[ESR] Force esr-gui to run as non-root 85/107785/2
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Thu, 14 May 2020 17:41:20 +0000 (19:41 +0200)
committerKrzysztof Opasiak <k.opasiak@samsung.com>
Mon, 18 May 2020 09:44:47 +0000 (09:44 +0000)
Use securityContext to run esr-gui as a non-root user.
Unfortunately the esr-gui docker image is built in a way that doesn't allow us
to just change the user and continue using it. We need to copy the tomcat
directory to a volume to make sure that tomcat is able to create
additional directories after it starts.

Issue-ID: AAI-2896
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Iae060ea691ce492e8ccb2d540a48c085c0fd66ae
(cherry picked from commit 4c62d4db068a64494fd19870977c3eaa0b63c670)

kubernetes/esr/charts/esr-gui/templates/deployment.yaml

index 9319485..9c70d32 100644 (file)
@@ -31,6 +31,27 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1001
+        fsGroup: 1001
+      initContainers:
+      - command:
+        - cp
+        args:
+        - -r
+        - -T
+        - /home/esr/tomcat
+        - /opt/tomcat
+        securityContext:
+          privileged: true
+        image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: create-tomcat-dir
+        volumeMounts:
+        - name: tomcat-workdir
+          mountPath: /opt/tomcat
+
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
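Review bot: The `privileged: true` on the create-tomcat-dir init container (the `securityContext` block under its `args`) grants far more than a directory copy needs — full device access and every capability — and it undercuts the stated goal of the change, which is to get this pod off root. If the copy genuinely has to run as root because the image's /home/esr/tomcat is not readable by uid 1000, `runAsUser: 0` on that container's securityContext overrides the pod-level `runAsUser: 1000` for the init container alone; if the tree is world-readable, the block can be dropped and the copy simply runs as 1000, which also leaves the copied files owned by the user tomcat will run as. Whichever way it is done, it is worth verifying that the files landing in the emptyDir end up writable by uid 1000 / gid 1001, since `cp -r` without `-p` creates them as the copying user and `fsGroup` only sets group ownership on the volume root at setup, not on files created later. Consider also adding `runAsNonRoot: true` to the pod-level `securityContext` so the kubelet enforces the non-root intent on the main container rather than relying on the image's user.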
@@ -54,15 +75,23 @@ spec:
           env:
             - name: MSB_ADDR
               value: {{ tpl .Values.msbaddr . }}
+          volumeMounts:
+            - name: tomcat-workdir
+              mountPath: /home/esr/tomcat/
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
-        nodeSelector:
+          nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
         {{- end -}}
         {{- if .Values.affinity }}
-        affinity:
+          affinity:
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
+
+      volumes:
+      - name: tomcat-workdir
+        emptyDir: {}
+
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
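Review bot: The re-indentation of `nodeSelector:` and `affinity:` to 10 spaces places them inside the container entry that starts at `- name:`, but both are PodSpec fields, not Container fields, so the API server should reject the rendered manifest when either value is set (they were not valid at 8 spaces either, which this commit preserves rather than fixes). With the key at column 10 and `toYaml ... | indent 10` emitting its content at the same column, the key also appears to render with a null value and the selector entries become stray sibling keys, though the `{{-` trims make the exact rendered form hard to read from the template alone. They belong at pod-spec level alongside `containers:` and the new `volumes:`, i.e. `      nodeSelector:` with `{{ toYaml .Values.nodeSelector | indent 8 }}`, and the same 6/8 pair for `affinity`. Separately, the main container's mount at `/home/esr/tomcat/` shadows the image's own tomcat tree with the emptyDir, which is the intent here, but a short comment on the `volumeMounts` entry saying so would save the next reader from reconciling it with the init container's `/opt/tomcat` target.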