From cc0248363fd7ac0e98b380810b625f3c5325b446 Mon Sep 17 00:00:00 2001
From: Arteon Prifti
Date: Fri, 26 Jul 2024 11:14:33 +0200
Subject: [PATCH 1/2] Add podSecurityContext to fix /data volume permissions

Signed-off-by: Arteon Prifti
---
 .../templates/api-server/deployment.yaml | 1 +
 .../templates/api-server/statefulset.yaml | 3 ++-
 charts/dependency-track/values.schema.json | 5 ++++-
 charts/dependency-track/values.yaml | 22 ++-----------------
 4 files changed, 9 insertions(+), 22 deletions(-)

diff --git a/charts/dependency-track/templates/api-server/deployment.yaml b/charts/dependency-track/templates/api-server/deployment.yaml
index f815ae8..cc17784 100644
--- a/charts/dependency-track/templates/api-server/deployment.yaml
+++ b/charts/dependency-track/templates/api-server/deployment.yaml
@@ -28,6 +28,7 @@ spec:
 {{- toYaml .Values.apiServer.initContainers | nindent 6 }}
 {{- end }}
 serviceAccount: {{ include "dependencytrack.serviceAccountName" . }}
+ securityContext: {{- toYaml .Values.apiServer.podSecurityContext | nindent 8 }}
 containers:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
diff --git a/charts/dependency-track/templates/api-server/statefulset.yaml b/charts/dependency-track/templates/api-server/statefulset.yaml
index ed5c701..897866f 100644
--- a/charts/dependency-track/templates/api-server/statefulset.yaml
+++ b/charts/dependency-track/templates/api-server/statefulset.yaml
@@ -29,6 +29,7 @@ spec:
 {{- toYaml .Values.apiServer.initContainers | nindent 6 }}
 {{- end }}
 serviceAccount: {{ include "dependencytrack.serviceAccountName" . }}
+ securityContext: {{- toYaml .Values.apiServer.podSecurityContext | nindent 8 }}
 containers:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
@@ -138,4 +139,4 @@ spec:
 accessModes:
 - ReadWriteOnce
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/dependency-track/values.schema.json b/charts/dependency-track/values.schema.json
index 0c610e4..f78a06a 100644
--- a/charts/dependency-track/values.schema.json
+++ b/charts/dependency-track/values.schema.json
@@ -132,6 +132,9 @@
 },
 "nodeSelector": {
 "type": "object"
+ },
+ "podSecurityContext": {
+ "type": "object"
 }
 }
 },
@@ -341,4 +344,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/charts/dependency-track/values.yaml b/charts/dependency-track/values.yaml
index 7d6a249..0bb9b67 100644
--- a/charts/dependency-track/values.yaml
+++ b/charts/dependency-track/values.yaml
@@ -84,26 +84,8 @@ apiServer:
 scrapeTimeout: 30s
 initContainers: []
 nodeSelector: {}
- # Use the following to fix permissions on the /data volume.
- # initContainers:
- # - name: fix-permissions
- # image: docker.io/library/busybox
- # command:
- # - sh
- # - -c
- # - |
- # chown -R 1000:1000 /data
- # volumeMounts:
- # - name: data
- # mountPath: /data
- # securityContext:
- # capabilities:
- # add:
- # - CHOWN
- # runAsNonRoot: false
- # runAsUser: 0
- # seccompProfile:
- # type: RuntimeDefault
+ podSecurityContext:
+ fsGroup: 1000

 frontend:
 replicaCount: 1

From c388a340496627773d9bccaf2abdb5211fbc5746 Mon Sep 17 00:00:00 2001
From: Arteon Prifti
Date: Fri, 26 Jul 2024 12:41:38 +0200
Subject: [PATCH 2/2] template using with

Signed-off-by: Arteon Prifti
---
 charts/dependency-track/templates/api-server/deployment.yaml | 4 +++-
 charts/dependency-track/templates/api-server/statefulset.yaml | 4 +++-
 charts/dependency-track/values.yaml | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/charts/dependency-track/templates/api-server/deployment.yaml b/charts/dependency-track/templates/api-server/deployment.yaml
index cc17784..bbe7077 100644
--- a/charts/dependency-track/templates/api-server/deployment.yaml
+++ b/charts/dependency-track/templates/api-server/deployment.yaml
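Review bot: The new default `podSecurityContext` in values.yaml sets only `fsGroup: 1000`, so the kubelet recursively changes group ownership and permissions of the /data volume on every pod start, which can noticeably delay startup as the volume grows. Consider adding `fsGroupChangePolicy: OnRootMismatch` next to `fsGroup` so the walk is skipped when the volume root already carries the expected group. The hunk also deletes the commented init-container fallback; fsGroup is not applied by every volume type or CSI driver, so a short comment such as `# fsGroup only takes effect on volume types/CSI drivers that support ownership management` would keep that limitation visible without bringing back the root `chown` container.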
@@ -28,7 +28,9 @@ spec:
 {{- toYaml .Values.apiServer.initContainers | nindent 6 }}
 {{- end }}
 serviceAccount: {{ include "dependencytrack.serviceAccountName" . }}
- securityContext: {{- toYaml .Values.apiServer.podSecurityContext | nindent 8 }}
+ {{- with .Values.apiServer.podSecurityContext }}
+ securityContext: {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
diff --git a/charts/dependency-track/templates/api-server/statefulset.yaml b/charts/dependency-track/templates/api-server/statefulset.yaml
index 897866f..c9e9083 100644
--- a/charts/dependency-track/templates/api-server/statefulset.yaml
+++ b/charts/dependency-track/templates/api-server/statefulset.yaml
@@ -29,7 +29,9 @@ spec:
 {{- toYaml .Values.apiServer.initContainers | nindent 6 }}
 {{- end }}
 serviceAccount: {{ include "dependencytrack.serviceAccountName" . }}
- securityContext: {{- toYaml .Values.apiServer.podSecurityContext | nindent 8 }}
+ {{- with .Values.apiServer.podSecurityContext }}
+ securityContext: {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
diff --git a/charts/dependency-track/values.yaml b/charts/dependency-track/values.yaml
index 0bb9b67..1cf4597 100644
--- a/charts/dependency-track/values.yaml
+++ b/charts/dependency-track/values.yaml
@@ -84,6 +84,7 @@ apiServer:
 scrapeTimeout: 30s
 initContainers: []
 nodeSelector: {}
+ # deactivate this for openshift
 podSecurityContext:
 fsGroup: 1000
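Review bot: In the deployment.yaml hunk the key and the template action share one line (`securityContext: {{- toYaml . | nindent 8 }}`), while the `initContainers` rendering visible in the context lines keeps its `{{- toYaml … | nindent 6 }}` action on a line of its own. The rendered output is the same, but writing `securityContext:` and then `{{- toYaml . | nindent 8 }}` on the next line matches the surrounding style and makes the indent argument easier to check against the key's column. The identical statefulset.yaml hunk would get the same change; the pod spec in both templates continues outside the hunk.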
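Review bot: The added values.yaml comment `# deactivate this for openshift` says neither why nor how. Helm deep-merges map values, so an override of `podSecurityContext: {}` would most likely still render the default `fsGroup: 1000`; the key has to be nulled (`fsGroup: null`) for the `with` guard in the templates to drop the field. Suggested wording: `# Group ownership applied to mounted volumes (/data). On OpenShift set fsGroup to null: the restricted SCC assigns fsGroup from the namespace range and typically rejects a fixed value.`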