
Latest docker image fails on go template #3675

Closed
3 tasks done
jetersen opened this issue Aug 5, 2024 · 9 comments · Fixed by #3684

Comments

@jetersen

jetersen commented Aug 5, 2024

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.41.0

Storage Type

Kubernetes

Installation Type

Official Helm chart

Expected Behavior

Container starts

Actual Behavior

error: cannot fork/exec command [gomplate -f /etc/dex/config.yaml -o /tmp/dex.config.yaml-219408420]: exit status 1 (output: "Error: fsys for path .gomplate.yaml: resolve local path \".gomplate.yaml\": getwd: stat .: permission denied
Usage:
  gomplate [flags]

Flags:
  -d, --datasource datasource        datasource in alias=URL form. Specify multiple times to add multiple sources.
  -H, --datasource-header header     HTTP header field in 'alias=Name: value' form to be provided on HTTP-based data sources. Multiples can be set.
  -c, --context datasource           pre-load a datasource into the context, in alias=URL form. Use the special alias `.` to set the root context.
      --plugin strings               plug in an external command as a function in name=path form. Can be specified multiple times
  -f, --file file                    Template file to process. Omit to use standard input, or use --in or --input-dir (default [-])
  -i, --in string                    Template string to process (alternative to --file and --input-dir)
      --input-dir directory          directory which is examined recursively for templates (alternative to --file and --in)
      --exclude strings              glob of files to not parse
      --exclude-processing strings   glob of files to be copied without parsing
      --include strings              glob of files to parse
  -o, --out file                     output file name. Omit to use standard output. (default [-])
  -t, --template strings             Additional template file(s)
      --output-dir directory         directory to store the processed templates. Only used for --input-dir (default \".\")
      --output-map string            Template string to map the input file to an output path
      --chmod string                 set the mode for output file(s). Omit to inherit from input file(s)
      --exec-pipe                    pipe the output to the post-run exec command
      --left-delim delimiter         override the default left-delimiter [$GOMPLATE_LEFT_DELIM] (default \"{{\")
      --right-delim delimiter        override the default right-delimiter [$GOMPLATE_RIGHT_DELIM] (default \"}}\")
      --missing-key string           Control the behavior during execution if a map is indexed with a key that is not present in the map. error (default) - return an error, zero - fallback to zero value, default/invalid - print <no value> (default \"error\")
      --experimental                 enable experimental features [$GOMPLATE_EXPERIMENTAL]
  -V, --verbose                      output extra information about what gomplate is doing
      --config string                config file (overridden by commandline flags) (default \".gomplate.yaml\")
  -h, --help                         help for gomplate
  -v, --version                      version for gomplate

{\"time\":\"2024-08-05T09:26:29.990852688Z\",\"level\":\"ERROR\",\"msg\":\"\",\"err\":\"fsys for path .gomplate.yaml: resolve local path \\\".gomplate.yaml\\\": getwd: stat .: permission denied\"}
")

Steps To Reproduce

No response

Additional Information

No response

Configuration

No response

Logs

No response

@nabokihms
Member

@jetersen could you please share your helm chart values? Tests pass for the helm chart with defaults. Is there a chance you set readonly fs capabilities (for some folders only)?

@jetersen
Author

jetersen commented Aug 5, 2024

They haven't changed for a long time but here you go:

We are using sub charts hence dex:

dex:
  envFrom:
    - secretRef:
        name: dex-oidc-config

  volumes:
    - name: google-auth
      secret:
        secretName: dex-google-auth
        defaultMode: 420

  volumeMounts:
    - name: google-auth
      mountPath: /secrets/google-auth.json
      subPath: google-auth.json
      readOnly: true

  config:
    connectors:
      - type: google
        id: google
        name: Google
        config:
          issuer: https://accounts.google.com
          clientID: $GOOGLE_CLIENT_ID
          clientSecret: $GOOGLE_CLIENT_SECRET
          redirectURI: https://dex.company.co.uk/callback
          hostedDomains:
            - company.co.uk
          domainToAdminEmail:
            company.co.uk: admin@company.co.uk
          serviceAccountFilePath: /secrets/google-auth.json

    oauth2:
      skipApprovalScreen: true

    issuer: https://dex.company.co.uk/

    storage:
      type: kubernetes
      config:
        inCluster: true

    staticClients:
      - name: argocd
        id: argocd
        secretEnv: CLIENT_ARGOCD_SECRET
        redirectURIs:
          - https://argocd.company.co.uk/auth/callback
      - name: argocd-cli
        id: argocd-cli
        redirectURIs:
          - http://localhost:8085/auth/callback
        public: true
      - name: grafana
        id: grafana
        secretEnv: CLIENT_GRAFANA_SECRET
        redirectURIs:
          - https://grafana.company.co.uk/login/generic_oauth

  image:
    repository: ghcr.io/dexidp/dex
    tag: v2.41.0-distroless

  ingress:
    enabled: true
    annotations:
      kubernetes.io/tls-acme: "true"
    className: nginx-public
    hosts:
      - host: dex.company.co.uk
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: dex-tls-certificate
        hosts:
          - dex.company.co.uk

  podDisruptionBudget:
    enabled: true
    minAvailable: 1

  replicaCount: 2

  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi

  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    runAsUser: 1001

@jetersen
Author

jetersen commented Aug 5, 2024

Perhaps the runUser does not have access to tmp? 😅 But it has been working in the past.

@nabokihms
Member

nabokihms commented Aug 5, 2024

Probably, in the past gomplate didn't require the ./.gomplate.yaml filepath access.

@nabokihms
Member

I got the problem; the fix will be in v2.41.1.

@nabokihms
Member

For now my plan is to create the user and set its home directory to the one they own. I already checked that it fixes the problem.
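The pattern nabokihms describes, as an added illustration that is not dex's own Dockerfile or the change in #3684: give the non-root uid a passwd entry and a home directory it owns, and start the process from that directory so that gomplate's getwd (the `stat .` that fails in the report above) succeeds. The base images, paths and account name are assumptions; only uid 1001 comes from the reporter's values.

```dockerfile
# How the reported failure can arise (assumed, shown for contrast):
#   WORKDIR /root      # root-owned, mode 0700
#   USER 1001          # no passwd entry, no HOME, cannot stat "."
# gomplate then tries to resolve its default ./.gomplate.yaml, calls getwd,
# and fails with "stat .: permission denied" before rendering anything.

# Stage with shell tools to create the account (assumption: not dex's build).
FROM alpine:3.20 AS account
RUN addgroup -g 1001 -S dex \
 && adduser -u 1001 -G dex -S -h /home/dex -D dex \
 && chown -R 1001:1001 /home/dex

# Runtime stage: distroless has no shell or adduser, so the account
# definition and its home directory are copied in. Image tag is an assumption.
FROM gcr.io/distroless/static-debian12
COPY --from=account /etc/passwd /etc/group /etc/
COPY --from=account --chown=1001:1001 /home/dex /home/dex
# COPY the dex and gomplate binaries here (paths omitted; not the point here).

# A home directory owned by the runtime uid, used as the working directory:
# "." is now readable and searchable by uid 1001, so getwd and the relative
# config lookup succeed even when the Helm chart sets runAsUser: 1001.
ENV HOME=/home/dex
WORKDIR /home/dex
USER 1001:1001
```

The same condition can be checked from inside a running pod with `kubectl exec ... -- stat .` as the workload user; a permission denied there reproduces the error without involving gomplate.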

@jetersen
Author

jetersen commented Aug 7, 2024

Sounds good to me

@nabokihms
Member

@jetersen could you please confirm that v2.41.1 works for you?

@jetersen
Author

jetersen commented Aug 8, 2024

@nabokihms looks good! Thanks for the fix 👍
