.go into three groups separated by single blank
lines: first put standard library imports (context, testing), then third-party +
Kubernetes imports (github.com/stretchr/testify/assert,
sigs.k8s.io/controller-runtime/pkg/log/zap,
sigs.k8s.io/controller-runtime/pkg/client/fake, k8s.io/api/core/v1,
k8s.io/apimachinery/pkg/apis/meta/v1, and any other non-local packages), and
finally project-local imports (github.com/devfile/api/v2/...,
github.com/devfile/devworkspace-operator/...,
github.com/devfile/devworkspace-operator/pkg/..., etc.); run make fmt or
goimports to enforce formatting. Ensure the import names shown in the diff
(context, testing, dw, assert, corev1, metav1, fake, zap and project packages
like common, constants, infrastructure, sync, v1alpha1) are placed into the
correct groups.