build: add securityContext and fix rabbitMQ cookie #233

Open
wants to merge 11 commits into
base: dev
5 changes: 4 additions & 1 deletion deployment/templates/flower/flower-deployment.yaml
Expand Up @@ -19,4 +19,7 @@ spec:
command: ['flower']
args: ['--broker=amqp://guest:guest@rabbitmq:5672//', '--port=5555', '--basic_auth={{ .Values.flower.basicAuth }}']
name: flower

{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 -}}
{{- end }}
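Review bot: The securityContext block at the end of this hunk is repeated verbatim in five templates (flower, rabbitmq, celery, wes-configmap, wes-deployment) and passes `.Values.securityContext` through `toYaml` unchecked, so nothing states whether it is rendered as a pod-level or a container-level context, and the two levels accept different fields. Suggest moving the block into one named template that each deployment includes, and documenting in values.yaml which level it applies to, so that a later addition such as `fsGroup` or `allowPrivilegeEscalation` does not render a manifest the API server rejects.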
2 changes: 1 addition & 1 deletion deployment/templates/mongodb/mongodb-deployment.yaml
Expand Up @@ -14,7 +14,7 @@ spec:
labels:
app: {{ .Values.mongodb.appName }}
spec:
{{ if eq .Values.clusterType "kubernetes" }}
{{ if and (eq .Values.clusterType "kubernetes") (eq ( .Values.mongodb.securityContext.runAsUser | int) 0) }}
lvarin marked this conversation as resolved.
initContainers:
- name: volume-permissions
image: busybox
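Review bot: The new condition on the `{{ if and (eq .Values.clusterType "kubernetes") ...` line reads `.Values.mongodb.securityContext.runAsUser`, while the values.yaml hunk in this PR only adds a top-level `securityContext` and every other template in the diff uses `.Values.securityContext`. If `mongodb.securityContext` is not defined elsewhere in values.yaml, rendering fails with a nil-pointer error; if it exists without `runAsUser`, `int` yields 0 and the `volume-permissions` init container still runs even when the pod is configured as non-root. Suggest guarding the lookup (for example an `if .Values.mongodb.securityContext` check first) or keying the condition on the same `.Values.securityContext` the other templates use.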
10 changes: 10 additions & 0 deletions deployment/templates/rabbitmq/rabbitmq-deployment.yaml
Expand Up @@ -17,11 +17,21 @@ spec:
containers:
- name: rabbitmq
image: {{ .Values.rabbitmq.image }}
command:
- /bin/sh
- -c
- |
chmod g-rw /var/lib/rabbitmq/.erlang.cookie;
Contributor

What is this for? Why is it necessary?

Contributor Author

I already explained in issue #233. If the RabbitMQ deployment is restarted (e.g. due to cluster failure), the RabbitMQ cookie has incorrect permissions after restart (rw-rw---- instead of rw-------). This is solved by chmod in the main container before calling rabbitmq.

Contributor

The idea is to put the information about this workaround in the code itself (deployment/templates/rabbitmq/rabbitmq-deployment.yaml). Otherwise no one will ever find this information.

Contributor Author

Comment added, is it OK now?

/opt/rabbitmq/sbin/rabbitmq-server
volumeMounts:
- mountPath: /var/lib/rabbitmq
name: rabbitmq-volume
volumes:
- name: rabbitmq-volume
persistentVolumeClaim:
claimName: {{ .Values.rabbitmq.appName }}-volume
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 -}}
{{- end }}
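Review bot: The script under `command:` starts `/opt/rabbitmq/sbin/rabbitmq-server` without `exec`, so `/bin/sh` stays PID 1 and the server may not receive SIGTERM when the pod is stopped, which works against the clean restart this workaround is meant to support. Suggest `exec /opt/rabbitmq/sbin/rabbitmq-server` as the last line. Two smaller points on the `chmod g-rw /var/lib/rabbitmq/.erlang.cookie;` line: it only clears the group read and write bits, so an explicit `chmod 600` would state the intended rw------- mode directly, and on a first start with an empty volume the file does not exist yet, so the chmod prints an error that is silently ignored; a `[ -f ... ] &&` guard would keep the logs clean. The hard-coded server path also replaces the image's own entrypoint, which is worth a short comment next to the workaround.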

5 changes: 4 additions & 1 deletion deployment/templates/wes/celery-deployment.yaml
Expand Up @@ -82,4 +82,7 @@ spec:
items:
- key: netrc
path: .netrc

{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 -}}
{{- end }}
4 changes: 4 additions & 0 deletions deployment/templates/wes/wes-configmap.yaml
Expand Up @@ -22,5 +22,9 @@ spec:
value: {{ .Values.wes.appName }}
restartPolicy: Never
serviceAccountName: {{ .Values.wes.appName }}-autoadmin
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 -}}
{{- end }}
status: {}

5 changes: 4 additions & 1 deletion deployment/templates/wes/wes-deployment.yaml
Expand Up @@ -97,4 +97,7 @@ spec:
defaultMode: 420
name: app-config
name: app-config

{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 -}}
{{- end }}
3 changes: 3 additions & 0 deletions deployment/values.yaml
Expand Up @@ -7,6 +7,9 @@ clusterType: openshift # either 'kubernetes' or 'openshift'
tlsSecret: mytls-secret # put name of tlsSecret
storageAccessMode: ReadWriteOnce # mongodb-pvc.yaml/rabbitmq-pvc.yaml, change to ReadWriteMany if storageClass can do RWX

securityContext:
lvarin marked this conversation as resolved.
runAsUser: 1000

extra_config:
folder: /etc/app_config
file: app_config.yaml
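Review bot: The new default `runAsUser: 1000` sits next to `clusterType: openshift` as the default cluster type, and on OpenShift a fixed UID outside the project's allocated range is normally refused by the restricted SCC, so a default install could fail admission for every pod that renders this block. Suggest leaving `securityContext` empty by default (the templates already skip the block when it is unset) or documenting that the value must be adjusted per cluster type, and adding `runAsNonRoot: true` where a UID is set so the intent is enforced rather than implied.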