Fix broken "read only" fields added in v0.11.0.

These fields were changed as a minor hardening attempt when we switched to Distroless, but I bungled the field names and we never noticed because Kapp doesn't apply API validations. This change fixes the field names so they act as was originally intended. We should also follow up with a change that validates all of our installation manifest in CI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-09-02 16:08:00 -05:00 · 2021-09-02 16:08:00 -05:00 · f0a1555aca
commit f0a1555aca
parent b3b3c2303f
2 changed files with 9 additions and 6 deletions
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@ -116,7 +116,6 @@ spec:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      securityContext:
        readOnlyRootFilesystem: true
        runAsUser: #@ data.values.run_as_user
        runAsGroup: #@ data.values.run_as_group
      serviceAccountName: #@ defaultResourceName()
@ -132,6 +131,8 @@ spec:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
          resources:
            requests:
              cpu: "100m"
@ -148,10 +149,13 @@ spec:
              mountPath: /tmp
            - name: config-volume
              mountPath: /etc/config
              readOnly: true
            - name: podinfo
              mountPath: /etc/podinfo
              readOnly: true
            - name: impersonation-proxy
              mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
              readOnly: true
          env:
            #@ if data.values.https_proxy:
            - name: HTTPS_PROXY
@ -185,7 +189,6 @@ spec:
            medium: Memory
            sizeLimit: 100Mi
        - name: config-volume
          readOnly: true
          configMap:
            name: #@ defaultResourceNameWithSuffix("config")
        - name: impersonation-proxy
@ -195,7 +198,6 @@ spec:
              - key: token
                path: token
        - name: podinfo
          readOnly: true
          downwardAPI:
            items:
              - path: "labels"
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@ -65,7 +65,6 @@ spec:
      labels: #@ defaultLabel()
    spec:
      securityContext:
        readOnlyRootFilesystem: true
        runAsUser: #@ data.values.run_as_user
        runAsGroup: #@ data.values.run_as_group
      serviceAccountName: #@ defaultResourceName()
@ -85,6 +84,8 @@ spec:
            - pinniped-supervisor
            - /etc/podinfo
            - /etc/config/pinniped.yaml
          securityContext:
            readOnlyRootFilesystem: true
          resources:
            requests:
              cpu: "100m"
@ -95,8 +96,10 @@ spec:
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
              readOnly: true
            - name: podinfo
              mountPath: /etc/podinfo
              readOnly: true
          ports:
            - containerPort: 8080
              protocol: TCP
@ -131,11 +134,9 @@ spec:
            failureThreshold: 3
      volumes:
        - name: config-volume
          readOnly: true
          configMap:
            name: #@ defaultResourceNameWithSuffix("static-config")
        - name: podinfo
          readOnly: true
          downwardAPI:
            items:
              - path: "labels"