@@ -29,6 +29,101 @@ spec:
2929 - name : {{ include "codetogether.fullname" . }}-pull-secret
3030 {{- end }}
3131 serviceAccountName : {{ include "codetogether.serviceAccountName" . }}
32+ {{- if .Values.openshift.enabled }}
33+ # OpenShift
34+ {{- else if .Values.podSecurityContext }}
35+ # Vanilla Kubernetes use what is set in podSecurityContext
36+ securityContext :
37+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
38+ {{- end }}
39+ {{- if .Values.securityContext.readOnlyRootFilesystem }}
40+ initContainers :
41+ - name : prepare-volatile
42+ image : busybox:1.36
43+ command : ["/bin/sh", "-c"]
44+ args :
45+ {{- if .Values.openshift.enabled }}
46+ - |
47+ set -eu
48+ for d in \
49+ /run/volatile/clients \
50+ /run/volatile/codetogether-config \
51+ /run/volatile/codetogether-forever \
52+ /run/volatile/codetogether-npm \
53+ /run/volatile/codetogether-pm2 \
54+ /run/volatile/codetogether-theia \
55+ /run/volatile/jicofo-etc \
56+ /run/volatile/jvb-etc \
57+ /run/volatile/log-codetogether \
58+ /run/volatile/log-jitsi \
59+ /run/volatile/log-prosody \
60+ /run/volatile/meet-web \
61+ /run/volatile/nginx \
62+ /run/volatile/pki-catrust \
63+ /run/volatile/prosody \
64+ /run/volatile/prosody-certs \
65+ /run/volatile/prosody-conf \
66+ /run/volatile/var-cache/dnf \
67+ /run/volatile/var-cache/ldconfig \
68+ /run/volatile/var-cache/libX11 \
69+ /run/volatile/var-cache/nginx \
70+ /run/volatile/var-cache/private \
71+ /run/volatile/var-cache/yum
72+ do
73+ install -d -m 0775 "$d"
74+ done
75+ {{- else }}
76+ - |
77+ set -eu
78+ for d in \
79+ /run/volatile/clients \
80+ /run/volatile/codetogether-config \
81+ /run/volatile/codetogether-forever \
82+ /run/volatile/codetogether-npm \
83+ /run/volatile/codetogether-pm2 \
84+ /run/volatile/codetogether-theia \
85+ /run/volatile/jicofo-etc \
86+ /run/volatile/jvb-etc \
87+ /run/volatile/log-codetogether \
88+ /run/volatile/log-jitsi \
89+ /run/volatile/log-prosody \
90+ /run/volatile/meet-web \
91+ /run/volatile/nginx \
92+ /run/volatile/pki-catrust \
93+ /run/volatile/prosody \
94+ /run/volatile/prosody-certs \
95+ /run/volatile/prosody-conf \
96+ /run/volatile/var-cache/dnf \
97+ /run/volatile/var-cache/ldconfig \
98+ /run/volatile/var-cache/libX11 \
99+ /run/volatile/var-cache/nginx \
100+ /run/volatile/var-cache/private \
101+ /run/volatile/var-cache/yum
102+ do
103+ install -d -m 0775 "$d"
104+ done
105+ chown -R {{ default 1000 .Values.securityContext.runAsUser }}:{{ default 1000 .Values.securityContext.runAsGroup | default 1000 }} \
106+ /run /var/log/nginx /var/cache/nginx
107+ {{- end }}
108+ securityContext :
109+ {{- if .Values.openshift.enabled }}
110+ runAsNonRoot : true
111+ allowPrivilegeEscalation : false
112+ {{- else }}
113+ runAsUser : 0
114+ runAsGroup : 0
115+ runAsNonRoot : false
116+ allowPrivilegeEscalation : false
117+ {{- end }}
118+ volumeMounts :
119+ - name : codetogether-runtime
120+ mountPath : /run
121+ - name : codetogether-runtime
122+ mountPath : /var/log/nginx
123+ - name : codetogether-runtime
124+ mountPath : /var/cache/nginx
125+ {{- end }}
126+
32127 containers :
33128 - name : {{ .Chart.Name }}
34129 securityContext :
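Review bot: The init container's securityContext in this hunk drops no capabilities and sets no seccomp profile in either branch, and the vanilla-Kubernetes branch (`runAsUser: 0`, `runAsNonRoot: false`) therefore runs busybox as root with the runtime's full default capability set although the script only needs elevated rights for the trailing `chown -R`; as written the Pod will fail the Pod Security `restricted` level even when the main container's own securityContext passes it. Dropping `ALL` and re-adding only `CHOWN` for the non-OpenShift case (verify on a cluster; `install -d` and a recursive chown as uid 0 should not need more), plus `seccompProfile: RuntimeDefault`, keeps the behaviour while shrinking the privilege the init step holds. Separately, `image: busybox:1.36` is a mutable tag from the default registry hard-coded in the template rather than taken from values, so it cannot be pinned by digest or redirected to a mirror, which matters for the OpenShift/air-gapped case this hunk is adding. The two shell scripts are identical apart from the `chown -R`, so the `for` loop could sit outside `{{- if .Values.openshift.enabled }}` with only the chown conditional, and `{{ default 1000 .Values.securityContext.runAsGroup | default 1000 }}` applies the default twice — `{{ default 1000 .Values.securityContext.runAsGroup }}` is sufficient.
```yaml
securityContext:
  {{- if .Values.openshift.enabled }}
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  {{- else }}
  # root is needed only for the chown -R in args; keep the capability set minimal
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  allowPrivilegeEscalation: false
  {{- end }}
  capabilities:
    drop: ["ALL"]
    {{- if not .Values.openshift.enabled }}
    add: ["CHOWN"]
    {{- end }}
  seccompProfile:
    type: RuntimeDefault
# … unchanged: volumeMounts …
```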
@@ -248,6 +343,7 @@ spec:
248343
249344 resources :
250345 {{- toYaml .Values.resources | nindent 12 }}
346+
251347 {{- if .Values.securityContext.readOnlyRootFilesystem}}
252348 volumes :
253349 - name : codetogether-runtime