Fix rootless image usage with enhanced security-context (#160)

I've noticed that the commented `securityContext` is not really useable with the rootless image due to different directory structure compared to the default image. Important for the `readOnlyRootFilesystem` is to declare the `TMPDIR` environment variable, so that the tmp directory (which is readonly in this case) won't be used. Instead, another writeable directory can be used. Another thing is the explicit hint that all these security options cannot be used with the default (root-based) image, because of its design. ~~Although this PR would fix the referenced issue, I am not totally happy with the current implementation. It would be more straight forward to use the same mount points for both image variants. Unfortunately, this is not possible right now due to hard coded paths in the default (root) image startup scripts.~~ ~~Anyone have suggestions on how this could be more simple?~~ ------- **Sum-up:** As mentioned in Discord, this PR tried to make too many changes. The necessary changes made in 1f331a7e6577fc798196a84a957330aca0d663cd will fix an error that occurs due to restricted access to the `/tmp` directory in a rootless image with all the `securityContext` options enabled. I also updated the default image to 1.14.2. Fixes: #158 Co-authored-by: JustusBunsi <sk.bunsenbrenner@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/160 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io> Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-07 21:27:25 +08:00 · 2021-06-07 21:27:25 +08:00 · 5ab596937a
commit 5ab596937a
parent 5b5ea7173a
2 changed files with 5 additions and 2 deletions
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@ -80,6 +80,8 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
+            - name: TMPDIR
+              value: /tmp/gitea
            {{- if .Values.statefulset.env }}
            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
@ -137,7 +139,7 @@ spec:
            {{- toYaml .Values.securityContext | nindent 12 }}
          volumeMounts:
            - name: temp
-              mountPath: /tmp/gitea
+              mountPath: /tmp
            - name: data
              mountPath: /data
            {{- if .Values.extraVolumeMounts }}
--- a/values.yaml
+++ b/values.yaml
@ -8,12 +8,13 @@ clusterDomain: cluster.local

 image:
  repository: gitea/gitea
-  tag: 1.14.1
+  tag: 1.14.2
  pullPolicy: Always
  rootless: false # only possible when running 1.14 or later

 imagePullSecrets: []

+# only usable with rootless image due to image design
 securityContext: {}
 #  allowPrivilegeEscalation: false
 #  capabilities: