Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(charts/dex): add optional initContainers to deployment. #93

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

larsla
Copy link

@larsla larsla commented Sep 15, 2022

Overview

This adds the possibility to configure initContainers for the deployment.

What this PR does / why we need it

Connecting to Postgres using TLS with a client certificate requires the private key to have permission mode 0600.
We need to store the TLS certificates/keys as a Kubernetes Secret and mount that to the deployment.
That is currently not possible when running the process as non-root since securityContext.fsGroup only modifies the group ownership and will chmod g+r the mounted files, thus making github.com/lib/pq reject the key due to bad permissions.

With the help of an initContainer we can copy the files from the secret to another volume and chown/chmod them.
This is the method we used with the old dex helm chart from the stable repository and it's been working well for a couple of years.

Closes: #9
The suggestions in that issue was to either use a mutating webhook or build a custom image. Neither works in our use case
since the cluster is too restricted to allow mutating webhooks and building a custom image would not solve the issue since
the root cause is in a library used by Dex.

Special notes for your reviewer

Checklist

  • Change log updated in Chart.yaml (see the contributing guide for details)
  • Chart version bumped in Chart.yaml (see the contributing guide for details)
  • Documentation regenerated by running make docs

@larsla larsla marked this pull request as ready for review September 15, 2022 10:52
@larsla
Copy link
Author

larsla commented Mar 15, 2023

Is there anything missing from this PR? Some feedback would be much appreciated.

@sagikazarmark
Copy link
Member

Looks like it needs a rebase. Other than that, it looks good to me.

@larsla
Copy link
Author

larsla commented Mar 15, 2023

Looks like it needs a rebase. Other than that, it looks good to me.

I rebased it now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Sidecar containers support
2 participants