Helm Chart rendering RunAsUser at the wrong indent #63

Open
avo-sepp opened this issue Feb 27, 2024 · 9 comments
@avo-sepp
Contributor

avo-sepp commented Feb 27, 2024

Screenshot 2024-02-27 at 10 46 58

See image. runAsUser is not being saved to Kubernetes because it is being rendered one tier above SecurityContext. It should be nested under SecurityContext.

avo-sepp changed the title from "Helm Chart rendering RunAsRoot at the wrong indent" to "Helm Chart rendering RunAsUser at the wrong indent" on Feb 27, 2024
@avo-sepp
Contributor Author

More info, this problem is seen on native and default worker groups. I don't think we're running any other worker groups, so I cannot confirm/deny those.

@rubenfiszel
Contributor

@avo-sepp can you share the values you are using?

@avo-sepp
Contributor Author

avo-sepp commented Feb 27, 2024

windmill:
  baseDomain: "redacted"
  baseProtocol: "https"
  databaseUrlSecretName: "redacted"
  databaseUrlSecretKey: url
postgresql:
  enabled: false
ingress:
  enabled: true
  className: "nginx"
  tls:
    - hosts:
        - "redacted"
      secretName: redacted 
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 10m

@avo-sepp
Contributor Author

The Helm chart is being rendered and applied by ArgoCD. When rendered on the CLI the indenting is off. It looks like...

      containers:
      - name: windmill-worker

        securityContext:

            runAsNonRoot: false
            runAsUser: 0



        image: ghcr.io/windmill-labs/windmill:1.278.5

        imagePullPolicy: Always
        ports:
        - containerPort: 8001

@rubenfiszel
Contributor

This should be fixed on the latest commit normally (indent 12 -> indent 10 of the securityContext block body)

@rubenfiszel
Contributor

@avo-sepp I also tested on the CLI/dry-run that the indentation was correct. We advise passing HOME=/tmp as an env variable if you use non-root users.

@avo-sepp
Contributor Author

Thank you. That's good information. Is there anything mounted in /tmp? If I overwrite that directory with an ephemeral/empty volume will any important data be blown away?

@rubenfiszel
Contributor

Crucial data required for the operation of windmill is located at /tmp/windmill, so would recommend using /tmp/home and mounting that instead.

@rubenfiszel
Contributor

To note, if you can mount /tmp/windmill/cache you will benefit from a hot cache all the time, and on the EE we have a superior tier of caching for python at scale that is distributed on S3.
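
A pre-apply check for the class of rendering bug reported in this issue, as an added example that is not part of the thread or of the Windmill chart: it flags securityContext fields that end up directly on a container instead of nested under `securityContext`. It assumes the rendered manifest has already been parsed into a Python dict; the function names and the sample data are constructed for illustration.

```python
# Added example: flag securityContext-only fields rendered at the wrong level
# (directly on a container instead of under its securityContext key).
# Field names below are from the Kubernetes core/v1 SecurityContext type.
CONTAINER_SC_FIELDS = {
    "runAsUser", "runAsGroup", "runAsNonRoot", "privileged",
    "allowPrivilegeEscalation", "readOnlyRootFilesystem",
    "capabilities", "seccompProfile", "seLinuxOptions", "procMount",
}

def pod_spec(manifest):
    """Return the pod spec of a Pod or of a workload with spec.template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec")

def misplaced_security_fields(manifest):
    """List (container, field, problem) findings for one parsed manifest."""
    findings = []
    spec = pod_spec(manifest) or {}
    for group in ("initContainers", "containers"):
        for c in spec.get(group) or []:
            name = c.get("name", "<unnamed>")
            # A securityContext field as a direct container key is not part
            # of the Container schema, so the intended setting is not applied.
            for field in sorted(CONTAINER_SC_FIELDS & c.keys()):
                findings.append((name, field, "not under securityContext"))
            # A key with its body mis-indented elsewhere parses as null.
            if "securityContext" in c and not isinstance(c["securityContext"], dict):
                findings.append((name, "securityContext", "empty or not a mapping"))
    return findings

def _deployment(container):
    return {"kind": "Deployment",
            "spec": {"template": {"spec": {"containers": [container]}}}}

# Constructed samples: the mis-nesting described in the issue, and the fix.
BROKEN = _deployment({"name": "windmill-worker", "securityContext": None,
                      "runAsNonRoot": False, "runAsUser": 0})
FIXED = _deployment({"name": "windmill-worker",
                     "securityContext": {"runAsNonRoot": False, "runAsUser": 0}})

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, misplaced_security_fields(doc))
```
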