fix: security context for ksvc, symlink creation for server

redkubes · Sep 1, 2021 · 9a7ad1e · 9a7ad1e
1 parent 262ee5c
commit 9a7ad1e
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 49 deletions.
diff --git a/charts/team-ns/templates/knative-services.yaml b/charts/team-ns/templates/knative-services.yaml
@@ -72,9 +72,9 @@ spec:
           {{- with $k.resources }}
           resources: {{- . | toYaml | nindent 12 }}
           {{- end }}
-          # {{- with $k.securityContext }}
-          # securityContext: {{- . | toYaml | nindent 12 }}
-          # {{- end }}
+          {{- with $k.securityContext }}
+          securityContext: {{- . | toYaml | nindent 12 }}
+          {{- end }}
 {{- if or $k.files $k.secretMounts }}
           volumeMounts:
   {{- range $dir, $files := $vols }}

diff --git a/schemas/generated-crd-schemas.tar.gz b/schemas/generated-crd-schemas.tar.gz
diff --git a/src/server/index.ts b/src/server/index.ts
@@ -1,12 +1,11 @@
 /* eslint-disable @typescript-eslint/no-misused-promises, @typescript-eslint/require-await */
 import express, { Request, Response } from 'express'
-import { existsSync, symlinkSync } from 'fs'
+import { existsSync, mkdirSync, symlinkSync } from 'fs'
 import { Server } from 'http'
 import { commit } from '../cmd/commit'
 import { validateValues } from '../cmd/validate-values'
 import { decrypt, encrypt } from '../common/crypt'
-import { env } from '../common/envalid'
-import { rootDir, terminal } from '../common/utils'
+import { terminal } from '../common/utils'
 
 const debug = terminal('server')
 const app = express()
@@ -16,20 +15,6 @@ export const stopServer = (): void => {
   server?.close()
 }
 
-const symlinkEnvDir = (): void => {
-  const envPath = `${rootDir}/env`
-  if (!existsSync(env.ENV_DIR)) {
-    console.warn(`Values at ${env.ENV_DIR} are not mounted yet!`)
-    return
-  }
-  if (!existsSync(envPath)) symlinkSync(env.ENV_DIR, envPath)
-}
-
-app.use((req, res, next) => {
-  symlinkEnvDir()
-  next()
-})
-
 app.get('/', async (req: Request, res: Response): Promise<Response<any>> => {
   return res.send({ status: 'ok' })
 })
@@ -72,8 +57,19 @@ app.get('/commit', async (req: Request, res: Response) => {
   }
 })
 
-export const startServer = (): void => {
+export const startServer = async (): Promise<void> => {
   server = app.listen(17771, '0.0.0.0')
+  const k8sEnvDirPath = '/tmp/otomi-values'
+  const dockerEnvDir = '/home/app/stack/env'
+  // accomodate k8s deployment with shared values dir, and make symlink to /home/app/stack/env
+  if (k8sEnvDirPath && !existsSync(k8sEnvDirPath)) {
+    debug.info('Creating k8s values folder for symlink: ', k8sEnvDirPath)
+    mkdirSync(k8sEnvDirPath)
+    if (!existsSync(dockerEnvDir)) {
+      debug.info(`Creating symlink from ${k8sEnvDirPath} to ${dockerEnvDir}`)
+      symlinkSync(k8sEnvDirPath, dockerEnvDir)
+    }
+  }
   debug.log(`Container listening on http://0.0.0.0:17771`)
 }
 

diff --git a/tests/fixtures/env/teams/jobs.demo.yaml b/tests/fixtures/env/teams/jobs.demo.yaml
@@ -15,6 +15,11 @@ teamConfig:
                       runAsNonRoot: true
                       runAsUser: 1002
                       runAsGroup: 1002
+                      fsGroup: 1002
+                  securityContext:
+                      runAsNonRoot: true
+                      runAsUser: 1002
+                      runAsGroup: 1002
                   image:
                       repository: busybox
                       tag: latest

diff --git a/tests/fixtures/env/teams/services.demo.yaml b/tests/fixtures/env/teams/services.demo.yaml
@@ -27,6 +27,8 @@ teamConfig:
                   ownHost: true
                   auth: true
                   ksvc:
+                      securityContext:
+                          runAsUser: 1002
                       image:
                           repository: otomi/nodejs-helloworld
                           tag: v1.2.12

diff --git a/values-schema.yaml b/values-schema.yaml
@@ -477,34 +477,33 @@ definitions:
     nullable: true
     type: object
     title: Kubernetes secrets
+  podSecurityContext:
+    allOf:
+      - $ref: '#/definitions/securityContext'
+      - properties:
+          fsGroup:
+            description: Supplementary group ID. Volumes that support ownership management are modified to be owned and writable by this ID.
+            type: integer
+          fsGroupChangePolicy:
+            description:
+              'Defines behavior for changing ownership and permission of the volume before being exposed inside a Pod. This field only applies to volume types that support fsGroup controlled ownership and permissions.
+              This field has two possible values:
+              - OnRootMismatch: Only change permissions and ownership if permission and ownership of root directory does not match with expected permissions of the volume. This could help shorten the time it takes to change ownership and permission of a volume.
+              - Always: Always change permission and ownership of the volume when volume is mounted.'
+            type: string
+            enum:
+              - Always
+              - OnRootMismatch
+    description: Security context for the pod.
+    title: Pod security context
   podSpec:
     allOf:
       - properties:
           annotations:
             $ref: '#/definitions/annotations'
             title: Pod annotations
-          podSecurityContext:
-            allOf:
-              - $ref: '#/definitions/securityContext'
-              - properties:
-                  fsGroup:
-                    description: Supplementary group ID. Volumes that support ownership management are modified to be owned and writable by this ID.
-                    type: integer
-                  fsGroupChangePolicy:
-                    description:
-                      'Defines behavior for changing ownership and permission of the volume before being exposed inside a Pod. This field only applies to volume types that support fsGroup controlled ownership and permissions.
-                      This field has two possible values:
-                      - OnRootMismatch: Only change permissions and ownership if permission and ownership of root directory does not match with expected permissions of the volume. This could help shorten the time it takes to change ownership and permission of a volume.
-                      - Always: Always change permission and ownership of the volume when volume is mounted.'
-                    type: string
-                    enum:
-                      - Always
-                      - OnRootMismatch
-            description: Security context for the pod.
-            title: Pod security context
-        required:
-          - podSecurityContext
         type: object
+      - $ref: '#/definitions/podSecurityContext'
       - $ref: '#/definitions/containerSpec'
     type: object
   portNumber:
@@ -582,6 +581,11 @@ definitions:
         $ref: '#/definitions/resource'
         description: Requested resources (guaranteed).
     title: Pod resources
+  runAsUser:
+    type: integer
+    minimum": 0
+    maximum": 65535
+    default: 1001
   scaling:
     additionalProperties: false
     description: Min and max number of replicas.
@@ -685,14 +689,11 @@ definitions:
     additionalProperties:
       uniqueItems: true
     properties:
+      runAsUser:
+        $ref: '#/definitions/runAsUser'
       runAsNonRoot:
         type: boolean
         default: true
-      runAsUser:
-        type: integer
-        minimum": 0
-        maximum": 65535
-        default: 1001
       runAsGroup:
         type: integer
         minimum": 0
@@ -738,7 +739,18 @@ definitions:
         anyOf:
           - description: Details for a knative service that will be deployed and operated.
             allOf:
-              - $ref: '#/definitions/podSpec'
+              - properties:
+                  annotations:
+                    $ref: '#/definitions/annotations'
+                    title: Pod annotations
+                type: object
+              - properties:
+                  securityContext:
+                    additionalProperties:
+                      uniqueItems: true
+                  runAsUser:
+                    $ref: '#/definitions/runAsUser'
+              - $ref: '#/definitions/containerSpec'
               - properties:
                   autoCD:
                     additionalProperties: false
@@ -790,7 +802,7 @@ definitions:
                     description: Scales to zero after 60 seconds and needs approximately 8 seconds to start back up.
                     title: Scale to zero
                     type: boolean
-          - description: Choose this when the ks.vc is already deployed
+          - description: Choose this when the ksvc is already deployed
             properties:
               predeployed:
                 default: true