summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-11-04 08:46:43 +0000
committerGerrit Code Review <gerrit@onap.org>2020-11-04 08:46:43 +0000
commitc28ecc68065746659cdf858946cf09cd60d3629c (patch)
tree85b80ac8f9f2de2b283fb371d6a4d6cff97d212c
parent8a9bb06970d6ee75df5f5e53743e0222eabb4b75 (diff)
parent4aa45c75ac68a5358d480b59fb47f918fa410086 (diff)
Merge changes Ic1302ac2,I43584b7f
* changes: [CONSUL] Make consul server run as non-root [CONSUL] Make consul run as non-root
-rw-r--r--kubernetes/consul/charts/consul-server/templates/statefulset.yaml4
-rw-r--r--kubernetes/consul/templates/deployment.yaml37
-rw-r--r--kubernetes/consul/values.yaml7
3 files changed, 38 insertions, 10 deletions
diff --git a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
index 430b6dd1bd..d572ec2d54 100644
--- a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
+++ b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
@@ -42,8 +42,10 @@ spec:
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
- command: ["/usr/local/bin/docker-entrypoint.sh"]
+ command:
+ - sh
args:
+ - /usr/local/bin/docker-entrypoint.sh
- "agent"
- "-bootstrap-expect={{ .Values.replicaCount }}"
- "-enable-script-checks"
diff --git a/kubernetes/consul/templates/deployment.yaml b/kubernetes/consul/templates/deployment.yaml
index 51c6eb72d5..6f1c57967f 100644
--- a/kubernetes/consul/templates/deployment.yaml
+++ b/kubernetes/consul/templates/deployment.yaml
@@ -39,15 +39,34 @@ spec:
spec:
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
+ initContainers:
+ - name: {{ include "common.name" . }}-chown
+ image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ cp -r -L /tmp/consul/config/* /consul/config/
+ chown -R {{ .Values.consulUID }}:{{ .Values.consulGID }} /consul/config
+ ls -la /consul/config
+ volumeMounts:
+ - mountPath: /tmp/consul/config
+ name: consul-agent-config
+ - mountPath: /consul/config
+ name: consul-agent-config-dir
containers:
- image: "{{ include "common.repository" . }}/{{ .Values.image }}"
command:
- - /bin/sh
- - "-c"
- - |
- apk update && apk add jq
- cp /tmp/consul/config/* /consul/config
- /usr/local/bin/docker-entrypoint.sh agent -client 0.0.0.0 -enable-script-checks -retry-join {{ .Values.consulServer.nameOverride }}
+ - sh
+ args:
+ - /usr/local/bin/docker-entrypoint.sh
+ - agent
+ - -client
+ - 0.0.0.0
+ - -enable-script-checks
+ - -retry-join
+ - {{ .Values.consulServer.nameOverride }}
name: {{ include "common.name" . }}
env:
- name: SDNC_ODL_COUNT
@@ -55,14 +74,16 @@ spec:
- name: SDNC_IS_PRIMARY_CLUSTER
value: "{{ .Values.sdnc.config.isPrimaryCluster }}"
volumeMounts:
- - mountPath: /tmp/consul/config
- name: consul-agent-config
+ - mountPath: /consul/config
+ name: consul-agent-config-dir
- mountPath: /consul/scripts
name: consul-agent-scripts-config
- mountPath: /consul/certs
name: consul-agent-certs-config
resources: {{ include "common.resources" . | nindent 10 }}
volumes:
+ - name: consul-agent-config-dir
+ emptyDir: {}
- configMap:
name: {{ include "common.fullname" . }}-configmap
name: consul-agent-config
diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml
index 512c4c3dac..8f17dc637f 100644
--- a/kubernetes/consul/values.yaml
+++ b/kubernetes/consul/values.yaml
@@ -20,19 +20,24 @@ global:
readinessImage: onap/oom/readiness:3.0.1
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
+ busyboxRepository: registry.hub.docker.com
+ busyboxImage: library/busybox:latest
#################################################################
# Application configuration defaults.
#################################################################
# application image
repository: docker.io
-image: oomk8s/consul:1.0.0
+image: oomk8s/consul:2.0.0
pullPolicy: Always
#subchart name
consulServer:
nameOverride: consul-server
+consulUID: 100
+consulGID: 1000
+
# flag to enable debugging - application support required
debugEnabled: false