feat: Deploy ArgoCD on cluster with security context (#3060) #3097
@jannfis do you know why the version of Kustomize is 2.0.3?
Codecov Report
@@ Coverage Diff @@
## master #3097 +/- ##
======================================
Coverage 38.3% 38.3%
======================================
Files 168 168
Lines 18206 18206
Branches 272 272
======================================
Hits 6974 6974
Misses 10358 10358
Partials 874 874
Hello @jessesuen and @jannfis, I'm looking for a way to not duplicate patches between Thank you for your help
Hi @Leletir, hm, indeed I think it was just forgotten to update Kustomize version in the build tools image to the version that is also included in recent versions of ArgoCD (v3.2.1 currently). I have just submitted #3099 to bring it up-to-date, I'm not sure whether there is a reason behind it that I do not know of :) However, please refrain from modifying
Hi @jannfis, thank you for your PR! I completely agree with you on this point, but I have no idea how to not duplicate the patches between
@Leletir we are still using kustomize 2 because some users install argocd using https://github.com/replicatedhq/ship or
Hello @alexmt, you're right kubectl 1.16 is still using kustomize 2.0.3. So do you have any idea how I can avoid duplicating the patches between ha and security context?
Hi @Leletir, sorry for the late reply. Unfortunately, I don't know of an elegant or easy way to deduplicate the Kustomize overlays in the current scenario. I think the way you've done is what's possible with 2.0.x, so I'd be fine with this change. We can (and should) change the overlays once we can incorporate the 3.x branch of Kustomize. How does that sound to you?
I agree with you on this point.
Hm, I checked As for integration into
@alexmt do you have any objections to adding a third set of installation manifests as in this PR? If not, I'll merge this change. I think it's something many people would want to have working out-of-the-box.
Hi @Leletir, sorry for the delay with this PR. Can you please merge latest upstream master into your branch and update this PR, because we recently merged #3147 that touched quite a lot of the HA manifests - otherwise merging this change would break, I think (or at least leave us with a broken security enabled HA manifest).
Hello @jannfis, no problem, I'll have a look this weekend.
Instead of:

securityContext:
  runAsUser: 999
  runAsGroup: 999
  fsGroup: 999

I think https://github.com/argoproj/argo-cd/pull/3108/files should be merged and the security context should instead be:

securityContext:
  runAsNonRoot: true

This has the advantage of not coordinating the userid/groupid to the Dockerfile.
See above comment. I think this is preferred:

securityContext:
  runAsNonRoot: true

Agreed, @jessesuen - actually makes sense.
Totally agree on this one
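
An added example, not part of this PR or the Argo CD code base: a small audit over already-parsed manifests that separates the two styles discussed in this thread, a pinned runAsUser versus runAsNonRoot: true, and applies the Kubernetes rule that a container-level securityContext field takes precedence over the pod-level one. The workload names, the image reference and the audit/deployment helpers are constructed for illustration.

```python
# Added example (not from the PR). Sample manifests below are constructed.
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}

def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields take precedence over pod-level."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def audit(manifests):
    """Return (workload, container, finding) tuples for each problem found."""
    findings = []
    for m in manifests:
        if m.get("kind") not in WORKLOAD_KINDS:
            continue
        name = m["metadata"]["name"]
        pod = m["spec"]["template"]["spec"]
        pod_sc = pod.get("securityContext") or {}
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            ctr_sc = c.get("securityContext") or {}
            non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
            uid = effective(pod_sc, ctr_sc, "runAsUser")
            if uid == 0:
                findings.append((name, c["name"], "runs as UID 0"))
            elif uid is not None:
                # Non-root, but the UID has to be kept in sync with the image.
                findings.append((name, c["name"], f"pinned to UID {uid}"))
            elif non_root is not True:
                findings.append((name, c["name"], "runAsNonRoot not enforced"))
    return findings

def deployment(name, pod_sc=None, ctr_sc=None):
    """Build a constructed single-container Deployment dict for the demo."""
    ctr = {"name": name, "image": "example.invalid/img:tag"}
    if ctr_sc is not None:
        ctr["securityContext"] = ctr_sc
    spec = {"containers": [ctr]}
    if pod_sc is not None:
        spec["securityContext"] = pod_sc
    return {"kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": spec}}}

SAMPLES = [  # constructed inputs, hypothetical workload names
    deployment("server", pod_sc={"runAsNonRoot": True}),
    deployment("repo", pod_sc={"runAsUser": 999, "runAsGroup": 999, "fsGroup": 999}),
    deployment("redis", pod_sc={"runAsNonRoot": True}, ctr_sc={"runAsNonRoot": False}),
    deployment("dex"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(*finding, sep=": ")
```
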
Checklist: