diff --git a/deploy/modules/service/cronjob.tf b/deploy/modules/service/cronjob.tf
index 5380a9c5..2657b27f 100644
--- a/deploy/modules/service/cronjob.tf
+++ b/deploy/modules/service/cronjob.tf
@@ -77,6 +77,35 @@ resource "kubernetes_cron_job" "app" {
 }
 }
 
+ dynamic "init_container" {
+ for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+ content {
+ name = "fix-permissions-${init_container.key}"
+ image = "busybox"
+ command = [
+ "chown",
+ "-R",
+ "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+ init_container.value.mountPath,
+ ]
+
+ security_context {
+ run_as_group = 0
+ run_as_user = 0
+ run_as_non_root = false
+ }
+
+ volume_mount {
+ name = init_container.value.volumeName
+ mount_path = init_container.value.mountPath
+ read_only = lookup(init_container.value, "readOnly", false)
+ sub_path = lookup(init_container.value, "subPath", null)
+ mount_propagation = lookup(init_container.value, "mountPropagation", null)
+ }
+ }
+ }
+
 security_context {
 run_as_user = lookup(var.podSecurityContext, "runAsUser", 1000)
 run_as_group = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/deamonset.tf b/deploy/modules/service/deamonset.tf
index ed20e3fd..155d37cd 100644
--- a/deploy/modules/service/deamonset.tf
+++ b/deploy/modules/service/deamonset.tf
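Review bot: The init container runs as uid 0 from the unpinned `image = "busybox"`, so each pod start pulls whatever that tag currently resolves to and runs it as root over the workload's writable volumes; pin it, e.g. `image = "busybox:<TAG>@sha256:<DIGEST>"` (placeholder values), and narrow the root context with `allow_privilege_escalation = false` plus a `capabilities` block that drops `ALL` and adds back `CHOWN` (and any others the volume layout turns out to need). The `for_each` filter reads `v.readOnly` directly while the `volume_mount` below tolerates a missing key via `lookup(init_container.value, "readOnly", false)`; if `readOnly` is optional in `var.volumeMounts`, a mount that omits it is skipped by the filter rather than fixed, so `lookup(v, "readOnly", false) == false` (and simply `var.fixPermissions` for the bool) would match the rest of the block. `${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}` is likewise used without the defaults that the pod-level `lookup(var.podSecurityContext, "runAsUser", 1000)` applies, so an unset attribute presumably breaks the interpolation instead of falling back — worth a `lookup` with explicit defaults. The same block is repeated verbatim in the deamonset.tf, deployment.tf and statefulset.tf hunks, where all of this applies equally. The enclosing `kubernetes_cron_job` resource begins and ends outside this hunk.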
@@ -62,6 +62,35 @@ resource "kubernetes_daemonset" "app" {
 }
 }
 
+ dynamic "init_container" {
+ for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+ content {
+ name = "fix-permissions-${init_container.key}"
+ image = "busybox"
+ command = [
+ "chown",
+ "-R",
+ "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+ init_container.value.mountPath,
+ ]
+
+ security_context {
+ run_as_group = 0
+ run_as_user = 0
+ run_as_non_root = false
+ }
+
+ volume_mount {
+ name = init_container.value.volumeName
+ mount_path = init_container.value.mountPath
+ read_only = lookup(init_container.value, "readOnly", false)
+ sub_path = lookup(init_container.value, "subPath", null)
+ mount_propagation = lookup(init_container.value, "mountPropagation", null)
+ }
+ }
+ }
+
 security_context {
 run_as_user = lookup(var.podSecurityContext, "runAsUser", 1000)
 run_as_group = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/deployment.tf b/deploy/modules/service/deployment.tf
index e7e3e758..bef3500f 100644
--- a/deploy/modules/service/deployment.tf
+++ b/deploy/modules/service/deployment.tf
@@ -64,6 +64,35 @@ resource "kubernetes_deployment" "app" {
 }
 }
 
+ dynamic "init_container" {
+ for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+ content {
+ name = "fix-permissions-${init_container.key}"
+ image = "busybox"
+ command = [
+ "chown",
+ "-R",
+ "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+ init_container.value.mountPath,
+ ]
+
+ security_context {
+ run_as_group = 0
+ run_as_user = 0
+ run_as_non_root = false
+ }
+
+ volume_mount {
+ name = init_container.value.volumeName
+ mount_path = init_container.value.mountPath
+ read_only = lookup(init_container.value, "readOnly", false)
+ sub_path = lookup(init_container.value, "subPath", null)
+ mount_propagation = lookup(init_container.value, "mountPropagation", null)
+ }
+ }
+ }
+
 security_context {
 run_as_user = lookup(var.podSecurityContext, "runAsUser", 1000)
 run_as_group = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/statefulset.tf b/deploy/modules/service/statefulset.tf
index 65558bac..3b95f2f3 100644
--- a/deploy/modules/service/statefulset.tf
+++ b/deploy/modules/service/statefulset.tf
@@ -70,6 +70,35 @@ resource "kubernetes_stateful_set" "app" {
 }
 }
 
+ dynamic "init_container" {
+ for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+ content {
+ name = "fix-permissions-${init_container.key}"
+ image = "busybox"
+ command = [
+ "chown",
+ "-R",
+ "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+ init_container.value.mountPath,
+ ]
+
+ security_context {
+ run_as_group = 0
+ run_as_user = 0
+ run_as_non_root = false
+ }
+
+ volume_mount {
+ name = init_container.value.volumeName
+ mount_path = init_container.value.mountPath
+ read_only = lookup(init_container.value, "readOnly", false)
+ sub_path = lookup(init_container.value, "subPath", null)
+ mount_propagation = lookup(init_container.value, "mountPropagation", null)
+ }
+ }
+ }
+
 security_context {
 run_as_user = lookup(var.podSecurityContext, "runAsUser", 1000)
 run_as_group = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/variables.tf b/deploy/modules/service/variables.tf
index 5f313ce7..52d6d60b 100644
--- a/deploy/modules/service/variables.tf
+++ b/deploy/modules/service/variables.tf
@@ -654,3 +654,9 @@ variable "serviceType" {
 error_message = "serviceType must be one of ClusterIP, NodePort or LoadBalancer"
 }
 }
+
+variable "fixPermissions" {
+ type = bool
+ description = "Fix permissions of the mounted volumes (start an init container as root to chown the volumes)"
+ default = false
+}
diff --git a/deploy/stacks/apps/s42/storages.tf b/deploy/stacks/apps/s42/storages.tf
index cd6fd407..f817c751 100644
--- a/deploy/stacks/apps/s42/storages.tf
+++ b/deploy/stacks/apps/s42/storages.tf
@@ -249,6 +249,8 @@ module "dragonfly" {
 replicas = 1
 maxUnavailable = 0
 
+ fixPermissions = true
+
 prometheus = {
 enabled = true
 port = 6379
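Review bot: The description on `fixPermissions` should state which mounts the flag affects, since the module creates the root init container only for `volumeMounts` entries whose `readOnly` is false and chowns them to `containerSecurityContext.runAsUser:runAsGroup`; e.g. `description = "Run a root busybox init container that chown -R's every writable (readOnly = false) volumeMount to containerSecurityContext.runAsUser:runAsGroup before the app starts"`. Operators reading the variable on its own otherwise cannot tell that enabling it adds a uid-0 container to every workload kind this module renders.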
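Review bot: `fixPermissions = true` on `module "dragonfly"` turns on a uid-0 init container for this workload and relies on `containerSecurityContext.runAsUser`/`runAsGroup` being set in this module call, which lies outside the hunk; a comment stating why the volume needs it would help the next reader, e.g. `# volume is provisioned with ownership dragonfly cannot write to; chown it to the app uid/gid at startup (root init container)` — confirm that is the actual cause before committing the wording. The `module "dragonfly"` block begins and ends outside this hunk.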