[ESR] Force esr-gui to run as non-root 99/107699/1
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Thu, 14 May 2020 17:41:20 +0000 (19:41 +0200)
committerKrzysztof Opasiak <k.opasiak@samsung.com>
Thu, 14 May 2020 17:41:20 +0000 (19:41 +0200)
Use securityContext to run esr-gui as a non-root user.
Unfortunately the esr-gui docker image is built in a way that doesn't allow us
to just change the user and continue using it. We need to copy the tomcat
directory to volume to make sure that tomcat is able to create
additional directories after it starts.

Issue-ID: AAI-2896
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Iae060ea691ce492e8ccb2d540a48c085c0fd66ae

kubernetes/esr/charts/esr-gui/templates/deployment.yaml

index 9319485..9c70d32 100644 (file)
@@ -31,6 +31,27 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1001
+        fsGroup: 1001
+      initContainers:
+      - command:
+        - cp
+        args:
+        - -r
+        - -T
+        - /home/esr/tomcat
+        - /opt/tomcat
+        securityContext:
+          privileged: true
+        image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: create-tomcat-dir
+        volumeMounts:
+        - name: tomcat-workdir
+          mountPath: /opt/tomcat
+
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
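Review bot: `privileged: true` on the create-tomcat-dir init container (the securityContext under `args:`) is far more than a directory copy needs and largely undoes the non-root intent of the commit: it grants every capability and host-device access to a container whose only job is to run `cp`. Since the init container inherits the pod-level `runAsUser: 1000`, the copy presumably succeeds only because privilege lets it bypass file permissions on the image's `/home/esr/tomcat`. If that directory is readable by uid 1000 (not visible here), the init container needs no `securityContext` at all; otherwise grant root to this one container only, `securityContext: {runAsUser: 0}`, and hand the result to the runtime user with `command: ["sh", "-c", "cp -rT /home/esr/tomcat /opt/tomcat && chown -R 1000:1001 /opt/tomcat"]`, which keeps the pod's capability set and host isolation intact. Adding `runAsNonRoot: true` to the pod-level securityContext would also make the kubelet refuse to start the main container if it ever fell back to uid 0.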
@@ -54,15 +75,23 @@ spec:
           env:
             - name: MSB_ADDR
               value: {{ tpl .Values.msbaddr . }}
+          volumeMounts:
+            - name: tomcat-workdir
+              mountPath: /home/esr/tomcat/
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
-        nodeSelector:
+          nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
         {{- end -}}
         {{- if .Values.affinity }}
-        affinity:
+          affinity:
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
+
+      volumes:
+      - name: tomcat-workdir
+        emptyDir: {}
+
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
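Review bot: The re-indented `nodeSelector:` and `affinity:` now sit at the same column as `resources:` and `env:`, i.e. inside the container entry, whereas Kubernetes defines both as PodSpec fields; depending on the validation mode in use the API server either rejects the object or prunes the unknown container fields, so the node placement constraints would silently not apply. They belong at the `containers:` column with their values two deeper, e.g. `      nodeSelector:` followed by `{{ toYaml .Values.nodeSelector | indent 8 }}`, and the same for `affinity`. The previous column (between the sequence items and their keys) was not valid YAML there either, so the hunk moves a pre-existing problem rather than introducing it. Separately, `emptyDir: {}` for tomcat-workdir has no `sizeLimit`, so a runaway work/temp directory can exhaust node ephemeral storage; `emptyDir: {sizeLimit: <SIZE_PLACEHOLDER>}` would bound it.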