From d7aeaf22e27f77fcdfc0dbabfc070d8872ef020b Mon Sep 17 00:00:00 2001
From: Shengwen YU
Date: Mon, 24 Apr 2023 01:10:09 +0800
Subject: [PATCH] feat: update database-ss initContainers (#1470)
Signed-off-by: Shengwen Yu
---
Chart.yaml | 4 +--
templates/database/database-ss.yaml | 47 ++++++++++++++++++++++-------
values.yaml | 41 ++++++++++++++-----------
3 files changed, 62 insertions(+), 30 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index ab75ed638..8a641a00e 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: harbor
-version: 1.3.18
-appVersion: 1.10.17
+version: 1.3.19-rc1
+appVersion: 1.10.18-rc1
 description: An open source trusted cloud native registry that stores, signs, and scans content
 keywords:
 - docker
diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
index 9a4bc7b15..2d588385e 100644
--- a/templates/database/database-ss.yaml
+++ b/templates/database/database-ss.yaml
@@ -25,28 +25,48 @@ spec:
 {{ toYaml .Values.database.podAnnotations | indent 8 }}
 {{- end }}
 spec:
+ securityContext:
+ runAsUser: 999
+ fsGroup: 999
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 initContainers:
- - name: "change-permission-of-directory"
- image: {{ .Values.database.internal.initContainerImage.repository }}:{{ .Values.database.internal.initContainerImage.tag }}
+ # as we change the data directory to a sub folder to support psp, the init container here
+ # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756
+ # for more detail.
+ # we may remove it after several releases
+ - name: "data-migrator"
+ image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
 command: ["/bin/sh"]
- args: ["-c", "chown -R 999:999 /var/lib/postgresql/data"]
+ args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"]
+{{- if ((((.Values.database).internal).initContainer).migrator).resources }}
+ resources:
+{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }}
+{{- end }}
 volumeMounts:
- - name: database-data
- mountPath: /var/lib/postgresql/data
- subPath: {{ $database.subPath }}
- - name: "remove-lost-found"
+ - name: database-data
+ mountPath: /var/lib/postgresql/data
+ subPath: {{ $database.subPath }}
+ # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume
+ # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph
+ # use this init container to correct the permission
+ # as "fsGroup" applied before the init container running, the container has enough permission to execute the command
+ - name: "data-permissions-ensurer"
 image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
- command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
+ command: ["/bin/sh"]
+ args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
+{{- if ((((.Values.database).internal).initContainer).permissions).resources }}
+ resources:
+{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }}
+{{- end }}
 volumeMounts:
- - name: database-data
- mountPath: /var/lib/postgresql/data
- subPath: {{ $database.subPath }}
+ - name: database-data
+ mountPath: /var/lib/postgresql/data
+ subPath: {{ $database.subPath }}
 containers:
 - name: database
 image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
@@ -70,6 +90,11 @@ spec:
 envFrom:
 - secretRef:
 name: "{{ template "harbor.database" . }}"
+ env:
+ # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
+ # more detail refer to https://github.com/goharbor/harbor-helm/issues/756
+ - name: PGDATA
+ value: "/var/lib/postgresql/data/pgdata"
 volumeMounts:
 - name: database-data
 mountPath: /var/lib/postgresql/data
diff --git a/values.yaml b/values.yaml
index 772237356..66a6030f8 100644
--- a/values.yaml
+++ b/values.yaml
@@ -276,7 +276,7 @@ proxy:
 nginx:
 image:
 repository: goharbor/nginx-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 replicas: 1
 # resources:
 # requests:
@@ -291,7 +291,7 @@ nginx:
 portal:
 image:
 repository: goharbor/harbor-portal
- tag: v1.10.17
+ tag: v1.10.18-rc1
 replicas: 1
 # resources:
 # requests:
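Review bot: The `data-migrator` args include the freshly created `pgdata` directory in their own glob (`mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/`), so `mv` always fails on that entry and exits non-zero, and the trailing `|| true` that papers over it also swallows every genuine failure — for example a root-owned `lost+found` that the dropped `remove-lost-found` container no longer deletes, or a move interrupted part-way. Because the `[ ! -d /var/lib/postgresql/data/pgdata ]` guard then skips the migration on every later run, a half-moved cluster is never retried and PostgreSQL is started against an incomplete `pgdata` with nothing in the init-container log to explain it. I would move the entries explicitly, skip `pgdata` and `lost+found`, move `PG_VERSION` last so that its presence in `pgdata` marks a completed migration, and let the container exit non-zero on any failed move so the pod restarts visibly instead of booting on partial data. Separately, the new pod `securityContext` sets `runAsUser: 999` but not `runAsNonRoot: true`, and none of the containers set `allowPrivilegeEscalation: false`; adding both makes the restricted-PSP intent explicit rather than depending on admission-controller defaults.
```yaml
          command: ["/bin/sh", "-ec"]
          args:
            - |
              d=/var/lib/postgresql/data
              # nothing to migrate: fresh volume, or PG_VERSION already moved (migration done)
              [ -e "$d/PG_VERSION" ] || exit 0
              mkdir -p -m 0700 "$d/pgdata"
              for f in "$d"/* "$d"/.[!.]*; do
                case "$f" in
                  "$d/pgdata"|"$d/PG_VERSION"|"$d/lost+found") continue ;;
                esac
                [ -e "$f" ] || continue
                mv "$f" "$d/pgdata/"
              done
              # moved last: a rerun after a partial move still sees PG_VERSION and retries
              mv "$d/PG_VERSION" "$d/pgdata/"
          # … unchanged: resources, volumeMounts …
```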
@@ -306,7 +306,7 @@ portal:
 core:
 image:
 repository: goharbor/harbor-core
- tag: v1.10.17
+ tag: v1.10.18-rc1
 replicas: 1
 ## Liveness probe values
 livenessProbe:
@@ -343,7 +343,7 @@ core:
 jobservice:
 image:
 repository: goharbor/harbor-jobservice
- tag: v1.10.17
+ tag: v1.10.18-rc1
 replicas: 1
 maxJobWorkers: 10
 # The logger for jobs: "file", "database" or "stdout"
@@ -366,7 +366,7 @@ registry:
 registry:
 image:
 repository: goharbor/registry-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 
 # resources:
 # requests:
@@ -375,7 +375,7 @@ registry:
 controller:
 image:
 repository: goharbor/harbor-registryctl
- tag: v1.10.17
+ tag: v1.10.18-rc1
 
 # resources:
 # requests:
@@ -413,7 +413,7 @@ chartmuseum:
 absoluteUrl: false
 image:
 repository: goharbor/chartmuseum-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 replicas: 1
 # resources:
 # requests:
@@ -430,7 +430,7 @@ clair:
 clair:
 image:
 repository: goharbor/clair-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 # resources:
 # requests:
 # memory: 256Mi
@@ -438,7 +438,7 @@ clair:
 adapter:
 image:
 repository: goharbor/clair-adapter-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 # resources:
 # requests:
 # memory: 256Mi
@@ -458,7 +458,7 @@ notary:
 server:
 image:
 repository: goharbor/notary-server-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 replicas: 1
 # resources:
 # requests:
@@ -467,7 +467,7 @@ notary:
 signer:
 image:
 repository: goharbor/notary-signer-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 replicas: 1
 # resources:
 # requests:
@@ -493,11 +493,7 @@ database:
 internal:
 image:
 repository: goharbor/harbor-db
- tag: v1.10.17
- # the image used by the init container
- initContainerImage:
- repository: busybox
- tag: latest
+ tag: v1.10.18-rc1
 # The initial superuser password for internal database
 password: "changeit"
 # resources:
@@ -507,6 +503,17 @@ database:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+ initContainer:
+ migrator: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+ permissions: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
 external:
 host: "192.168.0.1"
 port: "5432"
@@ -541,7 +548,7 @@ redis:
 internal:
 image:
 repository: goharbor/redis-photon
- tag: v1.10.17
+ tag: v1.10.18-rc1
 # resources:
 # requests:
 # memory: 256Mi