use read-only filesystem with mounted tmp volumes unless in developme…

…nt mode
opf · Nov 29, 2023 · 893eac0 · 893eac0
1 parent 86e5b96
commit 893eac0
Show file tree

Hide file tree

Showing 7 changed files with 127 additions and 42 deletions.
diff --git a/charts/openproject/bin/debug b/charts/openproject/bin/debug
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Outputs the generated helm configurations after templating.
+
+yaml_output=/tmp/op-hc-yaml-output.txt
+error_output=/tmp/op-hc-error-output.txt
+section_output=/tmp/op-hc-section-output.yml
+vimrc=/tmp/op-hc-vim-rc
+
+rm $yaml_output $error_output $section_output $vimrc &>/dev/null
+
+helm template --debug "$@" . 1> $yaml_output 2> $error_output
+
+if [ $? -gt 0 ]; then
+  section=`cat $error_output | grep 'Error: YAML parse error on' | cut -d: -f2 | cut -d' ' -f6-`
+
+  if [ -n "$section" ]; then
+    cat $yaml_output | sed -e "0,/\# Source: ${section//\//\\/}/d" | tail -n+2 | sed -e '/---/,$d' > $section_output
+
+    line=`cat $error_output | grep line | head -n1 | perl -nle 'm/line (\d+)/; print $1'`
+
+    if [ -n "$line" ]; then
+      echo "autocmd VimEnter * echo '`cat $error_output | grep line | head -n1`'" > $vimrc
+      vim +$line -u $vimrc $section_output
+    else
+      echo
+      echo "Template error: "
+      echo
+      echo ---
+      cat $section_output
+      cat $error_output
+    fi
+  else
+    echo
+    echo "Template error: "
+    echo
+    echo ---
+    cat $yaml_output
+    cat $error_output
+  fi
+else
+  cat $yaml_output
+
+  echo
+  echo "Syntax ok"
+fi
diff --git a/charts/openproject/bin/install-dev b/charts/openproject/bin/install-dev
@@ -0,0 +1,6 @@
+# !/bin/bash
+
+# Install OpenProject in development mode, that is without https and allowing writes
+# to the container file system.
+
+helm upgrade --create-namespace --namespace openproject --install openproject --set develop=true .
diff --git a/charts/openproject/templates/_helpers.tpl b/charts/openproject/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{/*
+Returns the OpenProject image to be used including the respective registry and image tag.
+*/}}
+{{- define "openproject.image" -}}
+{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}
+{{- end -}}
+
+{{/*
+Yields the configured container security context if enabled.
+
+Allows writing to the container file system in development mode
+This way the OpenProject container works without mounted tmp volumes
+which may not work correctly in local development clusters.
+*/}}
+{{- define "openproject.containerSecurityContext" }}
+{{- if .Values.containerSecurityContext.enabled }}
+securityContext:
+  {{-
+    mergeOverwrite
+      (omit .Values.containerSecurityContext "enabled" | deepCopy)
+      (dict "readOnlyRootFilesystem" (not .Values.develop))
+    | toYaml
+    | nindent 2
+  }}
+{{- end }}
+{{- end }}
+
+{{/* Yields the configured pod security context if enabled. */}}
+{{- define "openproject.podSecurityContext" }}
+{{- if .Values.podSecurityContext.enabled }}
+securityContext:
+  {{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 2 | trim }}
+{{- end }}
+{{- end }}
+
+{{- define "openproject.useTmpVolumes" -}}
+{{- if not .Values.develop -}}
+  {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/templates/secrets.yaml b/charts/openproject/templates/secrets.yaml
@@ -19,7 +19,7 @@ stringData:
   OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: {{ .Values.openproject.admin_user.password_reset | quote }}
   OPENPROJECT_SEED_ADMIN_USER_NAME: {{ .Values.openproject.admin_user.name | quote }}
   OPENPROJECT_SEED_ADMIN_USER_MAIL: {{ .Values.openproject.admin_user.mail | quote }}
-  OPENPROJECT_HTTPS: {{ .Values.openproject.https | quote }}
+  OPENPROJECT_HTTPS: {{ (.Values.develop | ternary "false" .Values.openproject.https) | quote }}
   OPENPROJECT_SEED_LOCALE: {{ .Values.openproject.seed_locale | quote }}
   OPENPROJECT_HOST__NAME: {{ .Values.openproject.host | default .Values.ingress.host | quote }}
   OPENPROJECT_HSTS: {{ .Values.openproject.hsts | quote }}

diff --git a/charts/openproject/templates/seeder-job.yaml b/charts/openproject/templates/seeder-job.yaml
@@ -12,15 +12,13 @@ spec:
   ttlSecondsAfterFinished: 6000
   template:
     spec:
-      {{- if .Values.podSecurityContext.enabled }}
-      securityContext:
-        {{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 | trim }}
-      {{- end }}
+      {{- include "openproject.podSecurityContext" . | indent 6 }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{ toYaml . | nindent 8 | trim }}
       {{- end }}
       volumes:
+        {{- if (include "openproject.useTmpVolumes" .) }}
         - name: tmp
           # we can't use emptyDir due to the sticky bit issue
           # see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -31,6 +29,7 @@ spec:
                 resources:
                   requests:
                     storage: 1Gi
+        {{- end }}
         {{- if .Values.persistence.enabled }}
         - name: "data"
           persistentVolumeClaim:
@@ -50,10 +49,7 @@ spec:
                 name: {{ include "common.names.fullname" . }}
           resources:
             {{- toYaml .Values.initdb.resources | nindent 12 }}
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext:
-            {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
+          {{- include "openproject.containerSecurityContext" . | indent 10 }}
       containers:
         - name: seeder
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
@@ -65,14 +61,13 @@ spec:
             - secretRef:
                 name: {{ include "common.names.fullname" . }}
           volumeMounts:
+            {{- if (include "openproject.useTmpVolumes" .) }}
             - mountPath: /tmp
               name: tmp
+            {{- end }}
             {{- if .Values.persistence.enabled }}
             - name: "data"
               mountPath: "/var/openproject/assets"
             {{- end }}
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext:
-            {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
+          {{- include "openproject.containerSecurityContext" . | indent 10 }}
       restartPolicy: OnFailure
diff --git a/charts/openproject/templates/web-deployment.yaml b/charts/openproject/templates/web-deployment.yaml
@@ -46,12 +46,10 @@ spec:
       nodeSelector:
         {{ toYaml . | nindent 8 | trim }}
       {{- end }}
-      {{- if .Values.podSecurityContext.enabled }}
-      securityContext:
-        {{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 | trim }}
-      {{- end }}
+      {{- include "openproject.podSecurityContext" . | indent 6 }}
       serviceAccountName: {{ include "common.names.fullname" . }}
       volumes:
+        {{- if (include "openproject.useTmpVolumes" .) }}
         - name: tmp
           # we can't use emptyDir due to the sticky bit issue
           # see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -63,7 +61,16 @@ spec:
                   requests:
                     storage: 1Gi
         - name: app-tmp
-          emptyDir: {}
+          # we can't use emptyDir due to the sticky bit / world writable issue
+          # see: https://github.com/kubernetes/kubernetes/issues/110835
+          ephemeral:
+            volumeClaimTemplate:
+              spec:
+                accessModes: ["ReadWriteOnce"]
+                resources:
+                  requests:
+                    storage: 1Gi
+        {{- end }}
         {{- if .Values.egress.tls.rootCA.fileName }}
         - name: ca-pemstore
           configMap:
@@ -76,11 +83,8 @@ spec:
         {{- end }}
       initContainers:
         - name: wait-for-db
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext:
-            {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
+          {{- include "openproject.containerSecurityContext" . | indent 10 }}
+          image: {{ include "openproject.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           envFrom:
             - secretRef:
@@ -90,11 +94,8 @@ spec:
             - /app/docker/prod/wait-for-db
       containers:
         - name: "openproject"
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext:
-            {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
+          {{- include "openproject.containerSecurityContext" . | indent 10 }}
+          image: {{ include "openproject.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           envFrom:
             - secretRef:
@@ -105,10 +106,12 @@ spec:
               value: "/etc/ssl/certs/custom-ca.pem"
           {{- end }}
           volumeMounts:
+            {{- if (include "openproject.useTmpVolumes" .) }}
             - mountPath: /tmp
               name: tmp
             - mountPath: /app/tmp
               name: app-tmp
+            {{- end }}
             {{- if .Values.persistence.enabled }}
             - name: "data"
               mountPath: "/var/openproject/assets"

diff --git a/charts/openproject/templates/worker-deployment.yaml b/charts/openproject/templates/worker-deployment.yaml
@@ -46,12 +46,10 @@ spec:
       nodeSelector:
         {{ toYaml . | nindent 8 | trim }}
       {{- end }}
-      {{- if .Values.podSecurityContext.enabled }}
-      securityContext:
-        {{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 | trim }}
-      {{- end }}
+      {{- include "openproject.podSecurityContext" . | indent 6 }}
       serviceAccountName: {{ include "common.names.fullname" . }}
       volumes:
+        {{- if (include "openproject.useTmpVolumes" .) }}
         - name: tmp
           # we can't use emptyDir due to the sticky bit issue
           # see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -65,6 +63,7 @@ spec:
                     # or backups
                     # @todo put this into a separate PVC per replica
                     storage: 5Gi
+        {{- end }}
         {{- if .Values.egress.tls.rootCA.fileName }}
         - name: ca-pemstore
           configMap:
@@ -77,11 +76,8 @@ spec:
         {{- end }}
       initContainers:
         - name: wait-for-db
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext:
-            {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
+          {{- include "openproject.containerSecurityContext" . | indent 10 }}
+          image: {{ include "openproject.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           envFrom:
             - secretRef:
@@ -91,11 +87,8 @@ spec:
             - /app/docker/prod/wait-for-db
       containers:
         - name: "openproject"
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext:
-            {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
+          {{- include "openproject.containerSecurityContext" . | indent 10 }}
+          image: {{ include "openproject.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           envFrom:
             - secretRef:
@@ -109,8 +102,10 @@ spec:
             - bash
             - /app/docker/prod/worker
           volumeMounts:
+            {{- if (include "openproject.useTmpVolumes" .) }}
             - mountPath: /tmp
               name: tmp
+            {{- end }}
             {{- if .Values.persistence.enabled }}
             - name: "data"
               mountPath: "/var/openproject/assets"