From: Krzysztof Opasiak <k.opasiak@samsung.com>
Date: Thu, 14 May 2020 17:41:20 +0000 (+0200)
Subject: [ESR] Force esr-gui to run as non-root
X-Git-Tag: 7.0.0~437^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=4c62d4db068a64494fd19870977c3eaa0b63c670;hp=c32ee22a8436a184d710db9d06da85c4ca385efc;p=oom.git

[ESR] Force esr-gui to run as non-root

Use securityContext to run esr-gui as a non-root user.
Unfortunately esr-gui docker is built in a way that doesn't allow use
to just change the user and continue using it. We need to copy tomcat
directory to volume to make sure that tomcat is able to create
additional directories after it starts.

Issue-ID: AAI-2896
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Iae060ea691ce492e8ccb2d540a48c085c0fd66ae
---

diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
index 9319485ddf..9c70d327d7 100644
--- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1001
+        fsGroup: 1001
+      initContainers:
+      - command:
+        - cp
+        args:
+        - -r
+        - -T
+        - /home/esr/tomcat
+        - /opt/tomcat
+        securityContext:
+          privileged: true
+        image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: create-tomcat-dir
+        volumeMounts:
+        - name: tomcat-workdir
+          mountPath: /opt/tomcat
+
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -54,15 +75,23 @@ spec:
           env:
             - name: MSB_ADDR
               value: {{ tpl .Values.msbaddr . }}
+          volumeMounts:
+            - name: tomcat-workdir
+              mountPath: /home/esr/tomcat/
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
-        nodeSelector:
+          nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
         {{- end -}}
         {{- if .Values.affinity }}
-        affinity:
+          affinity:
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
+
+      volumes:
+      - name: tomcat-workdir
+        emptyDir: {}
+
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"