Merge pull request #558 from rstudio/tylfin/ppm-fsGroup

Fix: Set the `securityContext.fsGroup` to default `999` guid
rstudio · Sep 26, 2024 · 3c4e196 · 3c4e196
2 parents 744a402 + d0ad0f9
commit 3c4e196
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 5 deletions.
diff --git a/charts/rstudio-pm/Chart.yaml b/charts/rstudio-pm/Chart.yaml
@@ -1,6 +1,6 @@
 name: rstudio-pm
 description: Official Helm chart for Posit Package Manager
-version: 0.5.33
+version: 0.5.34
 apiVersion: v2
 appVersion: 2024.08.2
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png

diff --git a/charts/rstudio-pm/NEWS.md b/charts/rstudio-pm/NEWS.md
@@ -1,4 +1,9 @@
 # Changelog
+
+## 0.5.34
+
+- Add `pod.securityContext.fsGroup = 999` value to set file permissions correctly when using shared storage.
+
 ## 0.5.33
 
 - Update default Post Package Manager version to 2024.08.2-9

diff --git a/charts/rstudio-pm/README.md b/charts/rstudio-pm/README.md
@@ -1,6 +1,6 @@
 # Posit Package Manager
 
-![Version: 0.5.33](https://img.shields.io/badge/Version-0.5.33-informational?style=flat-square) ![AppVersion: 2024.08.2](https://img.shields.io/badge/AppVersion-2024.08.2-informational?style=flat-square)
+![Version: 0.5.34](https://img.shields.io/badge/Version-0.5.34-informational?style=flat-square) ![AppVersion: 2024.08.2](https://img.shields.io/badge/AppVersion-2024.08.2-informational?style=flat-square)
 
 #### _Official Helm chart for Posit Package Manager_
 
@@ -24,11 +24,11 @@ To ensure a stable production deployment:
 
 ## Installing the chart
 
-To install the chart with the release name `my-release` at version 0.5.33:
+To install the chart with the release name `my-release` at version 0.5.34:
 
 ```{.bash}
 helm repo add rstudio https://helm.rstudio.com
-helm upgrade --install my-release rstudio/rstudio-pm --version=0.5.33
+helm upgrade --install my-release rstudio/rstudio-pm --version=0.5.34
 ```
 
 To explore other chart versions, look at:
@@ -222,7 +222,7 @@ The Helm `config` values are converted into the `rstudio-pm.gcfg` service config
 | nameOverride | string | `""` | the name of the chart deployment (can be overridden) |
 | nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition |
 | pod.annotations | object | `{}` | annotations is a map of keys / values that will be added as annotations to the pods |
-| pod.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"{{ if .Values.enableSandboxing }}Unconfined{{ else }}RuntimeDefault{{ end }}"}}` | the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the main Package Manager container. Evaluated as a template. |
+| pod.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"fsGroup":999,"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"{{ if .Values.enableSandboxing }}Unconfined{{ else }}RuntimeDefault{{ end }}"}}` | the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the main Package Manager container. Evaluated as a template. |
 | pod.env | list | `[]` | env is an array of maps that is injected as-is into the "env:" component of the pod.container spec |
 | pod.labels | object | `{}` | Additional labels to add to the rstudio-pm pods |
 | pod.lifecycle | object | `{}` | Container [lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) |

diff --git a/charts/rstudio-pm/values.yaml b/charts/rstudio-pm/values.yaml
@@ -129,6 +129,7 @@ pod:
   # -- the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the main Package Manager container. Evaluated as a template.
   containerSecurityContext:
     runAsUser: 999
+    fsGroup: 999
     runAsNonRoot: true
     allowPrivilegeEscalation: false
     capabilities: