From 39df0a6bda37855905215203755df14a29919e7b Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 10 Jan 2024 07:13:34 -0800
Subject: [PATCH] add feeds workspace dir to fixPermissions init container (#183)
* add feeds workspace dir to fixPermissions init container
* bump chart version
* use sh not bash
Signed-off-by: Brady Todhunter
---------
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.yaml | 2 +-
 .../enterprise_feeds_deployment.yaml | 19 +++++++++++++++----
 stable/anchore-engine/values.yaml | 1 +
 3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 0177e49b..9a76a4e9 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.28.4
+version: 1.28.5
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
index 7f5c3786..2299b5f3 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
@@ -63,19 +63,30 @@ spec:
 {{- end }}
 imagePullSecrets:
 - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
- {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
+ {{- if and (or .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions) .Values.anchoreGlobal.securityContext.fsGroup }}
 initContainers:
 - name: mode-fixer
 image: alpine
 securityContext:
 runAsUser: 0
 volumeMounts:
+ {{- if .Values.anchoreGlobal.scratchVolume.fixGroupPermissions }}
 - name: {{ $component }}-scratch
 mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
- command:
- sh
- -c
+ {{- end }}
+ {{- if .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions }}
+ - name: data
+ mountPath: {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}
+ subPath: {{ .Values.anchoreEnterpriseFeeds.persistence.subPath }}
+ {{- end }}
+ command: ["/bin/sh", "-c"]
+ args:
+ {{- if .Values.anchoreGlobal.scratchVolume.fixGroupPermissions }}
 - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} )
+ {{- end }}
+ {{- if .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions }}
+ - (chmod 0775 {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }} )
+ {{- end }}
 {{- end }}
 containers:
 {{- if .Values.cloudsql.enabled }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index ff33b138..69c974bf 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
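Review bot: When both `anchoreGlobal.scratchVolume.fixGroupPermissions` and `anchoreEnterpriseFeeds.persistence.fixGroupPermissions` are true, the new `args:` list passes two separate strings to `/bin/sh -c`, and a POSIX shell executes only the first one — the second string becomes `$0` — so the feeds workspace is never chmod/chgrp'ed in precisely the configuration this change adds. Emit one script instead: a single `|` block-scalar entry under `args:` into which the two conditionals contribute their line, as sketched below (the `;`-joined chmod/chgrp pairs are unchanged). The non-recursive `chmod 0775`/`chgrp` also only touches the mount point of a pre-existing PV, not files already under it; if that is deliberate, a short template comment saying so would spare the next reader the question. The enclosing pod spec begins before this hunk and its `containers:` list continues after it.
```yaml
          # … unchanged: volumeMounts with the two conditional mounts …
          command: ["/bin/sh", "-c"]
          args:
            - |
              {{- if .Values.anchoreGlobal.scratchVolume.fixGroupPermissions }}
              chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
              {{- end }}
              {{- if .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions }}
              chmod 0775 {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}
              {{- end }}
```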
@@ -915,6 +915,7 @@ anchoreEnterpriseFeeds:
 # persistence controls the mounting of an external volume for feed driver download workspace.
 persistence:
 enabled: true
+ fixGroupPermissions: false
 resourcePolicy: keep # set resource-policy Helm annotation on PVC. Can be nil or "keep"
 ## A manually managed Persistent Volume and Claim
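Review bot: The new `fixGroupPermissions: false` key is added without any explanation while its sibling `resourcePolicy` carries an inline comment, and what the flag does is not obvious from its name. Suggest `fixGroupPermissions: false # if true and anchoreGlobal.securityContext.fsGroup is set, an init container running as root (runAsUser: 0) does chmod 0775 and chgrp <fsGroup> on persistence.mountPath before the feeds container starts`. Stating the root init container explicitly matters here, since enabling the flag adds a privileged step to the pod that operators should be aware of.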