fix(helm): file permission issues when running as non-root user

Specify the user group for the garage (and init) process and ensure that the persistent storage is mounted with the correct file system group
2022-11-16 21:46:43 +01:00 · 2022-11-16 21:46:43 +01:00 · fd03b184b3
parent da6f7b0dda
commit fd03b184b3
2 changed files with 8 additions and 5 deletions
--- a/script/helm/garage/templates/workload.yaml
+++ b/script/helm/garage/templates/workload.yaml
@ -41,6 +41,8 @@ spec:
                secretKeyRef:
                  name: {{ include "garage.rpcSecretName" . }}
                  key: rpcSecret
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
          volumeMounts:
            - name: configmap
              mountPath: /mnt/garage.toml
--- a/script/helm/garage/values.yaml
+++ b/script/helm/garage/values.yaml
@ -92,18 +92,19 @@ serviceAccount:

 podAnnotations: {}

-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  runAsNonRoot: true

 securityContext:
  # The default security context is heavily restricted
  # feel free to tune it to your requirements
  capabilities:
    drop:
-    - ALL
+      - ALL
  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1000

 service:
  # You can rely on any service to expose your cluster