Consolidate uids

galaxyproject · Jan 10, 2025 · 17be5da · 17be5da
1 parent 455f04d
commit 17be5da
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 17 deletions.
diff --git a/galaxy/templates/deployment-nginx.yaml b/galaxy/templates/deployment-nginx.yaml
@@ -29,7 +29,7 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "galaxy.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.securityContext | nindent 8 }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
       {{- if .Values.webHandlers.podSpecExtra -}}
         {{- tpl (toYaml .Values.webHandlers.podSpecExtra) . | nindent 6 }}
       {{- end }}

diff --git a/galaxy/templates/deployment-tusd.yaml b/galaxy/templates/deployment-tusd.yaml
@@ -32,7 +32,9 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "galaxy.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.tusd.securityContext | nindent 8 }}
+        runAsUser: {{ default .Values.securityContext.runAsUser .Values.tusd.securityContext.runAsUser }}
+        runAsGroup: {{ default .Values.securityContext.runAsGroup .Values.tusd.securityContext.runAsGroup }}
+        fsGroup: {{ default .Values.securityContext.fsGroup .Values.tusd.securityContext.fsGroup }}
       {{- if .Values.tusd.podSpecExtra -}}
         {{- tpl (toYaml .Values.webHandlers.podSpecExtra) . | nindent 6 }}
       {{- end }}

diff --git a/galaxy/templates/jobs-init.yaml b/galaxy/templates/jobs-init.yaml
@@ -19,7 +19,9 @@ spec:
         checksum/galaxy_extras: {{ include (print $.Template.BasePath "/configmap-extra-files.yaml") . | sha256sum }}
     spec:
       securityContext:
-        {{- toYaml .Values.setupJob.securityContext | nindent 8 }}
+        runAsUser: {{ default .Values.securityContext.runAsUser .Values.setupJob.securityContext.runAsUser }}
+        runAsGroup: {{ default .Values.securityContext.runAsGroup .Values.setupJob.securityContext.runAsGroup }}
+        fsGroup: {{ default .Values.securityContext.fsGroup .Values.setupJob.securityContext.fsGroup }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -29,7 +31,7 @@ spec:
         - name: {{ .Chart.Name }}-wait-postgres
           image: {{ .Values.jobs.init.image.repository }}:{{ .Values.jobs.init.image.tag }}
           imagePullPolicy: {{ .Values.jobs.init.image.pullPolicy }}
-          command: ['sh', '-c', 'echo Chown mount path; chown 10001:10001 {{ .Values.persistence.mountPath }}; echo Begin waiting for postgres; until nc -z -w3 {{ template "galaxy-postgresql.servicename" . }} 5432; do echo waiting for galaxy-postgres service; sleep 1; done; echo done;']
+          command: ['sh', '-c', 'echo Chown mount path; chown {{ .Values.securityContext.fsUser}}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }}; echo Begin waiting for postgres; until nc -z -w3 {{ template "galaxy-postgresql.servicename" . }} 5432; do echo waiting for galaxy-postgres service; sleep 1; done; echo done;']
           volumeMounts:
             - name: galaxy-data
               mountPath: {{ .Values.persistence.mountPath }}

diff --git a/galaxy/values.yaml b/galaxy/values.yaml
@@ -180,6 +180,10 @@ rbac:
   enabled: true
 
 securityContext:
+  #- UID of the system user used by jobs. This user must exist in the container.
+  runAsUser: 10001
+  #- GID of the system group used by jobs. This group must exist in the container.
+  runAsGroup: 10001
   #- Security context and file system group used by jobs.
   fsGroup: 10001
 
@@ -211,13 +215,7 @@ extraVolumeMounts: []
 setupJob:
   #- create the database
   createDatabase: true
-  securityContext:
-    #- the setup jobs will run as this user
-    runAsUser: 10001
-    #- the `runAsUser` will belong to this group.
-    runAsGroup: 10001
-    #- the filesystem group
-    fsGroup: 10001
+  securityContext: {}
   ttlSecondsAfterFinished: 300
   downloadToolConfs:
     enabled: true
@@ -481,8 +479,8 @@ configs:
           {{- end }}
         k8s_namespace: "{{ .Release.Namespace }}"
         k8s_galaxy_instance_id: "{{ .Release.Name }}"
-        k8s_fs_group_id: "10001"
-        k8s_supplemental_group_id: "10001"
+        k8s_fs_group_id: "{{ .Values.securityContext.fsGroup }}"
+        k8s_supplemental_group_id: "{{ .Values.securityContext.fsGroup }}"
         k8s_pull_policy: IfNotPresent
         k8s_cleanup_job: onsuccess
         k8s_job_ttl_secs_after_finished: 90
@@ -765,10 +763,7 @@ tusd:
   annotations: {}
   podAnnotations: {}
   podSpecExtra: {}
-  securityContext:
-    runAsUser: 10001
-    runAsGroup: 10001
-    fsGroup: 10001
+  securityContext: {}
   image:
     repository: tusproject/tusd
     tag: v1.13.0