Fixes #212, fixes #203, fixes #200 - Switch to Zammad 6.1. (#215)

* Fixes #212, fixes #200 - Switch to Zammad 6.1. * Solve #203 - attachment upload * set rofs to true again & fix tmp dir issues Signed-off-by: André Bauer <andre.bauer@staffbase.com> --------- Signed-off-by: André Bauer <andre.bauer@staffbase.com> Co-authored-by: André Bauer <monotek@users.noreply.github.com>
zammad · Sep 26, 2023 · cedb1d7 · cedb1d7
1 parent 8e678b4
commit cedb1d7
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 38 deletions.
diff --git a/zammad/Chart.yaml b/zammad/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: zammad
-version: 9.1.0
-appVersion: 6.0.0-66
+version: 10.0.0
+appVersion: 6.1.0-22
 description: Zammad is a web based open source helpdesk/customer support system with many features to manage customer communication via several channels like telephone, facebook, twitter, chat and e-mails.
 home: https://zammad.org
 icon: https://raw.githubusercontent.com/zammad/zammad-documentation/main/images/zammad_logo_600x520.png

diff --git a/zammad/README.md b/zammad/README.md
@@ -114,6 +114,14 @@ Open your browser on <http://localhost:8080>
 
 ## Upgrading
 
+### From chart version 9.x to 10.0.0
+
+- all containers uses `readOnlyRootFilesystem: true` again
+- volumePermissions init container config has been moved to initContainers section
+  - if you used it before you have to adapt your config
+  - it's also enabled by default now to workaround rails world writable tmp dir issues
+  - if you don't like to use it you might want to set tmpDirVolume.emptyDir.medium to "Memory" instead
+
 ### From chart version 8.x to 9.0.0
 
 - Zammads PVC changed to only hold contents of /opt/zammad/var & /opt/zammad/storage instead of the whole Zammad content

diff --git a/zammad/templates/configmap-init.yaml b/zammad/templates/configmap-init.yaml
@@ -36,5 +36,4 @@ data:
     if [ -n "${AUTOWIZARD_JSON}" ]; then
         echo "${AUTOWIZARD_JSON}" | base64 -d > /opt/zammad/var/auto_wizard.json
     fi
-    rm -f /opt/zammad/tmp/pids/*.pid
     echo "zammad init complete :)"
diff --git a/zammad/templates/statefulset.yaml b/zammad/templates/statefulset.yaml
@@ -20,7 +20,7 @@ spec:
         {{- include "zammad.labels" . | nindent 8 }}
     spec:
       {{- with .Values.image.imagePullSecrets }}
-      imagePullSecrets: 
+      imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- if .Values.serviceAccount.create }}
@@ -42,24 +42,27 @@ spec:
         {{- with .Values.initContainers }}
         {{- toYaml . | nindent 8}}
         {{- end }}
-        {{- if .Values.volumePermissions.enabled }}
-        - name: data-chmod
-          image: "{{ .Values.volumePermissions.image.repository }}:{{ .Values.volumePermissions.image.tag }}"
-          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy }}
+        {{- if .Values.zammadConfig.initContainers.volumePermissions.enabled }}
+        - name: zammad-volume-permissions
+          image: "{{ .Values.zammadConfig.initContainers.volumePermissions.image.repository }}:{{ .Values.zammadConfig.initContainers.volumePermissions.image.tag }}"
+          imagePullPolicy: {{ .Values.zammadConfig.initContainers.volumePermissions.image.pullPolicy }}
           command:
             - /bin/sh
             - -cx
             - |
-              chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} -R /opt/zammad
+              chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} -R /opt/zammad/var
+              chmod 770 /opt/zammad/tmp
           {{- with .Values.zammadConfig.initContainers.volumePermissions.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.zammadConfig.volumePermissions }}
+          {{- with .Values.zammadConfig.initContainers.volumePermissions.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/var
         {{- end }}
@@ -97,12 +100,14 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
             - name: {{ template "zammad.fullname" . }}-init
               mountPath: /docker-entrypoint.sh
               readOnly: true
               subPath: zammad-init
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: postgresql-init
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -137,12 +142,14 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
             - name: {{ template "zammad.fullname" . }}-init
               mountPath: /docker-entrypoint.sh
               readOnly: true
               subPath: postgresql-init
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         {{- if .Values.zammadConfig.elasticsearch.initialisation }}
         - name: elasticsearch-init
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -185,12 +192,14 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-          - name: {{ template "zammad.fullname" . }}-var
-            mountPath: /opt/zammad/var
           - name: {{ template "zammad.fullname" . }}-init
             mountPath: /docker-entrypoint.sh
             readOnly: true
             subPath: elasticsearch-init
+          - name: {{ template "zammad.fullname" . }}-tmp
+            mountPath: /opt/zammad/tmp
+          - name: {{ template "zammad.fullname" . }}-var
+            mountPath: /opt/zammad/var
         {{- end }}
       containers:
         {{- with .Values.sidecars }}
@@ -227,8 +236,6 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ include "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
             - name: {{ include "zammad.fullname" . }}-nginx
               mountPath: /etc/nginx/nginx.conf
               subPath: nginx.conf
@@ -237,12 +244,14 @@ spec:
               mountPath: /etc/nginx/sites-enabled/default
               subPath: default
               readOnly: true
-            - name: {{ include "zammad.fullname" . }}-tmp
+            - name: {{ template "zammad.fullname" . }}-tmp
               mountPath: /tmp
             - name: {{ include "zammad.fullname" . }}-tmp
               mountPath: /var/log/nginx
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
+            - name: {{ include "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: {{ .Chart.Name }}-railsserver
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -302,10 +311,12 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: {{ .Chart.Name }}-scheduler
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -345,10 +356,12 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
         - name: {{ .Chart.Name }}-websocket
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -403,22 +416,24 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - name: {{ template "zammad.fullname" . }}-var
-              mountPath: /opt/zammad/var
+            - name: {{ template "zammad.fullname" . }}-tmp
+              mountPath: /opt/zammad/tmp
             - name: {{ template "zammad.fullname" . }}-var
               mountPath: /opt/zammad/storage
+            - name: {{ template "zammad.fullname" . }}-var
+              mountPath: /opt/zammad/var
       {{- with .Values.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        - name: {{ template "zammad.fullname" . }}-nginx
-          configMap:
-            name: {{ template "zammad.fullname" . }}-nginx
         - name: {{ template "zammad.fullname" . }}-init
           configMap:
             name: {{ template "zammad.fullname" . }}-init
             defaultMode: 0755
+        - name: {{ template "zammad.fullname" . }}-nginx
+          configMap:
+            name: {{ template "zammad.fullname" . }}-nginx
         - name: {{ include "zammad.fullname" . }}-tmp
           {{- toYaml .Values.zammadConfig.tmpDirVolume | nindent 10 }}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}

diff --git a/zammad/values.yaml b/zammad/values.yaml
@@ -189,6 +189,9 @@ zammadConfig:
   tmpDirVolume:
     emptyDir:
       sizeLimit: 100Mi
+      # enable "medium: Memory" to Work around problems with world writable tmp dir permissions if volumePermissions.enabled is set to false
+      # see: https://github.com/kubernetes/kubernetes/issues/76158 & https://github.com/kubernetes/kubernetes/issues/110835
+      # medium: Memory
 
   websocket:
     livenessProbe:
@@ -251,9 +254,14 @@ zammadConfig:
         capabilities:
           drop:
             - ALL
-        readOnlyRootFilesystem: false
+        readOnlyRootFilesystem: true
         privileged: false
     volumePermissions:
+      enabled: true
+      image:
+        repository: alpine
+        tag: "3.18.3"
+        pullPolicy: IfNotPresent
       resources: {}
         # requests:
         #   cpu: 100m
@@ -266,6 +274,7 @@ zammadConfig:
         capabilities:
           drop:
             - ALL
+        privileged: true
         runAsNonRoot: false
         runAsUser: 0
     zammad:
@@ -278,10 +287,11 @@ zammadConfig:
         #   memory: 512Mi
       securityContext:
         allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
         readOnlyRootFilesystem: true
         privileged: false
-        runAsNonRoot: false
-        runAsUser: 0
 
 # additional environment vars added to all zammad services
 extraEnv: []
@@ -329,13 +339,6 @@ autoWizard:
 podAnnotations: {}
   # my-annotation: "value"
 
-volumePermissions:
-  enabled: false
-  image:
-    repository: alpine
-    tag: "3.18.3"
-    pullPolicy: IfNotPresent
-
 # Configuration for persistence
 persistence:
   enabled: true