Chore: change filebrowser database path.

Author: JeroenKappe

config/deployment/templates/chantico.yaml

@@ -26,6 +26,10 @@ spec:
       annotations:
         kubectl.kubernetes.io/default-container: manager
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: manager
           image: {{ .Values.controller.image }}
@@ -68,6 +72,8 @@ spec:
             capabilities:
               drop:
                 - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: chantico-volume
               mountPath: /data
@@ -78,7 +84,5 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.imagePullSecretName }}
       serviceAccountName: chantico-controller-manager
-      securityContext:
-        runAsNonRoot: true
       terminationGracePeriodSeconds: 10
 {{- end }}

config/deployment/templates/filebrowser.yaml

@@ -13,9 +13,23 @@ spec:
       labels:
         app: chantico-filebrowser
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: filebrowser
         image: filebrowser/filebrowser:v2.32.2
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         ports:
         - containerPort: 80
         volumeMounts:
@@ -25,9 +39,9 @@ spec:
         - sh
         - -c
         - |
-          /filebrowser config init;
-          /filebrowser users add admin admin;
-          /filebrowser
+          /filebrowser config init --database /srv/.filebrowser.db;
+          /filebrowser users add admin admin --database /srv/.filebrowser.db;
+          /filebrowser --database /srv/.filebrowser.db
       volumes:
       - name: chantico-volume-mount
         persistentVolumeClaim:

config/deployment/templates/prometheus.yaml

@@ -29,9 +29,25 @@ spec:
           subPath: "prometheus"
         ports:
         - containerPort: 9090
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       initContainers:
       - image: busybox
         name: prometheus-initialization
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         command: ["/bin/sh"]
         args:
           - -c

config/deployment/templates/snmp.yaml

@@ -16,7 +16,11 @@ spec:
         app: chantico-snmp
     spec:
       securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
         fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - image: ricardbejarano/snmp_exporter:0.26.0
         name: snmp
@@ -26,9 +30,25 @@ spec:
           subPath: "snmp/yml/snmp.yml"
         ports:
         - containerPort: 9116
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       initContainers:
       - image: busybox
         name: structure-initialization
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         command: ["/bin/sh"]
         args:
           - -c

docs/how-tos/how-to-install-chantico.md

@@ -40,7 +40,7 @@ The GitLab repository of Chantico hosts several relevant images, including the o
 
 1. Install CRDs
 
-The CRDs used by Chantico are typically already in place under `config/deployment/crd`. If you want to (re)install them there, do so with the following make command:
+Install the CRDs within `config/deployment/crd` to the cluster:
 ```
 make install
 ```