[ESR] Force esr-server to run as non-root 89/107789/1
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Thu, 14 May 2020 19:28:54 +0000 (21:28 +0200)
committerKrzysztof Opasiak <k.opasiak@samsung.com>
Mon, 18 May 2020 13:16:21 +0000 (13:16 +0000)
Use securityContext to run esr-server as a non-root user.
Unfortunately the esr-server docker image is built in a way that doesn't allow us
to just change the user and continue using it.
that conf dir is writable for this user because this docker modifies
its configuration files from docker_entrypoint.sh

Issue-ID: AAI-2896
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: If6eba45c9571753fa9e5ce4f386c2e391788c734
(cherry picked from commit 1e6740ddde8f7040b204e63bc457c1f6bea90523)

kubernetes/esr/charts/esr-server/templates/deployment.yaml

index d670428..995a409 100644 (file)
@@ -31,6 +31,27 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1001
+        fsGroup: 1001
+      initContainers:
+      - command:
+        - cp
+        args:
+        - -r
+        - -T
+        - /home/esr/conf
+        - /opt/conf
+        securityContext:
+          privileged: true
+        image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: create-conf-dir
+        volumeMounts:
+        - name: conf-dir
+          mountPath: /opt/conf
+
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
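Review bot: The init container's `securityContext: privileged: true` grants every capability and host-device access just to copy /home/esr/conf into the emptyDir, which undercuts the non-root goal stated in the commit message. The copy needs at most read access to the image's conf directory and write access to the fsGroup-owned mount; if that directory is readable by uid 1000 the block can be dropped entirely, and if it is not, `runAsUser: 0` with `privileged` removed is already far narrower than a privileged container. Whichever is chosen, a comment above `initContainers:` such as `# copy the image's conf dir into a writable emptyDir so the non-root main container can modify it at startup` would record why the init container exists. The sequence under `initContainers:` is flush with its key while `containers:` uses an indented sequence; one style per file reads more consistently.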
@@ -60,6 +81,8 @@ spec:
             readOnly: true
           - mountPath: /home/esr/works/logs
             name: {{ include "common.fullname" . }}-logs
+          - mountPath: /home/esr/conf
+            name: conf-dir
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
@@ -72,6 +95,9 @@ spec:
         {{- end }}
         # Filebeat sidecar container
         - name: {{ include "common.name" . }}-filebeat-onap
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
           image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           volumeMounts:
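Review bot: The sidecar's `runAsGroup: 1000` overrides the pod-level `runAsGroup: 1001` added in the first hunk without saying why, so a reader cannot tell whether the two values were meant to differ. If the filebeat image requires uid/gid 1000, a comment on the block (`# filebeat image expects uid/gid 1000; overrides the pod default`) would make that explicit; otherwise dropping the container-level securityContext lets the sidecar inherit the pod values. The container definition continues outside the hunk.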
@@ -99,5 +125,8 @@ spec:
           emptyDir: {}
         - name:  {{ include "common.fullname" . }}-logs
           emptyDir: {}
+        - name: conf-dir
+          emptyDir: {}
+
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"