use read-only filesystem with mounted tmp volumes unless in developme…
…nt mode
machisuji committed Nov 29, 2023
1 parent 111c835 commit 5dd885a
Showing 8 changed files with 136 additions and 42 deletions.
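--- /dev/null
+++ b/charts/openproject/bin/debug
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Outputs the generated helm configurations after templating.
+
+yaml_output=/tmp/op-hc-yaml-output.txt
+error_output=/tmp/op-hc-error-output.txt
+section_output=/tmp/op-hc-section-output.yml
+vimrc=/tmp/op-hc-vim-rc
+
+rm $yaml_output $error_output $section_output $vimrc &>/dev/null
+
+helm template --debug "$@" . 1> $yaml_output 2> $error_output
+
+if [ $? -gt 0 ]; then
+section=`cat $error_output | grep 'Error: YAML parse error on' | cut -d: -f2 | cut -d' ' -f6-`
+
+if [ -n "$section" ]; then
+cat $yaml_output | sed -e "0,/\# Source: ${section//\//\\/}/d" | tail -n+2 | sed -e '/---/,$d' > $section_output
+
+line=`cat $error_output | grep line | head -n1 | perl -nle 'm/line (\d+)/; print $1'`
+
+if [ -n "$line" ]; then
+echo "autocmd VimEnter * echo '`cat $error_output | grep line | head -n1`'" > $vimrc
+vim +$line -u $vimrc $section_output
+else
+echo
+echo "Template error: "
+echo
+echo ---
+cat $section_output
+cat $error_output
+fi
+else
+echo
+echo "Template error: "
+echo
+echo ---
+cat $yaml_output
+cat $error_output
+fi
+else
+cat $yaml_output
+
+echo
+echo "Syntax ok"
+fi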
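Review bot: The four scratch files (`yaml_output=` through `vimrc=`) are fixed, predictable names directly under `/tmp`, and the script first `rm`s and then rewrites them, so on a shared host they are exposed to the usual pre-creation/symlink race by other local users and the rendered chart (which can carry secret values) lands in a world-readable location. Creating a private directory with `mktemp -d` and deleting it from an EXIT trap removes both problems and makes the leading `rm` unnecessary; the trap fires only after `vim` returns, so the section file stays available while it is open. Replacing backticks and `cat file | grep` with `$(...)` and `grep ... "$file"` would be a further, purely cosmetic cleanup.
```shell
#!/bin/bash

# Outputs the generated helm configurations after templating.

workdir=$(mktemp -d "${TMPDIR:-/tmp}/op-hc.XXXXXX") || exit 1
trap 'rm -rf "$workdir"' EXIT

yaml_output="$workdir/yaml-output.txt"
error_output="$workdir/error-output.txt"
section_output="$workdir/section-output.yml"
vimrc="$workdir/vim-rc"

helm template --debug "$@" . 1> "$yaml_output" 2> "$error_output"
# … unchanged: error-section extraction, vim hand-off and output …
```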
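--- /dev/null
+++ b/charts/openproject/bin/install-dev
@@ -0,0 +1,6 @@
+# !/bin/bash
+
+# Install OpenProject in development mode, that is without https and allowing writes
+# to the container file system.
+
+helm upgrade --create-namespace --namespace openproject --install openproject --set develop=true .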
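Review bot: The first line `# !/bin/bash` is an ordinary comment, not a shebang — the space after `#` breaks the `#!` magic, so `./install-dev` is executed by whatever fallback shell the caller's exec path picks (typically `/bin/sh`) rather than bash. Change it to `#!/bin/bash`, matching `bin/debug` in this same commit, and make sure the file is committed with the executable bit. The single `helm upgrade` line works under either shell, so the defect is latent for now but will bite as soon as bash-specific syntax is added.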
40 changes: 40 additions & 0 deletions charts/openproject/templates/_helpers.tpl
@@ -0,0 +1,40 @@
{{/*
Returns the OpenProject image to be used including the respective registry and image tag.
*/}}
{{- define "openproject.image" -}}
{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}
{{- end -}}

{{/*
Yields the configured container security context if enabled.
Allows writing to the container file system in development mode
This way the OpenProject container works without mounted tmp volumes
which may not work correctly in local development clusters.
*/}}
{{- define "openproject.containerSecurityContext" }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext:
{{-
mergeOverwrite
(omit .Values.containerSecurityContext "enabled" | deepCopy)
(dict "readOnlyRootFilesystem" (not .Values.develop))
| toYaml
| nindent 2
}}
{{- end }}
{{- end }}

{{/* Yields the configured pod security context if enabled. */}}
{{- define "openproject.podSecurityContext" }}
{{- if .Values.podSecurityContext.enabled }}
securityContext:
{{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 2 | trim }}
{{- end }}
{{- end }}

{{- define "openproject.useTmpVolumes" -}}
{{- if not .Values.develop -}}
{{- true -}}
{{- end -}}
{{- end -}}
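Review bot: `openproject.containerSecurityContext` emits `readOnlyRootFilesystem` only inside `{{- if .Values.containerSecurityContext.enabled }}`, and when it does, `mergeOverwrite` silently replaces any `readOnlyRootFilesystem` an operator set under `containerSecurityContext` in values, so the commit's "read-only unless develop" rule is both skippable by disabling the context and invisible to someone reading values.yaml. The define's comment should state this, e.g. `readOnlyRootFilesystem is always forced to (not .Values.develop); a value set under containerSecurityContext is ignored, and nothing is emitted when the context is disabled.` `openproject.useTmpVolumes` is the only define here without a comment; one line such as `Yields the non-empty string "true" unless develop mode is on, so callers test it with if (include ...)` would explain the otherwise odd shape. Whether disabling the context is a supported configuration presumably depends on the values defaults, which are not in this hunk.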
2 changes: 1 addition & 1 deletion charts/openproject/templates/secrets.yaml
@@ -19,7 +19,7 @@ stringData:
OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: {{ .Values.openproject.admin_user.password_reset | quote }}
OPENPROJECT_SEED_ADMIN_USER_NAME: {{ .Values.openproject.admin_user.name | quote }}
OPENPROJECT_SEED_ADMIN_USER_MAIL: {{ .Values.openproject.admin_user.mail | quote }}
OPENPROJECT_HTTPS: {{ .Values.openproject.https | quote }}
OPENPROJECT_HTTPS: {{ (.Values.develop | ternary "false" .Values.openproject.https) | quote }}
OPENPROJECT_SEED_LOCALE: {{ .Values.openproject.seed_locale | quote }}
OPENPROJECT_HOST__NAME: {{ .Values.openproject.host | default .Values.ingress.host | quote }}
OPENPROJECT_HSTS: {{ .Values.openproject.hsts | quote }}
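Review bot: `OPENPROJECT_HTTPS` is now forced to "false" in develop mode, but `OPENPROJECT_HSTS` two lines below is still rendered straight from `.Values.openproject.hsts`, so a plain-http develop deployment presumably still gets an HSTS setting that only makes sense over TLS. Either apply the same guard, `OPENPROJECT_HSTS: {{ (.Values.develop | ternary "false" .Values.openproject.hsts) | quote }}`, or add a comment above the HTTPS line such as `# develop mode serves plain http regardless of openproject.https; see values.yaml` so the override is visible where it takes effect. Note the `ternary` mixes the string "false" with whatever type `openproject.https` has; `quote` normalises both, which is fine here but worth a word in that comment.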
19 changes: 7 additions & 12 deletions charts/openproject/templates/seeder-job.yaml
@@ -19,15 +19,13 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.podSecurityContext.enabled }}
securityContext:
{{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 | trim }}
{{- end }}
{{- include "openproject.podSecurityContext" . | indent 6 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 | trim }}
{{- end }}
volumes:
{{- if (include "openproject.useTmpVolumes" .) }}
- name: tmp
# we can't use emptyDir due to the sticky bit issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -38,6 +36,7 @@ spec:
resources:
requests:
storage: 1Gi
{{- end }}
{{- if .Values.persistence.enabled }}
- name: "data"
persistentVolumeClaim:
@@ -57,10 +56,7 @@ spec:
name: {{ include "common.names.fullname" . }}
resources:
{{- toYaml .Values.initdb.resources | nindent 12 }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext:
{{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- include "openproject.containerSecurityContext" . | indent 10 }}
containers:
- name: seeder
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
@@ -72,14 +68,13 @@ spec:
- secretRef:
name: {{ include "common.names.fullname" . }}
volumeMounts:
{{- if (include "openproject.useTmpVolumes" .) }}
- mountPath: /tmp
name: tmp
{{- end }}
{{- if .Values.persistence.enabled }}
- name: "data"
mountPath: "/var/openproject/assets"
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext:
{{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- include "openproject.containerSecurityContext" . | indent 10 }}
restartPolicy: OnFailure
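Review bot: With `readOnlyRootFilesystem` now forced on outside develop mode, the seeder container gets a writable path only at `/tmp` (`- mountPath: /tmp` / `name: tmp` in the last hunk), whereas web-deployment in this same commit also mounts an `app-tmp` volume at `/app/tmp`; the worker-deployment `volumeMounts` hunk has the same gap. If the seeder or worker processes write under `/app/tmp` — I cannot tell from these files — they will now fail with a read-only filesystem error on every non-develop cluster, while local develop installs keep working and hide the regression. Either add the matching `- mountPath: /app/tmp` / `name: app-tmp` mount and volume to both, or add a comment next to each `/tmp` mount stating that those processes write only under `/tmp`. The seeder container definition continues past the end of this hunk.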
33 changes: 18 additions & 15 deletions charts/openproject/templates/web-deployment.yaml
@@ -46,12 +46,10 @@ spec:
nodeSelector:
{{ toYaml . | nindent 8 | trim }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext:
{{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 | trim }}
{{- end }}
{{- include "openproject.podSecurityContext" . | indent 6 }}
serviceAccountName: {{ include "common.names.fullname" . }}
volumes:
{{- if (include "openproject.useTmpVolumes" .) }}
- name: tmp
# we can't use emptyDir due to the sticky bit issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -63,7 +61,16 @@ spec:
requests:
storage: 1Gi
- name: app-tmp
emptyDir: {}
# we can't use emptyDir due to the sticky bit / world writable issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
ephemeral:
volumeClaimTemplate:
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
{{- end }}
{{- if .Values.egress.tls.rootCA.fileName }}
- name: ca-pemstore
configMap:
@@ -76,11 +83,8 @@ spec:
{{- end }}
initContainers:
- name: wait-for-db
{{- if .Values.containerSecurityContext.enabled }}
securityContext:
{{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
{{- include "openproject.containerSecurityContext" . | indent 10 }}
image: {{ include "openproject.image" . }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
envFrom:
- secretRef:
@@ -90,11 +94,8 @@ spec:
- /app/docker/prod/wait-for-db
containers:
- name: "openproject"
{{- if .Values.containerSecurityContext.enabled }}
securityContext:
{{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
{{- include "openproject.containerSecurityContext" . | indent 10 }}
image: {{ include "openproject.image" . }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
envFrom:
- secretRef:
@@ -105,10 +106,12 @@ spec:
value: "/etc/ssl/certs/custom-ca.pem"
{{- end }}
volumeMounts:
{{- if (include "openproject.useTmpVolumes" .) }}
- mountPath: /tmp
name: tmp
- mountPath: /app/tmp
name: app-tmp
{{- end }}
{{- if .Values.persistence.enabled }}
- name: "data"
mountPath: "/var/openproject/assets"
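Review bot: `app-tmp` changes from `emptyDir: {}` to a generic ephemeral volume with a hard-coded `storage: 1Gi` and no `storageClassName`, so every web pod now depends on dynamic provisioning from a default StorageClass; on a cluster without one the pod stays Pending, a failure mode `emptyDir` did not have, and the size can no longer be tuned without editing the template. Consider exposing size and storage class through values (the chart's existing `persistence` block looks like the natural home) and documenting the requirement in the comment above the volume, e.g. `# needs a default StorageClass or an explicit storageClassName; 1Gi is claimed per replica`. Separately, the two `image:` lines now render an unquoted plain scalar where the previous inline form was quoted; `image: {{ include "openproject.image" . | quote }}` keeps the earlier protection against YAML-special characters in operator-supplied registry or tag values.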
23 changes: 9 additions & 14 deletions charts/openproject/templates/worker-deployment.yaml
@@ -46,12 +46,10 @@ spec:
nodeSelector:
{{ toYaml . | nindent 8 | trim }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext:
{{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 | trim }}
{{- end }}
{{- include "openproject.podSecurityContext" . | indent 6 }}
serviceAccountName: {{ include "common.names.fullname" . }}
volumes:
{{- if (include "openproject.useTmpVolumes" .) }}
- name: tmp
# we can't use emptyDir due to the sticky bit issue
# see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -65,6 +63,7 @@ spec:
# or backups
# @todo put this into a separate PVC per replica
storage: 5Gi
{{- end }}
{{- if .Values.egress.tls.rootCA.fileName }}
- name: ca-pemstore
configMap:
@@ -77,11 +76,8 @@ spec:
{{- end }}
initContainers:
- name: wait-for-db
{{- if .Values.containerSecurityContext.enabled }}
securityContext:
{{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
{{- include "openproject.containerSecurityContext" . | indent 10 }}
image: {{ include "openproject.image" . }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
envFrom:
- secretRef:
@@ -91,11 +87,8 @@ spec:
- /app/docker/prod/wait-for-db
containers:
- name: "openproject"
{{- if .Values.containerSecurityContext.enabled }}
securityContext:
{{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
{{- include "openproject.containerSecurityContext" . | indent 10 }}
image: {{ include "openproject.image" . }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
envFrom:
- secretRef:
@@ -109,8 +102,10 @@ spec:
- bash
- /app/docker/prod/worker
volumeMounts:
{{- if (include "openproject.useTmpVolumes" .) }}
- mountPath: /tmp
name: tmp
{{- end }}
{{- if .Values.persistence.enabled }}
- name: "data"
mountPath: "/var/openproject/assets"
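--- a/charts/openproject/values.yaml
+++ b/charts/openproject/values.yaml
@@ -2,6 +2,15 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+## Enable development mode.
+##
+## Set this to true if you want are working on the charts locally using
+## local clusters such as minikube or kind.
+##
+## This will set `OPENPROJECT_HTTPS` to `false` and avoid using volumes for
+## tmp folders as (permissions for) these don't work correctly in local clusters.
+develop: false
+
 global:
 ## Credentials to fetch images from private registry.
 ##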
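Review bot: The new `develop` comment describes what the switch does but not that it is unsafe for anything beyond a local cluster, and `Set this to true if you want are working on the charts locally` has a grammar slip. Suggested wording: `## Enable development mode. Only for local clusters (minikube, kind): it disables HTTPS, makes the container root filesystem writable and skips the tmp volumes, so never enable it for a reachable deployment.` It is also worth stating here that `develop: true` overrides `openproject.https` whatever that key is set to, since values.yaml is where operators will look for that interaction rather than in templates/secrets.yaml.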
