Set sdc onboarding volume mount permissions

Set the permissions of files in the sdc onboarding backend persistent volume for package certs to enable access by the process in the pod which now runs as non-root user (since SDC-2798)

Signed-off-by: MichaelMorris <michael.morris@est.tech>
Issue-ID: SDC-2981
Change-Id: I6113f14ca9933e2fec2b565768ed5afbe3c18f21

diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
index 3db3685..108c781 100644 (file)
--- a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
@@ -70,6 +70,19 @@ spec:
             mountPath: /config-input/
           - name: sdc-environments-output
             mountPath: /config-output/
+      - name: volume-permissions
+        image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command:
+          - /bin/sh
+          - -c
+          - |
+            chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert
+        securityContext:
+          runAsUser: 0
+        volumeMounts:
+          - name: {{ include "common.fullname" . }}-cert-storage
+            mountPath: "/onboard/cert"
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"

diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
index 946cb34..4cfebbf 100644 (file)
--- a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
@@ -103,6 +103,9 @@ cert:
     volumeReclaimPolicy: Retain
     mountSubPath: /sdc/onbaording/cert
 
+securityContext:
+  fsGroup: 35953
+  runAsUser: 352070
 
 ingress:
   enabled: false

diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml
index 5701a91..2694b5d 100644 (file)
--- a/kubernetes/sdc/values.yaml
+++ b/kubernetes/sdc/values.yaml
@@ -28,6 +28,8 @@ global:
     wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
   ubuntuInitRepository: oomk8s
   ubuntuInitImage: ubuntu-init:1.0.0
+  busyboxRepository: registry.hub.docker.com
+  busyboxImage: library/busybox:latest
   cassandra:
    #This flag allows SDC to instantiate its own cluster, serviceName
    #should be sdc-cs if this flag is enabled