add feeds workspace dir to fixPermissions init container (#183)

* add feeds workspace dir to fixPermissions init container * bump chart version * use sh not bash Signed-off-by: Brady Todhunter <[email protected]> --------- Signed-off-by: Brady Todhunter <[email protected]>
anchore · Jan 10, 2024 · 39df0a6 · 39df0a6
1 parent 505afad
commit 39df0a6
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.28.4
+version: 1.28.5
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
@@ -63,19 +63,30 @@ spec:
       {{- end }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
-    {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
+    {{- if and (or .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions) .Values.anchoreGlobal.securityContext.fsGroup }}
       initContainers:
         - name: mode-fixer
           image: alpine
           securityContext:
             runAsUser: 0
           volumeMounts:
+          {{- if .Values.anchoreGlobal.scratchVolume.fixGroupPermissions }}
             - name: {{ $component }}-scratch
               mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
-          command:
-            - sh
-            - -c
+          {{- end }}
+          {{- if .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions }}
+            - name: data
+              mountPath: {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}
+              subPath: {{ .Values.anchoreEnterpriseFeeds.persistence.subPath }}
+          {{- end }}
+          command: ["/bin/sh", "-c"]
+          args:
+          {{- if .Values.anchoreGlobal.scratchVolume.fixGroupPermissions }}
             - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} )
+          {{- end }}
+          {{- if .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions }}
+            - (chmod 0775 {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }} )
+          {{- end }}
       {{- end }}
       containers:
       {{- if .Values.cloudsql.enabled  }}

diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
@@ -915,6 +915,7 @@ anchoreEnterpriseFeeds:
   # persistence controls the mounting of an external volume for feed driver download workspace.
   persistence:
     enabled: true
+    fixGroupPermissions: false
     resourcePolicy: keep  # set resource-policy Helm annotation on PVC. Can be nil or "keep"
 
     ## A manually managed Persistent Volume and Claim