fix(helm): file permission issues when running as non-root user

Specify the user group for the garage (and init) process and ensure
that the persistent storage is mounted with the correct file system
group
This commit is contained in:
Patrick Jahns 2022-11-16 21:46:43 +01:00 committed by Maximilien Richer
parent da6f7b0dda
commit fd03b184b3
Signed by untrusted user: maximilien
GPG key ID: 04FD5063D6D43365
2 changed files with 8 additions and 5 deletions

View file

@ -41,6 +41,8 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ include "garage.rpcSecretName" . }} name: {{ include "garage.rpcSecretName" . }}
key: rpcSecret key: rpcSecret
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts: volumeMounts:
- name: configmap - name: configmap
mountPath: /mnt/garage.toml mountPath: /mnt/garage.toml

View file

@ -92,18 +92,19 @@ serviceAccount:
podAnnotations: {} podAnnotations: {}
podSecurityContext: {} podSecurityContext:
# fsGroup: 2000 runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
securityContext: securityContext:
# The default security context is heavily restricted # The default security context is heavily restricted
# feel free to tune it to your requirements # feel free to tune it to your requirements
capabilities: capabilities:
drop: drop:
- ALL - ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
service: service:
# You can rely on any service to expose your cluster # You can rely on any service to expose your cluster