diff --git a/library/common-test/Chart.yaml b/library/common-test/Chart.yaml
index defba7b8..bcaf2a54 100644
--- a/library/common-test/Chart.yaml
+++ b/library/common-test/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: ""
 dependencies:
 - name: common
 repository: file://../common
- version: ~12.13.0
+ version: ~12.14.0
 deprecated: false
 description: Helper chart to test different use cases of the common library
 home: https://github.com/truecharts/apps/tree/master/charts/library/common-test
diff --git a/library/common-test/tests/addons/autoperms_test.yaml b/library/common-test/tests/addons/autoperms_test.yaml
new file mode 100644
index 00000000..fcd0597e
--- /dev/null
+++ b/library/common-test/tests/addons/autoperms_test.yaml
@@ -0,0 +1,709 @@
+suite: auto perms test
+templates:
+ - common.yaml
+tests:
+ - it: should render permissions job
+ set:
+ workload:
+ workload-name:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ persistence:
+ test1:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ mountPath: /test1
+ hostPath: /testhost1
+ test2:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: false
+ mountPath: /test2
+ hostPath: /testhost2
+ test3:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chmod: 770
+ mountPath: /test3
+ hostPath: /testhost3
+ test4:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chown: true
+ mountPath: /test4
+ hostPath: /testhost4
+ # Should not appear
+ test5:
+ enabled: true
+ type: hostPath
+ mountPath: /test5
+ hostPath: /testhost5
+ test6:
+ enabled: true
+ type: hostPath
+ targetSelectAll: true
+ mountPath: /test6
+ hostPath: /testhost6
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ user: 1000
+ group: 1000
+ test7:
+ enabled: true
+ type: emptyDir
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ mountPath: /test7
+ test8:
+ enabled: true
+ type: pvc
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ mountPath: /test8
+ test9:
+ enabled: true
+ type: nfs
+ server: 1.1.1.1
+ path: /share
+ autoPermissions:
+ chown: true
+ mountPath: /test9
+ asserts:
+ - documentIndex: &jobDoc 0
+ isKind:
+ of: Job
+ - documentIndex: *jobDoc
+ equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ runAsUser: 0
+ runAsGroup: 568
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test1
+ hostPath:
+ path: /testhost1
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test2
+ hostPath:
+ path: /testhost2
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test3
+ hostPath:
+ path: /testhost3
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test4
+ hostPath:
+ path: /testhost4
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test6
+ hostPath:
+ path: /testhost6
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test7
+ emptyDir: {}
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test8
+ persistentVolumeClaim:
+ claimName: release-name-common-test-test8
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test9
+ nfs:
+ server: 1.1.1.1
+ path: /share
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: tmp
+ emptyDir: {}
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test1
+ mountPath: /mounts/test1
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test2
+ mountPath: /mounts/test2
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test3
+ mountPath: /mounts/test3
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test4
+ mountPath: /mounts/test4
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test6
+ mountPath: /mounts/test6
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test7
+ mountPath: /mounts/test7
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test8
+ mountPath: /mounts/test8
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test9
+ mountPath: /mounts/test9
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: tmp
+ mountPath: /tmp
+ readOnly: false
+ - documentIndex: *jobDoc
+ equal:
+ path: spec.template.spec.containers[0].command
+ value:
+ - /bin/sh
+ - -c
+ - documentIndex: *jobDoc
+ equal:
+ path: spec.template.spec.containers[0].args
+ value:
+ - |-
+ echo "Starting auto permissions job..."
+ touch /tmp/healthy
+
+ echo "Automatically correcting ownership and permissions..."
+ echo "Automatically correcting permissions for /mounts/test1..."
+ before=$(stat -c "%a" /mounts/test1)
+ chmod -$ 770 /mounts/test1 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test1)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test1..."
+ before=$(stat -c "%u:%g" /mounts/test1)
+ chown -$ -f :568 /mounts/test1 || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test1)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test2..."
+ before=$(stat -c "%a" /mounts/test2)
+ chmod 770 /mounts/test2 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test2)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test2..."
+ before=$(stat -c "%u:%g" /mounts/test2)
+ chown -f :568 /mounts/test2 || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test2)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test3..."
+ before=$(stat -c "%a" /mounts/test3)
+ chmod 770 /mounts/test3 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test3)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test4..."
+ before=$(stat -c "%u:%g" /mounts/test4)
+ chown -f :568 /mounts/test4 || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test4)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test6..."
+ before=$(stat -c "%a" /mounts/test6)
+ chmod -$ 770 /mounts/test6 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test6)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test6..."
+ before=$(stat -c "%u:%g" /mounts/test6)
+ chown -$ -f 1000:1000 /mounts/test6 || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test6)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test7..."
+ before=$(stat -c "%a" /mounts/test7)
+ chmod -$ 770 /mounts/test7 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test7)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test7..."
+ before=$(stat -c "%u:%g" /mounts/test7)
+ chown -$ -f :568 /mounts/test7 || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test7)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test8..."
+ before=$(stat -c "%a" /mounts/test8)
+ chmod -$ 770 /mounts/test8 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test8)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test8..."
+ before=$(stat -c "%u:%g" /mounts/test8)
+ chown -$ -f :568 /mounts/test8 || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test8)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test9..."
+ before=$(stat -c "%u:%g" /mounts/test9)
+ chown -f :568 /mounts/test9 || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test9)]"
+ echo ""
+ echo "Finished auto permissions job..."
+
+ - it: should render permissions job in ixChartContext
+ set:
+ workload:
+ workload-name:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ ixChartContext:
+ some: context
+ persistence:
+ test1:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ mountPath: /test1
+ hostPath: /testhost1
+ test2:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: false
+ mountPath: /test2
+ hostPath: /testhost2
+ test3:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chmod: 770
+ mountPath: /test3
+ hostPath: /testhost3
+ test4:
+ enabled: true
+ type: hostPath
+ autoPermissions:
+ chown: true
+ mountPath: /test4
+ hostPath: /testhost4
+ # Should not appear
+ test5:
+ enabled: true
+ type: hostPath
+ mountPath: /test5
+ hostPath: /testhost5
+ test6:
+ enabled: true
+ type: hostPath
+ targetSelectAll: true
+ mountPath: /test6
+ hostPath: /testhost6
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ user: 1000
+ group: 1000
+ test7:
+ enabled: true
+ type: emptyDir
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ mountPath: /test7
+ test8:
+ enabled: true
+ type: pvc
+ autoPermissions:
+ chown: true
+ chmod: 770
+ recursive: true
+ mountPath: /test8
+ test9:
+ enabled: true
+ type: nfs
+ server: 1.1.1.1
+ path: /share
+ autoPermissions:
+ chown: true
+ mountPath: /test9
+ asserts:
+ - documentIndex: *jobDoc
+ isKind:
+ of: Job
+ - documentIndex: *jobDoc
+ equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ runAsUser: 0
+ runAsGroup: 568
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test1
+ hostPath:
+ path: /testhost1
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test2
+ hostPath:
+ path: /testhost2
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test3
+ hostPath:
+ path: /testhost3
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test4
+ hostPath:
+ path: /testhost4
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test6
+ hostPath:
+ path: /testhost6
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test7
+ emptyDir: {}
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test8
+ persistentVolumeClaim:
+ claimName: release-name-common-test-test8
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: test9
+ nfs:
+ server: 1.1.1.1
+ path: /share
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: tmp
+ emptyDir: {}
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test1
+ mountPath: /mounts/test1
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test2
+ mountPath: /mounts/test2
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test3
+ mountPath: /mounts/test3
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test4
+ mountPath: /mounts/test4
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test6
+ mountPath: /mounts/test6
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test7
+ mountPath: /mounts/test7
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test8
+ mountPath: /mounts/test8
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: tmp
+ mountPath: /tmp
+ readOnly: false
+ - documentIndex: *jobDoc
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: test9
+ mountPath: /mounts/test9
+ readOnly: false
+ - documentIndex: *jobDoc
+ equal:
+ path: spec.template.spec.containers[0].command
+ value:
+ - /bin/sh
+ - -c
+ - documentIndex: *jobDoc
+ equal:
+ path: spec.template.spec.containers[0].args
+ value:
+ - |-
+ echo "Starting auto permissions job..."
+ touch /tmp/healthy
+
+ echo "Automatically correcting ownership and permissions..."
+ echo "Automatically correcting permissions for /mounts/test1..."
+ before=$(stat -c "%a" /mounts/test1)
+ chmod -$ 770 /mounts/test1 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test1)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test1..."
+ before=$(stat -c "%u:%g" /mounts/test1)
+ /usr/sbin/nfs4xdr_winacl -a chown -G 568 -$ -c "/mounts/test1" -p "/mounts/test1" || echo "Failed setting ownership using winacl..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test1)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test2..."
+ before=$(stat -c "%a" /mounts/test2)
+ chmod 770 /mounts/test2 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test2)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test2..."
+ before=$(stat -c "%u:%g" /mounts/test2)
+ /usr/sbin/nfs4xdr_winacl -a chown -G 568 -c "/mounts/test2" -p "/mounts/test2" || echo "Failed setting ownership using winacl..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test2)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test3..."
+ before=$(stat -c "%a" /mounts/test3)
+ chmod 770 /mounts/test3 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test3)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test4..."
+ before=$(stat -c "%u:%g" /mounts/test4)
+ /usr/sbin/nfs4xdr_winacl -a chown -G 568 -c "/mounts/test4" -p "/mounts/test4" || echo "Failed setting ownership using winacl..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test4)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test6..."
+ before=$(stat -c "%a" /mounts/test6)
+ chmod -$ 770 /mounts/test6 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test6)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test6..."
+ before=$(stat -c "%u:%g" /mounts/test6)
+ /usr/sbin/nfs4xdr_winacl -a chown -G 1000 -$ -c "/mounts/test6" -p "/mounts/test6" || echo "Failed setting ownership using winacl..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test6)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test7..."
+ before=$(stat -c "%a" /mounts/test7)
+ chmod -$ 770 /mounts/test7 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test7)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test7..."
+ before=$(stat -c "%u:%g" /mounts/test7)
+ /usr/sbin/nfs4xdr_winacl -a chown -G 568 -$ -c "/mounts/test7" -p "/mounts/test7" || echo "Failed setting ownership using winacl..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test7)]"
+ echo ""
+ echo "Automatically correcting permissions for /mounts/test8..."
+ before=$(stat -c "%a" /mounts/test8)
+ chmod -$ 770 /mounts/test8 || echo "Failed setting permissions using chmod..."
+ echo "Permissions after: [$before]"
+ echo "Permissions after: [$(stat -c "%a" /mounts/test8)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test8..."
+ before=$(stat -c "%u:%g" /mounts/test8)
+ /usr/sbin/nfs4xdr_winacl -a chown -G 568 -$ -c "/mounts/test8" -p "/mounts/test8" || echo "Failed setting ownership using winacl..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test8)]"
+ echo ""
+ echo "Automatically correcting ownership for /mounts/test9..."
+ before=$(stat -c "%u:%g" /mounts/test9)
+ /usr/sbin/nfs4xdr_winacl -a chown -G 568 -c "/mounts/test9" -p "/mounts/test9" || echo "Failed setting ownership using winacl..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/test9)]"
+ echo ""
+ echo "Finished auto permissions job..."
+
+# Failures
+ - it: should fail trying to set ownership on non hostPath
+ set:
+ workload:
+ workload-name:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ persistence:
+ test:
+ enabled: true
+ type: device
+ autoPermissions:
+ chown: true
+ asserts:
+ - failedTemplate:
+ errorMessage: Auto Permissions - Allowed persistent types for auto permissions are [hostPath, pvc, emptyDir, nfs, ixVolume], but got [device] on [test]
+
+ - it: should fail trying to set permissions on readOnly
+ set:
+ workload:
+ workload-name:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ persistence:
+ test:
+ enabled: true
+ type: pvc
+ readOnly: true
+ autoPermissions:
+ chmod: 770
+ asserts:
+ - failedTemplate:
+ errorMessage: Auto Permissions - You cannot change permissions/ownership automatically on [test] with readOnly enabled
diff --git a/library/common-test/tests/addons/vpn_test.yaml b/library/common-test/tests/addons/vpn_test.yaml
index 416d5eb1..9776e47b 100644
--- a/library/common-test/tests/addons/vpn_test.yaml
+++ b/library/common-test/tests/addons/vpn_test.yaml
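Review bot: The expected scripts pin `chmod -$ 770 /mounts/test1` and `chown -$ -f :568 /mounts/test1` (the same `-$` appears for test6, test7 and test8 and on the `nfs4xdr_winacl … -$ -c` lines of the ixChartContext case), exactly on the volumes that set `recursive: true`, so `-$` is presumably what a recursive flag renders to; `-$` is not a chmod/chown option, which means the rendered Job would fall through to the `|| echo "Failed …"` branch on those volumes and leave them untouched, and the test locks that behaviour in instead of catching it. The template that emits the flag is outside this diff, so the expected value here should be corrected together with it (likely `chmod -R 770 …` / `chown -R -f :568 …`). A second pinned wording bug: `echo "Permissions after: [$before]"` is printed before the chmod result in every permissions block, while the ownership block correctly prints `Ownership before:`, so the first label presumably should be `Permissions before:`. Finally, test5 is marked `# Should not appear` but nothing asserts its absence; the `contains` asserts would still pass if the Job mounted it, so a `notContains` on the volumes list would make that comment enforceable.
```yaml
# … unchanged: existing volume / volumeMount contains asserts …
      - documentIndex: *jobDoc
        notContains:
          path: spec.template.spec.volumes
          content:
            name: test5
            hostPath:
              path: /testhost5
```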
@@ -345,13 +345,52 @@ tests:
 port: 8080
 asserts:
 - hasDocuments:
- count: 2
- - documentIndex: &DeploymentDocument 0
+ count: 3
+ - documentIndex: &JobDocument 0
+ isKind:
+ of: Job
+ - documentIndex: &DeploymentDocument 1
 isKind:
 of: Deployment
- - documentIndex: &ServiceDocument 1
+ - documentIndex: &ServiceDocument 2
 isKind:
 of: Service
+ - documentIndex: *JobDocument
+ equal:
+ path: metadata.name
+ value: release-name-common-test-autopermissions
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: vpnconfig
+ hostPath:
+ path: /path/to/file
+ type: File
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: vpnconfig
+ mountPath: /mounts/vpnconfig
+ readOnly: false
+ - documentIndex: *JobDocument
+ equal:
+ path: spec.template.spec.containers[0].args
+ value:
+ - |-
+ echo "Starting auto permissions job..."
+ touch /tmp/healthy
+
+ echo "Automatically correcting ownership and permissions..."
+ echo "Automatically correcting ownership for /mounts/vpnconfig..."
+ before=$(stat -c "%u:%g" /mounts/vpnconfig)
+ chown -f 568:568 /mounts/vpnconfig || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/vpnconfig)]"
+ echo ""
+ echo "Finished auto permissions job..."
 - documentIndex: *DeploymentDocument
 equal:
 path: spec.template.spec.containers[0].name
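Review bot: The `equal` on `spec.template.spec.containers[0].args` pins the complete auto-permissions script inside a VPN test, and the same block is repeated in the three hunks at -401, -607 and -663, so any cosmetic change to that script (a log line, an option) now breaks four VPN tests on top of the dedicated suite in tests/addons/autoperms_test.yaml. What these tests actually need to establish is that the vpnconfig (or vpnfolder) mount is chowned to 568:568 by the Job, so a narrower check such as `matchRegex` on `spec.template.spec.containers[0].args[0]` with the pattern `chown -f 568:568 /mounts/vpnconfig` would pin that and leave the script's exact text to the autoperms suite. As a point of style, the -401 hunk places the Job asserts before the Deployment `isKind` while this hunk and the -607/-663 hunks place them after the Service `isKind`; one ordering across the four tests would be easier to scan.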
@@ -401,11 +440,49 @@ tests:
 port: 8080
 asserts:
 - hasDocuments:
- count: 2
- - documentIndex: &DeploymentDocument 0
+ count: 3
+ - documentIndex: &JobDocument 0
+ isKind:
+ of: Job
+ - documentIndex: *JobDocument
+ equal:
+ path: metadata.name
+ value: release-name-common-test-autopermissions
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: vpnfolder
+ hostPath:
+ path: /path/to/folder
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: vpnfolder
+ mountPath: /mounts/vpnfolder
+ readOnly: false
+ - documentIndex: *JobDocument
+ equal:
+ path: spec.template.spec.containers[0].args
+ value:
+ - |-
+ echo "Starting auto permissions job..."
+ touch /tmp/healthy
+
+ echo "Automatically correcting ownership and permissions..."
+ echo "Automatically correcting ownership for /mounts/vpnfolder..."
+ before=$(stat -c "%u:%g" /mounts/vpnfolder)
+ chown -f 568:568 /mounts/vpnfolder || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/vpnfolder)]"
+ echo ""
+ echo "Finished auto permissions job..."
+ - documentIndex: &DeploymentDocument 1
 isKind:
 of: Deployment
- - documentIndex: &ServiceDocument 1
+ - documentIndex: &ServiceDocument 2
 isKind:
 of: Service
 - documentIndex: *DeploymentDocument
@@ -607,13 +684,52 @@ tests:
 port: 8080
 asserts:
 - hasDocuments:
- count: 2
- - documentIndex: &DeploymentDocument 0
+ count: 3
+ - documentIndex: &JobDocument 0
+ isKind:
+ of: Job
+ - documentIndex: &DeploymentDocument 1
 isKind:
 of: Deployment
- - documentIndex: &ServiceDocument 1
+ - documentIndex: &ServiceDocument 2
 isKind:
 of: Service
+ - documentIndex: *JobDocument
+ equal:
+ path: metadata.name
+ value: release-name-common-test-autopermissions
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: vpnconfig
+ hostPath:
+ path: /path/to/file
+ type: File
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: vpnconfig
+ mountPath: /mounts/vpnconfig
+ readOnly: false
+ - documentIndex: *JobDocument
+ equal:
+ path: spec.template.spec.containers[0].args
+ value:
+ - |-
+ echo "Starting auto permissions job..."
+ touch /tmp/healthy
+
+ echo "Automatically correcting ownership and permissions..."
+ echo "Automatically correcting ownership for /mounts/vpnconfig..."
+ before=$(stat -c "%u:%g" /mounts/vpnconfig)
+ chown -f 568:568 /mounts/vpnconfig || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/vpnconfig)]"
+ echo ""
+ echo "Finished auto permissions job..."
 - documentIndex: *DeploymentDocument
 equal:
 path: spec.template.spec.containers[0].name
@@ -663,13 +779,52 @@ tests:
 port: 8080
 asserts:
 - hasDocuments:
- count: 2
- - documentIndex: &DeploymentDocument 0
+ count: 3
+ - documentIndex: &JobDocument 0
+ isKind:
+ of: Job
+ - documentIndex: &DeploymentDocument 1
 isKind:
 of: Deployment
- - documentIndex: &ServiceDocument 1
+ - documentIndex: &ServiceDocument 2
 isKind:
 of: Service
+ - documentIndex: *JobDocument
+ equal:
+ path: metadata.name
+ value: release-name-common-test-autopermissions
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.volumes
+ content:
+ name: vpnconfig
+ hostPath:
+ path: /path/to/file
+ type: File
+ - documentIndex: *JobDocument
+ contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: vpnconfig
+ mountPath: /mounts/vpnconfig
+ readOnly: false
+ - documentIndex: *JobDocument
+ equal:
+ path: spec.template.spec.containers[0].args
+ value:
+ - |-
+ echo "Starting auto permissions job..."
+ touch /tmp/healthy
+
+ echo "Automatically correcting ownership and permissions..."
+ echo "Automatically correcting ownership for /mounts/vpnconfig..."
+ before=$(stat -c "%u:%g" /mounts/vpnconfig)
+ chown -f 568:568 /mounts/vpnconfig || echo "Failed setting ownership using chown..."
+
+ echo "Ownership before: [$before]"
+ echo "Ownership after: [$(stat -c "%u:%g" /mounts/vpnconfig)]"
+ echo ""
+ echo "Finished auto permissions job..."
 - documentIndex: *DeploymentDocument
 equal:
 path: spec.template.spec.containers[0].name
diff --git a/library/common-test/tests/container/securityContext_test.yaml b/library/common-test/tests/container/securityContext_test.yaml
index 8d420747..71f08cf6 100644
--- a/library/common-test/tests/container/securityContext_test.yaml
+++ b/library/common-test/tests/container/securityContext_test.yaml
@@ -1003,3 +1003,51 @@ tests:
 asserts:
 - failedTemplate:
 errorMessage: Container - Expected to be [bool], but got [not-bool] of type [string]
+
+ - it: should fail with duplicate capabilities.add
+ set:
+ image: *image
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ containers:
+ container-name1:
+ enabled: true
+ primary: true
+ imageSelector: image
+ probes: *probes
+ securityContext:
+ capabilities:
+ add:
+ - CHOWN
+ - CHOWN
+ asserts:
+ - failedTemplate:
+ errorMessage: Container - Expected items of to be unique, but got [CHOWN, CHOWN]
+
+ - it: should fail with duplicate capabilities.drop
+ set:
+ image: *image
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ containers:
+ container-name1:
+ enabled: true
+ primary: true
+ imageSelector: image
+ probes: *probes
+ securityContext:
+ capabilities:
+ drop:
+ - CHOWN
+ - CHOWN
+ asserts:
+ - failedTemplate:
+ errorMessage: Container - Expected items of to be unique, but got [CHOWN, CHOWN]
diff --git a/library/common-test/tests/initContainer/autoperms_test.yaml b/library/common-test/tests/initContainer/autoperms_test.yaml
deleted file mode 100644
index 6d27bafc..00000000
--- a/library/common-test/tests/initContainer/autoperms_test.yaml
+++ /dev/null
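Review bot: Both new cases pin `errorMessage: Container - Expected items of to be unique, but got [CHOWN, CHOWN]`, a message with nothing after `items of`; presumably the validation in the chart was meant to interpolate the list being checked, and the expectation here is locking in that gap. Because the `add` and `drop` cases assert the identical string, a failure in either one cannot tell the reader which list the check fired on; correcting the message in the template (outside this diff) and pinning something like `Container - Expected items of [capabilities.add] to be unique, but got [CHOWN, CHOWN]` here, with the `[capabilities.drop]` counterpart in the second case, would fix both. The duplicates are exact-case repeats, so whether a mixed-case pair such as `CHOWN` and `chown` is treated as a duplicate stays untested by these two cases.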
@@ -1,328 +0,0 @@ -suite: auto perms test -templates: - - common.yaml -tests: - - it: should render permissions job - set: - workload: - workload-name: - enabled: true - primary: true - type: Deployment - podSpec: {} - persistence: - test1: - enabled: true - type: hostPath - autoPermissions: - chown: true - chmod: 770 - recursive: true - mountPath: /test1 - hostPath: /testhost1 - test2: - enabled: true - type: hostPath - autoPermissions: - chown: true - chmod: 770 - recursive: false - mountPath: /test2 - hostPath: /testhost2 - test3: - enabled: true - type: hostPath - autoPermissions: - chmod: 770 - mountPath: /test3 - hostPath: /testhost3 - test4: - enabled: true - type: hostPath - autoPermissions: - chown: true - mountPath: /test4 - hostPath: /testhost4 - # Should not appear - test5: - enabled: true - type: hostPath - mountPath: /test5 - hostPath: /testhost5 - asserts: - - documentIndex: &jobDoc 1 - isKind: - of: Job - - documentIndex: *jobDoc - equal: - path: spec.template.spec.containers[0].securityContext - value: - runAsUser: 0 - runAsGroup: 568 - runAsNonRoot: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - privileged: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - add: - - CHOWN - - FOWNER - - documentIndex: *jobDoc - equal: - path: spec.template.spec.volumes - value: - - name: test1 - hostPath: - path: /testhost1 - - name: test2 - hostPath: - path: /testhost2 - - name: test3 - hostPath: - path: /testhost3 - - name: test4 - hostPath: - path: /testhost4 - - name: tmp-data - emptyDir: {} - - documentIndex: *jobDoc - equal: - path: spec.template.spec.containers[0].volumeMounts - value: - - name: test1 - mountPath: /mounts/test1 - - name: test2 - mountPath: /mounts/test2 - - name: test3 - mountPath: /mounts/test3 - - name: test4 - mountPath: /mounts/test4 - - name: tmp-data - mountPath: /tmp - - documentIndex: *jobDoc - equal: - path: spec.template.spec.containers[0].command - value: - - /bin/sh - - -c 
- - | - /bin/sh <<'EOF' - touch /tmp/healthy - echo "Automatically correcting ownership and permissions..." - echo "Automatically correcting permissions for /test1..." - echo "Permissions before: [$(stat -c "%a" /mounts/test1)]" - chmod -R 770 /mounts/test1 || echo "Failed setting permissions using chmod..." - echo "Permissions after: [$(stat -c "%a" /mounts/test1)]" - echo "" - echo "Automatically correcting ownership for /test1..." - echo "Ownership before: [$(stat -c "%u:%g" /mounts/test1)]" - chown -R -f :568 /mounts/test1 || echo "Failed setting ownership using chown..." - echo "Ownership after: [$(stat -c "%u:%g" /mounts/test1)]" - echo "" - echo "Automatically correcting permissions for /test2..." - echo "Permissions before: [$(stat -c "%a" /mounts/test2)]" - chmod 770 /mounts/test2 || echo "Failed setting permissions using chmod..." - echo "Permissions after: [$(stat -c "%a" /mounts/test2)]" - echo "" - echo "Automatically correcting ownership for /test2..." - echo "Ownership before: [$(stat -c "%u:%g" /mounts/test2)]" - chown -f :568 /mounts/test2 || echo "Failed setting ownership using chown..." - echo "Ownership after: [$(stat -c "%u:%g" /mounts/test2)]" - echo "" - echo "Automatically correcting permissions for /test3..." - echo "Permissions before: [$(stat -c "%a" /mounts/test3)]" - chmod 770 /mounts/test3 || echo "Failed setting permissions using chmod..." - echo "Permissions after: [$(stat -c "%a" /mounts/test3)]" - echo "" - echo "Automatically correcting ownership for /test4..." - echo "Ownership before: [$(stat -c "%u:%g" /mounts/test4)]" - chown -f :568 /mounts/test4 || echo "Failed setting ownership using chown..." 
- echo "Ownership after: [$(stat -c "%u:%g" /mounts/test4)]" - echo "" - EOF - - - it: should render permissions job in ixChartContext - set: - workload: - workload-name: - enabled: true - primary: true - type: Deployment - podSpec: {} - ixChartContext: - some: context - persistence: - test1: - enabled: true - type: hostPath - autoPermissions: - chown: true - chmod: 770 - recursive: true - mountPath: /test1 - hostPath: /testhost1 - test2: - enabled: true - type: hostPath - autoPermissions: - chown: true - chmod: 770 - recursive: false - mountPath: /test2 - hostPath: /testhost2 - test3: - enabled: true - type: hostPath - autoPermissions: - chmod: 770 - mountPath: /test3 - hostPath: /testhost3 - test4: - enabled: true - type: hostPath - autoPermissions: - chown: true - mountPath: /test4 - hostPath: /testhost4 - # Should not appear - test5: - enabled: true - type: hostPath - mountPath: /test5 - hostPath: /testhost5 - asserts: - - documentIndex: *jobDoc - isKind: - of: Job - - documentIndex: *jobDoc - equal: - path: spec.template.spec.containers[0].securityContext - value: - runAsUser: 0 - runAsGroup: 568 - runAsNonRoot: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - privileged: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - add: - - CHOWN - - FOWNER - - documentIndex: *jobDoc - equal: - path: spec.template.spec.volumes - value: - - name: test1 - hostPath: - path: /testhost1 - - name: test2 - hostPath: - path: /testhost2 - - name: test3 - hostPath: - path: /testhost3 - - name: test4 - hostPath: - path: /testhost4 - - name: tmp-data - emptyDir: {} - - documentIndex: *jobDoc - equal: - path: spec.template.spec.containers[0].volumeMounts - value: - - name: test1 - mountPath: /mounts/test1 - - name: test2 - mountPath: /mounts/test2 - - name: test3 - mountPath: /mounts/test3 - - name: test4 - mountPath: /mounts/test4 - - name: tmp-data - mountPath: /tmp - - documentIndex: *jobDoc - equal: - path: 
spec.template.spec.containers[0].command - value: - - /bin/sh - - -c - - | - /bin/sh <<'EOF' - touch /tmp/healthy - echo "Automatically correcting ownership and permissions..." - echo "Automatically correcting permissions for /test1..." - echo "Permissions before: [$(stat -c "%a" /mounts/test1)]" - chmod -R 770 /mounts/test1 || echo "Failed setting permissions using chmod..." - echo "Permissions after: [$(stat -c "%a" /mounts/test1)]" - echo "" - echo "Automatically correcting ownership for /test1..." - echo "Ownership before: [$(stat -c "%u:%g" /mounts/test1)]" - /usr/sbin/nfs4xdr_winacl -a chown -G 568 -r -c "/mounts/test1" -p "/mounts/test1" || echo "Failed setting ownership using winacl..." - echo "Ownership after: [$(stat -c "%u:%g" /mounts/test1)]" - echo "" - echo "Automatically correcting permissions for /test2..." - echo "Permissions before: [$(stat -c "%a" /mounts/test2)]" - chmod 770 /mounts/test2 || echo "Failed setting permissions using chmod..." - echo "Permissions after: [$(stat -c "%a" /mounts/test2)]" - echo "" - echo "Automatically correcting ownership for /test2..." - echo "Ownership before: [$(stat -c "%u:%g" /mounts/test2)]" - /usr/sbin/nfs4xdr_winacl -a chown -G 568 -c "/mounts/test2" -p "/mounts/test2" || echo "Failed setting ownership using winacl..." - echo "Ownership after: [$(stat -c "%u:%g" /mounts/test2)]" - echo "" - echo "Automatically correcting permissions for /test3..." - echo "Permissions before: [$(stat -c "%a" /mounts/test3)]" - chmod 770 /mounts/test3 || echo "Failed setting permissions using chmod..." - echo "Permissions after: [$(stat -c "%a" /mounts/test3)]" - echo "" - echo "Automatically correcting ownership for /test4..." - echo "Ownership before: [$(stat -c "%u:%g" /mounts/test4)]" - /usr/sbin/nfs4xdr_winacl -a chown -G 568 -c "/mounts/test4" -p "/mounts/test4" || echo "Failed setting ownership using winacl..." 
- echo "Ownership after: [$(stat -c "%u:%g" /mounts/test4)]" - echo "" - EOF - -# Failures - - it: should fail trying to set ownership on non hostPath - set: - workload: - workload-name: - enabled: true - primary: true - type: Deployment - podSpec: {} - persistence: - test: - enabled: true - type: pvc - autoPermissions: - chown: true - asserts: - - failedTemplate: - errorMessage: Auto Permissions - You can only change permissions/ownership automatically on host path type - - - it: should fail trying to set permissions on non hostPath - set: - workload: - workload-name: - enabled: true - primary: true - type: Deployment - podSpec: {} - persistence: - test: - enabled: true - type: pvc - autoPermissions: - chmod: 770 - asserts: - - failedTemplate: - errorMessage: Auto Permissions - You can only change permissions/ownership automatically on host path type diff --git a/library/common/Chart.yaml b/library/common/Chart.yaml index 4569392f..9bcf1cbb 100644 --- a/library/common/Chart.yaml +++ b/library/common/Chart.yaml @@ -15,4 +15,4 @@ maintainers: name: common sources: null type: library -version: 12.13.2 +version: 12.14.0 diff --git a/library/common/templates/addons/vpn/_volume.tpl b/library/common/templates/addons/vpn/_volume.tpl index f2553b0e..956608f2 100644 --- a/library/common/templates/addons/vpn/_volume.tpl +++ b/library/common/templates/addons/vpn/_volume.tpl @@ -51,6 +51,10 @@ expandObjectName: true type: hostPath hostPath: {{ .Values.addons.vpn.configFile | default "/vpn" }} hostPathType: "File" +autoPermissions: + chown: true + user: 568 + group: 568 {{- end }} targetSelector: {{- range .Values.addons.vpn.targetSelector }} @@ -68,6 +72,10 @@ The volume (referencing VPN config folder) to be inserted into persistence. enabled: true type: hostPath hostPath: {{ .Values.addons.vpn.configFolder | quote }} +autoPermissions: + chown: true + user: 568 + group: 568 targetSelector: {{- range .Values.addons.vpn.targetSelector }} {{ . }}: 
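Review bot: The `autoPermissions` blocks injected for the VPN config file and folder hard-code `user: 568` / `group: 568` instead of following the chart's configured ids; the autoperms template only falls back to `.Values.securityContext.pod.fsGroup` when `group` is absent, so these explicit values override it and a chart running the VPN sidecar under a different uid/gid gets its config chowned to 568 on every install/upgrade. Consider omitting `user`/`group` here so the fsGroup fallback applies, or sourcing them from the VPN container's securityContext. For the configFolder variant, `chown` without `recursive: true` changes the directory only, not the files inside it — confirm that is sufficient for the VPN client, otherwise add `recursive: true`. Both volume definitions start above these hunks.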
diff --git a/library/common/templates/lib/container/_securityContext.tpl b/library/common/templates/lib/container/_securityContext.tpl index 8b631e60..f72d401f 100644 --- a/library/common/templates/lib/container/_securityContext.tpl +++ b/library/common/templates/lib/container/_securityContext.tpl @@ -171,6 +171,10 @@ objectData: The object data to be used to render the container. {{- fail (printf "Container - Expected items of to be [string], but got [%s]" $key (kindOf .)) -}} {{- end -}} {{- end -}} + + {{- if not (deepEqual (uniq $item) $item) -}} + {{- fail (printf "Container - Expected items of to be unique, but got [%s]" $key (join ", " $item)) -}} + {{- end -}} {{- end -}} {{- $secContext | toJson -}} diff --git a/library/common/templates/lib/container/_volumeMounts.tpl b/library/common/templates/lib/container/_volumeMounts.tpl index 38a896b6..b19aa46d 100644 --- a/library/common/templates/lib/container/_volumeMounts.tpl +++ b/library/common/templates/lib/container/_volumeMounts.tpl 
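Review bot: The new `fail` format string has a single `%s` but is given two arguments (`$key` and the joined list), so Go's printf will fill the placeholder with the key and append an `%!(EXTRA string=...)` marker rather than printing the duplicated entries; the pre-existing `[string]` check just above has the same shape. Change it to `{{- fail (printf "Container - Expected items of [%s] to be unique, but got [%s]" $key (join ", " $item)) -}}` and update the expected messages in `securityContext_test.yaml` so they name the offending list (`[add]` / `[drop]`). The enclosing range over the capabilities keys starts above this hunk.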
@@ -88,6 +88,22 @@ objectData: The object data to be used to render the container. {{/* If targetSelectAll is set, means all pods/containers */}} {{/* targetSelectAll does not make sense for vct */}} {{- if and $persistenceValues.targetSelectAll (ne $key "volumeClaimTemplates") -}} {{- $return = true -}} + {{/* Set custom path on autopermissions container */}} + {{- if and (eq $objectData.shortName "autopermissions") $persistenceValues.autoPermissions -}} + {{- if or $persistenceValues.autoPermissions.chown $persistenceValues.autoPermissions.chmod -}} + {{- $return = true -}} + {{- $_ := set $volMount "mountPath" (printf "/mounts/%v" $persistenceName) -}} + {{- end -}} + {{- end -}} + + {{/* If the container is the autopermission */}} + {{- else if (eq $objectData.shortName "autopermissions") -}} + {{- if $persistenceValues.autoPermissions -}} + {{- if or $persistenceValues.autoPermissions.chown $persistenceValues.autoPermissions.chmod -}} + {{- $return = true -}} + {{- $_ := set $volMount "mountPath" (printf "/mounts/%v" $persistenceName) -}} + {{- end -}} + {{- end -}} {{/* Else if selector is defined */}} {{- else if $persistenceValues.targetSelector -}} @@ -114,8 +130,12 @@ objectData: The object data to be used to render the container. {{- end -}} {{- end -}} + {{/* if its the codeserver */}} + {{- else if (eq $objectData.shortName "codeserver") -}} + {{- $return = true -}} + {{/* Else if not selector, but pod and container is primary */}} - {{- else if and $objectData.podPrimary (or $objectData.primary (eq $objectData.shortName "codeserver")) -}} + {{- else if and $objectData.podPrimary $objectData.primary -}} {{- $return = true -}} {{- end -}} diff --git a/library/common/templates/lib/pod/_volumes.tpl b/library/common/templates/lib/pod/_volumes.tpl index 1a6bd594..bcd4cfc6 100644 --- a/library/common/templates/lib/pod/_volumes.tpl +++ b/library/common/templates/lib/pod/_volumes.tpl 
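Review bot: In the `targetSelectAll` branch `$return` is set to true before the autopermissions check, so a volume with `targetSelectAll: true` and no `autoPermissions` (or with neither `chown` nor `chmod`) is still mounted into the permissions container at its normal `mountPath`, even though the job never touches it; the pod-level selection in `_volumes.tpl` has the same ordering. That container runs as uid 0 with CHOWN/DAC_OVERRIDE/FOWNER, so it should only see volumes it is asked to fix. Test the `autopermissions` shortName first so the job's mounts depend solely on `autoPermissions`, which also removes the duplicated block; the `codeserver` extraction further down is fine. The enclosing range over persistence starts above this hunk.
```yaml
{{/* The autopermissions container only mounts volumes it is asked to fix, regardless of selectors */}}
{{- if (eq $objectData.shortName "autopermissions") -}}
  {{- if $persistenceValues.autoPermissions -}}
    {{- if or $persistenceValues.autoPermissions.chown $persistenceValues.autoPermissions.chmod -}}
      {{- $return = true -}}
      {{- $_ := set $volMount "mountPath" (printf "/mounts/%v" $persistenceName) -}}
    {{- end -}}
  {{- end -}}

{{/* If targetSelectAll is set, means all pods/containers */}}
{{- else if and $persistenceValues.targetSelectAll (ne $key "volumeClaimTemplates") -}}
  {{- $return = true -}}
{{/* … unchanged: targetSelector / codeserver / primary branches … */}}
```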
@@ -19,6 +19,14 @@ objectData: The object data to be used to render the Pod. {{- if $persistence.targetSelectAll -}} {{- $selected = true -}} + {{/* If the pod is the autopermission */}} + {{- else if eq $objectData.shortName "autopermissions" -}} + {{- if $persistence.autoPermissions -}} + {{- if or $persistence.autoPermissions.chown $persistence.autoPermissions.chmod -}} + {{- $selected = true -}} + {{- end -}} + {{- end -}} + {{/* If targetSelector is set, check if pod is selected */}} {{- else if $persistence.targetSelector -}} {{- if (mustHas $objectData.shortName (keys $persistence.targetSelector)) -}} @@ -26,10 +34,8 @@ objectData: The object data to be used to render the Pod. {{- end -}} {{/* If no targetSelector is set or targetSelectAll, check if pod is primary */}} - {{- else -}} - {{- if $objectData.primary -}} - {{- $selected = true -}} - {{- end -}} + {{- else if $objectData.primary -}} + {{- $selected = true -}} {{- end -}} {{/* If pod selected */}} diff --git a/library/common/templates/lib/util/_autoperms.tpl b/library/common/templates/lib/util/_autoperms.tpl index d7b5c640..4ebbfc92 100644 --- a/library/common/templates/lib/util/_autoperms.tpl +++ b/library/common/templates/lib/util/_autoperms.tpl 
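Review bot: The `targetSelectAll` test still runs first, so a volume with `targetSelectAll: true` but no `autoPermissions` is attached to the permissions Job's pod although the job never acts on it, exposing that volume (hostPath included) to a root container for no reason; the new `else if` branch only filters volumes that fall through. Put the autopermissions branch first — `{{- if eq $objectData.shortName "autopermissions" -}}` … `{{- else if $persistence.targetSelectAll -}}` — mirroring the same reorder in `_volumeMounts.tpl`, so the job pod's volumes are decided by `autoPermissions` alone. The collapse of the trailing `else` into `else if $objectData.primary` is behaviour-preserving. The enclosing range over persistence starts above this hunk.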
@@ -1,154 +1,142 @@ -{{/* contains the auto-permissions job */}} +{{/* Contains the auto-permissions job */}} {{- define "tc.v1.common.lib.util.autoperms" -}} -{{- $hostPathMounts := dict -}} + +{{- $permAllowedTypes := (list "hostPath" "pvc" "emptyDir" "nfs" "ixVolume") -}} +{{/* If you change this path, you must change it under _volumeMounts.tpl too*/}} +{{- $basePath := "/mounts" -}} + +{{/* Init an empty dict to hold data */}} +{{- $mounts := dict -}} + +{{/* Go over persistence and gather needed data */}} {{- range $name, $mount := .Values.persistence -}} {{- if and $mount.enabled $mount.autoPermissions -}} + {{/* If autoPermissions is enabled...*/}} {{- if or $mount.autoPermissions.chown $mount.autoPermissions.chmod -}} - {{- if ne $mount.type "hostPath" -}} - {{- fail (printf "Auto Permissions - You can only change permissions/ownership automatically on host path type") -}} + {{- $type := $.Values.fallbackDefaults.persistenceType -}} + {{- if $mount.type -}} + {{- $type = $mount.type -}} {{- end -}} + + {{- if not (mustHas $type $permAllowedTypes) -}} + {{- fail (printf "Auto Permissions - Allowed persistent types for auto permissions are [%v], but got [%v] on [%v]" (join ", " $permAllowedTypes) $type $name) -}} + {{- end -}} + {{- if $mount.readOnly -}} - {{- fail (printf "Auto Permissions - You cannot change permissions/ownership automatically with readOnly enabled") -}} + {{- fail (printf "Auto Permissions - You cannot change permissions/ownership automatically on [%v] with readOnly enabled" $name) -}} {{- end -}} - {{- $name = $mount.name | default ($name | toString) -}} - {{- $_ := set $hostPathMounts $name $mount -}} - + {{/* Add some data regarding what actions to perform */}} + {{- $_ := set $mounts $name $mount.autoPermissions -}} {{- end -}} {{- end -}} -{{- end }} +{{- end -}} -{{- if $hostPathMounts }} -{{- $fullName := include "tc.v1.common.lib.chart.names.fullname" . 
}} ---- -apiVersion: batch/v1 -kind: Job -metadata: - namespace: {{ .Release.Namespace }} - name: {{ $fullName }}-autopermissions - annotations: - "helm.sh/hook": pre-install, pre-upgrade - "helm.sh/hook-weight": "3" - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed -spec: - template: - spec: - restartPolicy: Never - containers: - - name: {{ $fullName }}-autopermissions - image: {{ .Values.alpineImage.repository }}:{{ .Values.alpineImage.tag }} - securityContext: - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 568 - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - privileged: false - seccompProfile: - type: RuntimeDefault - capabilities: - add: - - CHOWN - - FOWNER - drop: - - ALL - resources: - requests: - cpu: 10m - memory: 50Mi - limits: - cpu: 4000m - memory: 8Gi - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - initialDelaySeconds: 10 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 5 - periodSeconds: 10 - readinessProbe: - exec: - command: - - cat - - /tmp/healthy - initialDelaySeconds: 10 - failureThreshold: 5 - successThreshold: 2 - timeoutSeconds: 5 - periodSeconds: 10 - startupProbe: - exec: - command: - - cat - - /tmp/healthy - initialDelaySeconds: 10 - failureThreshold: 60 - successThreshold: 1 - timeoutSeconds: 2 - periodSeconds: 5 +{{- if $mounts }} +enabled: true +type: Job +annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed +podSpec: + restartPolicy: Never + containers: + # If you change this name, you must change it under _volumeMounts.tpl + autopermissions: + enabled: true + primary: true + imageSelector: alpineImage + securityContext: + runAsNonRoot: false + runAsUser: 0 + capabilities: + disableS6Caps: true + add: + - CHOWN + - DAC_OVERRIDE + - FOWNER + resources: + limits: + cpu: 2000m + memory: 2Gi + probes: + liveness: + type: exec command: - - "/bin/sh" - 
- "-c" - - | - /bin/sh <<'EOF' - touch /tmp/healthy - echo "Automatically correcting ownership and permissions..." + - cat + - /tmp/healthy + readiness: + type: exec + command: + - cat + - /tmp/healthy + startup: + type: exec + command: + - cat + - /tmp/healthy + command: + - /bin/sh + - -c + args: + - | + echo "Starting auto permissions job..." + touch /tmp/healthy - {{- if and (.Values.addons.vpn.configFile) (ne .Values.addons.vpn.type "disabled") (ne .Values.addons.vpn.type "tailscale") }} - echo "Automatically correcting ownership for vpn config file..." - {{- if $.Values.ixChartContext }} - /usr/sbin/nfs4xdr_winacl -a chown -O 568 -G 568 -c /vpn/vpn.conf -p /vpn/vpn.conf || echo "Failed setting ownership using winacl..." - {{- else }} - chown -f :568 /vpn/vpn.conf || echo "Failed setting ownership using chown..." - {{- end -}} + echo "Automatically correcting ownership and permissions..." + + {{- range $name, $vol := $mounts }} + {{- $mountPath := (printf "%v/%v" $basePath $name) -}} + + {{- $user := "" -}} + {{- if $vol.user -}} + {{- $user = $vol.user -}} {{- end -}} - {{- range $name, $hpm := $hostPathMounts }} - {{- $r := "" -}} - {{- if $hpm.autoPermissions.recursive -}} - {{- $r = "-R" -}} - {{- end -}} - {{- if $hpm.autoPermissions.chmod }} - echo "Automatically correcting permissions for {{ $hpm.mountPath }}..." - echo "Permissions before: [$(stat -c "%a" /mounts/{{ $name }})]" - chmod {{ $r }} {{ $hpm.autoPermissions.chmod }} /mounts/{{ $name }} || echo "Failed setting permissions using chmod..." - echo "Permissions after: [$(stat -c "%a" /mounts/{{ $name }})]" - echo "" - {{- end -}} - {{- if $hpm.autoPermissions.chown }} - echo "Automatically correcting ownership for {{ $hpm.mountPath }}..." 
- echo "Ownership before: [$(stat -c "%u:%g" /mounts/{{ $name }})]" - {{- if $.Values.ixChartContext }} - /usr/sbin/nfs4xdr_winacl -a chown -G {{ $hpm.autoPermissions.group | default $.Values.securityContext.pod.fsGroup }} {{ $r | lower }} -c "/mounts/{{ $name }}" -p "/mounts/{{ $name }}" || echo "Failed setting ownership using winacl..." - {{- else }} - chown {{ $r }} -f :{{ $hpm.autoPermissions.group | default $.Values.securityContext.pod.fsGroup }} /mounts/{{ $name }} || echo "Failed setting ownership using chown..." - {{- end }} - echo "Ownership after: [$(stat -c "%u:%g" /mounts/{{ $name }})]" - echo "" - {{- end -}} - {{- end }} - EOF - volumeMounts: - {{- range $name, $hpm := $hostPathMounts }} - - name: {{ $name }} - mountPath: /mounts/{{ $name }} - {{- end }} - - name: tmp-data - mountPath: /tmp + {{- $group := $.Values.securityContext.pod.fsGroup -}} + {{- if $vol.group -}} + {{- $group = $vol.group -}} + {{- end -}} - volumes: - {{- range $name, $hpm := $hostPathMounts }} - - name: {{ $name }} - hostPath: - path: {{ tpl $hpm.hostPath $ | squote }} - {{- with $hpm.hostPathType }} - type: {{ $hpm.hostPathType }} - {{- end }} - {{- end }} - - name: tmp-data - emptyDir: {} -{{- end }} + {{- $r := "" -}} + {{- if $vol.recursive -}} + {{- $r = "-$" -}} + {{- end -}} + + {{/* Permissions */}} + {{- if $vol.chmod }} + echo "Automatically correcting permissions for {{ $mountPath }}..." + before=$(stat -c "%a" {{ $mountPath }}) + chmod {{ $r }} {{ $vol.chmod }} {{ $mountPath }} || echo "Failed setting permissions using chmod..." + echo "Permissions after: [$before]" + echo "Permissions after: [$(stat -c "%a" {{ $mountPath }})]" + echo "" + {{- end -}} + + {{/* Ownership */}} + {{- if $vol.chown }} + echo "Automatically correcting ownership for {{ $mountPath }}..." + before=$(stat -c "%u:%g" {{ $mountPath }}) + {{- if $.Values.ixChartContext }}{{/* TODO: Add user here too? 
*/}} + /usr/sbin/nfs4xdr_winacl -a chown -G {{ $group }} {{ $r | lower }} -c "{{ $mountPath }}" -p "{{ $mountPath }}" || echo "Failed setting ownership using winacl..." + {{- else }} + chown {{ $r }} -f {{ $user }}:{{ $group }} {{ $mountPath }} || echo "Failed setting ownership using chown..." + {{- end }} + + echo "Ownership before: [$before]" + echo "Ownership after: [$(stat -c "%u:%g" {{ $mountPath }})]" + echo "" + {{- end -}} + {{- end }} + echo "Finished auto permissions job..." +{{- end -}} +{{- end -}} + +{{- define "tc.v1.common.lib.util.autoperms.job" -}} + {{- $job := (include "tc.v1.common.lib.util.autoperms" $) | fromYaml -}} + {{- if $job -}} + # If you change this name, you must change it under _volumes.tpl + {{- $_ := set $.Values.workload "autopermissions" $job -}} + {{- end -}} {{- end -}} diff --git a/library/common/templates/loader/_apply.tpl b/library/common/templates/loader/_apply.tpl index 26921408..14d3c364 100644 --- a/library/common/templates/loader/_apply.tpl +++ b/library/common/templates/loader/_apply.tpl @@ -4,6 +4,9 @@ {{/* Inject custom tpl files, as defined in values.yaml */}} {{- include "tc.v1.common.spawner.extraTpl" . | nindent 0 -}} + {{/* Ensure automatic permissions containers are injected */}} + {{- include "tc.v1.common.lib.util.autoperms.job" $ -}} + {{/* Make sure there are not any YAML errors */}} {{- include "tc.v1.common.values.validate" .Values -}} @@ -55,9 +58,6 @@ {{/* Render Cert-Manager Certificates(s) */}} {{- include "tc.v1.common.spawner.certificate" . | nindent 0 -}} - {{/* Ensure automatic permissions containers are injected */}} - {{- include "tc.v1.common.lib.util.autoperms" . | nindent 0 -}} - {{/* Render/Set portal configmap, .Values.iXPortals and APPURL */}} {{- include "tc.v1.common.spawner.portal" . | nindent 0 -}}
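Review bot: `{{- $r = "-$" -}}` is a typo for `-R`: with `recursive: true` the rendered lines become `chmod -$ 770 /mounts/x` and `chown -$ -f ...`, which both tools reject as an invalid option, and because every call is guarded by `|| echo "Failed ..."` the Job still exits 0 with the failure visible only in the log; the vpnconfig test in this diff has `recursive` unset, and I cannot see whether the new suite asserts a recursive case. Fix it to `{{- $r = "-R" -}}` and correct the duplicated label `echo "Permissions after: [$before]"` to `echo "Permissions before: [$before]"`. Two further points: the ixChartContext branch (`nfs4xdr_winacl ... -G {{ $group }}`) ignores `$user` as the TODO notes, so the VPN volume's `user: 568` has no effect on SCALE and the previous `-O 568` behaviour is lost; and `$vol.chmod`, `$vol.user`, `$vol.group` and `$name` are spliced into a shell script that runs as uid 0 unquoted and unvalidated, so a `fail` when they do not match `^[0-7]{3,4}$` / `^[0-9]+$` (and a name without shell metacharacters) would keep a bad values file from reshaping that script.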
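Review bot: `tc.v1.common.lib.util.autoperms.job` writes the generated Job into `.Values.workload` under the fixed key `autopermissions` with `set`, so a chart that already declares a workload of that name has it silently replaced, and nothing in the pipeline flags the collision. Guard it before the `set`, e.g. `{{- if hasKey $.Values.workload "autopermissions" -}}{{- fail "Auto Permissions - workload name [autopermissions] is reserved" -}}{{- end -}}`, and note the reserved name in values.yaml. Moving the include ahead of `tc.v1.common.values.validate` is otherwise the right call, since the injected workload then passes through the same validation as user-defined ones.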