diff --git a/zammad/Chart.yaml b/zammad/Chart.yaml index e7134944..9c309df1 100644 --- a/zammad/Chart.yaml +++ b/zammad/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: zammad -version: 9.1.0 -appVersion: 6.0.0-66 +version: 10.0.0 +appVersion: 6.1.0-22 description: Zammad is a web based open source helpdesk/customer support system with many features to manage customer communication via several channels like telephone, facebook, twitter, chat and e-mails. home: https://zammad.org icon: https://raw.githubusercontent.com/zammad/zammad-documentation/main/images/zammad_logo_600x520.png diff --git a/zammad/README.md b/zammad/README.md index 07c4e1c0..08e71b09 100644 --- a/zammad/README.md +++ b/zammad/README.md @@ -114,6 +114,14 @@ Open your browser on ## Upgrading +### From chart version 9.x to 10.0.0 + +- all containers uses `readOnlyRootFilesystem: true` again +- volumePermissions init container config has been moved to initContainers section + - if you used it before you have to adapt your config + - it's also enabled by default now to workaround rails world writable tmp dir issues + - if you don't like to use it you might want to set tmpDirVolume.emptyDir.medium to "Memory" instead + ### From chart version 8.x to 9.0.0 - Zammads PVC changed to only hold contents of /opt/zammad/var & /opt/zammad/storage instead of the whole Zammad content diff --git a/zammad/templates/configmap-init.yaml b/zammad/templates/configmap-init.yaml index 69a46eff..cc2c4d89 100644 --- a/zammad/templates/configmap-init.yaml +++ b/zammad/templates/configmap-init.yaml @@ -36,5 +36,4 @@ data: if [ -n "${AUTOWIZARD_JSON}" ]; then echo "${AUTOWIZARD_JSON}" | base64 -d > /opt/zammad/var/auto_wizard.json fi - rm -f /opt/zammad/tmp/pids/*.pid echo "zammad init complete :)" diff --git a/zammad/templates/statefulset.yaml b/zammad/templates/statefulset.yaml index f4385d9a..25b63b17 100644 --- a/zammad/templates/statefulset.yaml +++ b/zammad/templates/statefulset.yaml 
@@ -20,7 +20,7 @@ spec: {{- include "zammad.labels" . | nindent 8 }} spec: {{- with .Values.image.imagePullSecrets }} - imagePullSecrets: + imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} {{- if .Values.serviceAccount.create }} @@ -42,24 +42,27 @@ spec: {{- with .Values.initContainers }} {{- toYaml . | nindent 8}} {{- end }} - {{- if .Values.volumePermissions.enabled }} - - name: data-chmod - image: "{{ .Values.volumePermissions.image.repository }}:{{ .Values.volumePermissions.image.tag }}" - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy }} + {{- if .Values.zammadConfig.initContainers.volumePermissions.enabled }} + - name: zammad-volume-permissions + image: "{{ .Values.zammadConfig.initContainers.volumePermissions.image.repository }}:{{ .Values.zammadConfig.initContainers.volumePermissions.image.tag }}" + imagePullPolicy: {{ .Values.zammadConfig.initContainers.volumePermissions.image.pullPolicy }} command: - /bin/sh - -cx - | - chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} -R /opt/zammad + chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} -R /opt/zammad/var + chmod 770 /opt/zammad/tmp {{- with .Values.zammadConfig.initContainers.volumePermissions.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.zammadConfig.volumePermissions }} + {{- with .Values.zammadConfig.initContainers.volumePermissions.securityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: + - name: {{ template "zammad.fullname" . }}-tmp + mountPath: /opt/zammad/tmp - name: {{ template "zammad.fullname" . }}-var mountPath: /opt/zammad/var {{- end }} 
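Review bot: In the `zammad-volume-permissions` command, `chmod 770 /opt/zammad/tmp` changes the mode, but the `chown` on the line before it only covers `/opt/zammad/var`, so the tmp directory keeps whatever owner and group the volume was created with. If the pod does not set an `fsGroup` matching `securityContext.runAsGroup` (not visible in this hunk), dropping the world bits could leave the Zammad user without write access to its own tmp dir. Consider adding `chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} /opt/zammad/tmp` before the chmod. A short comment that the chmod exists to clear the world-writable bit Rails rejects would also help. The container spec continues outside the hunk.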
@@ -97,12 +100,14 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - - name: {{ template "zammad.fullname" . }}-var - mountPath: /opt/zammad/var - name: {{ template "zammad.fullname" . }}-init mountPath: /docker-entrypoint.sh readOnly: true subPath: zammad-init + - name: {{ template "zammad.fullname" . }}-tmp + mountPath: /opt/zammad/tmp + - name: {{ template "zammad.fullname" . }}-var + mountPath: /opt/zammad/var - name: postgresql-init image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} @@ -137,12 +142,14 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - - name: {{ template "zammad.fullname" . }}-var - mountPath: /opt/zammad/var - name: {{ template "zammad.fullname" . }}-init mountPath: /docker-entrypoint.sh readOnly: true subPath: postgresql-init + - name: {{ template "zammad.fullname" . }}-tmp + mountPath: /opt/zammad/tmp + - name: {{ template "zammad.fullname" . }}-var + mountPath: /opt/zammad/var {{- if .Values.zammadConfig.elasticsearch.initialisation }} - name: elasticsearch-init image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -185,12 +192,14 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - - name: {{ template "zammad.fullname" . }}-var - mountPath: /opt/zammad/var - name: {{ template "zammad.fullname" . }}-init mountPath: /docker-entrypoint.sh readOnly: true subPath: elasticsearch-init + - name: {{ template "zammad.fullname" . }}-tmp + mountPath: /opt/zammad/tmp + - name: {{ template "zammad.fullname" . }}-var + mountPath: /opt/zammad/var {{- end }} containers: {{- with .Values.sidecars }} @@ -227,8 +236,6 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - - name: {{ include "zammad.fullname" . }}-var - mountPath: /opt/zammad/var - name: {{ include "zammad.fullname" . }}-nginx mountPath: /etc/nginx/nginx.conf subPath: nginx.conf 
@@ -237,12 +244,14 @@ spec: mountPath: /etc/nginx/sites-enabled/default subPath: default readOnly: true - - name: {{ include "zammad.fullname" . }}-tmp + - name: {{ template "zammad.fullname" . }}-tmp mountPath: /tmp - name: {{ include "zammad.fullname" . }}-tmp mountPath: /var/log/nginx - name: {{ template "zammad.fullname" . }}-var mountPath: /opt/zammad/storage + - name: {{ include "zammad.fullname" . }}-var + mountPath: /opt/zammad/var - name: {{ .Chart.Name }}-railsserver image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} @@ -302,10 +311,12 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - - name: {{ template "zammad.fullname" . }}-var - mountPath: /opt/zammad/var + - name: {{ template "zammad.fullname" . }}-tmp + mountPath: /opt/zammad/tmp - name: {{ template "zammad.fullname" . }}-var mountPath: /opt/zammad/storage + - name: {{ template "zammad.fullname" . }}-var + mountPath: /opt/zammad/var - name: {{ .Chart.Name }}-scheduler image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} @@ -345,10 +356,12 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - - name: {{ template "zammad.fullname" . }}-var - mountPath: /opt/zammad/var + - name: {{ template "zammad.fullname" . }}-tmp + mountPath: /opt/zammad/tmp - name: {{ template "zammad.fullname" . }}-var mountPath: /opt/zammad/storage + - name: {{ template "zammad.fullname" . }}-var + mountPath: /opt/zammad/var - name: {{ .Chart.Name }}-websocket image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} 
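Review bot: The `-tmp` volume mounted here at `/tmp` and `/var/log/nginx` is the same emptyDir that this commit also mounts at `/opt/zammad/tmp` in the init containers and the other Zammad containers, so nginx logs, nginx temp files and Rails temp files share one directory tree and one `sizeLimit` (100Mi in values.yaml). Log growth can therefore use up the space Rails needs, and exceeding an emptyDir size limit normally gets the pod evicted. The `chmod 770` from the volume-permissions init container also applies to what nginx sees as `/tmp`. Consider a separate volume (or a `subPath`) per consumer. Separately, this hunk switches one mount to `template` while the neighbouring lines keep `include`; one form file-wide would make the mounts easier to compare.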
@@ -403,22 +416,24 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - - name: {{ template "zammad.fullname" . }}-var - mountPath: /opt/zammad/var + - name: {{ template "zammad.fullname" . }}-tmp + mountPath: /opt/zammad/tmp - name: {{ template "zammad.fullname" . }}-var mountPath: /opt/zammad/storage + - name: {{ template "zammad.fullname" . }}-var + mountPath: /opt/zammad/var {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} volumes: - - name: {{ template "zammad.fullname" . }}-nginx - configMap: - name: {{ template "zammad.fullname" . }}-nginx - name: {{ template "zammad.fullname" . }}-init configMap: name: {{ template "zammad.fullname" . }}-init defaultMode: 0755 + - name: {{ template "zammad.fullname" . }}-nginx + configMap: + name: {{ template "zammad.fullname" . }}-nginx - name: {{ include "zammad.fullname" . }}-tmp {{- toYaml .Values.zammadConfig.tmpDirVolume | nindent 10 }} {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} diff --git a/zammad/values.yaml b/zammad/values.yaml index 1d96e935..c1d049dd 100644 --- a/zammad/values.yaml +++ b/zammad/values.yaml @@ -189,6 +189,9 @@ zammadConfig: tmpDirVolume: emptyDir: sizeLimit: 100Mi + # enable "medium: Memory" to Work around problems with world writable tmp dir permissions if volumePermissions.enabled is set to false + # see: https://github.com/kubernetes/kubernetes/issues/76158 & https://github.com/kubernetes/kubernetes/issues/110835 + # medium: Memory websocket: livenessProbe: @@ -251,9 +254,14 @@ zammadConfig: capabilities: drop: - ALL - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true privileged: false volumePermissions: + enabled: true + image: + repository: alpine + tag: "3.18.3" + pullPolicy: IfNotPresent resources: {} # requests: # cpu: 100m @@ -266,6 +274,7 @@ zammadConfig: capabilities: drop: - ALL + privileged: true runAsNonRoot: false runAsUser: 0 zammad: 
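Review bot: `enabled: true` under the relocated `volumePermissions` key turns on a root init container for every install by default. Because the key moved, an existing `volumePermissions.enabled: false` at the old top-level path is silently ignored after the upgrade. The README entry covers the move, but a template guard such as `{{- if .Values.volumePermissions }}{{ fail "volumePermissions moved to zammadConfig.initContainers.volumePermissions" }}{{- end }}` would make it impossible to miss. The image is also referenced by tag only (`alpine`, `"3.18.3"`); since the template renders `repository:tag`, a digest can be pinned with `tag: "3.18.3@sha256:<digest>"`.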
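Review bot: `privileged: true` in the volumePermissions securityContext gives this root init container full host-level privileges, which makes the `capabilities.drop: [ALL]` directly above it ineffective. Clusters enforcing the Pod Security `baseline` or `restricted` profiles will reject it. The container only runs `chown -R` and `chmod`, which as UID 0 should need at most a couple of capabilities, so `privileged: false` with `capabilities: {drop: [ALL], add: [CHOWN, FOWNER]}` is worth testing instead. If the block also sets `allowPrivilegeEscalation: false` above the visible lines, note that Kubernetes does not accept that together with `privileged: true`. The securityContext block starts outside the hunk.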
@@ -278,10 +287,11 @@ zammadConfig: # memory: 512Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true privileged: false - runAsNonRoot: false - runAsUser: 0 # additional environment vars added to all zammad services extraEnv: [] @@ -329,13 +339,6 @@ autoWizard: podAnnotations: {} # my-annotation: "value" -volumePermissions: - enabled: false - image: - repository: alpine - tag: "3.18.3" - pullPolicy: IfNotPresent - # Configuration for persistence persistence: enabled: true
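Review bot: With `runAsNonRoot: false` and `runAsUser: 0` removed from this securityContext, the container's user now comes from the pod-level securityContext or the image default, neither of which is visible in this hunk. Setting `runAsNonRoot: true` explicitly in this block would make the kubelet refuse to start the container as UID 0 if those defaults ever change. A one-line comment such as `# user and group are inherited from the pod-level securityContext` would also tell readers where the identity is defined.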