Gitiles
Code Review Sign In
gerrit.nordix.org / onap / oom / 276812c91c17e56f02760f2da657c598abbc881e^! / . / kubernetes
commit276812c91c17e56f02760f2da657c598abbc881e[log] [tgz]
authorMichaelMorris <michael.morris@est.tech>Tue Apr 28 09:34:17 2020 +0100
committerMichaelMorris <michael.morris@est.tech>Wed Apr 29 09:01:38 2020 +0100
tree61abff97ec143070d66660e4ffc4949f74756294
parentf69c491ed06b017fe439ff8ff48ac896e93d0f52 [diff]
Set sdc onboarding volume mount permissions

Set the permissions of files in the sdc onboarding backend persistent volume for package certs to enable access by the process in the pod which now runs as non-root user (since SDC-2798)

Signed-off-by: MichaelMorris <michael.morris@est.tech>
Issue-ID: SDC-2981
Change-Id: I6113f14ca9933e2fec2b565768ed5afbe3c18f21

diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
index 3db3685..108c781 100644
--- a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml

@@ -70,6 +70,19 @@
             mountPath: /config-input/
           - name: sdc-environments-output
             mountPath: /config-output/
+      - name: volume-permissions
+        image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command:
+          - /bin/sh
+          - -c
+          - |
+            chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert
+        securityContext:
+          runAsUser: 0
+        volumeMounts:
+          - name: {{ include "common.fullname" . }}-cert-storage
+            mountPath: "/onboard/cert"
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"

diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
index 946cb34..4cfebbf 100644
--- a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml

@@ -103,6 +103,9 @@
     volumeReclaimPolicy: Retain
     mountSubPath: /sdc/onbaording/cert
 
+securityContext:
+  fsGroup: 35953
+  runAsUser: 352070
 
 ingress:
   enabled: false

diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml
index 5701a91..2694b5d 100644
--- a/kubernetes/sdc/values.yaml
+++ b/kubernetes/sdc/values.yaml

@@ -28,6 +28,8 @@
     wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
   ubuntuInitRepository: oomk8s
   ubuntuInitImage: ubuntu-init:1.0.0
+  busyboxRepository: registry.hub.docker.com
+  busyboxImage: library/busybox:latest
   cassandra:
    #This flag allows SDC to instantiate its own cluster, serviceName
    #should be sdc-cs if this flag is enabled