djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #835 from mattmoyer/fix-readonly-fields

Browse Source 
Fix broken "read only" fields added in v0.11.0.
This commit is contained in:
Matt Moyer 2021-09-02 15:23:26 -07:00 committed by GitHub
commit 6b7a230ca5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
deploy/concierge/deployment.yaml
View File

@ -116,7 +116,6 @@ spec:
scheduler.alpha.kubernetes.io/critical-pod: "" scheduler.alpha.kubernetes.io/critical-pod: ""
spec: spec:
securityContext: securityContext:
readOnlyRootFilesystem: true
runAsUser: #@ data.values.run_as_user runAsUser: #@ data.values.run_as_user
runAsGroup: #@ data.values.run_as_group runAsGroup: #@ data.values.run_as_group
serviceAccountName: #@ defaultResourceName() serviceAccountName: #@ defaultResourceName()
@ -132,6 +131,8 @@ spec:
image: #@ data.values.image_repo + ":" + data.values.image_tag image: #@ data.values.image_repo + ":" + data.values.image_tag
#@ end #@ end
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
resources: resources:
requests: requests:
cpu: "100m" cpu: "100m"
@ -148,10 +149,13 @@ spec:
mountPath: /tmp mountPath: /tmp
- name: config-volume - name: config-volume
mountPath: /etc/config mountPath: /etc/config
readOnly: true
- name: podinfo - name: podinfo
mountPath: /etc/podinfo mountPath: /etc/podinfo
readOnly: true
- name: impersonation-proxy - name: impersonation-proxy
mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
readOnly: true
env: env:
#@ if data.values.https_proxy: #@ if data.values.https_proxy:
- name: HTTPS_PROXY - name: HTTPS_PROXY
@ -185,7 +189,6 @@ spec:
medium: Memory medium: Memory
sizeLimit: 100Mi sizeLimit: 100Mi
- name: config-volume - name: config-volume
readOnly: true
configMap: configMap:
name: #@ defaultResourceNameWithSuffix("config") name: #@ defaultResourceNameWithSuffix("config")
- name: impersonation-proxy - name: impersonation-proxy
@ -195,7 +198,6 @@ spec:
- key: token - key: token
path: token path: token
- name: podinfo - name: podinfo
readOnly: true
downwardAPI: downwardAPI:
items: items:
- path: "labels" - path: "labels"

7
deploy/supervisor/deployment.yaml
View File

@ -65,7 +65,6 @@ spec:
labels: #@ defaultLabel() labels: #@ defaultLabel()
spec: spec:
securityContext: securityContext:
readOnlyRootFilesystem: true
runAsUser: #@ data.values.run_as_user runAsUser: #@ data.values.run_as_user
runAsGroup: #@ data.values.run_as_group runAsGroup: #@ data.values.run_as_group
serviceAccountName: #@ defaultResourceName() serviceAccountName: #@ defaultResourceName()
@ -85,6 +84,8 @@ spec:
- pinniped-supervisor - pinniped-supervisor
- /etc/podinfo - /etc/podinfo
- /etc/config/pinniped.yaml - /etc/config/pinniped.yaml
securityContext:
readOnlyRootFilesystem: true
resources: resources:
requests: requests:
cpu: "100m" cpu: "100m"
@ -95,8 +96,10 @@ spec:
volumeMounts: volumeMounts:
- name: config-volume - name: config-volume
mountPath: /etc/config mountPath: /etc/config
readOnly: true
- name: podinfo - name: podinfo
mountPath: /etc/podinfo mountPath: /etc/podinfo
readOnly: true
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -131,11 +134,9 @@ spec:
failureThreshold: 3 failureThreshold: 3
volumes: volumes:
- name: config-volume - name: config-volume
readOnly: true
configMap: configMap:
name: #@ defaultResourceNameWithSuffix("static-config") name: #@ defaultResourceNameWithSuffix("static-config")
- name: podinfo - name: podinfo
readOnly: true
downwardAPI: downwardAPI:
items: items:
- path: "labels" - path: "labels"

6
hack/prepare-for-integration-tests.sh
View File

@ -219,8 +219,8 @@ ytt --file . \
--data-value "image_repo=$registry_repo" \ --data-value "image_repo=$registry_repo" \
--data-value "image_tag=$tag" >"$manifest" --data-value "image_tag=$tag" >"$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest" kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null popd >/dev/null
@ -238,8 +238,8 @@ ytt --file . \
--data-value "pinny_bcrypt_passwd_hash=$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")" \ --data-value "pinny_bcrypt_passwd_hash=$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")" \
>"$manifest" >"$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
kapp deploy --yes --app tools --diff-changes --file "$manifest" kapp deploy --yes --app tools --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null popd >/dev/null
@ -281,6 +281,7 @@ ytt --file . \
>"$manifest" >"$manifest"
kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest" kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null popd >/dev/null
@ -308,6 +309,7 @@ ytt --file . \
--data-value "discovery_url=$discovery_url" >"$manifest" --data-value "discovery_url=$discovery_url" >"$manifest"
kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest" kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null popd >/dev/null