diff --git a/bundle/manifests/konveyor-operator.clusterserviceversion.yaml b/bundle/manifests/konveyor-operator.clusterserviceversion.yaml
index 57c12c8..d603ba1 100644
--- a/bundle/manifests/konveyor-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/konveyor-operator.clusterserviceversion.yaml
@@ -103,7 +103,7 @@ metadata:
 categories: Modernization & Migration
 certified: "false"
 containerImage: quay.io/konveyor/tackle2-operator:latest
- createdAt: "2024-10-09T15:56:59Z"
+ createdAt: "2024-11-07T18:19:51Z"
 description: Konveyor is an open-source application modernization platform that helps organizations safely and predictably modernize applications to Kubernetes at scale.
@@ -331,6 +331,14 @@ spec:
 - '*'
 verbs:
 - '*'
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - anyuid
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 serviceAccountName: tackle-hub
 - rules:
 - apiGroups:
diff --git a/helm/templates/rbac/hub_role.yaml b/helm/templates/rbac/hub_role.yaml
index 352b5b6..c8624e6 100644
--- a/helm/templates/rbac/hub_role.yaml
+++ b/helm/templates/rbac/hub_role.yaml
@@ -12,3 +12,11 @@ rules:
 - '*'
 verbs:
 - '*'
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - anyuid
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
diff --git a/roles/tackle/tasks/main.yml b/roles/tackle/tasks/main.yml
index 6ec6878..8ae1837 100644
--- a/roles/tackle/tasks/main.yml
+++ b/roles/tackle/tasks/main.yml
@@ -3,6 +3,15 @@
 set_fact:
 api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}"
+- name: Gather Facts
+ ansible.builtin.gather_facts:
+ gather_subset:
+ - user_uid
+
+- name: "Retrieve UID"
+ set_fact:
+ hub_task_uid: "{{ ansible_facts['user_uid'] }}"
+
 - name: "Transfer rwx_storage_class setting if hub_bucket_storage_class is not defined"
 set_fact:
 hub_bucket_storage_class: "{{ rwx_storage_class }}"
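Review bot: Granting `use` on the `anyuid` SCC to the tackle-hub service account (the same rule is added in helm/templates/rbac/hub_role.yaml) lets every pod that runs under that account run as any UID, including 0, which is broader than the single root init container this commit needs it for. The only consumer visible in the patch is the `update-perms` init container in deployment-hub.yml.j2 with `runAsUser: 0`; if volume ownership were set through a pod-level `fsGroup` instead (where the storage driver honours it), this SCC rule could be dropped altogether. If it has to stay, a comment on the rule naming that consumer would help future audits, e.g. `# Needed only by the update-perms init container (runAsUser: 0) in deployment-hub.yml.j2`.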
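Review bot: `hub_task_uid` is taken from `ansible_facts['user_uid']`, i.e. the UID of the operator's own process, and nothing checks that it is non-zero before it becomes the hub container's `runAsUser` and the chown target in deployment-hub.yml.j2; if the operator is ever run as root, the hub silently runs as root as well. An assertion right after "Retrieve UID" makes the intent explicit: `- name: "Refuse to run Hub as root"`, `ansible.builtin.assert:`, `that: hub_task_uid|int != 0`. A one-line comment that the value is the operator pod's UID, assigned by the cluster rather than configured here, would also help readers of the later cache-PVC migration, which keys off a label rather than the UID.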
@@ -562,6 +571,37 @@
 definition: "{{ lookup('template', 'route-ui.yml.j2') }}"
 when: openshift_cluster|bool
+- name: "Check if Cache PersistentVolumeClaim exists"
+ kubernetes.core.k8s_info:
+ api_version: v1
+ kind: PersistentVolumeClaim
+ namespace: "{{ app_namespace }}"
+ name: "{{ cache_data_volume_claim_name }}"
+ register: cache_pvc
+
+- name: "Delete cache PVC if non-root label is missing so it can be recreated"
+ when: cache_pvc.resources|length > 0 and cache_pvc.resources[0].metadata.labels['non-root'] is not defined
+ block:
+ - name: Scale down Hub
+ k8s:
+ state: present
+ definition: "{{ lookup('template', 'deployment-hub.yml.j2') }}"
+ merge_type: merge
+ vars:
+ hub_deployment_replicas: 0
+
+ - name: Delete cache PVC
+ k8s:
+ state: absent
+ definition: "{{ lookup('template', 'persistentvolumeclaim-cache.yml.j2') }}"
+ wait: true
+
+ - name: Scale up Hub
+ k8s:
+ state: present
+ definition: "{{ lookup('template', 'deployment-hub.yml.j2') }}"
+ merge_type: merge
+
 - name: "Setup Cache PersistentVolumeClaim"
 k8s:
 state: present
diff --git a/roles/tackle/templates/deployment-hub.yml.j2 b/roles/tackle/templates/deployment-hub.yml.j2
index fdcc871..e34d4ad 100644
--- a/roles/tackle/templates/deployment-hub.yml.j2
+++ b/roles/tackle/templates/deployment-hub.yml.j2
@@ -204,6 +204,8 @@ spec:
 requests:
 cpu: {{ hub_container_requests_cpu }}
 memory: {{ hub_container_requests_memory }}
+ securityContext:
+ runAsUser: {{ hub_task_uid }}
 # TODO: Add liveness and readiness probes
 volumeMounts:
 - name: {{ hub_database_volume_name }}
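Review bot: The "Delete cache PVC if non-root label is missing" block has no `rescue`/`always`, so if "Delete cache PVC" fails the Hub is left at zero replicas; moving "Scale up Hub" under an `always:` section restores the deployment whether or not the deletion succeeded. A failure there is plausible: "Scale down Hub" does not wait for the old hub pod to terminate, and on clusters with the default PVC protection finalizer the claim is only removed once no pod mounts it, so the `wait: true` deletion can time out while the pod is still going away. A comment on the block stating that the cache contents are intentionally discarded (they are rebuilt by the "Setup Cache PersistentVolumeClaim" task that follows) would document the intent.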
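Review bot: The new container-level `securityContext` sets `runAsUser` only; adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` beneath it makes the kubelet refuse to start the hub if `hub_task_uid` ever resolves to 0, which is exactly the case this commit is trying to rule out, and brings the container in line with the restricted pod-security profile. Leaving `{{ hub_task_uid }}` unquoted is correct here since `runAsUser` must be an integer. The enclosing container spec starts outside the hunk.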
@@ -218,6 +220,23 @@ spec:
 - name: {{ hub_tls_secret_name }}
 mountPath: /var/run/secrets/{{ hub_tls_secret_name }}/tls.crt
 {% endif %}
+ initContainers:
+ - command:
+ - chown
+ - -R
+ - {{ hub_task_uid }}:root
+ - /buckets
+ - /database
+ image: "{{ hub_image_fqin }}"
+ imagePullPolicy: "{{ image_pull_policy }}"
+ name: update-perms
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /database
+ name: mta-hub-database
+ - mountPath: /buckets
+ name: mta-hub-bucket
 volumes:
 {% if rwx_supported|bool %}
 - name: {{ cache_data_volume_name }}
diff --git a/roles/tackle/templates/persistentvolumeclaim-cache.yml.j2 b/roles/tackle/templates/persistentvolumeclaim-cache.yml.j2
index 6095576..40f63e3 100644
--- a/roles/tackle/templates/persistentvolumeclaim-cache.yml.j2
+++ b/roles/tackle/templates/persistentvolumeclaim-cache.yml.j2
@@ -8,6 +8,7 @@ metadata:
 app.kubernetes.io/name: {{ cache_name }}
 app.kubernetes.io/part-of: {{ app_name }}
 volume: {{ cache_data_volume_name }}
+ non-root: "true"
 spec:
 accessModes:
 - "{{ cache_data_volume_claim_mode }}"
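Review bot: The init container's volumeMounts name the volumes literally (`mta-hub-database`, `mta-hub-bucket`) while the hub container just above this hunk mounts `{{ hub_database_volume_name }}`; if those variables are ever overridden the init container references volumes that do not exist and the pod spec is rejected at creation. Use the same templated names, `name: {{ hub_database_volume_name }}` for /database and the corresponding bucket-volume variable (not visible in this hunk) for /buckets. Separately, `update-perms` runs as UID 0 with the full default capability set only to run `chown -R`; adding `capabilities: drop: ["ALL"]` and adding back only `CHOWN` (plus `DAC_OVERRIDE`/`FOWNER` if the existing tree is not root-owned — verify against an upgraded volume) keeps the root init container to the minimum it needs, and a pod-level `fsGroup` would avoid it entirely where the storage driver honours it. Note also that the recursive chown runs on every pod start, so on a large bucket volume it can noticeably delay startup.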
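Review bot: The new `non-root: "true"` label is the only marker the "Delete cache PVC if non-root label is missing" task in roles/tackle/tasks/main.yml checks, but nothing in the template says so; a Jinja comment above it would keep the two in sync, e.g. `{# Marker checked by the cache-PVC migration in tasks/main.yml; a claim without it is deleted and recreated #}`. Unprefixed label keys are conventionally reserved for end users, so a project-prefixed key (constructed example: `konveyor.io/non-root`) would avoid collisions with user tooling; changing it means changing the check in main.yml as well.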