IODEV-1762: Поправил securityContext для license #387

Bolodya1997 · 2024-01-17T08:59:32Z

Описание

В 2.2.1 мы поменяли дефолтного пользователя в контейнере сервиса лицензирования с root на 1234. Для работы с TPM нужен root пользователь, поэтому теперь для license.type: 2 обязательно должен проставляться securityContext с root пользователем.

Соответственно немного поменял чарты:

убрал из values tpm.securityContext - тут больше не нужна вариативность,
переделал блок securityContext в STS, чтобы для license.type: 2 выбирался root пользователь:

securityContext:
  runAsUser: 0
  runAsGroup: 0

для прямого монтирования TPM (не через девайс плагин) дополнительно выставляется privileged флаг:

securityContext:
  runAsUser: 0
  runAsGroup: 0
  privileged: true

Как тестировать

Можно тестировать с образом 2.2.1.

endryhold · 2024-01-17T13:46:41Z

Задача на проверку
https://jira.2gis.ru/browse/ONPREM-657

charts/license/templates/statefulset.yaml

* Twins importer (#360) * Twins importer * Twins importer add dgctlStorage settings * Twins importer fix chart * fix chart * small fix * add logs * [keys-api] up keys-backend. Support truck, map-matching api keys (#386) * Update citylens to 1.4.0 (#388) * Update citylens to 1.4.0 * bump to 1.4.1 * Feature: add codeowners file (#383) * [license] Reworked securityContext for license type 2 (#387) * [PRO-4361] Обновление pro-api до версии 1.1.79 (#382) * [PRO-4361] Обновление pro-api до версии 1.1.74 * PRO-4361: update to 1.1.77 * PRO-4371: update to 1.1.78 * PRO-4361: update to 1.1.79 * PRO-4176: add auth scopes (#365) * PRO-4176: add auth scopes * PRO-4176: update pro-ui version * PRO-4176: update app version * PRO-4176: update to 1.7.5 * navi-castle: bugfix (#393) - scheduled tasks without PV - configuration parameters mistaken * navi-restrictions-api 1.0.1 release (#392) * navi-restrictions-api 1.0.1 release * readme upd * [DEVOPS-982] navi-front: update default locations (#389) * [DEVOPS-982] navi-front: Add pedestrian location (#396) * [platform] Upgrade version (#381) * PRO-3766: update platform to 0.8.1 * Fix Breaking-Changes (#401) * generic-chart added (#398) * PRO-3609: upgrade pro ui to 1.9.0 (#399) * navi-back: upstream update 7.15.2.4 (#402) * [PRO-4517] обновил хелм-чарт pro-api в onprem до версии 1.5.0 (#394) * PRO-0: upgrade PRO API to 1.5.1 (#404) * Feature: add PR template (#410) * PRO-4774: upgraded PRO API to 1.6.0 (#407) * [PRO-4635] pro-ui, версия 2.1.1 (#405) * Citylens 1.6.0 (#406) * Update citylens to 1.5.0 * Bump appversion * Fix citylens-api configmap * Fix license server url template * Fix review notes * Update headerLinks * Add camcom to headerLinks * Fix page name in configmap * Bump to 1.5.1 * Bump to 1.6.0 * Update breaking changes & bump app version in chart * [navi-router] rename router.keyManagementServices to keys (#409) * [navi-router] Remove trailing dots in param descriptions * [navi-router] Rename router.keyManagementService -> keys * [navi-router] Rename router.castleHost -> router.castleUrl * release-1.20.0 * add breacking-changes to template

* Twins importer (#360) * Twins importer * Twins importer add dgctlStorage settings * Twins importer fix chart * fix chart * small fix * add logs * [keys-api] up keys-backend. Support truck, map-matching api keys (#386) * Update citylens to 1.4.0 (#388) * Update citylens to 1.4.0 * bump to 1.4.1 * Feature: add codeowners file (#383) * [license] Reworked securityContext for license type 2 (#387) * [PRO-4361] Обновление pro-api до версии 1.1.79 (#382) * [PRO-4361] Обновление pro-api до версии 1.1.74 * PRO-4361: update to 1.1.77 * PRO-4371: update to 1.1.78 * PRO-4361: update to 1.1.79 * PRO-4176: add auth scopes (#365) * PRO-4176: add auth scopes * PRO-4176: update pro-ui version * PRO-4176: update app version * PRO-4176: update to 1.7.5 * navi-castle: bugfix (#393) - scheduled tasks without PV - configuration parameters mistaken * navi-restrictions-api 1.0.1 release (#392) * navi-restrictions-api 1.0.1 release * readme upd * [DEVOPS-982] navi-front: update default locations (#389) * [DEVOPS-982] navi-front: Add pedestrian location (#396) * [platform] Upgrade version (#381) * PRO-3766: update platform to 0.8.1 * Fix Breaking-Changes (#401) * generic-chart added (#398) * PRO-3609: upgrade pro ui to 1.9.0 (#399) * navi-back: upstream update 7.15.2.4 (#402) * [PRO-4517] обновил хелм-чарт pro-api в onprem до версии 1.5.0 (#394) * PRO-0: upgrade PRO API to 1.5.1 (#404) * Feature: add PR template (#410) * PRO-4774: upgraded PRO API to 1.6.0 (#407) * [PRO-4635] pro-ui, версия 2.1.1 (#405) * Citylens 1.6.0 (#406) * Update citylens to 1.5.0 * Bump appversion * Fix citylens-api configmap * Fix license server url template * Fix review notes * Update headerLinks * Add camcom to headerLinks * Fix page name in configmap * Bump to 1.5.1 * Bump to 1.6.0 * Update breaking changes & bump app version in chart * [navi-router] rename router.keyManagementServices to keys (#409) * [navi-router] Remove trailing dots in param descriptions * [navi-router] Rename router.keyManagementService -> keys * [navi-router] Rename router.castleHost -> router.castleUrl * WAPI-23469 Add configuration for audit logging (#414) * WAPI-23469 Add configuration for audit logging * fixes * upd version tag * release-1.20.2

* Twins importer (#360) * Twins importer * Twins importer add dgctlStorage settings * Twins importer fix chart * fix chart * small fix * add logs * [keys-api] up keys-backend. Support truck, map-matching api keys (#386) * Update citylens to 1.4.0 (#388) * Update citylens to 1.4.0 * bump to 1.4.1 * Feature: add codeowners file (#383) * [license] Reworked securityContext for license type 2 (#387) * [PRO-4361] Обновление pro-api до версии 1.1.79 (#382) * [PRO-4361] Обновление pro-api до версии 1.1.74 * PRO-4361: update to 1.1.77 * PRO-4371: update to 1.1.78 * PRO-4361: update to 1.1.79 * PRO-4176: add auth scopes (#365) * PRO-4176: add auth scopes * PRO-4176: update pro-ui version * PRO-4176: update app version * PRO-4176: update to 1.7.5 * navi-castle: bugfix (#393) - scheduled tasks without PV - configuration parameters mistaken * navi-restrictions-api 1.0.1 release (#392) * navi-restrictions-api 1.0.1 release * readme upd * [DEVOPS-982] navi-front: update default locations (#389) * [DEVOPS-982] navi-front: Add pedestrian location (#396) * [platform] Upgrade version (#381) * PRO-3766: update platform to 0.8.1 * Fix Breaking-Changes (#401) * generic-chart added (#398) * PRO-3609: upgrade pro ui to 1.9.0 (#399) * navi-back: upstream update 7.15.2.4 (#402) * [PRO-4517] обновил хелм-чарт pro-api в onprem до версии 1.5.0 (#394) * PRO-0: upgrade PRO API to 1.5.1 (#404) * Feature: add PR template (#410) * PRO-4774: upgraded PRO API to 1.6.0 (#407) * [PRO-4635] pro-ui, версия 2.1.1 (#405) * Citylens 1.6.0 (#406) * Update citylens to 1.5.0 * Bump appversion * Fix citylens-api configmap * Fix license server url template * Fix review notes * Update headerLinks * Add camcom to headerLinks * Fix page name in configmap * Bump to 1.5.1 * Bump to 1.6.0 * Update breaking changes & bump app version in chart * [navi-router] rename router.keyManagementServices to keys (#409) * [navi-router] Remove trailing dots in param descriptions * [navi-router] Rename router.keyManagementService -> keys * [navi-router] Rename router.castleHost -> router.castleUrl * WAPI-23469 Add configuration for audit logging (#414) * WAPI-23469 Add configuration for audit logging * fixes * upd version tag * fix duplication key * [navi-restrictions] update to style guide (#408) * [tiles-api] Upgrade to 4.52.8 (#416) * WAPI-23326 Add new s3 params, custom ca configuration (#390) * WAPI-23326 Add new s3 config params to keys and catalog-api charts * WAPI-23326 Add custom certs configuration to keys, catalog-api charts * fix typos * more fixes * fix configmap deploy * split configmap config for jobs and deploys * upd config for keys * fix to keys chart * upd image tags * upd docs * Chore: fix PR template (#418) * [PRO-4789] поправили values для сервиса ключей * Citylens 1.7.0 (#422) * Citylens 1.7.0 * bump version to 1.7.1 * Make reporterProTracks deploy one or no replicas * Bump version to 1.7.2 * [tiles-api] Upgrade to 4.52.9 (#421) * [+] release 1.21.0 branch * mapgl values fix --------- Co-authored-by: Dmitriy Donov <dmitriy@donov.ru> Co-authored-by: Voronkov Alexander <voronkov.alexander@gmail.com> Co-authored-by: Петр Беклемишев <pbekl@bk.ru> Co-authored-by: Andrey Morozov <62840181+endryhold@users.noreply.github.com> Co-authored-by: Vladimir Popov <v.popov@2gis.ru> Co-authored-by: Dmitrii Molochnikov <d.molochnikov@2gis.ru> Co-authored-by: Artem Malko <a.malko@2gis.ru> Co-authored-by: Alexander Voronkov <a.voronkov@2gis.ru> Co-authored-by: i-bogomazov <106957509+i-bogomazov@users.noreply.github.com> Co-authored-by: vgivanov <v.ivanov@2gis.ru> Co-authored-by: Dmitry Milov <senneerr@gmail.com> Co-authored-by: ostrovskiy2gis <108522609+ostrovskiy2gis@users.noreply.github.com> Co-authored-by: Andrew Mikhailov <Andrew.Mikhailov.18.01@gmail.com> Co-authored-by: Денис Беляев <d.belyaev@2gis.ru> Co-authored-by: Kirill Salnikov <k.salnikov@2gis.ru> Co-authored-by: Власов Сергей Сергеевич <s.vlasov@2Gis.ru>

* Twins importer (#360) * Twins importer * Twins importer add dgctlStorage settings * Twins importer fix chart * fix chart * small fix * add logs * [keys-api] up keys-backend. Support truck, map-matching api keys (#386) * Update citylens to 1.4.0 (#388) * Update citylens to 1.4.0 * bump to 1.4.1 * Feature: add codeowners file (#383) * [license] Reworked securityContext for license type 2 (#387) * [PRO-4361] Обновление pro-api до версии 1.1.79 (#382) * [PRO-4361] Обновление pro-api до версии 1.1.74 * PRO-4361: update to 1.1.77 * PRO-4371: update to 1.1.78 * PRO-4361: update to 1.1.79 * PRO-4176: add auth scopes (#365) * PRO-4176: add auth scopes * PRO-4176: update pro-ui version * PRO-4176: update app version * PRO-4176: update to 1.7.5 * navi-castle: bugfix (#393) - scheduled tasks without PV - configuration parameters mistaken * navi-restrictions-api 1.0.1 release (#392) * navi-restrictions-api 1.0.1 release * readme upd * [DEVOPS-982] navi-front: update default locations (#389) * [DEVOPS-982] navi-front: Add pedestrian location (#396) * [platform] Upgrade version (#381) * PRO-3766: update platform to 0.8.1 * Fix Breaking-Changes (#401) * generic-chart added (#398) * PRO-3609: upgrade pro ui to 1.9.0 (#399) * navi-back: upstream update 7.15.2.4 (#402) * [PRO-4517] обновил хелм-чарт pro-api в onprem до версии 1.5.0 (#394) * PRO-0: upgrade PRO API to 1.5.1 (#404) * Feature: add PR template (#410) * PRO-4774: upgraded PRO API to 1.6.0 (#407) * [PRO-4635] pro-ui, версия 2.1.1 (#405) * Citylens 1.6.0 (#406) * Update citylens to 1.5.0 * Bump appversion * Fix citylens-api configmap * Fix license server url template * Fix review notes * Update headerLinks * Add camcom to headerLinks * Fix page name in configmap * Bump to 1.5.1 * Bump to 1.6.0 * Update breaking changes & bump app version in chart * [navi-router] rename router.keyManagementServices to keys (#409) * [navi-router] Remove trailing dots in param descriptions * [navi-router] Rename router.keyManagementService -> keys * [navi-router] Rename router.castleHost -> router.castleUrl * WAPI-23469 Add configuration for audit logging (#414) * WAPI-23469 Add configuration for audit logging * fixes * upd version tag * fix duplication key * [navi-restrictions] update to style guide (#408) * [tiles-api] Upgrade to 4.52.8 (#416) * WAPI-23326 Add new s3 params, custom ca configuration (#390) * WAPI-23326 Add new s3 config params to keys and catalog-api charts * WAPI-23326 Add custom certs configuration to keys, catalog-api charts * fix typos * more fixes * fix configmap deploy * split configmap config for jobs and deploys * upd config for keys * fix to keys chart * upd image tags * upd docs * Chore: fix PR template (#418) * [PRO-4789] поправили values для сервиса ключей * Citylens 1.7.0 (#422) * Citylens 1.7.0 * bump version to 1.7.1 * Make reporterProTracks deploy one or no replicas * Bump version to 1.7.2 * [tiles-api] Upgrade to 4.52.9 (#421) * Чек-лист код-ревью для описания PR (#424) * [PRO-4789] Change PRO UI to 2.5.1 version and PRO API to 1.11.2 version (#419) * [PRO-4789] обновил PRO API до версии 1.11.2 Change UI and API Version * [PRO-4789] поправили values для сервиса ключей * [PRO-4789] добавлена обязательность параметров kafka.eventsTopic.name и kafka.eventsTopic.readerGroupId * [PRO-4789] добавлен хук удаления в asset-importer-starter * WAPI-23416 поддержка tls для коннектов к postgres в catalog (#395) * WAPI-23417 возможность указать кол-во ретраев на коннект к базе в twi… (#397) * WAPI-23417 возможность указать кол-во ретраев на коннект к базе в twins api * WAPI-23417 возможность указать кол-во ретраев на коннект к базе в twins api * PRO-4936: upgrade keys-ui to 0.7.0 (#425) * [DEVOPS-1025] Upgrade castle version (#417) * Update citylens chart to 1.8.0 version (#427) * Update citylens chart to 1.8.0 version * Fix typo in pull request template * Fix kafka.predictorsExtraTopics description * Simplify chart * update values --------- Co-authored-by: Dmitriy Donov <dmitriy@donov.ru> Co-authored-by: Voronkov Alexander <voronkov.alexander@gmail.com> Co-authored-by: Петр Беклемишев <pbekl@bk.ru> Co-authored-by: Andrey Morozov <62840181+endryhold@users.noreply.github.com> Co-authored-by: Vladimir Popov <v.popov@2gis.ru> Co-authored-by: Dmitrii Molochnikov <d.molochnikov@2gis.ru> Co-authored-by: Artem Malko <a.malko@2gis.ru> Co-authored-by: Alexander Voronkov <a.voronkov@2gis.ru> Co-authored-by: i-bogomazov <106957509+i-bogomazov@users.noreply.github.com> Co-authored-by: vgivanov <v.ivanov@2gis.ru> Co-authored-by: Dmitry Milov <senneerr@gmail.com> Co-authored-by: ostrovskiy2gis <108522609+ostrovskiy2gis@users.noreply.github.com> Co-authored-by: Andrew Mikhailov <Andrew.Mikhailov.18.01@gmail.com> Co-authored-by: Денис Беляев <d.belyaev@2gis.ru> Co-authored-by: Kirill Salnikov <k.salnikov@2gis.ru> Co-authored-by: Власов Сергей Сергеевич <s.vlasov@2Gis.ru> Co-authored-by: Aveldin1 <164148461+Aveldin1@users.noreply.github.com>

[license] Reworked securityContext for license type 2

b8e2e2f

Bolodya1997 requested review from dbelyaev-nsk, justcrafter, IgorYurevich, endryhold and alyoshinaarina January 17, 2024 08:59

IgorYurevich approved these changes Jan 17, 2024

View reviewed changes

v-a-v reviewed Jan 23, 2024

View reviewed changes

charts/license/templates/statefulset.yaml Show resolved Hide resolved

v-a-v approved these changes Jan 24, 2024

View reviewed changes

v-a-v merged commit 9aa6fdf into develop Jan 24, 2024
1 check passed

v-a-v deleted the feature/IODEV-1762-license-non-root branch January 24, 2024 06:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IODEV-1762: Поправил securityContext для license #387

IODEV-1762: Поправил securityContext для license #387

Bolodya1997 commented Jan 17, 2024

endryhold commented Jan 17, 2024

IODEV-1762: Поправил securityContext для license #387

IODEV-1762: Поправил securityContext для license #387

Conversation

Bolodya1997 commented Jan 17, 2024

Описание

Как тестировать

endryhold commented Jan 17, 2024