From 8a68fda3f3974b46fa9c16bf062fd4d6508e885b Mon Sep 17 00:00:00 2001
From: Ween Jiann
Date: Mon, 10 May 2021 11:40:45 +0800
Subject: [PATCH] Added volume permissions initcontainer (#335)

---
 charts/invoiceninja/Chart.yaml | 4 ++--
 charts/invoiceninja/README.md | 12 +++++++++++
 charts/invoiceninja/templates/_helpers.tpl | 9 ++++++++-
 charts/invoiceninja/templates/deployment.yaml | 20 +++++++++++++++++++
 charts/invoiceninja/values.yaml | 18 +++++++++++++++++
 5 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/charts/invoiceninja/Chart.yaml b/charts/invoiceninja/Chart.yaml
index 62ef6c7..e0c609e 100644
--- a/charts/invoiceninja/Chart.yaml
+++ b/charts/invoiceninja/Chart.yaml
@@ -13,11 +13,11 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.2
+version: 0.3.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 5.1.41
+appVersion: 5.1.42
 keywords:
   - invoiceninja
 home: https://invoiceninja.github.io/dockerfiles
diff --git a/charts/invoiceninja/README.md b/charts/invoiceninja/README.md
index 3c27b4d..e3d445f 100644
--- a/charts/invoiceninja/README.md
+++ b/charts/invoiceninja/README.md
@@ -115,6 +115,18 @@ The following table shows the configuration options for the Invoice Ninja helm c
 | `extraVolumeMounts` | Additional volume mounts | `[]` |
 | `extraVolumes` | Additional volumes | `[]` |
 
+### Volume Permissions parameters
+
+| Parameter | Description | Default |
+| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- |
+| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
+| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
+| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/bitnami-shell` |
+| `volumePermissions.image.tag` | Init container volume-permissions image tag | `"10"` |
+| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
+| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
+| `volumePermissions.resources` | Init container volume-permissions resource | `{}` |
+
 ### Exposure parameters
 
 | Parameter | Description | Default |
diff --git a/charts/invoiceninja/templates/_helpers.tpl b/charts/invoiceninja/templates/_helpers.tpl
index 94c3c8b..2e3a98d 100644
--- a/charts/invoiceninja/templates/_helpers.tpl
+++ b/charts/invoiceninja/templates/_helpers.tpl
@@ -9,7 +9,14 @@ Return the proper image name
 Return the proper Docker Image Registry Secret Names
 */}}
 {{- define "invoiceninja.imagePullSecrets" -}}
-{{- include "common.images.pullSecrets" (dict "images" (list .Values.image ) "global" .Values.global) -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{/*
+Return the proper image name (for the init container volume-permissions image)
+*/}}
+{{- define "invoiceninja.volumePermissions.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
 {{- end -}}
 
 {{/*
diff --git a/charts/invoiceninja/templates/deployment.yaml b/charts/invoiceninja/templates/deployment.yaml
index 63b7f07..1f795b7 100644
--- a/charts/invoiceninja/templates/deployment.yaml
+++ b/charts/invoiceninja/templates/deployment.yaml
@@ -81,6 +81,26 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "common.names.fullname" . }}
+      {{- if and .Values.podSecurityContext .Values.volumePermissions.enabled (or .Values.persistence.public.enabled .Values.persistence.storage.enabled) }}
+        - name: volume-permissions
+          image: {{ include "invoiceninja.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          command:
+            - /bin/bash
+            - -ec
+            - |
+              chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /var/www/app/{public,storage}
+          securityContext:
+            runAsUser: 0
+          {{- if .Values.volumePermissions.resources }}
+          resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /var/www/app/public
+              name: public
+            - mountPath: /var/www/app/storage
+              name: storage
+      {{- end }}
       {{- if .Values.initContainers }}
       {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
       {{- end }}
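Review bot: The new `invoiceninja.volumePermissions.image` define emits its value with `{{ include ... }}` while the sibling `invoiceninja.imagePullSecrets` define two lines above uses `{{- include ... -}}`; the trailing newline is swallowed by the following `{{- end -}}` so the output is correct, but the two helpers should share one trim style, `{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}}`. Adding `.Values.volumePermissions.image` to the `common.images.pullSecrets` list is the right move, since otherwise a private-registry mirror of the init image would fail to pull while the main image succeeds.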
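Review bot: The guard on the new init container tests `.Values.podSecurityContext` but the `chown` line dereferences `.Values.containerSecurityContext.runAsUser`, which is not guarded: a user who enables `volumePermissions` with `containerSecurityContext` nulled out gets a template nil-pointer error, and an unset `runAsUser` or `fsGroup` renders a half-formed `chown -R :1001` / `chown -R 1001:` argument that silently changes only owner or only group. Add the missing map to the condition, `{{- if and .Values.podSecurityContext .Values.containerSecurityContext .Values.volumePermissions.enabled (or .Values.persistence.public.enabled .Values.persistence.storage.enabled) }}`, and consider wrapping the two fields in `required` so a missing uid/gid fails at render time rather than at chown time. The container runs as `runAsUser: 0` with no `capabilities` restriction and walks the whole persistent tree on every pod start; a comment such as `# Runs as root only to fix ownership of the PV mountpoints; drop once volumes are owned by runAsUser:fsGroup` would make the intent clear to operators. Both `public` and `storage` are always mounted even though the condition only requires one of the persistence flags, so if the corresponding volumes are defined conditionally elsewhere in this template (not visible in the hunk) the Pod would be rejected for a missing volume. The `initContainers:` list this item belongs to starts outside the hunk.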
diff --git a/charts/invoiceninja/values.yaml b/charts/invoiceninja/values.yaml
index d629b0b..2cc67de 100644
--- a/charts/invoiceninja/values.yaml
+++ b/charts/invoiceninja/values.yaml
@@ -165,6 +165,24 @@ containerSecurityContext:
   # - ALL
   # readOnlyRootFilesystem: true
 
+## Init containers parameters:
+## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
+##
+volumePermissions:
+  enabled: false
+  image:
+    registry: docker.io
+    repository: bitnami/bitnami-shell
+    tag: "10"
+    pullPolicy: Always
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ##
+    # pullSecrets:
+    # - myRegistryKeySecretName
+  resources: {}
+
 ## Number of replicas (requires ReadWriteMany PVC support)
 ##
 replicaCount: 1
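Review bot: `volumePermissions.image` defaults to the floating tag `"10"` combined with `pullPolicy: Always`, so the image that runs as uid 0 over the persistent volumes is re-resolved from `docker.io` on every pod start and can change underneath a deployed release. If the vendored `common.images.image` helper supports a `digest` field (not visible here), expose it beside `tag` with a comment like `## Pin to an immutable digest in production; this container runs as root over the PVs`; otherwise state the trade-off in the `## volumePermissions:` header comment. The quoting of `tag: "10"` is correct and should be kept, since an unquoted `10` would become an integer.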