From fd03b184b33337e3f1de06a5cadd3c5bcc0a3536 Mon Sep 17 00:00:00 2001
From: Patrick Jahns <kontakt@patrickjahns.de>
Date: Wed, 16 Nov 2022 21:46:43 +0100
Subject: [PATCH] fix(helm): file permission issues when running as non-root
 user

Specify the user group for the garage (and init) process and ensure
that the persistent storage is mounted with the correct file system
group
---
 script/helm/garage/templates/workload.yaml |  2 ++
 script/helm/garage/values.yaml             | 11 ++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/script/helm/garage/templates/workload.yaml b/script/helm/garage/templates/workload.yaml
index da5d386f..718f7bea 100644
--- a/script/helm/garage/templates/workload.yaml
+++ b/script/helm/garage/templates/workload.yaml
@@ -41,6 +41,8 @@ spec:
                 secretKeyRef:
                   name: {{ include "garage.rpcSecretName" . }}
                   key: rpcSecret
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           volumeMounts:
             - name: configmap
               mountPath: /mnt/garage.toml
diff --git a/script/helm/garage/values.yaml b/script/helm/garage/values.yaml
index d7e7ddbf..701a5680 100644
--- a/script/helm/garage/values.yaml
+++ b/script/helm/garage/values.yaml
@@ -92,18 +92,19 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  runAsNonRoot: true
 
 securityContext:
   # The default security context is heavily restricted
   # feel free to tune it to your requirements
   capabilities:
     drop:
-    - ALL
+      - ALL
   readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1000
 
 service:
   # You can rely on any service to expose your cluster