diff --git a/charts/team-ns/templates/knative-services.yaml b/charts/team-ns/templates/knative-services.yaml
index 2103eac569..c1a3db85d6 100644
--- a/charts/team-ns/templates/knative-services.yaml
+++ b/charts/team-ns/templates/knative-services.yaml
@@ -72,9 +72,9 @@ spec:
 {{- with $k.resources }}
 resources: {{- . | toYaml | nindent 12 }}
 {{- end }}
- # {{- with $k.securityContext }}
- # securityContext: {{- . | toYaml | nindent 12 }}
- # {{- end }}
+ {{- with $k.securityContext }}
+ securityContext: {{- . | toYaml | nindent 12 }}
+ {{- end }}
 {{- if or $k.files $k.secretMounts }}
 volumeMounts:
 {{- range $dir, $files := $vols }}
diff --git a/schemas/generated-crd-schemas.tar.gz b/schemas/generated-crd-schemas.tar.gz
index 18a31e8e9b..8aa8e81a6c 100644
Binary files a/schemas/generated-crd-schemas.tar.gz and b/schemas/generated-crd-schemas.tar.gz differ
diff --git a/src/server/index.ts b/src/server/index.ts
index e5ed3ca2e1..e5fc21eead 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -1,12 +1,11 @@
 /* eslint-disable @typescript-eslint/no-misused-promises, @typescript-eslint/require-await */
 import express, { Request, Response } from 'express'
-import { existsSync, symlinkSync } from 'fs'
+import { existsSync, mkdirSync, symlinkSync } from 'fs'
 import { Server } from 'http'
 import { commit } from '../cmd/commit'
 import { validateValues } from '../cmd/validate-values'
 import { decrypt, encrypt } from '../common/crypt'
-import { env } from '../common/envalid'
-import { rootDir, terminal } from '../common/utils'
+import { terminal } from '../common/utils'
 
 const debug = terminal('server')
 const app = express()
@@ -16,20 +15,6 @@ export const stopServer = (): void => {
 server?.close()
 }
 
-const symlinkEnvDir = (): void => {
- const envPath = `${rootDir}/env`
- if (!existsSync(env.ENV_DIR)) {
- console.warn(`Values at ${env.ENV_DIR} are not mounted yet!`)
- return
- }
- if (!existsSync(envPath)) symlinkSync(env.ENV_DIR, envPath)
-}
-
-app.use((req, res, next) => {
- symlinkEnvDir()
- next()
-})
-
 app.get('/', async (req: Request, res: Response): Promise> => {
 return res.send({ status: 'ok' })
 })
@@ -72,8 +57,19 @@ app.get('/commit', async (req: Request, res: Response) => {
 }
 })
 
-export const startServer = (): void => {
+export const startServer = async (): Promise => {
 server = app.listen(17771, '0.0.0.0')
+ const k8sEnvDirPath = '/tmp/otomi-values'
+ const dockerEnvDir = '/home/app/stack/env'
+ // accomodate k8s deployment with shared values dir, and make symlink to /home/app/stack/env
+ if (k8sEnvDirPath && !existsSync(k8sEnvDirPath)) {
+ debug.info('Creating k8s values folder for symlink: ', k8sEnvDirPath)
+ mkdirSync(k8sEnvDirPath)
+ if (!existsSync(dockerEnvDir)) {
+ debug.info(`Creating symlink from ${k8sEnvDirPath} to ${dockerEnvDir}`)
+ symlinkSync(k8sEnvDirPath, dockerEnvDir)
+ }
+ }
 debug.log(`Container listening on http://0.0.0.0:17771`)
 }
 
diff --git a/tests/fixtures/env/teams/jobs.demo.yaml b/tests/fixtures/env/teams/jobs.demo.yaml
index e2f0420158..14f23cafd7 100644
--- a/tests/fixtures/env/teams/jobs.demo.yaml
+++ b/tests/fixtures/env/teams/jobs.demo.yaml
@@ -15,6 +15,11 @@ teamConfig:
 runAsNonRoot: true
 runAsUser: 1002
 runAsGroup: 1002
+ fsGroup: 1002
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1002
+ runAsGroup: 1002
 image:
 repository: busybox
 tag: latest
diff --git a/tests/fixtures/env/teams/services.demo.yaml b/tests/fixtures/env/teams/services.demo.yaml
index c6b9b4e5d8..d2618d496e 100644
--- a/tests/fixtures/env/teams/services.demo.yaml
+++ b/tests/fixtures/env/teams/services.demo.yaml
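Review bot: The symlink in startServer is only attempted inside the branch taken when `/tmp/otomi-values` does not yet exist, so when that directory is already present (e.g. provided by the deployment) but `/home/app/stack/env` is missing, no symlink is created and the server starts without a values path; the two existence checks should be sequential, not nested. The `k8sEnvDirPath &&` guard is always true for a non-empty string constant and can be dropped. `existsSync` follows symlinks, so a dangling `/home/app/stack/env` link would report false and `symlinkSync` would likely throw EEXIST out of this async function with no handling visible in the hunk; an `lstatSync`-based check or a try/catch around the call would close that gap. The removed middleware used to warn when the values dir was not mounted; the new code logs only on creation, so a missing mount is no longer surfaced.
```typescript
  // … unchanged: k8sEnvDirPath / dockerEnvDir declarations …
  if (!existsSync(k8sEnvDirPath)) {
    debug.info('Creating k8s values folder for symlink: ', k8sEnvDirPath)
    mkdirSync(k8sEnvDirPath, { recursive: true })
  }
  if (!existsSync(dockerEnvDir)) {
    debug.info(`Creating symlink from ${k8sEnvDirPath} to ${dockerEnvDir}`)
    symlinkSync(k8sEnvDirPath, dockerEnvDir)
  }
  // … unchanged: debug.log …
```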
@@ -27,6 +27,8 @@ teamConfig:
 ownHost: true
 auth: true
 ksvc:
+ securityContext:
+ runAsUser: 1002
 image:
 repository: otomi/nodejs-helloworld
 tag: v1.2.12
diff --git a/values-schema.yaml b/values-schema.yaml
index e22a0e0358..6b33af4f1f 100644
--- a/values-schema.yaml
+++ b/values-schema.yaml
@@ -477,34 +477,33 @@ definitions: nullable: true type: object title: Kubernetes secrets + podSecurityContext: + allOf: + - $ref: '#/definitions/securityContext' + - properties: + fsGroup: + description: Supplementary group ID. Volumes that support ownership management are modified to be owned and writable by this ID. + type: integer + fsGroupChangePolicy: + description: + 'Defines behavior for changing ownership and permission of the volume before being exposed inside a Pod. This field only applies to volume types that support fsGroup controlled ownership and permissions. + This field has two possible values: + - OnRootMismatch: Only change permissions and ownership if permission and ownership of root directory does not match with expected permissions of the volume. This could help shorten the time it takes to change ownership and permission of a volume. + - Always: Always change permission and ownership of the volume when volume is mounted.' + type: string + enum: + - Always + - OnRootMismatch + description: Security context for the pod. + title: Pod security context podSpec: allOf: - properties: annotations: $ref: '#/definitions/annotations' title: Pod annotations - podSecurityContext: - allOf: - - $ref: '#/definitions/securityContext' - - properties: - fsGroup: - description: Supplementary group ID. Volumes that support ownership management are modified to be owned and writable by this ID. - type: integer - fsGroupChangePolicy: - description: - 'Defines behavior for changing ownership and permission of the volume before being exposed inside a Pod. This field only applies to volume types that support fsGroup controlled ownership and permissions. - This field has two possible values: - - OnRootMismatch: Only change permissions and ownership if permission and ownership of root directory does not match with expected permissions of the volume. This could help shorten the time it takes to change ownership and permission of a volume. 
- - Always: Always change permission and ownership of the volume when volume is mounted.' - type: string - enum: - - Always - - OnRootMismatch - description: Security context for the pod. - title: Pod security context - required: - - podSecurityContext type: object + - $ref: '#/definitions/podSecurityContext' - $ref: '#/definitions/containerSpec' type: object portNumber: @@ -582,6 +581,11 @@ definitions: $ref: '#/definitions/resource' description: Requested resources (guaranteed). title: Pod resources + runAsUser: + type: integer + minimum": 0 + maximum": 65535 + default: 1001 scaling: additionalProperties: false description: Min and max number of replicas. @@ -685,14 +689,11 @@ definitions: additionalProperties: uniqueItems: true properties: + runAsUser: + $ref: '#/definitions/runAsUser' runAsNonRoot: type: boolean default: true - runAsUser: - type: integer - minimum": 0 - maximum": 65535 - default: 1001 runAsGroup: type: integer minimum": 0 @@ -738,7 +739,18 @@ definitions: anyOf: - description: Details for a knative service that will be deployed and operated. allOf: - - $ref: '#/definitions/podSpec' + - properties: + annotations: + $ref: '#/definitions/annotations' + title: Pod annotations + type: object + - properties: + securityContext: + additionalProperties: + uniqueItems: true + runAsUser: + $ref: '#/definitions/runAsUser' + - $ref: '#/definitions/containerSpec' - properties: autoCD: additionalProperties: false @@ -790,7 +802,7 @@ definitions: description: Scales to zero after 60 seconds and needs approximately 8 seconds to start back up. title: Scale to zero type: boolean - - description: Choose this when the ks.vc is already deployed + - description: Choose this when the ksvc is already deployed properties: predeployed: default: true
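Review bot: The `required: - podSecurityContext` entry is dropped and the definition is now pulled into podSpec's `allOf` as `- $ref: '#/definitions/podSecurityContext'`, which applies the fsGroup/fsGroupChangePolicy keywords to the podSpec object itself rather than to a nested `podSecurityContext` key as the removed lines did. If a nested key is still intended, the ref belongs under `properties: podSecurityContext:` and the `required` list should come back; if the flattening is intended, the `title: Pod security context` / `description` on the definition should say so, since the jobs.demo.yaml fixture in this commit appears to still nest these fields under a parent key (its indentation is not recoverable here).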
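Review bot: The new top-level `runAsUser` definition carries `minimum": 0` and `maximum": 65535` with a stray double quote in each key, so validators see unknown keywords named `minimum"`/`maximum"` and the 0–65535 bound is never enforced; the same typo appears on `runAsGroup` in the context lines of the later securityContext hunk. The fix is `minimum: 0` and `maximum: 65535`. Even with the bound fixed, 0 remains admissible, so `runAsNonRoot: true` stays the effective guard against a root container wherever this definition is referenced.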
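Review bot: The ksvc `securityContext` schema uses `additionalProperties: uniqueItems: true`, and since `uniqueItems` only constrains arrays, that sub-schema accepts any extra key; combined with exposing only `runAsUser` (whose definition allows 0), a value such as `securityContext: runAsUser: 0` or any arbitrary securityContext field validates and is rendered verbatim by the knative-services.yaml template uncommented in this commit. I would set `additionalProperties: false` here and add `runAsNonRoot: { type: boolean, default: true }` next to `runAsUser`, mirroring the securityContext definition above. The same `additionalProperties: uniqueItems: true` pattern is visible in the existing securityContext definition's context lines, so it may be a repo-wide convention worth fixing there too.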