diff --git a/docs/en/installation/k8s.md b/docs/en/installation/k8s.md
index a8c5c3f7d8..da002f2876 100644
--- a/docs/en/installation/k8s.md
+++ b/docs/en/installation/k8s.md
@@ -30,6 +30,7 @@ The following table list the configurable parameters of the SCM-Manager chart an
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity settings |
+| extraArgs | list | `[]` | Arguments to pass to the container |
 | extraEnv | string | `""` | Additional environment variables, parsed through tpl function |
 | extraEnvFrom | string | `""` | Additional environment variables mapped from Secret or ConfigMap, parsed through tpl function |
 | extraVolumeMounts | string | `""` | Add additional volumes mounts, parsed through tpl function |
@@ -51,6 +52,7 @@ The following table list the configurable parameters of the SCM-Manager chart an
 | persistence.enabled | bool | `true` | Enable the use of a PVC for SCM-Manager home |
 | persistence.size | string | `"40Gi"` | The size of the PVC |
 | resources | object | `{}` | Resources allocation (Requests and Limits) |
+| securityContext | object | `{ fsGroup: 0 }` | Securitycontext for the pod |
 | service.port | int | `80` | k8s service port |
 | service.type | string | `"LoadBalancer"` | k8s service type |
 | ssh.dns | list | `["ssh.scm-manager.local"]` | dns names for the ssh service (requires installed external dns) |
diff --git a/gradle/changelog/helm_ocp_and_icp.yaml b/gradle/changelog/helm_ocp_and_icp.yaml
new file mode 100644
index 0000000000..c9e7b5caef
--- /dev/null
+++ b/gradle/changelog/helm_ocp_and_icp.yaml
@@ -0,0 +1,2 @@
+ - type: Added description: Adds compatibility for OCP and ICP ([#1870](https://github.com/scm-manager/scm-manager/pull/1870))
diff --git a/scm-packaging/docker/Dockerfile b/scm-packaging/docker/Dockerfile
index 1cae926790..762f8d4170 100644
--- a/scm-packaging/docker/Dockerfile
+++ b/scm-packaging/docker/Dockerfile
@@ -31,16 +31,17 @@ COPY . /
 RUN set -x \
 # ttf-dejavu graphviz are required for the plantuml plugin
 && apk add --no-cache ttf-dejavu graphviz mercurial bash ca-certificates \
- && addgroup -S -g 1000 scm \
- && adduser -S -s /bin/false -G scm -h ${SCM_HOME} -D -H -u 1000 scm \
+ && adduser -S -s /bin/false -h ${SCM_HOME} -D -H -u 1000 -G root scm \
 && mkdir -p ${SCM_HOME} ${CACHE_DIR} \
 && chmod +x /opt/scm-server/bin/scm-server \
- && chown scm:scm ${SCM_HOME} ${CACHE_DIR}
+ # set permissions to group 0 for openshift compatibility && chown 1000:0 ${SCM_HOME} ${CACHE_DIR} \
+ && chmod -R g=u ${SCM_HOME} ${CACHE_DIR}
 WORKDIR "/opt/scm-server"
 VOLUME ["${SCM_HOME}", "${CACHE_DIR}"]
 EXPOSE 8080
-USER scm
+USER 1000
 # we us a high relative high start period,
 # because the start time depends on the number of installed plugins
diff --git a/scm-packaging/helm/src/main/chart/templates/deployment.yaml b/scm-packaging/helm/src/main/chart/templates/deployment.yaml
index e9b00aca70..90eb81be3a 100644
--- a/scm-packaging/helm/src/main/chart/templates/deployment.yaml
+++ b/scm-packaging/helm/src/main/chart/templates/deployment.yaml
@@ -49,23 +49,15 @@ spec:
 imagePullSecrets:
 - name: {{ .Values.image.pullSecret }}
 {{- end }}
- initContainers:
- - name: volume-permissions
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: IfNotPresent
- command: ['sh', '-c', 'chown 1000:1000 /data']
- securityContext:
- runAsUser: 0
- volumeMounts:
- - name: data
- mountPath: /data
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
 {{- if .Values.plugins }}
+ initContainers:
 - name: install-plugins
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: IfNotPresent
 command: ['sh', '/scripts/install-plugins.sh']
- securityContext:
- runAsUser: 0
 volumeMounts:
 - name: data
 mountPath: /data
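Review bot: In the rewritten RUN the comment `# set permissions to group 0 for openshift compatibility` and `&& chown 1000:0 ${SCM_HOME} ${CACHE_DIR} \` are shown on one physical line here; Docker only strips a comment when `#` begins the (whitespace-trimmed) line, so if they really share a line the chown is part of the comment, the directories stay root-owned and `chmod -R g=u` then hands group 0 the owner bits of root-owned directories. The hunk's +17 line count suggests the chown is its own line in the actual commit, so this is probably a rendering artifact, but checking the built image's ownership of `${SCM_HOME}` is cheap. Separately, `adduser ... -G root` plus `chmod -R g=u` deliberately moves write access from a private `scm` group to gid 0, which a later maintainer may read as a mistake and revert; a one-line comment above `adduser` such as `# primary group 0: OpenShift runs the container as an arbitrary UID in group root` would record the intent.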
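Review bot: Dropping the root `volume-permissions` init container changes how a pre-existing PVC becomes writable: data that earlier chart releases left as `1000:1000` (see the removed `chown 1000:1000 /data`) is now expected to be fixed up by the kubelet through the pod `securityContext`, and the values file tells OpenShift users to unset `fsGroup`, in which case an arbitrary UID in group 0 presumably cannot write a home directory that is still `1000:1000` without group write. Fresh installs look fine because the image seeds the directories with `g=u`; an upgrade note in the chart docs, or an opt-in one-time fix-up step, would cover existing volumes. The `install-plugins` init container no longer runs as root, which is the right direction, and it now relies on the same `fsGroup` handling for `/data`. The enclosing pod `spec:` starts before this hunk.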
@@ -75,6 +67,10 @@ spec:
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- with .Values.extraArgs }}
+ args:
+ {{- . | toYaml | nindent 12 }}
+ {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 {{- if .Values.lifecycleHooks }}
 lifecycle:
diff --git a/scm-packaging/helm/src/main/chart/templates/scripts.yaml b/scm-packaging/helm/src/main/chart/templates/scripts.yaml
index d2d54b7346..128d8ae54a 100644
--- a/scm-packaging/helm/src/main/chart/templates/scripts.yaml
+++ b/scm-packaging/helm/src/main/chart/templates/scripts.yaml
@@ -36,10 +36,8 @@ data:
 install-plugins.sh: |
 #!/bin/sh
 mkdir -p /data/plugins
- chown 1000:1000 /data/plugins
 {{ range $i, $plugin := .Values.plugins }}
 # install plugin {{ tpl $plugin.name $ }}
 wget -O /data/plugins/{{ tpl $plugin.name $ }}.smp {{ tpl $plugin.url $ }}
- chown 1000:1000 /data/plugins/{{ tpl $plugin.name $ }}.smp
 {{ end }}
 {{ end }}
diff --git a/scm-packaging/helm/src/main/chart/values.yaml b/scm-packaging/helm/src/main/chart/values.yaml
index d44a0f9bd9..8ac25e2ddd 100644
--- a/scm-packaging/helm/src/main/chart/values.yaml
+++ b/scm-packaging/helm/src/main/chart/values.yaml
@@ -41,6 +41,13 @@ nameOverride: ""
 # fullnameOverride -- Override the full resource names
 fullnameOverride: ""
+# securityContext -- Toggle and define securityContext
+securityContext:
+# runAsUser: 999
+# runAsGroup: 999
+ # unset fsGroup if working on openshift
+ fsGroup: 0
+
 service:
 # service.type -- k8s service type
 type: LoadBalancer
@@ -162,3 +169,8 @@ extraVolumeMounts: |
 # - name: bucket-service-account
 # mountPath: "{{.Values.bucket.mountPath}}"
 # readOnly: true
+
+# extraArgs -- Add additional arguments on startup
+extraArgs: []
+# - "-Dscm.initialPassword=admin"
+# - "-Dscm.initialUser=admin"
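Review bot: `args:` populated from `.Values.extraArgs` replaces the image's `CMD` rather than appending to it (Kubernetes `args` overrides `CMD`; only `command` overrides `ENTRYPOINT`), so any default arguments the image entrypoint relies on disappear as soon as a user sets `extraArgs`. The image's ENTRYPOINT/CMD lines are not part of this diff, so this may be harmless, but it is worth stating next to the block, e.g. `{{/* args replaces the image CMD; list every argument the server needs */}}`. The `with` guard correctly skips rendering for the `[]` default. The `containers:` list continues past this hunk.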
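Review bot: The new `securityContext` default only sets `fsGroup: 0`; nothing in the chart asks the kubelet to enforce non-root, so a future image that drops `USER 1000` would start as root without any signal. Adding `runAsNonRoot: true` to the default block costs nothing with the image's numeric `USER 1000` and turns that regression into a pod start failure instead. Also, the commented examples `# runAsUser: 999` and `# runAsGroup: 999` sit at column 0 under `securityContext:`; uncommented as-is they become top-level values keys the template never reads, so indent them like the `fsGroup: 0` line (`  # runAsUser: 999`) so they can be enabled by deleting the `#`.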
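Review bot: The example `# - "-Dscm.initialPassword=admin"` documents passing the initial credential as a container argument, which lands it in the Deployment and Pod specs (readable by anyone with `get pods`/`describe`, retained in Helm release history) and in the process command line inside the container. Prefer a non-credential example, e.g. only `# - "-Dscm.initialUser=admin"`, and add a line such as `# do not pass secrets here; use extraEnvFrom with a Secret` — assuming SCM-Manager accepts the equivalent setting through the environment, which this diff does not show. The `[]` default itself is correct for the `{{- with }}` guard in the deployment template.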