flux: Readme: Improve documentation #291
Conversation
kksudo
force-pushed
the
feat/improve_readme
branch
from
8c367f2 to
6956588
Compare
|
Thanks! It looks good to me... but the main maintainer of the flux plugin is away this week, so I'll wait till they are back to review/merge. Would you mind updating the commit messages to follow the commit format we use?
|
kksudo
force-pushed
the
feat/improve_readme
branch
from
6956588 to
22ba9d1
Compare
Signed-off-by: Kirill <[email protected]> (cherry picked from commit d4b75d2) Signed-off-by: Kirill <[email protected]>
Signed-off-by: Kirill <[email protected]>
kksudo
force-pushed
the
feat/improve_readme
branch
from
22ba9d1 to
f617c23
Compare
Done |
|
The security context is mandatory to copy changes, without it, you will get an error: Also, there is no statefulset app, that is why use the PV with PVC is not correct, as the alternative I added an option to use an empty dir.
|
| - /bin/sh | ||
| - -c | ||
| - mkdir -p /build/plugins && cp -r /plugins/* /build/plugins/ | ||
| - mkdir -p /build/plugins && cp -r /plugins/* /build/plugins/ && chown -R 100:101 /build |
There was a problem hiding this comment.
Oh... I just realised the 100:101 here is the headlamp user and group from the alpine headlamp Dockerfile container?
Can we use chown -R headlamp:headlamp /build here instead?
How about a comment explaining why the chown is necessary?
There was a problem hiding this comment.
Oh... I just realised the 100:101 here is the headlamp user and group from the alpine headlamp Dockerfile container?
Yes
https://github.com/headlamp-k8s/plugins/blob/main/Dockerfile#L45
Actually we can improve also this line, to define exactly the number of the group to be more clear.
There was a problem hiding this comment.
Can we use
chown -R headlamp:headlamp /buildhere instead?
yes, but it's not a true way, because from image to image the number of the headlamp group could be diff.
It's a better to update the Dockerfile to set up a static number, smth like:
# Create a group with specific GID and user with specific UID
RUN addgroup -g 101 -S headlamp && \
adduser -u 100 -S -G headlamp headlamp
I can update it, WDYT ?
There was a problem hiding this comment.
Thanks. I understand I think... so if someone uses headlamp:headlamp in say their own custom Debian image maybe it's different from an alpine image?
Yeah, I think it's a good change to make.
| image: ghcr.io/headlamp-k8s/headlamp-plugin-flux:latest | ||
| imagePullPolicy: Always | ||
| name: headlamp-plugins | ||
| securityContext: |
There was a problem hiding this comment.
This part here is required because of the chown used above? Or is it for something else?
Could you please add a comment to there explaining why it's necessary?
There was a problem hiding this comment.
The securityContext overwrite the USER headlamp non root user.
Without it, we don't have enough permissions to do the dirs with non headlamp owner.
There was a problem hiding this comment.
Ok, that makes sense now. Thanks.
Could you please add a comment about that in there for future readers?
There was a problem hiding this comment.
Ok, that makes sense now. Thanks.
Could you please add a comment about that in there for future readers?
I can, it's not a big deal.
But, are you sure if it's necessary? Because it's a pretty simple setting. Moreover, we can't annotate every line. We should do it, only if it's some exception or TODO or workaround.
WDYT?
There was a problem hiding this comment.
Umm i don't understand this change we already did chwon above so we would not want to run this as root right??
maybe this is what we need here
securityContext:
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
privileged: false
There was a problem hiding this comment.
Yes, it's true. What is the user who run this cmd?
Without it, you will fail.
Btw, you can try to run without these changes to check it.
There was a problem hiding this comment.
|
Added "Fixes #214" to PR description. |
| image: ghcr.io/headlamp-k8s/headlamp-plugin-flux:latest | ||
| imagePullPolicy: Always | ||
| name: headlamp-plugins | ||
| securityContext: |
There was a problem hiding this comment.
Umm i don't understand this change we already did chwon above so we would not want to run this as root right??
maybe this is what we need here
securityContext:
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
privileged: false
Description
Improve the Flux plugin documentation
Fixes #214
Split this PR.
#290 (comment)