Run SDC pods as non-root
[oom.git] / kubernetes / sdc / charts / sdc-cs / templates / job.yaml
index da2ec3d..4e4aad4 100644 (file)
@@ -1,3 +1,18 @@
+# Copyright © 2017 Amdocs, AT&T, Bell Canada
+# Modifications Copyright © 2018  ZTE
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -6,14 +21,15 @@ metadata:
   labels:
     app: {{ include "common.name" . }}-job
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ .Release.Name }}
+    release: {{ include "common.release" . }}
     heritage: {{ .Release.Service }}
 spec:
+  backoffLimit: 20
   template:
     metadata:
       labels:
         app: {{ include "common.name" . }}-job
-        release: {{ .Release.Name }}
+        release: {{ include "common.release" . }}
     spec:
       restartPolicy: Never
       initContainers:
@@ -24,7 +40,11 @@ spec:
         - /root/ready.py
         args:
         - --container-name
+        {{- if .Values.global.cassandra.localCluster }}
         - sdc-cs
+        {{- else }}
+        - cassandra
+        {{- end }}
         env:
         - name: NAMESPACE
           valueFrom:
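Review bot: The added `{{- if .Values.global.cassandra.localCluster }}` guard dereferences `global.cassandra` directly, so a parent chart or override file that omits that map would make the template fail to render with a nil-pointer error instead of taking either branch. No default is visible on this page, so confirm that `global.cassandra.localCluster` is declared in the values this chart is installed with. A template comment above the conditional, such as `{{- /* wait for the chart-local sdc-cs pod, otherwise for the shared cassandra deployment */}}`, would document why the readiness target changes. The init container's definition starts outside this hunk, and its command is still `/root/ready.py`; if that image is also meant to run as non-root, the path should be checked.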
@@ -33,28 +53,38 @@ spec:
               fieldPath: metadata.namespace
       containers:
       - name: {{ include "common.name" . }}-job
-        image: "{{ .Values.global.repository | default .Values.repository }}/{{ .Values.cassandraInitImage }}"
+        image: "{{ include "common.repository" . }}/{{ .Values.cassandraInitImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         volumeMounts:
         - name: {{ include "common.fullname" . }}-environments
-          mountPath: /root/chef-solo/environments/
+          mountPath: /home/sdc/chef-solo/environments/
+        - name: {{ include "common.fullname" . }}-chef-cache
+          mountPath: /home/sdc/chef-solo/cache
         env:
         - name: ENVNAME
           value: {{ .Values.global.env.name }}
+        - name: RELEASE
+          value: {{ .Values.config.release }}
         - name: SDC_USER
           valueFrom:
-            secretKeyRef: {name: {{ include "common.fullname" . }}, key: sdc_user}
+            secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user}
         - name: SDC_PASSWORD
           valueFrom:
-            secretKeyRef: {name: {{ include "common.fullname" . }}, key: sdc_password}
+            secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}
         - name: CS_PASSWORD
           valueFrom:
-            secretKeyRef: {name: {{ include "common.fullname" . }}, key: cs_password}
+            secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: cs_password}
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
       volumes:
-        - name: {{ include "common.fullname" . }}-environments
-          configMap:
-            name: {{ .Release.Name }}-sdc-environments-configmap
-            defaultMode: 0755
+      - name: {{ include "common.fullname" . }}-environments
+        configMap:
+          name: {{ include "common.release" . }}-sdc-environments-configmap
+          defaultMode: 0755
+      - name: {{ include "common.fullname" . }}-chef-cache
+        emptyDir: {}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
       restartPolicy: Never
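Review bot: Neither the `-job` container nor the pod spec around it carries a `securityContext` in any of the visible hunks, so the non-root behaviour this commit is named for rests only on the image's own USER and the `/home/sdc` mount paths. A later image change or override could run the job as root again without any error, while it still receives `SDC_PASSWORD` and `CS_PASSWORD`. I would add `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}` to the container (or `runAsNonRoot: true` at pod level) so the kubelet refuses to start it as UID 0. The kubelet can only verify `runAsNonRoot` when the image declares a numeric UID; otherwise `runAsUser` must also be set to the UID of the image's sdc user. Separately, the new `RELEASE` value is rendered unquoted; `value: {{ .Values.config.release | quote }}` keeps a numeric-looking or empty release from being typed as a number or null, which an env `value` does not accept.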