OSSM-4632 Avoid nil value in runAsGroup in injection template (#1310) (…

…#1318) * Avoid nill value in runAsGroup in injection template * update files with make gen * adding more replace to avoid nil values in injection template * Update build/patch-charts.sh * Fix delete and modified files because of the use of MacOs * Merge patch-charts.sh changes * updating the injection templates files --------- Co-authored-by: Francisco Herrera <frherrer@redhat.com> Co-authored-by: Marko Lukša <mluksa@redhat.com>
maistra · Sep 25, 2023 · d0542ee · d0542ee
1 parent e603acb
commit d0542ee
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/build/patch-charts.sh b/build/patch-charts.sh
@@ -392,10 +392,10 @@ function patchSidecarInjector() {
         - SETUID
   }' "${HELM_DIR}/istio-control/istio-discovery/files/injection-template.yaml"
 
-  sed_wrap -i -e 's/runAsUser: 1337/runAsUser: {{ .ProxyUID }}/g' \
-    -e 's/runAsGroup: 1337/runAsGroup: {{ .ProxyUID }}/g' \
-    -e 's/fsGroup: 1337/fsGroup: {{ .ProxyGID }}/g' "${HELM_DIR}/istio-control/istio-discovery/files/injection-template.yaml"
-  sed_wrap -i -e 's/fsGroup: 1337/fsGroup: {{ .ProxyGID }}/g' "${HELM_DIR}/istio-control/istio-discovery/files/gateway-injection-template.yaml"
+  sed_wrap -i -E -e 's/(^ *)(runAsUser: )1337/\1{{- if .ProxyUID }}\n\1\2{{ .ProxyUID }}\n\1{{- end }}/g' \
+    -e 's/(^ *)(runAsGroup: )1337/\1{{- if .ProxyUID }}\n\1\2{{ .ProxyUID }}\n\1{{- end }}/g' \
+    -e 's/(^ *)(fsGroup: )1337/\1{{- if .ProxyGID }}\n\1\2{{ .ProxyGID }}\n\1{{- end }}/g' "${HELM_DIR}/istio-control/istio-discovery/files/injection-template.yaml"
+  sed_wrap -i -E -e 's/(^ *)(fsGroup: )1337/\1{{- if .ProxyGID }}\n\1\2{{ .ProxyGID }}\n\1{{- end }}/g' "${HELM_DIR}/istio-control/istio-discovery/files/gateway-injection-template.yaml"
 
   sed_wrap -i -e '/- name: istio-proxy/,/resources:/ {
     / *- ALL/a\

diff --git a/resources/helm/v2.4/istio-control/istio-discovery/files/gateway-injection-template.yaml b/resources/helm/v2.4/istio-control/istio-discovery/files/gateway-injection-template.yaml
@@ -226,5 +226,7 @@ spec:
   {{- end }}
   {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
   securityContext:
+    {{- if .ProxyGID }}
     fsGroup: {{ .ProxyGID }}
+    {{- end }}
   {{- end }}
diff --git a/resources/helm/v2.4/istio-control/istio-discovery/files/injection-template.yaml b/resources/helm/v2.4/istio-control/istio-discovery/files/injection-template.yaml
@@ -230,8 +230,12 @@ spec:
         - SETUID
       privileged: true
       readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+      {{- if .ProxyUID }}
       runAsGroup: {{ .ProxyUID }}
+      {{- end }}
+      {{- if .ProxyGID }}
       fsGroup: {{ .ProxyGID }}
+      {{- end }}
       runAsNonRoot: false
       runAsUser: 0
       {{- else }}
@@ -254,16 +258,22 @@ spec:
         - SETUID
       privileged: {{ .Values.global.proxy.privileged }}
       readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+      {{- if .ProxyUID }}
       runAsGroup: {{ .ProxyUID }}
+      {{- end }}
+      {{- if .ProxyGID }}
       fsGroup: {{ .ProxyGID }}
+      {{- end }}
       {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
       runAsNonRoot: false
       runAsUser: 0
       {{- else -}}
       runAsNonRoot: true
+      {{- if .ProxyUID }}
       runAsUser: {{ .ProxyUID }}
       {{- end }}
       {{- end }}
+      {{- end }}
     resources:
   {{ template "resources" . }}
     volumeMounts:
@@ -402,5 +412,7 @@ spec:
   {{- end }}
   {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
   securityContext:
+    {{- if .ProxyGID }}
     fsGroup: {{ .ProxyGID }}
+    {{- end }}
   {{- end }}