From 5ab596937a355b9496887d42b5e51899b51fd8eb Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Mon, 7 Jun 2021 21:27:25 +0800 Subject: [PATCH] Fix rootless image usage with enhanced security-context (#160) I've noticed that the commented `securityContext` is not really useable with the rootless image due to different directory structure compared to the default image. Important for the `readOnlyRootFilesystem` is to declare the `TMPDIR` environment variable, so that the tmp directory (which is readonly in this case) won't be used. Instead, another writeable directory can be used. Another thing is the explicit hint that all these security options cannot be used with the default (root-based) image, because of its design. ~~Although this PR would fix the referenced issue, I am not totally happy with the current implementation. It would be more straight forward to use the same mount points for both image variants. Unfortunately, this is not possible right now due to hard coded paths in the default (root) image startup scripts.~~ ~~Anyone have suggestions on how this could be more simple?~~ ------- **Sum-up:** As mentioned in Discord, this PR tried to make too many changes. The necessary changes made in 1f331a7e6577fc798196a84a957330aca0d663cd will fix an error that occurs due to restricted access to the `/tmp` directory in a rootless image with all the `securityContext` options enabled. I also updated the default image to 1.14.2. Fixes: #158 Co-authored-by: JustusBunsi Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/160 Reviewed-by: luhahn Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- templates/gitea/statefulset.yaml | 4 +++- values.yaml | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml index e73cc3e..78a0b18 100644 --- a/templates/gitea/statefulset.yaml +++ b/templates/gitea/statefulset.yaml @@ -80,6 +80,8 @@ spec: value: /data - name: GITEA_TEMP value: /tmp/gitea + - name: TMPDIR + value: /tmp/gitea {{- if .Values.statefulset.env }} {{- toYaml .Values.statefulset.env | nindent 12 }} {{- end }} @@ -137,7 +139,7 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} volumeMounts: - name: temp - mountPath: /tmp/gitea + mountPath: /tmp - name: data mountPath: /data {{- if .Values.extraVolumeMounts }} diff --git a/values.yaml b/values.yaml index a04e765..dc73b04 100644 --- a/values.yaml +++ b/values.yaml @@ -8,12 +8,13 @@ clusterDomain: cluster.local image: repository: gitea/gitea - tag: 1.14.1 + tag: 1.14.2 pullPolicy: Always rootless: false # only possible when running 1.14 or later imagePullSecrets: [] +# only usable with rootless image due to image design securityContext: {} # allowPrivilegeEscalation: false # capabilities: