summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichaelMorris <michael.morris@est.tech>2020-04-28 09:34:17 +0100
committerMichaelMorris <michael.morris@est.tech>2020-04-29 09:01:38 +0100
commit276812c91c17e56f02760f2da657c598abbc881e (patch)
tree61abff97ec143070d66660e4ffc4949f74756294
parentf69c491ed06b017fe439ff8ff48ac896e93d0f52 (diff)
Set sdc onboarding volume mount permissions
Set the permissions of files in the sdc onboarding backend persistent volume for package certs to enable access by the process in the pod which now runs as non-root user (since SDC-2798) Signed-off-by: MichaelMorris <michael.morris@est.tech> Issue-ID: SDC-2981 Change-Id: I6113f14ca9933e2fec2b565768ed5afbe3c18f21
-rw-r--r--kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml13
-rw-r--r--kubernetes/sdc/charts/sdc-onboarding-be/values.yaml3
-rw-r--r--kubernetes/sdc/values.yaml2
3 files changed, 18 insertions, 0 deletions
diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
index 3db3685b86..108c781f54 100644
--- a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
@@ -70,6 +70,19 @@ spec:
mountPath: /config-input/
- name: sdc-environments-output
mountPath: /config-output/
+ - name: volume-permissions
+ image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-cert-storage
+ mountPath: "/onboard/cert"
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
index 946cb3491f..4cfebbf72f 100644
--- a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
@@ -103,6 +103,9 @@ cert:
volumeReclaimPolicy: Retain
mountSubPath: /sdc/onbaording/cert
+securityContext:
+ fsGroup: 35953
+ runAsUser: 352070
ingress:
enabled: false
diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml
index 5701a91f27..2694b5de80 100644
--- a/kubernetes/sdc/values.yaml
+++ b/kubernetes/sdc/values.yaml
@@ -28,6 +28,8 @@ global:
wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
ubuntuInitRepository: oomk8s
ubuntuInitImage: ubuntu-init:1.0.0
+ busyboxRepository: registry.hub.docker.com
+ busyboxImage: library/busybox:latest
cassandra:
#This flag allows SDC to instantiate its own cluster, serviceName
#should be sdc-cs if this flag is enabled