From 16e93cf5e5b3c3fe19204570b7d74b6f782eacb7 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Fri, 17 Nov 2023 13:36:55 +0100
Subject: [PATCH] Fix Kapitan plugin securityContext on non-Openshift clusters
---
 component/argocd.jsonnet | 5 +++++
 tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml | 1 +
 tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml | 1 +
 3 files changed, 7 insertions(+)
diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet
index 07924a26..72012fb9 100644
--- a/component/argocd.jsonnet
+++ b/component/argocd.jsonnet
@@ -147,6 +147,11 @@ local repoServer = {
 image: common.render_image('kapitan', include_tag=true),
 securityContext: {
 runAsNonRoot: true,
+ // On non-OpenShift we use user 999, since the main repo-server
+ // container also uses user 999 and we need to make sure that the main
+ // repo-server container has write permissions on the cmp-server
+ // socket created by this container.
+ [if !isOpenshift then 'runAsUser']: 999,
 },
 volumeMounts_: {
 'var-files': {
diff --git a/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml
index 15fc998b..83f63559 100644
--- a/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml
+++ b/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml
@@ -74,6 +74,7 @@ spec:
 ports: []
 securityContext:
 runAsNonRoot: true
+ runAsUser: 100
 stdin: false
 tty: false
 volumeMounts:
diff --git a/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml
index aa7fdbbe..e2430b11 100644
--- a/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml
+++ b/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml
@@ -58,6 +58,7 @@ spec:
 ports: []
 securityContext:
 runAsNonRoot: true
+ runAsUser: 100
 stdin: false
 tty: false
 volumeMounts:
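Review bot: The new `runAsUser` entry in `component/argocd.jsonnet` is set to 999, and its comment says the sidecar must share UID 999 with the main repo-server container, yet both golden files in this patch add `runAsUser: 100`. Unless something outside this patch overrides the value, either the golden output was rendered from a different revision or the literal and comment are wrong. The comment ties write access on the cmp-server socket to the two UIDs matching, so a sidecar rendered with 100 would presumably leave the socket unwritable for the main container. I would regenerate the golden files so they read `runAsUser: 999`, or correct the literal and the comment together if 100 is the intended UID. The `repoServer` object starts and ends outside the hunk, so where the main container's UID comes from is not visible; if it is fixed elsewhere, a shared local such as `local repoServerUid = 999;` would keep the two from drifting apart.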