From e3b30aac58435e9a88dcf8a5e318c3a09bb77c93 Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak
Date: Thu, 14 May 2020 19:41:20 +0200
Subject: [PATCH] [ESR] Force esr-gui to run as non-root

Use securityContext to run esr-gui as a non-root user. Unfortunately esr-gui docker is built in a way that doesn't allow use to just change the user and continue using it. We need to copy tomcat directory to volume to make sure that tomcat is able to create additional directories after it starts.

Issue-ID: AAI-2896
Signed-off-by: Krzysztof Opasiak
Change-Id: Iae060ea691ce492e8ccb2d540a48c085c0fd66ae
(cherry picked from commit 4c62d4db068a64494fd19870977c3eaa0b63c670)
---
 .../esr/charts/esr-gui/templates/deployment.yaml | 33 ++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
index 9319485ddf..9c70d327d7 100644
--- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
 app: {{ include "common.name" . }}
 release: {{ include "common.release" . }}
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/tomcat
+ - /opt/tomcat
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-tomcat-dir
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /opt/tomcat
+
 containers:
 - name: {{ include "common.name" . }}
 image: "{{ include "common.repository" . }}/{{ .Values.image }}"
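Review bot: The `create-tomcat-dir` init container is given `privileged: true` to run a single `cp -r -T`, which hands a throwaway copy step every capability and host-device access the node allows, far beyond what copying a directory into an emptyDir needs. Since the init container does not override the pod-level `runAsUser: 1000` / `fsGroup: 1001`, the copy should already produce files the tomcat user can write to; unless the image's `/home/esr/tomcat` is genuinely unreadable by uid 1000, `privileged: true` can be replaced with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. If root really is required to read the image tree, scope it to the init container with `runAsUser: 0` plus a `chown -R 1000:1001` of the target rather than a privileged container. The same `allowPrivilegeEscalation: false` / drop-all pair belongs on the main container, which this patch leaves without a container-level securityContext (its definition continues past the hunk).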
@@ -54,15 +75,23 @@ spec:
 env:
 - name: MSB_ADDR
 value: {{ tpl .Values.msbaddr . }}
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /home/esr/tomcat/
 resources:
 {{ include "common.resources" . | indent 12 }}
 {{- if .Values.nodeSelector }}
- nodeSelector:
+ nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
 {{- end -}}
 {{- if .Values.affinity }}
- affinity:
+ affinity:
 {{ toYaml .Values.affinity | indent 10 }}
 {{- end }}
+
+ volumes:
+ - name: tomcat-workdir
+ emptyDir: {}
+
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
--
2.16.6
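Review bot: The new `tomcat-workdir` volume is declared as `emptyDir: {}` with no `sizeLimit`, and it is mounted at `/home/esr/tomcat/`, the directory tomcat needs to write into at startup per the commit message, so a chatty or misbehaving instance can grow it until the node's ephemeral storage is exhausted and unrelated pods are evicted. Giving it a bound, e.g. `emptyDir:` / `  sizeLimit: 1Gi` (size to be chosen for this deployment), turns that into an eviction of this pod alone. Note also that the main container mounts `/home/esr/tomcat/` with a trailing slash while the init container copies from `/home/esr/tomcat`; harmless, but `/home/esr/tomcat` in both keeps the two paths grep-able as one. The added volumeMounts sits inside a container definition whose start is in the previous hunk.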