[CONSUL] Make consul run as non-root

Use our recently built consul image (still based on the same old
consul version) and modify the deployment to make sure that it is able
to run as a non-root user.

Yes, I know that moving consul-server to component would be a more
proper solution but as this commit is supposed to be cherry-picked to
guilin I've tried to make as few changes as possible.

Issue-ID: REQ-362
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Idfc09ee225d4f89bb699683fa5e4ae3b86491c08
diff --git a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
index 882e98f..16fda3a 100644
--- a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
+++ b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml
@@ -41,7 +41,10 @@
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
       containers:
       - name: {{ include "common.name" . }}
-        image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
+        image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.runAsUser }}
+          runAsGroup: {{ .Values.securityContext.runAsGroup }}
         command: ["/usr/local/bin/docker-entrypoint.sh"]
         args:
         - "agent"
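Review bot: The container `securityContext` added here sets only `runAsUser` and `runAsGroup`, so nothing stops the pod from starting as root if a values override sets the UID to 0 or drops the key, and privilege escalation through setuid binaries in the image stays allowed. Adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` beside the two IDs makes the kubelet enforce what the commit title promises. The same applies to the agent container's `securityContext` in kubernetes/consul/templates/deployment.yaml. The container spec continues past the end of this hunk.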
diff --git a/kubernetes/consul/charts/consul-server/values.yaml b/kubernetes/consul/charts/consul-server/values.yaml
index 0039aa6..48a26ef 100644
--- a/kubernetes/consul/charts/consul-server/values.yaml
+++ b/kubernetes/consul/charts/consul-server/values.yaml
@@ -17,12 +17,13 @@
 #################################################################
 global:
   nodePortPrefix: 302
+  repository: nexus3.onap.org:10001
 
 #################################################################
 # Application configuration defaults.
 #################################################################
 # application image
-image: consul:1.0.6
+image: onap/oom/consul:2.1.0
 pullPolicy: Always
 
 # flag to enable debugging - application support required
@@ -86,3 +87,8 @@
       cpu: 1
       memory: 2Gi
   unlimited: {}
+
+securityContext:
+  fsGroup: 1000
+  runAsUser: 100
+  runAsGroup: 1000
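Review bot: `fsGroup: 1000` is defined here, but no template line in this commit reads `.Values.securityContext.fsGroup`, so unless a template outside the diff consumes it the value has no effect. If the server keeps its data on a mounted volume (not visible in this diff), UID 100 can only write there when the volume is group-owned, which is what a pod-level `securityContext:` with `fsGroup: {{ .Values.securityContext.fsGroup }}` in statefulset.yaml would provide. The identical block added at the end of kubernetes/consul/values.yaml is unused in the same way.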
diff --git a/kubernetes/consul/templates/deployment.yaml b/kubernetes/consul/templates/deployment.yaml
index be15ecb..31546ab 100644
--- a/kubernetes/consul/templates/deployment.yaml
+++ b/kubernetes/consul/templates/deployment.yaml
@@ -39,15 +39,36 @@
     spec:
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
-      containers:
-      - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
+      initContainers:
+      - name: {{ include "common.name" . }}-chown
+        image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
         command:
-        - /bin/sh
-        - "-c"
+        - sh
+        args:
+        - -c
         - |
-          apk update && apk add jq
-          cp /tmp/consul/config/* /consul/config
-          /usr/local/bin/docker-entrypoint.sh agent -client 0.0.0.0 -enable-script-checks -retry-join {{ .Values.consulServer.nameOverride }}
+          cp -r -L /tmp/consul/config/* /consul/config/
+          chown -R {{ .Values.consulUID }}:{{ .Values.consulGID }} /consul/config
+          ls -la /consul/config
+        volumeMounts:
+        - mountPath: /tmp/consul/config
+          name: consul-agent-config
+        - mountPath: /consul/config
+          name: consul-agent-config-dir
+      containers:
+      - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.runAsUser }}
+          runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        command:
+        - docker-entrypoint.sh
+        args:
+        - agent
+        - -client
+        - 0.0.0.0
+        - -enable-script-checks
+        - -retry-join
+        - {{ .Values.consulServer.nameOverride }}
         name: {{ include "common.name" . }}
         env:
           - name: SDNC_ODL_COUNT
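Review bot: The `-chown` init container has no `securityContext`, so it runs as the busybox image's default user (presumably root, since it must `chown`), which leaves one root step in a pod meant to be non-root. A pod-level `fsGroup` on the `consul-agent-config-dir` emptyDir plus the agent's `runAsUser`/`runAsGroup` on the init container would let the `cp` produce correctly owned files without it. The script also lacks `set -e`, so a failed `cp` is hidden by the exit status of the trailing `ls -la` and the agent would start with an empty `/consul/config`; `set -e` as the first line of the script fixes that. The agent args still combine `-client 0.0.0.0` with `-enable-script-checks`, so it is worth confirming that ACLs or a NetworkPolicy limit who can register checks on this agent. The container spec continues past the end of this hunk.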
@@ -55,14 +76,16 @@
           - name: SDNC_IS_PRIMARY_CLUSTER
             value: "{{ .Values.sdnc.config.isPrimaryCluster }}"
         volumeMounts:
-        - mountPath: /tmp/consul/config
-          name: consul-agent-config
+        - mountPath: /consul/config
+          name: consul-agent-config-dir
         - mountPath: /consul/scripts
           name: consul-agent-scripts-config
         - mountPath: /consul/certs
           name: consul-agent-certs-config
         resources: {{ include "common.resources" . | nindent 10 }}
       volumes:
+      - name: consul-agent-config-dir
+        emptyDir: {}
       - configMap:
           name: {{ include "common.fullname" . }}-configmap
         name: consul-agent-config
diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml
index faebd8d..639e4eb 100644
--- a/kubernetes/consul/values.yaml
+++ b/kubernetes/consul/values.yaml
@@ -17,18 +17,23 @@
 #################################################################
 global:
   nodePortPrefix: 302
+  busyboxRepository: registry.hub.docker.com
+  busyboxImage: library/busybox:latest
 
 #################################################################
 # Application configuration defaults.
 #################################################################
 # application image
-image: oomk8s/consul:1.0.0
+image: onap/oom/consul:2.1.0
 pullPolicy: Always
 
 #subchart name
 consulServer:
   nameOverride: consul-server
 
+consulUID: 100
+consulGID: 1000
+
 # flag to enable debugging - application support required
 debugEnabled: false
 
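Review bot: `busyboxImage: library/busybox:latest` pulls a mutable tag straight from Docker Hub for the init container that performs the `chown`, so the image content can change between deployments without any chart change; pin a version or digest and, if the project registry mirrors it, route it through the same repository helper the consul image uses. deployment.yaml also falls back to `.Values.busyboxRepository` and `.Values.busyboxImage`, which the visible part of this file does not define, so the `default` has nothing to fall back to. `consulUID`/`consulGID` duplicate `securityContext.runAsUser`/`runAsGroup` from the same file; reading the `chown` owner from `securityContext` would keep the two from drifting apart.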
@@ -99,3 +104,8 @@
   config:
     isPrimaryCluster: true
   replicaCount: 1
+
+securityContext:
+  fsGroup: 1000
+  runAsUser: 100
+  runAsGroup: 1000