summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-11-25 16:54:36 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-12-01 15:39:12 +0000
commit775b166148ff8f4abb2e667a9824a66f5bd674c0 (patch)
treea05e4e7f4452dcf0be0a97aaadf50456ac73e098
parent30d1d3a6eff0985ac1553da015c04f063d1607cc (diff)
[CONSUL] Make consul run as non-root
Use our recently build consul image (still based on the same old consul version) and modify the deployment to make sure that it is able to run as non-root user. Yes, I know that moving consul-server to component would be more proper solution but as this commit is supposed to be cherry-picked to guilin I've tried to make as little changes as possible. Issue-ID: REQ-362 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Idfc09ee225d4f89bb699683fa5e4ae3b86491c08
-rw-r--r--kubernetes/consul/charts/consul-server/templates/statefulset.yaml3
-rw-r--r--kubernetes/consul/charts/consul-server/values.yaml9
-rw-r--r--kubernetes/consul/templates/deployment.yaml41
-rw-r--r--kubernetes/consul/values.yaml12
4 files changed, 52 insertions, 13 deletions
diff --git a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
index 430b6dd1bd..872ef13f95 100644
--- a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
+++ b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
@@ -42,6 +42,9 @@ spec:
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
command: ["/usr/local/bin/docker-entrypoint.sh"]
args:
- "agent"
diff --git a/kubernetes/consul/charts/consul-server/values.yaml b/kubernetes/consul/charts/consul-server/values.yaml
index 81472e71eb..d4c03e54ca 100644
--- a/kubernetes/consul/charts/consul-server/values.yaml
+++ b/kubernetes/consul/charts/consul-server/values.yaml
@@ -25,8 +25,8 @@ global:
# Application configuration defaults.
#################################################################
# application image
-repository: docker.io
-image: consul:1.0.6
+repository: nexus3.onap.org:10001
+image: onap/oom/consul:2.1.0
pullPolicy: Always
# flag to enable debugging - application support required
@@ -90,3 +90,8 @@ resources:
cpu: 1
memory: 2Gi
unlimited: {}
+
+securityContext:
+ fsGroup: 1000
+ runAsUser: 100
+ runAsGroup: 1000
diff --git a/kubernetes/consul/templates/deployment.yaml b/kubernetes/consul/templates/deployment.yaml
index 51c6eb72d5..eece2b704f 100644
--- a/kubernetes/consul/templates/deployment.yaml
+++ b/kubernetes/consul/templates/deployment.yaml
@@ -39,15 +39,36 @@ spec:
spec:
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
- containers:
- - image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ initContainers:
+ - name: {{ include "common.name" . }}-chown
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
command:
- - /bin/sh
- - "-c"
+ - sh
+ args:
+ - -c
- |
- apk update && apk add jq
- cp /tmp/consul/config/* /consul/config
- /usr/local/bin/docker-entrypoint.sh agent -client 0.0.0.0 -enable-script-checks -retry-join {{ .Values.consulServer.nameOverride }}
+ cp -r -L /tmp/consul/config/* /consul/config/
+ chown -R {{ .Values.consulUID }}:{{ .Values.consulGID }} /consul/config
+ ls -la /consul/config
+ volumeMounts:
+ - mountPath: /tmp/consul/config
+ name: consul-agent-config
+ - mountPath: /consul/config
+ name: consul-agent-config-dir
+ containers:
+ - image: {{ include "common.repository" . }}/{{ .Values.image }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ command:
+ - docker-entrypoint.sh
+ args:
+ - agent
+ - -client
+ - 0.0.0.0
+ - -enable-script-checks
+ - -retry-join
+ - {{ .Values.consulServer.nameOverride }}
name: {{ include "common.name" . }}
env:
- name: SDNC_ODL_COUNT
@@ -55,14 +76,16 @@ spec:
- name: SDNC_IS_PRIMARY_CLUSTER
value: "{{ .Values.sdnc.config.isPrimaryCluster }}"
volumeMounts:
- - mountPath: /tmp/consul/config
- name: consul-agent-config
+ - mountPath: /consul/config
+ name: consul-agent-config-dir
- mountPath: /consul/scripts
name: consul-agent-scripts-config
- mountPath: /consul/certs
name: consul-agent-certs-config
resources: {{ include "common.resources" . | nindent 10 }}
volumes:
+ - name: consul-agent-config-dir
+ emptyDir: {}
- configMap:
name: {{ include "common.fullname" . }}-configmap
name: consul-agent-config
diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml
index 512c4c3dac..54eee3624b 100644
--- a/kubernetes/consul/values.yaml
+++ b/kubernetes/consul/values.yaml
@@ -25,14 +25,17 @@ global:
# Application configuration defaults.
#################################################################
# application image
-repository: docker.io
-image: oomk8s/consul:1.0.0
+repository: nexus3.onap.org:10001
+image: onap/oom/consul:2.1.0
pullPolicy: Always
#subchart name
consulServer:
nameOverride: consul-server
+consulUID: 100
+consulGID: 1000
+
# flag to enable debugging - application support required
debugEnabled: false
@@ -103,3 +106,8 @@ sdnc:
config:
isPrimaryCluster: true
replicaCount: 1
+
+securityContext:
+ fsGroup: 1000
+ runAsUser: 100
+ runAsGroup: 1000