set rofs to true again & fix tmp dir issues

Signed-off-by: André Bauer <andre.bauer@staffbase.com>
zammad · Sep 26, 2023 · 0318325 · 0318325
1 parent d018399
commit 0318325
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 54 deletions.
diff --git a/zammad/README.md b/zammad/README.md
@@ -114,6 +114,11 @@ Open your browser on <http://localhost:8080>
 
 ## Upgrading
 
+### From chart version 9.x to 10.0.0
+
+- all containers uses `readOnlyRootFilesystem: true` again
+- volumpermissions init container has been enabled by default to workaround rails world writable tmp dir issues
+
 ### From chart version 8.x to 9.0.0
 
 - Zammads PVC changed to only hold contents of /opt/zammad/var & /opt/zammad/storage instead of the whole Zammad content

diff --git a/zammad/templates/configmap-init.yaml b/zammad/templates/configmap-init.yaml
@@ -36,5 +36,4 @@ data:
     if [ -n "${AUTOWIZARD_JSON}" ]; then
         echo "${AUTOWIZARD_JSON}" | base64 -d > /opt/zammad/var/auto_wizard.json
     fi
-    rm -f /opt/zammad/tmp/pids/*.pid
     echo "zammad init complete :)"
diff --git a/zammad/templates/statefulset.yaml b/zammad/templates/statefulset.yaml
@@ -42,24 +42,27 @@ spec:
         {{- with .Values.initContainers }}
         {{- toYaml . | nindent 8}}
         {{- end }}
-        {{- if .Values.volumePermissions.enabled }}
-        - name: data-chmod
-          image: "{{ .Values.volumePermissions.image.repository }}:{{ .Values.volumePermissions.image.tag }}"
-          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy }}
+        {{- if .Values.zammadConfig.initContainers.volumePermissions.enabled }}
+        - name: zammad-volume-permissions
+          image: "{{ .Values.zammadConfig.initContainers.volumePermissions.image.repository }}:{{ .Values.zammadConfig.initContainers.volumePermissions.image.tag }}"
+          imagePullPolicy: {{ .Values.zammadConfig.initContainers.volumePermissions.image.pullPolicy }}
           command:
             - /bin/sh
             - -cx
             - |
-              chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} -R /opt/zammad
+              chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} -R /opt/zammad/var
+              chmod 770 /opt/zammad/tmp
           {{- with .Values.zammadConfig.initContainers.volumePermissions.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.zammadConfig.volumePermissions }}
+          {{- with .Values.zammadConfig.initContainers.volumePermissions.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/var
         {{- end }}
@@ -97,12 +100,14 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
             - name: {{ template "zammad.fullname" . }}-init
               mountPath: /docker-entrypoint.sh
               readOnly: true
               subPath: zammad-init
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: postgresql-init
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -137,12 +142,14 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
             - name: {{ template "zammad.fullname" . }}-init
               mountPath: /docker-entrypoint.sh
               readOnly: true
               subPath: postgresql-init
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         {{- if .Values.zammadConfig.elasticsearch.initialisation }}
         - name: elasticsearch-init
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -185,12 +192,14 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-          - name: {{ template "zammad.fullname" . }}-var
-            mountPath: /opt/zammad/var
           - name: {{ template "zammad.fullname" . }}-init
             mountPath: /docker-entrypoint.sh
             readOnly: true
             subPath: elasticsearch-init
+          - name: {{ template "zammad.fullname" . }}-tmp
+            mountPath: /opt/zammad/tmp
+          - name: {{ template "zammad.fullname" . }}-var
+            mountPath: /opt/zammad/var
         {{- end }}
       containers:
         {{- with .Values.sidecars }}
@@ -227,12 +236,6 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ include "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
-            - name: {{ template "zammad.fullname" . }}-tmp
-              mountPath: /opt/zammad/tmp
-            - name: {{ include "zammad.fullname" . }}-tmp
-              mountPath: /tmp
             - name: {{ include "zammad.fullname" . }}-nginx
               mountPath: /etc/nginx/nginx.conf
               subPath: nginx.conf
@@ -241,10 +244,14 @@ spec:
               mountPath: /etc/nginx/sites-enabled/default
               subPath: default
               readOnly: true
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ include "zammad.fullname" . }}-tmp
               mountPath: /var/log/nginx
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
+            - name: {{ include "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: {{ .Chart.Name }}-railsserver
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -304,14 +311,12 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
-            - name: {{ include "zammad.fullname" . }}-tmp
-              mountPath: /opt/zammad/tmp
-            - name: {{ include "zammad.fullname" . }}-tmp
-              mountPath: /tmp
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: {{ .Chart.Name }}-scheduler
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -351,14 +356,12 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
-            - name: {{ include "zammad.fullname" . }}-tmp
-              mountPath: /opt/zammad/tmp
-            - name: {{ include "zammad.fullname" . }}-tmp
-              mountPath: /tmp
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: {{ .Chart.Name }}-websocket
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -413,26 +416,24 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
-            - name: {{ include "zammad.fullname" . }}-tmp
-              mountPath: /opt/zammad/tmp
-            - name: {{ include "zammad.fullname" . }}-tmp
-              mountPath: /tmp
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
       {{- with .Values.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        - name: {{ template "zammad.fullname" . }}-nginx
-          configMap:
-            name: {{ template "zammad.fullname" . }}-nginx
         - name: {{ template "zammad.fullname" . }}-init
           configMap:
             name: {{ template "zammad.fullname" . }}-init
             defaultMode: 0755
+        - name: {{ template "zammad.fullname" . }}-nginx
+          configMap:
+            name: {{ template "zammad.fullname" . }}-nginx
         - name: {{ include "zammad.fullname" . }}-tmp
           {{- toYaml .Values.zammadConfig.tmpDirVolume | nindent 10 }}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}

diff --git a/zammad/values.yaml b/zammad/values.yaml
@@ -189,10 +189,6 @@ zammadConfig:
   tmpDirVolume:
     emptyDir:
       sizeLimit: 100Mi
-      # Work around problems with world writable permissions
-      # https://github.com/kubernetes/kubernetes/issues/76158
-      # https://github.com/kubernetes/kubernetes/issues/110835
-      medium: Memory
 
   websocket:
     livenessProbe:
@@ -255,9 +251,14 @@ zammadConfig:
         capabilities:
           drop:
             - ALL
-        readOnlyRootFilesystem: false
+        readOnlyRootFilesystem: true
         privileged: false
     volumePermissions:
+      enabled: true
+      image:
+        repository: alpine
+        tag: "3.18.3"
+        pullPolicy: IfNotPresent
       resources: {}
         # requests:
         #   cpu: 100m
@@ -270,6 +271,7 @@ zammadConfig:
         capabilities:
           drop:
             - ALL
+        privileged: true
         runAsNonRoot: false
         runAsUser: 0
     zammad:
@@ -282,10 +284,11 @@ zammadConfig:
         #   memory: 512Mi
       securityContext:
         allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
         readOnlyRootFilesystem: true
         privileged: false
-        runAsNonRoot: false
-        runAsUser: 0
 
 # additional environment vars added to all zammad services
 extraEnv: []
@@ -333,13 +336,6 @@ autoWizard:
 podAnnotations: {}
   # my-annotation: "value"
 
-volumePermissions:
-  enabled: false
-  image:
-    repository: alpine
-    tag: "3.18.3"
-    pullPolicy: IfNotPresent
-
 # Configuration for persistence
 persistence:
   enabled: true