Adds compatibility for OCP and ICP (#1870)

Adds compatibility for OCP (openshift container platform) and ICP (IBM cloud private)

- Sets folder permissions to group 0, because the arbitrarily assigned user ids in OpenShift are all members of group 0
- Removes usage of root user 0, because it is prohibited in some environments
- Uses a numeric user id, because some environments do not accept non-numeric user ids
- Removes the initContainer for setting volume permissions, because it is no longer needed
- Removes the chown in the plugin script, because it is no longer needed
- Adds an extraArgs option to the Helm chart to pass arguments on server startup, e.g. the initial admin username and password

Signed-off-by: pmarkiewka <philipp.markiewka@cloudogu.com>
pmarkiewka
2021-12-16 13:58:10 +01:00
committed by Sebastian Sdorra
parent 71cff95b7b
commit e70e860e07
6 changed files with 29 additions and 18 deletions


@@ -30,6 +30,7 @@ The following table list the configurable parameters of the SCM-Manager chart an
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Affinity settings |
| extraArgs | list | `[]` | Arguments to pass to the container |
| extraEnv | string | `""` | Additional environment variables, parsed through tpl function |
| extraEnvFrom | string | `""` | Additional environment variables mapped from Secret or ConfigMap, parsed through tpl function |
| extraVolumeMounts | string | `""` | Add additional volumes mounts, parsed through tpl function |
@@ -51,6 +52,7 @@ The following table list the configurable parameters of the SCM-Manager chart an
| persistence.enabled | bool | `true` | Enable the use of a PVC for SCM-Manager home |
| persistence.size | string | `"40Gi"` | The size of the PVC |
| resources | object | `{}` | Resources allocation (Requests and Limits) |
| securityContext | object | `{ fsGroup: 0 }` | Securitycontext for the pod |
| service.port | int | `80` | k8s service port |
| service.type | string | `"LoadBalancer"` | k8s service type |
| ssh.dns | list | `["ssh.scm-manager.local"]` | dns names for the ssh service (requires installed external dns) |


@@ -0,0 +1,2 @@
- type: Added
description: Adds compatibility for OCP and ICP ([#1870](https://github.com/scm-manager/scm-manager/pull/1870))


@@ -31,16 +31,17 @@ COPY . /
RUN set -x \
# ttf-dejavu graphviz are required for the plantuml plugin
&& apk add --no-cache ttf-dejavu graphviz mercurial bash ca-certificates \
&& addgroup -S -g 1000 scm \
&& adduser -S -s /bin/false -G scm -h ${SCM_HOME} -D -H -u 1000 scm \
&& adduser -S -s /bin/false -h ${SCM_HOME} -D -H -u 1000 -G root scm \
&& mkdir -p ${SCM_HOME} ${CACHE_DIR} \
&& chmod +x /opt/scm-server/bin/scm-server \
&& chown scm:scm ${SCM_HOME} ${CACHE_DIR}
# set permissions to group 0 for openshift compatibility
&& chown 1000:0 ${SCM_HOME} ${CACHE_DIR} \
&& chmod -R g=u ${SCM_HOME} ${CACHE_DIR}
WORKDIR "/opt/scm-server"
VOLUME ["${SCM_HOME}", "${CACHE_DIR}"]
EXPOSE 8080
USER scm
USER 1000
# we us a high relative high start period,
# because the start time depends on the number of installed plugins
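Review bot: The comment above the new `chown 1000:0` / `chmod -R g=u` lines should say what these permissions do and do not cover, because `${SCM_HOME}` and `${CACHE_DIR}` are declared as `VOLUME`s two lines later and a mounted volume replaces the image layer's ownership entirely; on Kubernetes the writable group then comes from the chart's `fsGroup`, not from this `RUN`. I would expand it to: `# scm runs as uid 1000 with primary group root (gid 0); group 0 gets the owner's permissions so OpenShift's arbitrary uid (which also carries gid 0) can write. Applies to the image layer only - mounted volumes take their ownership from the volume/fsGroup.` It is also worth stating next to `USER 1000` that the uid is numeric so a `runAsNonRoot` check can be enforced by the runtime, which appears to be the "non-numerical user ids" problem the commit message refers to.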


@@ -49,23 +49,15 @@ spec:
imagePullSecrets:
- name: {{ .Values.image.pullSecret }}
{{- end }}
initContainers:
- name: volume-permissions
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: IfNotPresent
command: ['sh', '-c', 'chown 1000:1000 /data']
securityContext:
runAsUser: 0
volumeMounts:
- name: data
mountPath: /data
{{- if .Values.securityContext }}
securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if .Values.plugins }}
initContainers:
- name: install-plugins
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: IfNotPresent
command: ['sh', '/scripts/install-plugins.sh']
securityContext:
runAsUser: 0
volumeMounts:
- name: data
mountPath: /data
@@ -75,6 +67,10 @@ spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
{{- with .Values.extraArgs }}
args:
{{- . | toYaml | nindent 12 }}
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.lifecycleHooks }}
lifecycle:
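Review bot: Removing the `volume-permissions` init container moves the whole responsibility for a writable `/data` onto the pod-level `fsGroup`, and nothing in the template records that; the kubelet applies `fsGroup` ownership only on volume types that support it (not `hostPath`, and NFS-style volumes generally do not honor it), so with those the server and the `install-plugins` init container - which now runs as the image user instead of `runAsUser: 0` - will hit permission errors where the old root chown worked. I would add above the `securityContext` block: `# /data is made writable through fsGroup (group 0 in the image); volume types without fsGroup support must be pre-chowned to gid 0.` Existing PVCs from the previous chart version are owned `1000:1000`, which should still be fine where the kubelet can apply `fsGroup: 0`, but that is worth one sentence in the upgrade notes. The `spec:` mapping this hunk edits begins before the hunk.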


@@ -36,10 +36,8 @@ data:
install-plugins.sh: |
#!/bin/sh
mkdir -p /data/plugins
chown 1000:1000 /data/plugins
{{ range $i, $plugin := .Values.plugins }}
# install plugin {{ tpl $plugin.name $ }}
wget -O /data/plugins/{{ tpl $plugin.name $ }}.smp {{ tpl $plugin.url $ }}
chown 1000:1000 /data/plugins/{{ tpl $plugin.name $ }}.smp
{{ end }}
{{ end }}
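Review bot: With the `chown` lines gone, nothing in `install-plugins.sh` stops on error: a failed or interrupted `wget -O` can leave an empty or truncated `.smp` in `/data/plugins` that the server then tries to load, and the init container still exits 0. Add `set -eu` after the shebang and write to a temporary name first, e.g. `wget -O /data/plugins/{{ tpl $plugin.name $ }}.smp.tmp {{ tpl $plugin.url $ }} && mv /data/plugins/{{ tpl $plugin.name $ }}.smp.tmp /data/plugins/{{ tpl $plugin.name $ }}.smp`. Plugins are executable code and the URL is fetched without any integrity check; if `plugin.url` may be plain http or point at a mirror, an optional per-plugin `sha256` verified with `sha256sum -c` before the move would close that gap. The conditional that the final `{{ end }}` closes begins before the hunk.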


@@ -41,6 +41,13 @@ nameOverride: ""
# fullnameOverride -- Override the full resource names
fullnameOverride: ""
# securityContext -- Toggle and define securityContext
securityContext:
# runAsUser: 999
# runAsGroup: 999
# unset fsGroup if working on openshift
fsGroup: 0
service:
# service.type -- k8s service type
type: LoadBalancer
@@ -162,3 +169,8 @@ extraVolumeMounts: |
# - name: bucket-service-account
# mountPath: "{{.Values.bucket.mountPath}}"
# readOnly: true
# extraArgs -- Add additional arguments on startup
extraArgs: []
# - "-Dscm.initialPassword=admin"
# - "-Dscm.initialUser=admin"
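Review bot: The `extraArgs` example puts `-Dscm.initialPassword=admin` on the container command line, where it is stored in the Deployment object and shown by `kubectl describe pod` and in the container's process list - readable by anyone with pod read or exec access, unlike a Secret-backed environment variable. I would annotate the example: `# NOTE: args are visible in the pod spec and process list; prefer extraEnvFrom with a Secret for credentials if the server accepts them from the environment` (whether `scm.initialPassword` can be supplied that way is not visible in this diff). Separately, now that the image uses a numeric `USER 1000`, the default `securityContext` could include `runAsNonRoot: true` so the kubelet rejects any image that regresses to root, which matches the commit's stated goal of dropping uid 0; `fsGroup: 0` itself is rejected by OpenShift's restricted SCC, which the existing comment already covers.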